The Different Types of VPN & When to Use Them

A remote access VPN, sometimes called client-based VPNs or client-to-server VPNs, let you use the internet to securely connect to a private network, such as your home network or your company’s office network, from another location.

At one end of the scale, big tech companies like Fortinet, Palo Alto and Cisco all offer sophisticated and expensive software solutions aimed at larger businesses.

At the other, it’s also perfectly possible to set up your own VPN server for free if you have the appropriate hardware to hand.

We found TailScale the easiest way to create a remote access VPN for.

In fact, we liked TailScale so much that one of our reviewers now runs it on a Raspberry Pi at his mother’s house, allowing him to fix issues with her network remotely. What used to be difficult technical support calls are now quick, simple fixes.

Once installed on your device, a remote access VPN client creates an encrypted tunnel between you and the private network you want to access.

Remote access VPNs can be used in different ways, for example:

1. Traveling for work: You can use a remote access VPN to connect securely to your company network on your hotel WiFi. Not only are you able to access all your usual files and software, but the VPN also protects your data from security threats on public networks.
2. Working from home: This type of VPN can provide secure access to sensitive company systems that have been locked down by IP address. Your computer simply functions as if it were on the corporate network, with all the data encrypted as it travels across the public internet.
3. Access to personal files: A remote access VPN will allow you to directly access files on any device connected to your home network, such as photos saved to your desktop PC or music and movie files on a home media server, from wherever you are.
4. Securely access networked devices: As well as files, this type of VPN will allow you to securely control and monitor IoT devices on your network, such as surveillance cameras or smart home systems, which can otherwise be vulnerable to attack, while you are away.

EXPERT TIP: While remote access VPNs are very useful, cloud storage might be a more straightforward alternative if all you want to do is to access files remotely. Cloud storage (such as Dropbox or Drive) uses an encrypted browser connection to protect your data, and is much easier to set up than a VPN.

To use a remote access VPN on your device you typically need to install client software or configure your device’s operating system to connect to the VPN. There also needs to be a VPN server on the network end of the connection.

You can have as many client devices as you like and for as many users as need to remotely access the network.

Between them, the client software and VPN server manage the VPN connection.

There are many versions of remote access VPN but fundamentally, the choice is paying for a service or managing it yourself.

If you’re doing it yourself, it basically boils down to how you set up the VPN server that acts as the gateway to the private network you want to access. Popular options include:

1. An always-on PC, server or Raspberry Pi-style device running WireGuard or OpenVPN
2. A flashed router with WireGuard or OpenVPN installed
3. TailScale on a PC, mobile device or Raspberry Pi

The remote access VPN market is increasingly complex, particularly at the enterprise level.

While traditional VPN services remain available, vendors now heavily promote more expensive alternatives like Zero Trust Network Access (ZTNA), Software Defined Perimeter (SDP), and Secure Access Service Edge (SASE).

Here are some main types of remote access VPN as a service:

• Client-to-site VPN
• Cloud VPN
• SSL VPN Portal
• SSL VPN Tunnel
• NordVPN’s Meshnet feature

Examples of remote access VPNs for business include:

• Access Server by OpenVPN, which is free for up to two simultaneous VPN connections.
• Cisco AnyConnect, which integrates with Cisco’s enterprise security solutions.
• Perimeter 81 Remote Access VPN.
• Checkpoint Remote Access VPN, which comes as an IPSec Client and an SSL Portal.
• NordLayer, from the same company that operates highly-rated personal VPN service NordVPN.

Other popular remote access VPN products include Fortinet Forticlient, Palo Alto Global Protect, Pulse Secure, Sonicwall SSL VPN, Juniper Secure Connect.

An example of a self-managed remote access VPN is what we have set up for our own team to allow for hybrid working.

We have a WireGuard VPN server running on a Linux box in our office. WireGuard was the logical choice for us as it’s built into Linux, and is simpler and faster than OpenVPN.

The VPN client software installed on team members’ laptops is also free and open source: TunSafe for Windows users and the official WireGuard client for our Mac users.

This allows us to provide access to our back-end systems and other shared resources for our team when they work remotely without compromising security.

Our set up is free, highly secure and under the complete control of our sysadmins, with none of the risk of relying on a third party.

A mobile VPN, also known as an “Always-on VPN”, is a better option than a remote access VPN if the user is unlikely to have a stable connection, on the same network, for the entire session.

With a mobile VPN, the VPN connection persists even if the user switches WiFi or cellular network, loses connectivity, or switches their device off for a while.

Mobile VPNs tend to be offered by the same big tech companies that also provide standard remote access VPN services.

You should use a mobile VPN if you are constantly on the move and it’s critical that you maintain an uninterrupted connection to a remote private network.

This type of VPN also provides the convenience of a connection that adapts to network changes.

For example:

• First responders like firefighters and police officers rely on mobile VPNs to maintain access to critical resources such as vehicle databases, location tracking systems, and emergency dispatch applications as they move throughout their service area.

• Remote professionals in regions with unreliable internet can use a mobile VPN to maintain a secure office connection throughout the workday. This type of VPN avoids the inconvenience of constant re-authentication or the challenge of whitelisting revolving IP addresses.

From a user’s perspective, connecting to and using a mobile VPN is typically much the same as with a remote access VPN.

The main differences are technical, using specialized protocols to maintain your VPN connection as you move between networks, whether switching cellular towers or changing from WiFi to mobile data.

Mobile VPNs will typically use UDP-based protocols, such as IKEv2, for the same reason that they are usually the default option in the mobile apps of personal VPN services.

These VPN protocols are more resilient to network changes than TCP-based alternatives, as they can quickly re-establish connections without a full VPN handshake.

For an overview of how these types of VPN function, refer to our explanation of how a remote access VPN works.

Now, let’s delve into the aspects unique to mobile VPNs:

• Network switching process
  1. Your device switches networks (e.g., from WiFi to cellular), changing IP address in the process.
  2. Your VPN client detects the network change.
  3. The client sends a reconnection request using the unique ID assigned to the session.
  4. The VPN gateway validates the session and seamlessly resumes the connection.
  5. Even if you switch off your device to save battery, the VPN connection will still be active when it’s turned back on.
• Optimization techniques
  1. Connection durability: tolerating brief network interruptions
  2. Fast reconnections: minimizing handshake overhead
  3. Data compression: reducing data transfer for slower networks
  4. Quality of Service: QoS mechanisms ensure critical applications remain usable even in challenging network conditions.
• Common mobile VPN challenges and solutions
  1. Battery impact: continuous connection monitoring can drain the battery, requiring optimized polling intervals and efficient reconnection algorithms.
  2. Data usage: Keepalive packets consume data, requiring minimization and compression.
  3. Performance: Constant reconnections increase encryption overhead and latency, which is mitigated by hardware acceleration and optimized protocols.
• Common mobile VPN additional features
  1. Split tunneling for selective traffic routing.
  2. Automatic connection rules based on networks.
  3. Integration with Mobile Device Management (MDM).
  4. Performance analytics and troubleshooting tools.

Mobile VPN examples include:

• Bittium SafeMove Mobile VPN
• Cisco Mobile VPN
• Ivanti Connect Secure VPN
• Microsoft Always On
• Digi Mobile VPN is specifically aimed at first responders.
• Absolute Secure Access, previously known as Netmotion Mobility VPN.
• Radio IP software: enables mobile VPNs across all wireless network technologies.

A site-to-site VPN is used to connect entire networks in different locations, such as linking the corporate networks of a company’s multiple offices.

Unlike remote access VPNs that connect individual users to a network, site-to-site VPNs bridge two or more separate local area networks (LANs) over the internet.

This type of VPN enables offices to share resources and communicate seamlessly as if they were part of the same network, while keeping communications secure through encryption.

It can also extend to trusted business partners, allowing external companies to access parts of your network securely.

A site-to-site VPN is ideal when you need to connect multiple networks securely, for instance:

• Intranet-based VPN: This type of site-to-site VPN connects different branches of the same company into a unified private wide area network (WAN). Employees from each location can access shared resources across all branches seamlessly.
• Extranet-based VPN: This allows companies to securely share specific resources with external business partners by connecting their respective networks. It’s useful for suppliers, contractors, and collaborative ventures.

There are three main ways a site-to-site VPN can be implemented, via:

1. IPsec tunnel
2. Dynamic MultiPoint VPN (DMVPN)
3. Layer 3 VPN (L3VPN)

IPsec tunnel

IPsec tunnels create encrypted pathways between networks, implemented through routers at connected sites. This method is also known as a router-to-router VPN and comes in two variants:

1. A route-based IPsec tunnel acts as a virtual wire between networks, allowing all traffic to pass through.
2. A policy-based IPsec tunnel: employs specific rules to control the flow of traffic between IP networks.

Pros	Cons
Widely supported by most firewalls and routers	Point-to-point nature limits scalability
Strong security through encryption	Can become complex to manage in large networks
Relatively simple to implement for small-scale deployments	Relies on internet connectivity, which may affect performance

Dynamic MultiPoint VPN (DMVPN)

DMVPN addresses the scalability limitations of traditional IPsec tunnels.

This Cisco-proprietary technology is particularly suitable for large organizations with numerous sites, which would otherwise might need thousands of individual router-to-router IPSec connections.

DMVPN instead employs a hub-and-spoke architecture where:

• Branch sites (spokes) connect to a central location (hub).
• Dynamic IP addressing is supported.
• Direct spoke-to-spoke connections are possible with additional configuration.

Pros	Cons
Highly scalable for large networks	Vendor-specific (Cisco only)
Supports dynamic addressing	May require specialized expertise to implement and manage
Reduces configuration complexity in hub-and-spoke topologies	Still subject to internet performance limitations

MPLS-based Layer 3 VPN (L3VPN)

The IPsec and DMVPN approaches both sit on top of the internet, which means they can’t guarantee consistent performance.

L3VPNs instead operate at the network layer of the OSI model and use Multi-Protocol Label Switching to provide guaranteed quality of service across various transport media.

These are typically offered by service providers as managed WAN solutions.

Pros	Cons
Guaranteed performance and QoS	Significantly higher cost compared to internet-based VPNs
Traffic prioritization capabilities	Limited flexibility in terms of service changes
Provider-managed infrastructure	Dependency on service provider coverage
Protocol and transport medium agnostic

Examples of site-to-site VPN products include:

• OpenVPN Access Server – Allows for secure site-to-site connectivity using the OpenVPN protocol.
• Cisco VPN Solutions – A comprehensive suite of VPN technologies including DMVPN and IPsec options for enterprise networks.
• AWS Site-to-Site VPN – Enables secure, scalable connectivity between on-premises data centers and Amazon Virtual Private Cloud (VPC).
• Fortinet SD-WAN – Provides secure site-to-site connectivity with advanced traffic optimization and security features.

A personal VPN service connects you to a remote VPN server, which can be anywhere in the world.

This VPN server then acts like a middleman between your device and the online services you want to access.

The personal VPN – sometimes also called a ‘consumer’ or ‘commercial’ VPN – encrypts your connection, hides your identity online, and lets you spoof your geographic location.

A personal VPN service differs from a remote access VPN in that it doesn’t give you access to a private network.

Instead, a personal VPN works by giving you access to the public internet, but over an encrypted connection.

Personal VPNs are what we mostly talk about on this website in our VPN reviews, recommendations and guides.

The most common type of personal VPNs are the subscription services offered by providers such as ExpressVPN, NordVPN and Private Internet Access, or free services like Windscribe and Proton VPN.

However, just as with remote access VPNs, it is possible to set up your own personal VPN, although it is less common.

There are several reasons to use a personal VPN. Some of the most popular ones include:

• Unblocking georestricted content: A personal VPN allows you to stream movies and TV shows from different regions. For instance, connecting to a US-based VPN server allows you to access American Netflix’s extensive content library from anywhere in the world.
• Bypassing censorship: A personal VPN helps you overcome internet restrictions in countries with strict online censorship. Connecting to a VPN server in another country not only allows you to access blocked content but also protects your browsing activity from government surveillance.
• Enhancing internet privacy and performance: Personal VPNs prevent your internet service provider (ISP), governments, hackers, and anyone else from monitoring your online activity. This not only safeguards your privacy but can also prevent ISPs from throttling your connection speeds during high-bandwidth activities like streaming or gaming.

For a more extensive list, read our dedicated guide to what VPNs are used for.

Personal VPNs from free or paid providers all work in the same way and simply require the installation of client software on your device.

The VPN server network is managed by the provider and typically spans many global locations, either physically, virtually or both.

Self-managed, or “roll your own”, personal VPNs come in many forms and, as with remote access VPNs, require spinning up your own server.

Unless you rent a Virtual Private Server (VPS) in another country though, this type of personal VPN will lack the geolocation spoofing capacity of a VPN service.

On the other hand, several methods of setting up your own VPN server will provide you with both a remote access and a personal VPN.

Here’s how a personal VPN from a service provider works:

1. Install software from your VPN service provider onto your device.

   Personal VPN apps are available on all sorts of devices, including smartphones, streaming devices and gaming consoles.

   Alternatively, you can install the VPN software on your router to protect all the devices that connect to it.

The set-up process typically requires some kind of one-time sign-in or use of an activation code.

2. Connect to a server in your VPN provider’s network.

   Personal VPNs are very straightforward. You simply tap connect and authentication takes place automatically between the client and server.

   The tunnel is established in the same way as with a remote access VPN.

   Personal VPNs tend to have large server networks to choose from. If you just want to protect your privacy, connect to a local server for the fastest speeds.

   If you want to unblock streaming content, choose a server in the country where that content is accessible.

3. Browse the internet as normal.

   While connected to the VPN, all your internet traffic is routed via the remote server you selected.

   Your connection is encrypted, your IP address is replaced with that of the VPN server, and you can access geographically restricted content from other countries.

   For more detail on exactly how this works, see our breakdown of the phases of a VPN connection.

We’ve tested hundreds of free and paid personal VPNs since 2016. Currently, our three highest-rated VPNs are:

1. ExpressVPN
2. NordVPN
3. Private Internet Access

WireGuard is a modern VPN protocol that prioritizes simplicity and performance. It uses state-of-the-art cryptography and is implemented with only about 4,000 lines of code, making it easier to audit and less susceptible to vulnerabilities.

The protocol is built into the Linux kernel, which contributes to its exceptional speed and efficiency.

WireGuard is ideal for when you really need a high-speed connection, such as streaming or gaming. It’s also particularly effective on mobile, as it can switch between networks seamlessly.

Its main advantages include faster connection times, improved battery life on mobile devices, and better overall performance.

WireGuard’s simplicity means it is less configurable than other protocols however, which may be off-putting for some. Any concerns over IP-logging are completely unfounded in our view, as WireGuard can be configured to not record this data.

It’s the VPN protocol that we typically recommend using wherever possible.

OpenVPN is an open-source VPN protocol that became the industry standard for personal VPN services.

For many years it was our recommended option for consumer VPN users until WireGuard more recently replaced it as our protocol of choice.

OpenVPN offers a highly secure and versatile connection, using OpenSSL library and TLS protocols for encryption and authentication.

It is extremely flexible and difficult to block as it can be configured to run on any port and can use either UDP or TCP protocols.

OpenVPN is an excellent choice if security and privacy are more important to you than raw speed. It is particularly effective at bypassing firewalls and can be used on almost any platform.

The drawbacks of OpenVPN are that it can be slower than newer protocols like WireGuard, requires third-party software for implementation, and can be complex to set up manually.

IKEv2 (Internet Key Exchange version 2), when combined with IPSec, creates a highly secure and fast VPN protocol.

Developed jointly by Microsoft and Cisco, IKEv2 handles the SA (Security Association) attribute negotiation, while IPSec provides encryption for the actual data traffic.

This protocol is known for its ability to quickly re-establish a VPN connection when a user switches networks or temporarily loses their connection, which is why it’s ideal for mobile VPNs and personal VPN services’ mobile apps.

The main advantages of IKEv2 are its excellent stability, fast speeds, and native support on many platforms.

The protocol’s biggest downside is that it’s closed-source and so can’t be audited like WireGuard or OpenVPN for flaws or backdoors.

Other potential disadvantages are that IKEv2 isn’t supported by as many platforms as OpenVPN, and that, in theory at least, it’s easier to block as it uses fixed ports.

SoftEther (Software Ethernet) is a multi-protocol VPN software designed as an alternative to OpenVPN.

SoftEther can tunnel through most firewalls by using HTTPS, making it highly versatile in restrictive network environments. It started as an academic project at the University of Tsukuba in Japan but has grown into a powerful and flexible VPN solution.

SoftEther can be a good option if you need to bypass strict firewalls or network restrictions while maintaining good performance.

SoftEther’s strengths include its ability to support multiple protocols, that it’s usually faster than OpenVPN, and strong encryption.

However, it is not as widely supported by commercial VPN providers as other protocols, can be complex to set up, and may require more technical knowledge to implement effectively.

L2TP (Layer 2 Tunneling Protocol) is typically paired with IPSec for encryption, as it doesn’t provide encryption on its own.

Together they provide a very secure VPN connection that encapsulates data twice. L2TP/IPSec is a successor to PPTP and is significantly more secure while maintaining wide compatibility.

L2TP/IPSec is best for situations where security is paramount and native support is important, as it’s built into many operating systems.

The primary advantages of L2TP/IPSec include its widespread support, good security when properly configured, and ease of setup on most platforms.

Drawbacks include slower speeds due to double encapsulation, difficulty in getting through firewalls due to fixed ports, and potential vulnerabilities if Network Address Translation (NAT) is implemented incorrectly.

SSTP (Secure Socket Tunneling Protocol) is Microsoft’s proprietary VPN protocol that uses SSL/TLS encryption.

It’s similar to OpenVPN in that it can use TCP port 443, making it difficult to block and able to bypass most firewalls.

While SSTP can be useful in environments where other VPN protocols are blocked or restricted, we don’t recommend using it except as a last resort as it is closed-source.

It’s also not well-supported outside of Windows and slower than other protocols.

PPTP (Point-to-Point Tunneling Protocol) is one of the oldest VPN protocols still in use today.

Developed by Microsoft for dial-up networks, it was once the standard protocol for corporate VPN access but now has largely been phased out.

We do not recommend ever using this obsolete VPN protocol due to its age and known security vulnerabilities.