What is a site-to-site VPN?


Traditionally, virtual private networks (VPNs) were used by corporate employees to ‘dial home’ to their office network. These are called “remote access VPNs”: they set up a temporary, encrypted connection between a single device and a VPN server somewhere else, which is why this is sometimes called the “client/server” model.

For instance, imagine a remote employee on the road who needs to check the status of a delivery. They can use their laptop to establish an encrypted tunnel to the company network and access the same information as if they were sitting at their desk. With the information in hand, the employee disconnects (or simply shuts the laptop) and the tunnel is torn down.

In my sites 

A site-to-site VPN works differently. Instead of the client/server model, where an individual device connects to a network, it connects whole local area networks (LANs) to each other.

This means that instead of a single user accessing the network temporarily, an organization can share network resources across all of its sites. This is done by setting up secure, encrypted ‘tunnels’ between sites, effectively creating a permanent ‘wide area network’ (WAN) for all users.

Picture a company with a London and a Tokyo office. Each office has its own computer network. The company first sets up a VPN ‘gateway’ at each site: a router or firewall that terminates the tunnel and knows which address ranges live at the other end. (This is not a proxy server; individual applications are unaware of it.) The company can then set up a permanent VPN connection between the two gateways.

If a user in the London office wants to query a database held in Tokyo, their computer simply sends the request to the Tokyo address as usual. The London gateway sees that the destination belongs to the Tokyo network, encrypts the request and sends it through the tunnel, so anything intercepted in transit can only be decrypted by the Tokyo gateway. On receiving the request, the Tokyo gateway decrypts it and forwards it to the database. The reply travels back through the Tokyo gateway, where it is encrypted again, and the London gateway decrypts the results and delivers them to the user.

This all takes place in a fraction of a second and is seamless: the end user doesn’t have to do anything more than make the data request and receive the results.

This model where a VPN is used to connect sites across one organization is commonly known as an “Intranet-based site-to-site” VPN. However different companies can also set up “Extranet-based site-to-site” VPNs to share information and resources securely with each other.

Site-to-site superiority 

If you’re running networks in multiple locations, the benefit of being able to share resources across your entire organization is clear. Although there are other ways to do this, site-to-site VPNs make it much easier to add new devices to the network. Instead of installing VPN client software on every machine, a device simply joins the local LAN, and any traffic it sends to another site is routed through the local VPN gateway.

The same is also true of new networks. If our company also opens an office in Paris, it’s a simple matter for a competent network admin to set up a new gateway and add it to the site-to-site VPN. One thing to plan for: Paris needs a tunnel to each site it must reach directly, or a single tunnel to a hub site that relays traffic, so the number of tunnels (and keys to manage) grows with each office added.

Most importantly, this can be done in a secure way. All traffic between sites is encrypted between the gateways, so there is very little chance of sensitive data leaking while it crosses the public internet. Note the limit of that guarantee: the VPN does not encrypt traffic inside each office’s LAN, and it does not stop a compromised host at one site from reaching the other. There are, of course, other ways to encrypt your connection, but site-to-site VPNs do it in a safe and user-friendly way, as the process is transparent to most users.

Site-to-site setbacks 

As we’ve seen, a site-to-site VPN is something very different to a Remote Access VPN, where individuals connect to their office network temporarily using just one device. 

In recent years the trend has been for more individuals to work from home, which a site-to-site VPN does nothing to help: it joins office networks together, and a home worker is not on any of them. To reach data across the organization, each home worker would either need their own gateway, which isn’t practical for most people, or a separate remote access VPN into one of the sites.

Manually setting up a VPN gateway also may be difficult for some small businesses, although it is possible to outsource this to a third-party. 

Small and medium-sized businesses may find it easier just to use centralized cloud-based resources across different sites. This would allow people to access the same data if they’re at home or in the office without setting up gateways. 

Very large organizations and extranet-based site-to-site VPNs can also be difficult to manage, as each network has to set up and maintain its own gateway. Any organization setting up a site-to-site VPN must therefore have a network policy and check in with admins at each site to make sure the gateways are maintained. This is particularly important for making sure you’re using current VPN protocols and ciphers (for example IKEv2/IPsec with modern cipher suites, or WireGuard) rather than obsolete ones such as PPTP. With an extranet, it also matters which address ranges each side is allowed to reach: the partner’s gateway should be able to send traffic only to the systems you have agreed to share, not to your whole network.

Some providers, such as Amazon Web Services with its Cloud WAN service, and the wider market of SD-WAN (software-defined WAN) products, let you manage many site connections from a central place. This approach may offer an easier way to set up and manage site-to-site VPNs as the number of sites grows.

Site-to-site summary 

Site-to-site VPNs are used to connect multiple networks together in an efficient and secure manner. 

Whether or not you need to use one will depend on the size of your business, how far apart your networks are and what type of information you share. If you don’t have many sites or don’t routinely share sensitive information, there are alternatives. For instance, many now opt to use business cloud storage services and free cloud applications, which would make a site-to-site VPN unnecessary. 

If your organization has ambitions to grow and have a presence in multiple locations, you may prefer to start as you mean to go on with a site-to-site VPN, which supports scaling. You also won’t be trusting your data to a third-party provider as you would with cloud apps.

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.