Site-to-site VPNs: Types, requirements, and configuration

What is a site-to-site VPN?

A site-to-site virtual private network (VPN) is a secure VPN connection between two or more separate networks. Instead of securing individual devices, it protects the communication between entire local area networks (LANs), like a corporate HQ and a branch office.

This type of VPN acts like a wide area network (WAN), letting teams in different locations access shared resources as if they were on the same local network. Unlike other types of WAN, however, a site-to-site VPN creates a secure VPN tunnel between multiple LANs. It's commonly used to:

• Connect geographically distant corporate offices.
• Secure links between on-premises infrastructure and remote data centers.
• Enable safe communication between partner companies.

A remote access VPN is used to establish a connection between individual users and a central network (think of an employee accessing company resources from home). Meanwhile, site-to-site VPNs provide an encrypted connection between entire networks. One secures a device-to-network link, the other secures a network-to-network bridge.

How does a site-to-site VPN connection work?

A site-to-site VPN securely connects networks by creating a site-to-site tunnel using VPN protocols like IPsec (Internet Protocol Security). This tunnel encrypts all traffic between sites, making it unreadable to outsiders.

Each network has a gateway (usually a VPN-capable router or firewall) that handles the encryption and decryption of traffic. These gateways route data between sites using predefined rules, so devices on one network can talk to devices on the other as if they were in the same building.

IPsec is the most common protocol used for this. It handles encryption and authentication, often paired with L2TP or GRE for tunneling. GRE itself doesn't encrypt anything — it just creates the tunnel, so it's typically used alongside IPsec. Some setups may use OpenVPN, especially in more flexible or custom configurations.

Let's take a real-life example. Say a company has offices in Berlin and New York. Each location runs its own network of laptops, servers, printers, and other devices. The company wants those networks to function like one, without exposing anything to the public internet. To do that:

1. 1.VPN gateways are set up in both offices. They act as secure translators between the local network and the VPN tunnel.
2. 2.A tunnel is established between the gateways using IPsec.
3. 3.All traffic between the two offices is encrypted as it enters the tunnel, and decrypted when it exits.

So if Joe in Berlin wants to query a database in New York, his request goes through the Berlin gateway, gets encrypted, travels securely through the tunnel, gets decrypted by the New York gateway, and is passed to the database. The response takes the same encrypted path back. Joe never notices anything — all this process only takes seconds.

Site-to-site VPN requirements

To set up a site-to-site VPN, you'll need:

• VPN-compatible routers or firewalls at each location. Your hardware needs to support IPsec or similar protocols.
• Public IP addresses for each gateway. This is how they find each other over the internet.
• A shared VPN protocol. Most setups use IPsec for encryption and authentication.
• Network address planning. Avoid overlapping subnets between sites to keep routing simple.
• Admin access to each network's router and firewall. You'll need to configure tunnel settings on both sides.
• Reliable internet connections at each site. The whole setup depends on stable connectivity.

What are the types of site-to-site VPNs?

Two main types of site-to-site VPNs exist:

• Intranet-based site-to-site VPNs connect multiple offices or branches within the same organization. For example, a retail chain may link all its stores to the HQ to create a unified internal network. Everything runs over the public internet, but the connection is private and secure.
• Extranet-based site-to-site VPNs are used between separate organizations, like suppliers, partners, or clients. An extranet-based VPN allows controlled access to specific parts of your network without opening up everything.

For larger setups, some businesses choose an MPLS VPN, a private, managed alternative that can handle more complex routing.

What is the difference between a site-to-site VPN vs. a remote access VPN?

A site-to-site VPN is different from a remote access virtual private network. A remote access VPN is the most common type of consumer virtual private network, the kind you may use on your phone or laptop for personal day-to-day privacy.

Remote access VPNs use a client/server model. The client is an application installed on your device that routes your internet activity through a server and encrypts your data as it travels between client and server. This is an effective way to protect your privacy online, shield the IP addresses of your devices, and limit the threat of man-in-the-middle attacks.

Site-to-site VPNs don't use a client/server model. The tunnel of encryption runs between the gateways at each site, so a user doesn't need to have a client on their device as long as they send and receive information through their VPN gateway.

Remote access VPNs can be used for businesses and larger organizations as well, of course. Employees may use a client on their device to access a specific company server, for example, where files and other network resources are housed. Many enterprises use both remote access VPNs and site-to-site VPNs.

What is the difference between a site-to-site VPN vs. a point-to-site VPN?

Site-to-site VPNs connect entire networks and are great for businesses with multiple offices that need a constant, secure link between locations. They serve as a bridge between sites so teams can share resources like they're on the same local network.

Point-to-site VPNs, on the other hand, are made for individual users. They let remote employees securely connect to the office network from wherever they are: home, a coffee shop, or on the road. It's flexible, user-focused, and perfect for companies with a distributed workforce.

How to create a site-to-site VPN tunnel

Let’s take a look at the steps for setting up a site-to-site VPN tunnel:

1. 1.Choose VPN-capable routers or firewalls at each site.
2. 2.Configure each device with:
   • Static public IP addresses so they can find each other.
   • Matching VPN protocol (IPsec is common).
   • Matching encryption settings.
3. 3.Define local and remote subnets to tell each gateway what traffic to tunnel.
4. 4.Set up authentication (pre-shared key or digital certificate).
5. 5.Open necessary firewall ports (usually UDP 500 and 4500 for IPsec).
6. 6.Test the tunnel to make sure traffic is encrypted and routing is correct.

How to do the site-to-site VPN configuration

To configure a site-to-site VPN, you'll need access to a VPN-capable router or firewall at each site. Follow these steps to set it up:

1. 1.Log in to your router or firewall's admin interface.
2. 2.Go to the VPN section and select "Site-to-site" or "IPsec" VPN.
3. 3.Set the local subnet (your internal network) and the remote peer's public IP.
4. 4.Enter the remote subnet (the other site's internal network).
5. 5.Choose your encryption and authentication settings (like AES or SHA).
6. 6.Enter a pre-shared key or upload digital certificates.
7. 7.Enable NAT traversal if needed (depends on your network setup).
8. 8.Save and apply the settings.
9. 9.Repeat the configuration on the remote device.
10. 10.Test the connection to confirm the tunnel is working.

What are the best practices for a site-to-site VPN setup?

Getting the tunnel up is one thing — keeping it secure and stable is another. A few best practices will help you do it right:

• Use strong encryption like AES-256 with IPsec.
• Patch firmware regularly on all VPN devices.
• Restrict access using firewall rules.
• Check logs regularly and set up alerts for unusual traffic.
• Enable failover configurations if high availability is critical.

What hardware is required for a site-to-site VPN?

You don’t need fancy enterprise gear to run a site-to-site VPN, but you do need the right tools:

• A router or firewall that supports site-to-site VPN protocols (like IPsec).
• Dual-WAN routers if you want internet redundancy or load balancing.
• VPN concentrators for managing multiple tunnels in large-scale networks.
• A modem for a stable internet connection at each location.

Also worth noting that hardware should have sufficient processing power to handle encryption without impacting network performance.

What are the benefits of site-to-site VPNs?

Site-to-site VPN benefits for organizations of all sizes include:

• Enhanced data security. A site-to-site VPN encrypts data transferred between users or different locations (that's the encrypted VPN tunnel we referred to earlier). That means that if bad actors intercept data while in transit between sites, it will be visible to them only as indecipherable code without the proper decryption key.
• Streamlined resource sharing. While this is a benefit of most WANs, it's worth mentioning here. A site-to-site VPN allows employees in locations around the world to communicate, share resources, and safely access sensitive data. It's a great way to maintain synergy across a dispersed workforce, provided everyone has access to the sites where the gateways are set up.
• Easy onboarding. One benefit of using a site-to-site VPN network security solution is that it doesn't rely on a client/server model. Instead of requiring all users on a corporate network to install specific client software on their devices, they can just connect to the VPN gateway and start benefiting from the aforementioned data security. Using a non-client model also helps in the rare cases where particular operating systems and devices aren't compatible with VPN software.

What are the limitations of site-to-site VPNs?

Site-to-site VPNs also have some limitations that you should keep in mind:

• Unsuited to remote working. Since 2020, remote working has become much more normalized. As a result, many employees work from home or from coworking spaces, where they don't have access to a designated VPN gateway. The same goes for any organization that relies on freelancers, who are rarely able to physically access the sites that the VPN connects.
• Limited security and privacy. No matter how secure your VPN protocols are, a site-to-site VPN only protects data as it travels between gateways. The LANs on either side of those gateways aren't necessarily safe from cybercriminals and snoopers, so once information is decrypted and sent to a specific device on a site, it could be exposed. This is an area where client/server VPNs have an edge since data traveling to and from individual client-installed devices is usually encrypted.
• Decentralized deployment and management. While many companies are adopting VPN solutions to enhance network security, most prefer systems that can be deployed and managed from a central control point. Centralized management improves technical troubleshooting and security. Setting up a site-to-site VPN involves different teams at different sites, making centralized management harder.

Why use a site-to-site VPN for B2B communication?

You should use a site-to-site VPN for B2B communication because it has plenty of benefits: 

• Security. All traffic is encrypted between networks, reducing exposure to threats.
• Control. You decide exactly what parts of your network partners or contractors can access.
• Cost efficiency. It removes the need for pricey leased lines or dedicated circuits.
• Convenience. It makes external access feel like it’s happening inside your own network.

How do corporate networks take advantage of site-to-site VPNs?

Site-to-site VPNs let businesses operate like a single unit, no matter how many locations they have. Here’s how companies use them:

• Secure data sharing across global offices.
• Centralized backups from branch offices.
• Enabling internal apps (such as CRM or ERP) across all sites.
• Providing access to shared databases and tools.
• Creating a unified security policy across locations.
• Hybrid flexibility, combining site-to-site VPNs for office networks with remote access VPN for employees working from home or in the field.

Is a site-to-site VPN better than a web-based VPN?

It depends on what you need:

• A site-to-site VPN is built for connecting entire networks. It's best for internal business operations and partner access.
• Web-based VPN (like SSL VPN) is perfect for individuals who need quick, browser-based access to specific apps or services. It's great for occasional remote use but not built for full network integration.

Is a VPN right for your business?

A VPN can enhance the online privacy and data security of most businesses. NordLayer, one of the most effective B2B VPN solutions available, offers a variety of options to businesses of all sizes. If you choose the NordLayer site-to-site VPN service, you can benefit from dedicated gateways for all of your LANs.

Even if you already have a networking solution — MPLS, for example — NordLayer can play a key role in your overall cybersecurity strategy. NordLayer also offers a client/server model, allowing organizations to securely share data and resources with workers both in and out of the office.

NordVPN: Alternative software solution to site-to-site VPNs

NordVPN offers a simpler, more affordable alternative to traditional site-to-site VPNs, especially for small businesses that need secure remote access. While it’s not a site-to-site VPN, businesses can use a dedicated IP to give remote employees safe and controlled access to their network without the complexity of a traditional setup.

With features like AES-256 encryption, a global server network, and extra security options like Double VPN, NordVPN ensures that connections are fast and secure. Plus, its easy-to-use interface and 24/7 customer support make it a great choice for businesses that need reliable remote access without a complicated setup.