Site-to-Site VPN

Site-to-Site VPN connects remote networks, providing secure access to resources for organizations and home users. While it enhances security and integrates networks, it also poses setup challenges and relies on stable internet. Understanding your needs is crucial for selecting the right VPN type.

Site-to-Site VPN cover

Introduction

A VPN between networks (hereafter Site-to-Site VPN) is often seen as something rather complex and is marketed mainly as a solution for businesses and large organizations. Only in small circles of enthusiasts is a Site-to-Site VPN treated not as "forbidden fruit" but as an ordinary tool for solving specific tasks.

Today, we'll focus on the theory. To implement a Site-to-Site VPN at home, it's essential to understand the basic concepts. Let's dive in together!

What is a Site-to-Site VPN?

A Site-to-Site VPN (Virtual Private Network) is a type of VPN connection that allows two or more local networks (LANs) located in different geographic locations to be combined into a single secure network over the internet.

Basic Site-to-Site VPN diagram with two networks joined into one over the internet through an encrypted tunnel
Site-to-Site VPN diagram

This solution is used for secure data transmission between company offices or between an office and cloud infrastructure.

Key features of Site-to-Site VPN:

  • Traffic Encryption: Everything that crosses the tunnel between the two gateways is encrypted, so it cannot be read or altered in transit over the internet. Traffic inside each LAN, between a host and its own gateway, is not protected by the VPN.
  • User Transparency: Users don’t need to manually configure the connection, as the VPN operates automatically.
  • Connecting Local Networks: Instead of connecting individual devices, a Site-to-Site VPN links entire networks, allowing devices in different physical locations to exchange data as if they were on the same network.

It can be implemented in two main ways:

  • Intranet VPN: Connects multiple offices within the same organization.
  • Extranet VPN: Links networks of different companies for secure collaboration.

A Site-to-Site VPN is often used by large organizations to ensure reliable communication between their branches or partners.

Schema with 2 branches of company A and partner's company B connected via Site-to-Site VPN into one network
Site-to-Site VPN diagram between two companies

Who is it for?

A Site-to-Site VPN can be valuable for various types of organizations and businesses needing to merge multiple offices or networks into a single secure infrastructure. Key categories of users include:

  • Large Companies with Multiple Offices: Corporations with branches in different cities or countries use Site-to-Site VPN to link their networks, enabling teamwork and providing access to corporate resources for all employees.
  • Small and Medium-Sized Enterprises: Businesses with multiple offices or remote teams can use VPN to connect their offices without the need for building a private data transmission network.
  • Organizations with Cloud Infrastructures: Companies using cloud services (e.g., Amazon Web Services, Microsoft Azure, or Google Cloud) can connect their local network securely to the cloud infrastructure with Site-to-Site VPN.
  • Business Partners: When two or more companies need to regularly exchange large volumes of sensitive data, they can create a secure communication channel between their networks using Site-to-Site VPN (Extranet VPN).
  • Government Agencies: Site-to-Site VPN can connect different departments and offices, ensuring secure communication.
  • Educational Institutions: Universities and schools with multiple campuses can use VPN for secure data exchange between locations, providing students and staff access to educational resources.
  • Healthcare Facilities: Hospitals and medical centers can use VPN to protect patient data and collaborate between departments or with other medical institutions.

Thus, Site-to-Site VPN is relevant for any organization needing a secure and stable network to share confidential data between geographically dispersed offices or networks.

Site-to-Site VPN for any organization

Although less common for regular users, a Site-to-Site VPN can also be useful for home needs. Here are some situations where it may be beneficial:

  • Connecting Multiple Homes: If you have multiple locations (e.g., a primary home and a vacation house) and want to combine their networks into one, Site-to-Site VPN can make this possible. This setup allows you to easily share files or access devices (e.g., a home NAS server or surveillance cameras) regardless of your location.
  • Connecting a Home Network to a Remote Server: If you rent a VPS or run services in a cloud network, a Site-to-Site VPN links your home LAN to it, so services on either side reach each other over the tunnel instead of through ports opened to the whole internet.
  • Connecting a Fixed Remote Location to Your Home Network: A router at a second fixed location (a parent's house, a rented office) can be joined to your home network, giving devices there secure access to your computers, media servers, or cameras without exposing those services to the internet. For access from a laptop or phone that moves between networks, a Remote Access VPN (see below) is the better fit.
  • Gaming: If a group of friends or family members wants to connect their home networks for private, LAN-style online gaming, a Site-to-Site VPN can create that closed environment. Latency is that of the internet path between the homes plus a small encryption overhead, so the tunnel does not make the link faster; it only makes it private.
  • Security and Privacy: Everything crossing the tunnel is encrypted in transit, so home services (NAS, cameras, smart-home controllers) never have to be published directly on the internet.

Setting up a Site-to-Site VPN for home use can be somewhat complex and requires technical knowledge. However, many modern routers have built-in VPN support, simplifying the configuration process. This solution is ideal for tech-savvy users or those with specific security and data access needs.

Remote Access VPN and Point-to-Site VPN

It's worth mentioning that when discussing remote and secure access to specific networks or network resources, there are other approaches as alternatives to a Site-to-Site VPN.

Many people use VPNs, and in general practice, when VPNs are mentioned, they often refer specifically to a Remote Access VPN.

A bit about Remote Access VPN

When people say they use a VPN in their browser or on their computer to bypass certain restrictions, they usually mean a Remote Access VPN or a VPN client. This type of VPN changes the public IP address that websites see and encrypts traffic between the device and the VPN server, enabling safer use of untrusted networks and access to restricted content. Unlike Site-to-Site VPN, Remote Access VPN focuses on connecting a single user device to a network, typically for privacy or for accessing network resources remotely.

Remote Access VPN

Main Objectives of Using Remote Access VPN

  1. Bypassing Geographical Restrictions
    VPNs allow users to connect to servers in different countries, changing their IP address to one from a country where restrictions do not apply. This enables access to content blocked in certain regions, such as:
    • Streaming services with different libraries for various countries.
    • Websites that are only available in specific countries or blocked in the user's country.
  2. Protecting Privacy and Anonymity
    VPNs encrypt the user's traffic between the device and the VPN server, so the local network operator, the internet service provider, or an attacker on the same Wi-Fi cannot read it. The VPN provider itself can still see that traffic, so the user is moving trust from the ISP to the provider rather than removing it. This is useful for those who want to keep their browsing private or avoid tracking by their ISP.
  3. Bypassing Internet Censorship
    In countries or organizations with strict internet censorship (e.g., China, Iran), VPNs allow access to blocked sites like Google, Facebook, or YouTube, which would otherwise be unavailable due to local restrictions.
  4. Accessing Blocked or Restricted Services
    Some services or websites may block users from certain IP addresses or regions. A VPN helps bypass these blocks by using a different IP address.
  5. Safe Use of Public Networks
    VPNs provide traffic encryption when connecting to unsecured networks, such as Wi-Fi in cafes, airports, or hotels. This reduces the risk of data interception or Man-in-the-Middle attacks.

Thus, in this context, VPNs are used for:

  • Changing IP addresses to appear as a user from another country.
  • Encrypting traffic to protect privacy.
  • Bypassing blocks and censorship to access content.

I hope this clarifies things a bit!

Comparison

The main difference between Site-to-Site VPN, Remote Access VPN, and Point-to-Site VPN lies in how they organize connections to the network and the scenarios in which they are used. For simplicity, we'll use everyday examples, but we will also mention business aspects.

Site-to-Site VPN

This type of VPN is generally not used by individuals in everyday life because it is more suited for connecting entire networks (for example, between two offices). However, in a home context, one can imagine the following scenario:

Example: You have two homes, one in the city and another at your summer house. Each home has its own network (Wi-Fi, computers, smart devices). If you want both networks to function as one—meaning you can remotely access your home devices from your summer house (or vice versa)—you could set up a Site-to-Site VPN. This would create the impression that both networks are part of a larger, unified network.

As mentioned earlier, businesses use this type of VPN to connect two or more separate local networks (offices, company branches, etc.) over the Internet. In this case, the networks act as one large segment, ensuring secure data transmission between various offices or locations.

  • Usage: Connecting two or more offices or branches.
  • Users: Hosts on either LAN reach the other side through their normal gateway; no client software or login is needed.
  • Example: Connecting a company's headquarters to a remote office through a VPN.

Remote Access VPN

This is the most common type of VPN for regular users. It can be used to protect your data while connecting to the Internet or to bypass restrictions.

Example 1: You install a VPN on your laptop or smartphone. When you connect to the Internet via public Wi-Fi (in a café or airport), your VPN encrypts all the data you transmit, so no one on that local network can "eavesdrop" on your activities. Additionally, the VPN changes the IP address that websites see, making you appear as a user from another country; this allows you to access blocked websites or content available only in other countries (such as certain series on Netflix).

Example 2: You install a VPN on your laptop or smartphone. When you're away from home (for instance, at the office, hotel, or café), you can connect to your home network through your VPN. All data transmitted between your device and your home network will be encrypted, protecting it from potential threats in public networks. Through this connection, you can access important home services—such as a NAS server for file storage or a smart home system (Home Assistant) to control devices like cameras or lighting. Moreover, if you use a media server like Plex or Jellyfin, you'll be able to watch movies from your home library without worrying about the security of your connection in public networks.

Remote Access VPN

In a business context, this solution is for remote users who want to connect to the corporate network over the Internet using their devices (computers, laptops). In this case, the user installs a VPN client on their device to connect to the corporate network.

Usage: For remote access to the corporate network from anywhere.
Users: Individual users (employees working from home or while traveling).
Example: An employee connecting to the company network from home to access internal resources.

Point-to-Site VPN

This type of VPN, as the term is used in this article, allows you to connect to a specific device or resource located remotely. It is similar to a Remote Access VPN, but instead of connecting to an entire network, you connect only to a specific device or server. Note that cloud providers use the term more broadly: in Microsoft Azure, for example, "Point-to-Site" means any individual client connecting to a virtual network, which is what this article calls a Remote Access VPN.

Example: You have a server or NAS (Network-Attached Storage) at home where you store important files, movies, or photo archives. If you want to access this server while away from home, you set up a Point-to-Site VPN. This allows you to connect directly to your home server from anywhere in the world, as if you were sitting at home.

In a business context, the concept is similar.

Summary of Comparison

In summary, we can note that:

  • Site-to-Site VPN connects entire networks (for example, your home and cottage).
  • Remote Access VPN is what most people use to protect their data or bypass restrictions on the Internet.
  • Point-to-Site VPN helps access a specific device (such as a home server) from anywhere.

For everyday use by regular people, the most commonly encountered VPN is the Remote Access VPN, used to hide the user's real IP address and bypass restrictions.

Advantages of Site-to-Site VPN

I would like to highlight the following advantages of Site-to-Site VPN in the context of home networks and #homelabbing:

  1. Access to Home Networks from Any Location
    Allows the integration of multiple home networks (for example, among friends or relatives), providing constant access to all devices from any location.
  2. Protection of Personal Data
    Ensures secure data transmission between remote networks, which is useful for file sharing, backups, or remote device management.
  3. Simplified Resource Sharing
    Combines all home servers, NAS devices, and other resources into one logical network, facilitating resource management and access.
  4. Experimentation with Real Networking Scenarios
    In homelabbing, this allows modeling of corporate networks and practical learning of VPN technologies without the need for commercial solutions.
  5. Scalability
    Easily adds new home nodes or devices to the existing network, which is beneficial for those who constantly experiment with different equipment or new technologies.

Limitations of Site-to-Site VPN

Among the noticeable limitations, we can mention the following:

  1. Complexity of Setup
    For average users, setting up a Site-to-Site VPN can be a complicated process. It requires certain knowledge of networking technologies, router configurations, and VPN tunnels.
  2. Dependence on Internet Connection Stability
    If one of the home networks has an unstable internet connection, the link may frequently drop or perform slowly, negatively impacting access to remote resources.
  3. Limited Data Transfer Speed
    The bandwidth of the VPN is dependent on the internet speed of both endpoints. If the home internet is slow or congested with other users, the data transfer speed through the VPN will also be low.
  4. Equipment Requirements
    Setting up a Site-to-Site VPN requires hardware that supports this function (such as routers or servers). Cheaper or older models may lack this support, or their CPUs may be too weak to encrypt traffic at the speed of the internet link.

I want to clarify separately that a Site-to-Site VPN is not designed for mobile devices or laptops that frequently switch between networks: the tunnel endpoints are fixed gateways, so this approach is inconvenient for accessing resources from variable locations. For that purpose there is Remote Access VPN, as mentioned above.

How to Set Up a Site-to-Site VPN?

When setting up, much depends on the type of Site-to-Site VPN, the protocol, and the devices used. For example, I recommend checking the article from OpenVPN:
https://openvpn.net/as-docs/tutorials/tutorial--site-to-site-network.html

In general, here are the main steps for setting it up:

  1. Assess Requirements: Determine which networks need to be connected (for example, between two homes), make sure the two LANs use different, non-overlapping subnets (two homes both on 192.168.1.0/24 cannot be joined without renumbering one of them), and decide on the VPN protocol (such as IPsec, OpenVPN, or WireGuard).
  2. Select Equipment: Ensure that the routers or VPN servers support Site-to-Site VPN. If using older models, firmware updates may be required. OPNsense and pfSense are good alternatives to expensive routers.
  3. Configure Routers: Log into each router's management panel, enable the VPN feature, and enter the tunnel parameters: the local and remote LAN subnets, the encryption settings, and the authentication material (pre-shared key, certificates, or public keys, depending on the protocol).
  4. Tunnel Configuration: Create the tunnel between the two networks by specifying the external IP address or hostname of the remote router (at least one side needs a publicly reachable address). Add routes so each router sends traffic for the remote LAN into the tunnel, and allow forwarding between the LAN and tunnel interfaces in the firewall.
  5. Test the Connection: Verify from a host inside each LAN, not only from the routers themselves, that a device on the other side answers (first ping, then the actual service). Test both directions, since a route or firewall rule missing on one side shows up only that way.
  6. Monitoring and Maintenance: Regularly check the status of the VPN to catch connectivity problems, or set up a monitoring service to do it for you. Don't forget to update the router firmware and review the security of the settings from time to time.

These steps may vary depending on the hardware and protocols, but the overall structure remains similar.
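The following is an added example, not code from the original article, that walks the steps above for the two-homes scenario using WireGuard. Given two sites, it checks that their LAN subnets do not overlap (step 1), then renders the configuration for both gateways: the tunnel address, the forwarding rules, the peer's public key and the AllowedIPs entries that carry the routes to the remote LAN (steps 3 and 4). The hostnames, subnets and keys are constructed placeholders, the iptables and wg-quick commands assume a Linux gateway, and the /30 transit network is an assumption of this example.

```python
# Added example, not code from the original article: given two home sites,
# check that their LANs do not overlap (the classic site-to-site failure) and
# render the WireGuard configuration for both gateways. Keys, hostnames and
# subnets below are constructed placeholders.
import ipaddress
from dataclasses import dataclass
from typing import Optional

TUNNEL_PREFIX = 30  # assumption: a /30 transit network carries the tunnel


@dataclass(frozen=True)
class Site:
    name: str
    lan: str                  # LAN behind this gateway, e.g. "192.168.10.0/24"
    tunnel_ip: str            # this gateway's address inside the tunnel /30
    public_key: str           # placeholder, not a real WireGuard key
    private_key: str          # placeholder, not a real WireGuard key
    endpoint: Optional[str]   # "host:port" reachable from the internet, None if behind NAT


def lans_overlap(a: Site, b: Site) -> bool:
    """Two sites can only be joined if their LAN prefixes are disjoint;
    otherwise a host cannot tell a local 192.168.1.10 from the remote one."""
    return ipaddress.ip_network(a.lan).overlaps(ipaddress.ip_network(b.lan))


def allowed_ips(remote: Site) -> str:
    """In WireGuard, AllowedIPs is both the routing table and the source
    filter for a peer: list the remote gateway's tunnel address and its LAN."""
    return f"{remote.tunnel_ip}/32, {remote.lan}"


def render(local: Site, remote: Site, listen_port: int = 51820) -> str:
    """wg-quick configuration for `local`, with `remote` as its single peer."""
    if lans_overlap(local, remote):
        raise ValueError(f"LANs overlap: {local.lan} and {remote.lan}")
    if local.endpoint is None and remote.endpoint is None:
        raise ValueError("at least one gateway needs a reachable endpoint")
    lines = [
        f"# {local.name}: site-to-site peer of {remote.name}",
        "[Interface]",
        f"Address = {local.tunnel_ip}/{TUNNEL_PREFIX}",
        f"PrivateKey = {local.private_key}",
        f"ListenPort = {listen_port}",
        # The gateway must route between its LAN and the tunnel; %i is the
        # interface name wg-quick substitutes. Assumes iptables is in use.
        "PostUp = sysctl -w net.ipv4.ip_forward=1; "
        "iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT",
        "PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT",
        "",
        "[Peer]",
        f"# {remote.name}",
        f"PublicKey = {remote.public_key}",
        f"AllowedIPs = {allowed_ips(remote)}",
    ]
    if remote.endpoint is not None:
        lines.append(f"Endpoint = {remote.endpoint}")
    if local.endpoint is None:
        # The NAT-ed side must initiate and keep the NAT mapping alive,
        # otherwise the public side can never reach it.
        lines.append("PersistentKeepalive = 25")
    return "\n".join(lines) + "\n"


def render_pair(a: Site, b: Site) -> dict:
    """Both gateways' configs; each side's AllowedIPs points at the other LAN."""
    return {a.name: render(a, b), b.name: render(b, a)}


# Constructed sample: the city flat has a public address, the summer house
# sits behind the provider's NAT and must initiate the tunnel.
CITY = Site("city", "192.168.10.0/24", "10.255.0.1",
            "<CITY_PUBLIC_KEY>", "<CITY_PRIVATE_KEY>", "city.example.net:51820")
SUMMER = Site("summer-house", "192.168.20.0/24", "10.255.0.2",
              "<SUMMER_PUBLIC_KEY>", "<SUMMER_PRIVATE_KEY>", None)

if __name__ == "__main__":
    for name, cfg in render_pair(CITY, SUMMER).items():
        print(f"--- /etc/wireguard/wg0.conf on {name} ---")
        print(cfg)
```

Each rendered file goes to /etc/wireguard/wg0.conf on its gateway (with real keys from `wg genkey` and `wg pubkey`), after which `wg-quick up wg0` brings the tunnel up. The two LANs also need their default gateway to be the WireGuard host, or a static route for the remote subnet pointing at it; otherwise hosts will not send remote traffic into the tunnel, which is the first thing to check when step 5 fails in one direction only.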

Conclusions

In summary, Site-to-Site VPN is a powerful tool for connecting remote networks, providing secure access to resources and data. It is ideal for organizations with multiple offices as well as for home users who want to integrate their networks. Despite certain limitations, such as the complexity of setup and dependence on the stability of the internet connection, the advantages it offers significantly outweigh the drawbacks.

Proper configuration and regular maintenance of Site-to-Site VPN can ensure a high level of security and reliability. By considering the needs of your network and users, you can choose the optimal type of VPN for your situation.

The choice between Site-to-Site VPN, Remote Access VPN, and Point-to-Site VPN depends on the specifics of your use case, security requirements, and ease of access. In most cases, for reaching a network from a laptop or phone, a Remote Access VPN such as WireGuard in client mode will be sufficient. However, when services or servers in one network must keep a constant connection to resources in another network without human intervention, merging the networks with a Site-to-Site tunnel is the right tool.


By Volodymyr Lavrynovych