How to Configure a Business VPN: A Setup Guide for Your Business

A virtual private network (VPN) protects your internet connection and your privacy while you are online. Many see configuring a business VPN as an essential layer of cybersecurity protection for employees or persons who are traveling or are otherwise connecting to the Internet via public Wi-Fi or other types of Internet connection.

VPN for Business: what is it and why do you need it

VPN for Business refers to an enterprise-level VPN as opposed to VPNs that target and cater to individuals. Typically, business VPNs offer additional features such as added security and role-based or other types of user authorizations to grant access to company data.

Examples of VPNs for Business include, but are not limited to, Perimeter 81, Fortinet, AWS ProtonVPN, NordLayer, NordVPN, TunnelBear, and Surfshark.

Understanding VPNs

VPNs achieve user anonymity and privacy by creating a point-to-point tunnel that encrypts your data and hides your IP address. This can make your device appear to be in an entirely different country than where you or your employees actually are.

While typically VPNs are used for legitimate purposes, some use it to trick services to respond to a user that resides somewhere the service isn’t available. Companies should develop policies to instruct and enforce employees on proper VPN use.

How do VPNs Work?

A VPN works by routing your phone or laptop data through the VPN instead of through the Internet Service Provider (ISP). Your data and actions cannot be tracked because everything is encrypted, and your IP address remains hidden.

A VPN even hides your activity online, aka your browsing history, from the internet service provider (ISP), websites, online snoopers, and governments. VPNs are typically used by employees or companies working in countries known to harvest data from  users on the Internet, or to aggressively seek connections to pilfer or spy on foreign corporate or government interests.

Credit: NicoElNino / Alamy Stock Photo)

Why Your Business Needs a VPN

Many companies of all sizes use VPNs to secure access to company data by employees working remotely or from home.

"As employees continue working from home, CIOs, CISOs, and CTOs of distributed workforces have a requirement to protect their business from cybersecurity threats," said Subbu Sthanu, Chief Commercial Officer at IPVanish VPN.

But companies also need to protect employees in branch offices, satellite operations, and regional locations to prevent data breaches and other types of attacks.

Enhancing Security

Companies have a lot to protect from their databases to intellectual property and R&D departments, and even key executives while traveling to problematic countries. VPNs are an essential layer of protection for all of these cases, and more.

As a result, some countries are pushing back by banning VPNs so they can gain access to information to private information on their own citizens and visitors and data that companies need and work hard to protect. For example, a recent vpnMentor report found that “Russia's Roskomnadzor -- Russian media and internet regulator -- has announced a total ban on VPN services effective since March 1st, in Russia and occupied territories of Ukraine. This measure could significantly impact free speech and access to information for individuals attempting to circumvent the already existing censorship.”

But that’s far from the only example. A recent Surfshark report found that “Since February 18th, 2023, Surfshark has witnessed an increase in VPN usage in Pakistan. Daily new user acquisition rates have grown three to four times compared to the previous month, indicating a growing reliance on these services for internet access and privacy. However, due to the restrictions on VPNs imposed by the Pakistani government, difficulties may occur when connecting to the circumvention tools.”

Government officials and corporate VIPs traveling to such troubling areas can be more easily spied on in countries with measures that enable censorship of their citizens.

Surfshark’s Internet Shutdown Tracker shows Pakistan implementing five internet restrictions in early 2024 alone. The company says three restrictions happened in February and were election-related. The other two happened a month earlier, in January, during virtual events organized by the opposition. This is a dramatic rise over previous years. There were four internet restrictions in 2023 and three in 2022 in Pakistan.

As much as many businesses would love to avoid any appearance of conflict with any government anywhere, the fact remains that company VIPs and employees must be protected while traveling in or near problematic countries.

VPNs can be of great help. However, they are not all made alike. Reports of various VPNs being “broken” by some countries and restricted by several-- like China, Russia, and Pakistan-- are continuing to grow.

For example, NordVPN reports that “the Chinese government has banned the use of VPNs not approved by the government: VPNs must provide the government backdoor access to be approved, which renders them unsecure.”

So, does that mean that no VPN works in China, not even those used by foreign visitors?

NordVPN warns that’s a risky action: “Right now, it looks like you can use VPN software while you’re visiting the country. However, that doesn’t mean you won’t run into any trouble if you have one. During random phone searches, the police may ask visitors to delete VPN apps on their phones. Some people entering the northwestern Xinjiang region have reported that authorities have installed surveillance apps on their phones.”

But even if none of your organization’s executives or employees are traveling to or working in problematic countries, VPNs are needed to protect them at home and in friendlier countries as well. Hackers, attackers, and evildoers are everywhere!

Ensuring Remote Access

VPNs ensure secure connections to company data and apps for remote workers, at-home workers, employees participating in bring-your-own-device (BYOD) programs, and other scenarios through the use of data encryption, user activity and IP cloaking, and user authentication processes.

Company employees sometimes want to access streaming services and TV networks in their own language while traveling. Some shows are subject to censorship in some countries, too. VPNs can provide remote access to solve each of these challenges.

“Look for VPN services that offer you multiple simultaneous connections, excellent streaming performance, scalable and geographically diverse connectivity options, and strong security. Ideally, these services will offer you activity logs, but this is surprisingly rare. Another important feature for these VPN services is the “Kill Switch” that automatically blocks your traffic if your VPN or internet connection suddenly drops, protecting your originating source IP address from exposure,” said Dave Shackleford, IANS Faculty and Founder & Principal Consultant with Voodoo Security at IANS Research.

(Credit: Panther Media GmbH / Alamy Stock Photo)

Steps to Setting Up a Business VPN

Given the importance of a business VPN, implementing one is essential. The issue, then, is how to set up a VPN. Here are the steps to follow:

Step 1: Initial Preparation and Component Line-Up

First, determine whether you want to set up a remote access or site-to-site VPN. The first allows workers to connect anywhere. The latter is designed to connect multiple networks like corporate and branch offices or retail stores.

This step helps you plan what type of VPN you need and what components you’ll need as well.

Step 2: Network Preparation and VPN Protocol Setup

“The first step in determining the proper architecture for your business system is to establish the necessary security requirements. Both point-to-point VPNs and Cloud-hosted VPNs should be considered, and businesses need to decide if they will host the security platform on-premises or in the cloud. Once these items have been decided, the last step would be ensuring authentication,” said Sthanu.

Step 3: Download and Install VPN Clients

Typically, admin or the user will need to download and install the VPN client from the vendor website. Usually this is not a difficult process, and prompts guide the way.

Some companies opt to preinstall the VPN clients on corporate-owned laptops and desktops.

Step 4: Selecting and Installing VPN Protocols

Typically, the admin or the user goes to settings on the device or settings within a VPN app to select and install the appropriate VPN protocol.

In general, choose VPN protocols that fit your needs. For example, OpenVPN is good for general privacy whereas WireGuard is well suited for speed and security. IKEv2/IPSec is strong in making quick mobile connections. L2TP/IPSec is ideal for manual configurations.

Step 5: Testing and Troubleshooting

The most common way that VPNs are tested is on the user's device. Either IT support is on the phone or online at the time or readily available to troubleshoot if the user encounters any problems with VPN setup or use.

Usually, companies use layers of security and occasionally one layer will cause a conflict with VPN use. This potential problem should be detected and addressed before a VP is rolled out companywide.

(Credit: stanciuc / Alamy Stock Photo)

Best Practices, Tips, and Considerations

It's important to consider VPNs for their security protections but also as security risks themselves.

“When using WireGuard or OpenVPN, it's possible to use a username/password or a certificate as an authentication method. However, these typically will not have two-factor authentication (2FA). If you do not also use ZTNA, then once logged in, there would be no limit to what someone could access if credentials were stolen,” said Sthanu.

“Alternatively, it’s possible to use a service like Okta or OneLogin as an identity and authentication management platform. When using Okta or OneLogin combined with a VPN solution, a business can enforce strict login requirements, such as automatic sign-off periods and enforcing 2FA. This, of course, comes with a per-seat cost, raising the incremental cost for the business,” Sthanu added.

Effective Administration & Choosing the Right VPN Type

Understand the differences between point-to-point and cloud-based VPNs so you can make the right choices for your organization.

“The most common business use case is establishing a point-to-point Virtual Private Network between an on-premises server or a cloud-hosted server. When connected to this VPN, an employee’s connection is fully encrypted, their IP address is changed to the VPN IP address, and they can access resources hosted within the VPN. A VPN can be compared to a house – once you’ve gone through the front door, you have access to everything within the home,” said Sthanu.

By comparison, cloud-based VPNs give you more options and better control.

“In this use case, the purpose of the VPN is to protect and hide communications on the local network where the client resides, similar to a consumer-grade VPN. However, for business use, pre-defined restricted tunnels are defined between that cloud VPN endpoint and resources within the business environment. These can be open access once on the VPN, which acts like the P2P VPN above, or they can have restrictions based on the users who are connecting to the VPN, at which point they are similar to ZTNA,” Sthanu added.

Evaluation of VPN Hosting Options

On-premises is an option for some organizations although it involves more cost and effort. It’s typically done via SonicWall or a similar appliance and hosted in a local data center. Most organizations prefer to use a cloud provider that hosts a VPN such as AWS or Google Cloud.

“When using a third-party VPN provider, typically, the provider charges on a per-seat or usage basis. This means the more employees use the service and the more demand they put on it, the greater your cost will be. However, the applications and support may be provided in the charge, as is all equipment and equipment maintenance,” said Sthanu.