Skip to Content
Network and Access

What is a VPN (virtual private network)?

A VPN (virtual private network) creates an encrypted tunnel between an employee's device and the company network, so they can reach internal systems securely from anywhere, without exposing that traffic on the open internet. For decades it was the standard way to work remotely. Today the model is questioned, because once connected, the user usually reaches the whole network, not just what they need.

Zamak TechnologiesUpdated on July 11, 2026

How a VPN works

A VPN does not make the internet faster or make the user disappear; it creates a closed path where traffic travels encrypted, end to end, between the device and the network. Anyone in the middle sees scrambled traffic, not the data. The delicate part is not the tunnel itself, it is what it opens up once the connection is made.

1

Authenticates the user

Before opening the tunnel, the VPN confirms who is asking for access. If that check is only a password, a stolen credential is enough to get in.

2

Establishes the encrypted tunnel

The client and the gateway negotiate keys and raise an encrypted channel, usually with the IPsec protocol. From there, the traffic travels protected across the public internet.

3

Places the device inside the network

The VPN assigns the device an internal address, as if it were physically in the office. This is where the risk lives: 'inside the network' usually means broad access.

4

Routes the traffic through the tunnel

What the user reaches travels through the encrypted channel to the company's resources and back. The tunnel protects the path, but does not, on its own, decide what the user can or cannot reach.

Source: N-able Cyber Encyclopedia (VPN gateway, encrypted tunnel, the IPsec protocol, and the pairing with multi-factor authentication).

Signs your VPN has become a risk

  • Whoever connects sees the whole network. Without splitting access by application, a single compromised account opens everything at once.
  • The VPN asks only for a password, with no second factor. This is the scenario where a stolen credential, today the number-one way in, becomes full access.
  • The concentrator or gateway is behind on firmware. Edge devices and VPNs have become the preferred target, and most stay behind on patching.
  • Vendors and third parties use the same VPN as employees. A compromised partner comes in through the same broad door, with no limit on what they reach.

The types of VPN

  • Remote-access VPN Connects an employee's device to the company network from anywhere. It is the most common corporate use, and the one that concentrates risk when it grants access that is too broad.
  • Site-to-site VPN Connects two entire networks, such as headquarters and a branch, through a permanent tunnel. Useful for joining offices, but it widens what one side can reach on the other.
  • Browser (SSL) VPN Gives access to specific applications through the browser, with no client to install. Simpler for the user, still dependent on strong authentication so it does not become an open door.
  • Personal or consumer VPN Serves privacy and masks an individual's connection on the internet. It is not the same thing as a corporate VPN, and it does not replace a company's defenses.

Why the VPN became attackers' way in

8x
was the rise in exploitation of edge and VPN devices, from 3% to 22% of vulnerability-based breaches (Verizon DBIR 2025)
22%
of breaches start with a stolen credential, the number-one way in (Verizon DBIR 2025)
70%
of new remote access would move to zero trust (ZTNA) by 2025, up from under 10% in 2021 (Gartner projection)

The VPN was designed for a world in which few people reached the network from outside, now and then. That world is gone, and the model showed its fragility. Exploitation of edge devices and VPN gateways jumped from 3% to 22% of vulnerability-based breaches in a single year, roughly an eightfold rise (Verizon DBIR 2025), and most of those flaws went without a full fix. At the same time, the stolen credential is the number-one way in (22% of breaches, Verizon DBIR 2025): on a VPN that grants broad access, a leaked password does not open one application, it opens the whole network. That is why the market is moving: in Gartner's projection, by 2025 more than 70% of new remote access would use a zero-trust model (ZTNA) instead of a VPN, up from less than 10% in 2021. Meanwhile, a data breach still costs, on average, $ 4.44 million (IBM 2025).

How to use a VPN safely (and when to move on)

A VPN is not insecure by nature; it becomes a risk when it is used the way it was decades ago. A few practices cut the exposure, and one of them is knowing when to change models:

  1. Require a second factor, alwaysA VPN protected only by a password is one stolen credential away from disaster. Multi-factor authentication is the minimum, not the optional add-on.
  2. Keep the gateway patchedThe VPN concentrator is now one of the most exploited targets. Current firmware stopped being hygiene and became the front line.
  3. Limit what the VPN reachesApply least privilege and segment: remote access should not open the whole network, only the resources that person needs.
  4. Separate third-party accessVendors and partners should not come in through the same broad door as employees. Dedicated, restricted access contains the damage of a compromised partner.
  5. Evaluate zero-trust accessWhere broad access is the problem, the zero-trust model (ZTNA) grants application by application, not the whole network, and reverifies with every access. It is the direction the market is heading.

In practice

If a single employee's VPN password leaked today, what would the attacker reach with it? If the answer is 'almost everything,' the problem is not the password, it is the broad access the VPN grants.

How Zamak handles remote access

Zamak Technologies designs remote access on the zero-trust principle: verified identity, checked device, and access granted per application, with strong authentication, so a stolen credential does not open the whole network, alongside your team. A good starting point is the cybersecurity assessment, which shows where access is still too broad. It is part of Cybersecurity in the Zamak Method.

Frequently asked questions about VPNs

Is a VPN secure?
A VPN's tunnel protects the traffic on the way well. The risk is not in the encryption, it is in what the VPN opens up afterward: broad network access, often with only a password and a gateway behind on patching. Used with strong authentication, least privilege, and patching, a VPN is reasonable; used the way it was ten years ago, it is one of the most exploited doors.
What is the difference between a VPN and ZTNA?
A VPN, once connected, usually grants access to the whole network; ZTNA (zero-trust network access) grants one application at a time and reverifies with every access. On a VPN, a stolen account roams the network; with ZTNA, it stays confined to a single resource. That is why ZTNA is replacing the VPN for remote access.
Does a VPN hide my browsing?
A personal VPN masks an individual's connection on the internet, but that is different from a corporate VPN, whose purpose is to give secure remote access to company systems. For the business, a VPN is not an anonymity tool, it is an access channel, and it needs to be treated as one.
Do I need multi-factor authentication on the VPN?
Yes, without exception. Since the stolen credential is the number-one way in, a VPN protected only by a password is far too fragile. The second factor is what stops a leaked password, on its own, from granting network access.
Are a business VPN and a consumer VPN the same thing?
No. A corporate VPN connects employees to company systems with control and policy; a consumer VPN serves one person's privacy and masks their connection. Confusing the two leads to wrong decisions: the consumer kind does not protect the company network.
Should I replace my VPN with ZTNA?
It depends on the problem you have. If the pain is broad access, outdated firmware, and a single password, the zero-trust model fixes it at the root, granting per application. The migration can be phased, without switching off the VPN overnight; what matters is the direction.