Site-to-site vs client VPNs

Topic: Networking basics

Summary

Site-to-site VPNs connect two networks (e.g. office to cloud); client VPNs connect a single device to a network (e.g. laptop to corporate LAN). Choose site-to-site for always-on network links and client for remote users. Use this when designing or choosing VPN topology. Conceptual only; no vendor config.

Intent: Decision

Quick answer

  • Site-to-site: gateway-to-gateway tunnel; two networks appear as one; traffic between sites is encrypted and routed over the tunnel. Use for office-to-office, office-to-cloud, or branch connectivity.
  • Client VPN: one endpoint is a user device (laptop, phone); the device gets an address on the remote network and can reach internal resources. Use for remote access by individuals; each user typically has credentials or a config.
  • Hybrid: some setups use both (e.g. site-to-site for DC-to-cloud, client VPN for teleworkers). Choose based on who connects (networks vs users) and whether you need always-on links or on-demand access.

Prerequisites

Steps

  1. Site-to-site model

    Two gateways (routers, firewalls, or VPN appliances) establish a tunnel. Hosts on network A can reach hosts on network B as if on the same LAN; routing and possibly NAT are configured so traffic goes through the tunnel. The tunnel may be always-on or brought up on demand, depending on the product.

  2. Client VPN model

    One endpoint is a gateway (office or cloud); the other is software on a user device. The device gets an IP on the remote network (or a dedicated VPN subnet) and can reach internal services. The user authenticates (and often receives a configuration profile) to join.

  3. Choose by use case

    Need to link two networks (e.g. DC and VPC)? Use site-to-site. Need to give remote users access to internal apps? Use client VPN. Need both? Deploy both; ensure routing and firewall rules do not conflict.

Verification

You can describe the difference between site-to-site and client VPN and when to use each.

Troubleshooting

Traffic not reaching the other site — Check routing on both gateways and any firewall rules that allow or deny traffic between the VPN subnets.

Client cannot reach internal hosts — Check that the client is assigned an IP and that the internal firewall allows that subnet; if only some destinations work, check whether the client is split-tunnelling (only selected prefixes are routed through the VPN) or full-tunnel (all traffic goes through the VPN), and that the prefixes the client needs are actually pushed to it.
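The "deploy both and make sure routing does not conflict" advice in step 3, and the two troubleshooting entries above, come down to address planning: no two prefixes on either side of the tunnel (or in the client pool) may overlap, every gateway needs a route for the far side plus a return route for the client pool, and a split-tunnel client must be pushed every internal prefix. The following is an added example, not part of the original article or any vendor's tooling; the site prefixes and client pool are constructed sample values for a hybrid office-to-cloud design.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample topology (assumed for this example): office <-> cloud VPC
# site-to-site link, plus a client VPN pool terminating on the office gateway.
SITES: Dict[str, List[str]] = {
    "office": ["10.10.0.0/16"],
    "cloud-vpc": ["10.20.0.0/16", "10.21.0.0/24"],
}
CLIENT_POOL = "10.99.0.0/24"


def find_overlaps(sites: Dict[str, List[str]], client_pool: str) -> List[Tuple[str, str, str, str]]:
    """Return (name_a, net_a, name_b, net_b) for every pair of prefixes that overlap.

    Overlapping space between sites, or between a site and the client pool, is a
    common cause of "traffic not reaching the other side": the gateway prefers
    its local route and never sends the packet into the tunnel.
    """
    labelled = [(n, ipaddress.ip_network(p)) for n, nets in sites.items() for p in nets]
    labelled.append(("client-pool", ipaddress.ip_network(client_pool)))
    overlaps = []
    for i, (na, a) in enumerate(labelled):
        for nb, b in labelled[i + 1:]:
            if a.overlaps(b):
                overlaps.append((na, str(a), nb, str(b)))
    return overlaps


def tunnel_routes(sites: Dict[str, List[str]], client_pool: str, client_gateway: str) -> Dict[str, List[str]]:
    """Prefixes each gateway must route into the tunnel.

    Each site needs the other sites' prefixes. Sites that do not terminate the
    client VPN also need a route for the client pool, or replies to remote
    users have no return path.
    """
    routes: Dict[str, List[str]] = {}
    for name in sites:
        needed = [p for other, ps in sites.items() if other != name for p in ps]
        if name != client_gateway:
            needed.append(client_pool)  # return path for client-VPN users
        routes[name] = sorted(needed, key=ipaddress.ip_network)
    return routes


def split_tunnel_routes(sites: Dict[str, List[str]]) -> List[str]:
    """Prefixes a split-tunnel client must be pushed to reach every site; a
    missing far-site prefix is why only some internal destinations work."""
    return sorted((p for nets in sites.values() for p in nets), key=ipaddress.ip_network)
```

Run `find_overlaps` before the design is signed off; an empty result is the precondition for the route lists from the other two functions to be meaningful.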
