Point-to-Site VPN: How Does It Work and Is It Right for You?

Updated on Oct 21, 2025 by Ahmed Khaled

A point-to-site VPN gives you secure remote access to company resources without dedicated hardware on the user's side. But it isn't the right solution for everything: it connects individuals, not offices, so a company that needs to link multiple sites, or give a whole location always-on access, needs a different design.

To help you make the right decision, this article explains what a point-to-site VPN is, how it works, and the best practices to secure your remote access connection, whether through on-premises environments like a corporate data center or a cloud platform like Azure.

What Is a Point-to-Site VPN?

A point-to-site (P2S) VPN lets you connect a single device, whether a laptop, desktop PC, or phone, to a private network over the public internet through an encrypted tunnel. The encryption makes the traffic between your device and the network unreadable, and unmodifiable, to anyone sitting in the path, such as the operator of a hotel Wi-Fi network, so intercepting the connection reveals nothing useful.

It allows you to securely reach internal files, apps, or databases from anywhere without exposing them to the public internet. Because it’s internet-based, the connection can be made from virtually anywhere, whether at home, on the road, or halfway across the globe.

How Does a Point-to-Site VPN Work?

A point-to-site VPN works by creating an encrypted tunnel over the public internet between your device and the VPN gateway that sits in front of the private network. Each user connects individually, rather than through a shared office gateway (the main entry point for an office network), as with site-to-site VPNs. To set this up, you run a VPN client on your device, which handles the authentication and tunnel setup.

Here’s an overview of a typical process:

  1. Connection initiation: You open your VPN client, select your profile, and click connect.
  2. Authentication: The gateway verifies who (and what) is connecting. Depending on how it was set up, that is a username and password, a client certificate issued to the device, a sign-in through your company's identity provider with multi-factor authentication, or a combination of these.
  3. Tunnel creation: Your client and the VPN gateway agree on session keys and open an encrypted tunnel; from then on, everything sent through it is encrypted and integrity-checked.
  4. Private IP assignment: The gateway hands your device an address from the client address pool, a private range reserved for VPN users, so systems inside the network can route replies back to you.
  5. Network settings: Your device receives DNS settings (so that internal names such as intranet.company resolve through the company's resolver) and routes. In a split-tunnel setup, only traffic for internal address ranges goes through the VPN and everything else uses your regular internet connection; in a full-tunnel setup, all traffic goes through the VPN and is subject to the company's filtering.

That’s it! You can now work with files, apps, and databases inside the private network as if you were physically connected. Because you control when the tunnel starts and ends, you can connect or disconnect without affecting anyone else on the network.
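To make step 5 concrete, here is a small route and resolver selector that reproduces what the client does with the pushed settings. It is an added illustration, not code from the original article or from any VPN client; the address ranges, interface names and DNS server addresses are assumptions for the example. It covers both the split-tunnel case (only internal ranges via the VPN) and the full-tunnel case (the gateway pushes a 0.0.0.0/0 route of its own).

```python
import ipaddress


def build_routing_table(vpn_routes, tunnel_if="tun0", default_if="eth0"):
    """Build the client's route table from the routes the gateway pushed.

    vpn_routes : prefixes the gateway says are reachable through the tunnel
    returns    : [(network, interface)], most specific prefix first
    """
    table = [(ipaddress.ip_network(r), tunnel_if) for r in vpn_routes]
    # The device keeps its normal default route for everything else.
    table.append((ipaddress.ip_network("0.0.0.0/0"), default_if))
    # Longest-prefix match. sorted() is stable, so when the gateway pushes its
    # own 0.0.0.0/0 (full tunnel) it stays ahead of the local default route.
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def interface_for(table, destination):
    """Return the interface a packet to `destination` leaves on."""
    addr = ipaddress.ip_address(destination)
    for net, iface in table:
        if addr in net:
            return iface
    raise ValueError(f"no route to {destination}")  # cannot happen with a default route


def resolver_for(hostname, internal_suffixes, vpn_dns, local_dns):
    """Send lookups for internal names to the VPN resolver, everything else locally.

    Matching on a label boundary (not a substring) is what stops
    'company.internal.evil.example' from being treated as internal.
    """
    name = hostname.rstrip(".").lower()
    for suffix in internal_suffixes:
        suffix = suffix.lower()
        if name == suffix or name.endswith("." + suffix):
            return vpn_dns
    return local_dns


if __name__ == "__main__":
    # Constructed sample values; every range and address here is an assumption.
    split = build_routing_table(["10.10.0.0/16", "10.20.0.0/16"])
    full = build_routing_table(["0.0.0.0/0"])
    print("split tunnel, intranet host:", interface_for(split, "10.10.4.25"))      # tun0
    print("split tunnel, public site  :", interface_for(split, "198.51.100.20"))   # eth0
    print("full tunnel,  public site  :", interface_for(full, "198.51.100.20"))    # tun0
    print("internal lookup goes to    :", resolver_for("intranet.company.internal",
                                                       ["company.internal"],
                                                       "10.10.0.4", "192.168.1.1"))
```

The resolver rule is the part people forget: if internal names are allowed to fall through to the public resolver, a split-tunnel client leaks the names of your internal systems to whatever DNS server the coffee-shop network hands out.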

When Do You Need a Point-to-Site VPN?

A point-to-site VPN is most useful when you need secure, individual access to a private network without building a permanent site-to-site tunnel. It’s a good fit for:

  • Employees working from home or on the go: A P2S VPN lets staff securely access company systems, files, or apps while traveling or working from home.
  • Contractors or partners who need temporary access: Instead of opening firewall rules or exposing services, you can give authorized third parties a controlled VPN connection that can be revoked at any time.
  • IT administrators and developers: P2S VPNs are a safe way for admins to connect to servers in a private cloud or for developers to reach test environments without exposing them publicly.
  • Cloud access without dedicated hardware: Azure VPN Gateway's point-to-site mode and AWS Client VPN give individuals secure connectivity to a cloud network without requiring an office router or firewall on their side.

💡 Note for Remote Workers

If you need a VPN for general remote security (and not to connect to a private network), like protecting your data on public Wi-Fi or keeping your browsing private, a standard VPN service like Private Internet Access is a great fit. It's easy to set up and uses strong encryption to protect all your internet traffic. PIA even allows unlimited connections, so you can use it on your laptop, desktop PC, phone, and tablet at the same time.

Pros and Cons of Point-to-Site VPNs

Point-to-Site VPN Pros

✅ Easy to set up: You don’t need special hardware. IT departments can configure a VPN gateway in the cloud or on-premises, and you just connect with the client settings they share.
✅ Good for individuals: A P2S VPN is built to connect single devices, making it simple for remote staff, contractors, or admins to get secure access without extra hardware.
✅ Flexible access: You can connect from anywhere with an internet connection, whether you’re at home, traveling, or on a mobile hotspot.
✅ Granular control: Access can be limited to certain apps or networks, and revoked anytime if someone leaves the project.
✅ Cloud-friendly: Works smoothly with platforms like Azure or AWS, without needing an office router or firewall on your side.

Point-to-Site VPNs Cons

⚠️ Scales per user, not per site: Every user is a separate tunnel and a separate identity to manage, and each gateway tier has a hard cap on concurrent connections. It is the wrong tool for linking whole offices or giving every device at a site access; that is what site-to-site VPNs are for.
⚠️ Admin overhead: Each user has to be onboarded, issued credentials or certificates, given the right routes, and offboarded individually, which adds up for IT teams.
⚠️ Performance limits: All the tunnels terminate on the same gateway, so aggregate throughput is bounded by the gateway tier, and a few heavy users or many simultaneous connections can slow everyone down.
⚠️ User-dependent: The tunnel only exists while the user starts it, and client misconfiguration or forgotten connections show up as support tickets.
⚠️ Limited scope: P2S connects individuals to a network, not networks to each other.

How to Configure a Point-to-Site VPN

Things to consider before using a point-to-site VPN

  • Connection limits: Each gateway tier allows a certain number of concurrent connections. Size it for your peak user count so connections don't start failing.
  • Protocol support: Some protocols only work on certain operating systems. Choose a VPN protocol for your P2S VPN that matches the devices people use to connect.

Whether you’re using Azure, AWS, or your own on-premises environment, the setup usually follows the same flow: build the network, configure the gateway, set up authentication, and install the client. Most of this is handled by IT teams, so don’t worry if these steps sound technical. Here’s the general process:

1. Create the Network Environment

You start by creating the private network that remote devices will join.

  • In Azure, this means setting up a Virtual Network (VNet) with a dedicated subnet (a section of a network with its own address range) for the gateway. It must be named exactly GatewaySubnet, and Microsoft recommends /27 or larger so the gateway has room for future features.
  • In AWS, you create (or reuse) a Virtual Private Cloud (VPC) and choose the subnets the Client VPN endpoint will be associated with; each association gives clients a path into that VPC. The endpoint itself is created in the next step.

💡Tip: Plan your IP ranges early. The client address pool must not overlap your VNet or VPC, your on-premises ranges, or anything else the tunnel routes to, and AWS additionally requires the client CIDR to be between /12 and /22. Overlaps cause routing conflicts that are painful to fix once clients are in use.
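A pre-deployment check for the tip above, added here as an example; it is not part of the original article or of either platform's tooling. It encodes the overlap rule plus two platform constraints (the AWS client CIDR must be between /12 and /22; the Azure GatewaySubnet should be /27 or larger and must sit inside the VNet). The headroom rule of twice the expected user count is this example's own rule of thumb, not a platform quota, and every range in the sample plans is made up.

```python
import ipaddress


def check_address_plan(client_pool, routed, platform="azure",
                       gateway_subnet=None, expected_users=0):
    """Return a list of findings; an empty list means the plan passed.

    client_pool    : CIDR the gateway hands out to VPN clients
    routed         : {name: CIDR} for every range reachable through the tunnel
                     (VNet/VPC address space, on-prem networks, peered networks)
    platform       : "azure" or "aws"; selects the platform-specific size rules
    gateway_subnet : Azure only, the GatewaySubnet CIDR
    expected_users : peak concurrent clients, used to size the pool
    """
    findings = []
    pool = ipaddress.ip_network(client_pool, strict=False)
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in routed.items()}

    # 1. The client pool must not overlap anything the clients will route to;
    #    otherwise the client cannot tell "through the tunnel" from "local".
    for name, net in nets.items():
        if pool.version == net.version and pool.overlaps(net):
            findings.append(f"client pool {pool} overlaps {name} {net}")

    # 2. Routed ranges must not overlap each other either, or the routes
    #    pushed to split-tunnel clients become ambiguous.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].version == nets[b].version and nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    # 3. Platform rules.
    if platform == "aws":
        # AWS Client VPN requires the client CIDR to be between /12 and /22.
        if not 12 <= pool.prefixlen <= 22:
            findings.append(f"AWS client CIDR {pool} must be between /12 and /22")
    elif platform == "azure":
        if gateway_subnet is None:
            findings.append("Azure plan is missing a GatewaySubnet")
        else:
            gw = ipaddress.ip_network(gateway_subnet, strict=False)
            # Microsoft recommends /27 or larger for the GatewaySubnet.
            if gw.prefixlen > 27:
                findings.append(f"GatewaySubnet {gw} is smaller than the recommended /27")
            # It has to live inside one of the VNet address spaces.
            if not any(gw.version == n.version and gw.subnet_of(n) for n in nets.values()):
                findings.append(f"GatewaySubnet {gw} is not inside any routed VNet range")

    # 4. Sizing, using this example's own rule of thumb (an assumption, not a
    #    platform quota): keep at least twice as many addresses as peak users,
    #    because gateways reserve some addresses and leases linger after disconnects.
    if expected_users and pool.num_addresses < 2 * expected_users:
        findings.append(f"client pool {pool} has only {pool.num_addresses} addresses "
                        f"for {expected_users} peak users")
    return findings


if __name__ == "__main__":
    # Constructed sample plans; all ranges are illustrative.
    good = check_address_plan("172.16.0.0/22",
                              {"vnet": "10.10.0.0/16", "onprem": "10.20.0.0/16"},
                              platform="azure", gateway_subnet="10.10.255.0/27",
                              expected_users=200)
    bad = check_address_plan("10.10.8.0/24",
                             {"vpc": "10.10.0.0/16", "onprem": "10.10.0.0/24"},
                             platform="aws", expected_users=200)
    print("good plan:", good or "no findings")
    for finding in bad:
        print("bad plan:", finding)
```

Run it against the plan before anyone creates a gateway; the second sample trips every rule at once, which is roughly what an unplanned "just use 10.x" rollout looks like in practice.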

2. Deploy the VPN Gateway

A VPN gateway in the cloud is the entry point for all point-to-site connections. In Azure it's a virtual network gateway of type VPN with a VpnGw SKU (route-based, which P2S requires); in AWS it's a Client VPN endpoint, a managed service with no instance for you to run. The size or tier you choose decides how many users can connect at once and how much traffic it can handle.

💡Tip: Gateways have connection limits. Azure's VpnGw1 gateway supports 250 concurrent P2S connections over IKEv2 or OpenVPN (larger SKUs raise this into the thousands), while SSTP is capped at 128 connections on every SKU. An AWS Client VPN endpoint supports 7,000 concurrent connections with one associated subnet, rising to roughly 126,500 with five subnet associations. Pick a tier that matches your peak user count to avoid slowdowns or failed sessions.

3. Configure the Gateway for Point-to-Site

Once the gateway is in place, you enable P2S connectivity by assigning an address pool (the IP range given to VPN clients) and choosing how clients may connect. In Azure that means selecting the tunnel types to allow (IKEv2, OpenVPN, SSTP, or a combination). AWS Client VPN is OpenVPN-based, so there the choice is the transport (UDP or TCP) and the port (443 or 1194) rather than the protocol.

💡Tip: Performance depends on your setup. Throughput varies with the chosen protocol, internet bandwidth, and gateway tier. Azure scales performance by the VPN gateway SKU (tier), while AWS Client VPN scales performance by the number of associated subnets on the endpoint.

4. Set up Authentication

Authentication means verifying who’s trying to connect before giving them access to the network.

Azure supports certificate authentication (you upload a root certificate, and each client presents a certificate issued from it), RADIUS servers (systems that check credentials against a central directory, and a common way to add MFA), and Microsoft Entra ID (Microsoft's cloud-based directory that manages employee accounts and permissions). AWS supports mutual certificate authentication, Active Directory (a company database that stores user accounts) through AWS Directory Service, and SAML federation with an identity provider, and the certificate method can be combined with one of the user-based methods. This step ensures only authorized users and devices can connect.

💡Tip: Some authentication methods require extra infrastructure, for example, installing a RADIUS server or linking your company’s directory. Make sure you have the right identity system in place before rolling out.

5. Generate the Client Configuration

The VPN gateway produces a configuration file or installer that contains the connection details. In Azure, you download a VPN client profile configuration package with profiles for the Azure VPN Client, the native Windows and macOS clients, and OpenVPN; for certificate authentication, the client certificate is installed on each device separately. In AWS, you export the endpoint's OpenVPN configuration file and, for mutual authentication, add the client certificate and key to it.

💡Tip: Protocol support differs by OS. For example, SSTP is Windows-only, while OpenVPN works across Windows, macOS, Linux, iOS, and Android. Pick a protocol that matches your user base.

6. Distribute and Install the Client

Provide the client package or configuration to end users through a channel you trust, such as a device-management tool or an internal portal rather than e-mail: an OpenVPN profile with mutual authentication embeds the device's private key, and any profile tells an attacker exactly where your gateway is. Each device must have the software installed and properly configured before connecting.

7. Connect and Test

Test that routing works: check that users can reach the apps, file shares, and databases they're entitled to, that internal hostnames resolve through the tunnel, and that anything outside the allowed routes is not reachable. Then test the negative path too: a revoked certificate or a disabled account should be refused at connect time, not discovered later.

Best VPN Protocols for a Point-to-Site VPN

Point-to-site VPNs can run over several protocols that define how the secure tunnel is established and which devices or operating systems it will work with. Each has its own strengths and trade-offs.

OpenVPN (TLS)

OpenVPN gives you strong encryption and flexibility. By default it uses UDP port 1194, but it can also run over TCP port 443, which is how cloud gateways such as Azure P2S and AWS Client VPN offer it. Because that is the port HTTPS uses, it gets through networks that only allow web traffic. Note what that does and doesn't buy you: it defeats port-based filtering, but deep packet inspection can still recognize the OpenVPN handshake, so it is not invisible on a network that looks for it.

This makes it ideal if your P2S users travel or work on networks with strict controls like those at airports, hotels, or offices. Since it works on Windows, macOS, Linux, iOS, and Android, it’s also the most universal option.

The trade-off is somewhat lower throughput: OpenVPN runs in user space rather than in the kernel, and when it is carried over TCP the tunnel pays TCP-in-TCP overhead. The cipher strength is not the cause; IKEv2/IPsec uses comparable algorithms. For mixed-device environments, though, OpenVPN is often the most practical option.

IKEv2/IPsec

This protocol pair combines IKEv2, which handles authentication and key exchange and (thanks to MOBIKE) reconnects quickly when you switch from Wi-Fi to mobile data, with IPsec, which carries the encrypted traffic itself. Together they make fast, stable, and secure connections, which is great for people who move between networks or use mobile devices often. Clients are built into Windows, macOS, and iOS, and Linux uses strongSwan. The catch is the ports: IKEv2 uses UDP 500 and 4500 (the latter for NAT traversal), so a firewall that only allows web ports blocks it, and the traffic is readily identifiable as a VPN rather than HTTPS.

SSTP

SSTP, or Secure Socket Tunneling Protocol, is a Microsoft protocol built into Windows, making it simple to roll out in Windows-only environments. It runs over TCP port 443, so most firewalls pass it. For P2S setups in Windows-only environments, SSTP can be the fastest way to get people connected. But it's proprietary and Windows-only, and on Azure it is capped at 128 concurrent connections regardless of gateway SKU, so it's not the right choice for a mixed device fleet or a large user base.

💡Most VPN gateways let you enable multiple protocols at once, so you can give each user the best fit for their device and network, for example IKEv2 for mobile users and OpenVPN for anyone behind a restrictive firewall.

Security Best Practices for Point-to-Site VPNs

A point-to-site VPN gives each user their own secure tunnel into your network. That makes every device a new entry point. To keep your point-to-site VPN secure, follow these best practices:

✅ Limit access per user: Don't dump everyone into the same access. Give developers, contractors, and staff their own lanes with per-user routes and role-based access (in AWS Client VPN, for example, authorization rules tied to directory or SAML groups). That way, if one account is hijacked, the attacker can't roam across your entire environment.
✅ Use identity-driven authentication: Don’t rely on simple usernames and passwords. Use a secure login system that confirms who’s connecting. Add extra steps like certificates, phone codes (MFA), or one login for all tools (SSO) to block unauthorized access. 
✅ Rotate credentials and certificates: Don’t treat credentials as permanent. Expire and reissue client certificates regularly. If a device is lost or a contractor leaves, revoke their access immediately. It’s the same idea as changing locks when someone moves out.
✅ Keep software up to date: Outdated VPN clients are a common weak point. Apply security patches promptly to VPN gateways, client software, and connected devices to close known security gaps.
✅ Harden DNS and split traffic wisely: Decide what traffic should actually go through the VPN. Split tunneling (only internal apps and services through the tunnel, public browsing over the user's regular connection) keeps the gateway load down, but it also puts the device on an untrusted network and your internal network at the same time, with none of its public traffic passing your controls; full tunneling is the safer default for sensitive roles or unmanaged devices. Whichever you choose, make sure internal name lookups go to your internal resolver over the tunnel, so internal hostnames don't leak to public DNS and a poisoned local resolver can't redirect users.
✅ Monitor connections in real time: Watch for unusual activity, like repeated login failures or unexpected data transfers. Monitoring tools or logs help you catch potential problems before they escalate.
✅ Educate users: Train employees and contractors to recognize phishing attempts, use strong passwords, and follow safe remote work habits.

Site-to-Site VPNs vs. Point-to-Site VPNs

The main difference between a point-to-site VPN and a site-to-site VPN is that a P2S VPN connects individual devices to a private network, while a S2S VPN connects entire networks to each other. Here’s a quick overview of their main differences and similarities and when each one makes sense:

Point-to-Site (P2S) VPN vs. Site-to-Site (S2S) VPN

🔌 Connection type
  • P2S: Connects a single device (laptop, phone) to a private network
  • S2S: Connects entire networks (ex: a branch office and headquarters)
👤 Best for
  • P2S: Remote workers, contractors, or short-term access
  • S2S: Always-on links between offices, data centers, or cloud networks
⚙️ Setup
  • P2S: No hardware on the user's side; just install the VPN client
  • S2S: Needs VPN devices or gateways at both ends
📈 Scalability
  • P2S: Scales per user up to the gateway's connection cap (hundreds to thousands, depending on tier); every user is managed individually
  • S2S: One tunnel serves a whole site; built for enterprise scale
🔒 Access control
  • P2S: Per-user control: limits who can see which apps or subnets
  • S2S: Network-wide: devices usually see everything unless segmented
📡 Typical protocols
  • P2S: OpenVPN, IKEv2, SSTP
  • S2S: IPsec (most common), sometimes SSL/TLS

FAQ

What is a point-to-site VPN and how does it work?

A point-to-site VPN (P2S) creates a secure, encrypted connection between an individual client device (like your laptop or smartphone) and a private network (such as your company’s internal network or a cloud virtual network). It works by authenticating the user, establishing a secure tunnel, and then routing the client’s traffic through that tunnel, making it appear as if the device is connected directly to the private network.

How does a point-to-site VPN differ from a site-to-site VPN?

The key difference between P2S and S2S VPNs lies in their scope. A point-to-site VPN connects a single device to a network, ideal for remote workers. A site-to-site VPN on the other hand, connects two entire networks (e.g., two offices), allowing all devices within those networks to communicate securely. P2S is for individual access, while S2S is for network-to-network connectivity.

When should you use a point-to-site VPN instead of a site-to-site?

You should use a point-to-site VPN when you need to provide secure access for individual remote users (employees, contractors) to your private network. It’s ideal for scenarios where users are connecting from various locations and devices, and you don’t need to connect entire branch offices or data centers. For connecting fixed, distributed networks, a site-to-site VPN is more appropriate.

What are the benefits of using a P2S VPN for remote access?

P2S VPNs offer improved remote access: They give you secure encrypted access, per-user controls, and easy setup. You can connect from anywhere on any device, integrate with SSO and MFA for stronger authentication, access cloud apps safely, and keep costs low with pay-as-you-go gateways. They also typically require less infrastructure change compared to site-to-site VPNs, making deployment quicker for individual users.

Can point-to-site VPNs support multiple simultaneous connections?

Yes, point-to-site VPNs are designed to support multiple simultaneous connections, allowing many individual users to connect to the private network concurrently. However, the number of supported connections depends on the capacity of the VPN gateway and the chosen VPN solution. It’s important to plan for sufficient gateway capacity based on your expected user count.

Is point-to-site VPN secure for enterprise environments?

Yes, a point-to-site VPN can be secure for enterprise environments when implemented with best practices. This includes using strong authentication methods (like certificates or MFA with cloud IdPs), enforcing least-privilege access, applying split tunneling and secure DNS wisely, and keeping VPN gateways, client software, and endpoint devices patched. Regular monitoring of logs for unusual activity also helps maintain security.