What Is a Site-to-Site VPN? Setup, Benefits and How It Works
If you’ve ever wondered how large organizations securely connect multiple offices or networks across different locations, one answer is a site-to-site VPN. But what exactly is it, how does it work, and is it a good option for your business?
In this guide, we’ll break down exactly how site-to-site VPNs work, how to set one up, which protocols to use, and the security best practices to follow.
What Is a Site-to-Site VPN?

A site-to-site (S2S) VPN securely connects two or more networks, like branch offices or data centers, over the internet. It creates an encrypted link between entire networks, rather than between individual devices.
The site-to-site connection is always active in the background and is usually set up using VPN-enabled routers or firewalls at each location. This allows companies to securely share resources, services, and internal data across locations.
Site-to-site VPNs fall into two main categories based on their use: intranet VPNs and extranet VPNs.
- Intranet-based VPN: Connects different offices of the same company (like a company’s headquarters to its branch offices).
- Extranet-based VPN: Connects a company’s network with that of a partner, supplier, or customer while maintaining controlled access.
How Site-to-Site VPNs Work
Site-to-site VPNs work by placing a VPN gateway, usually a VPN-enabled router or a firewall, at each location; the gateways encrypt and decrypt data automatically as it travels between the networks over the internet. Here’s how the process works:
- Traffic selection: Each gateway knows what kind of traffic should use the secure connection because someone (usually the network administrator) sets clear rules for it. For example, “any data going to the other office’s network must use the VPN.” When data leaves an office, the gateway checks its destination. If it’s headed to the other site, the data goes through the encrypted tunnel. If not, it just uses the normal internet route.
- Gateway authentication: Before connecting, the gateways verify each other to make sure the connection is genuine and not an impostor pretending to be the other office.
- Security negotiation: The gateways agree on how they’ll protect the information, which includes deciding on encryption strength and how they’ll detect any tampering during transmission.
- Tunnel setup: Once everything checks out, the gateways build a private “tunnel” through the internet that only their data can travel through.
- Encryption and decryption: The sending gateway encrypts each packet before it leaves the site, so anyone capturing it on the path sees only ciphertext travelling between the two gateway addresses; the internal source and destination addresses are hidden along with the payload. The receiving gateway checks the integrity tag, decrypts the packet, and forwards it into its local network.
The two networks can now communicate as if they were on the same local network. Note what the tunnel does and does not do: it protects the data in transit from being read or tampered with, but it does not inspect that data for threats, so traffic arriving from the other site still needs the same firewall rules and monitoring as any other internal traffic.
| Pros | Cons |
|---|---|
| ✅ Strong privacy and compliance: Encrypts all data between networks, keeping sensitive information safe from interception. | ⚠️ Lack of flexibility: Connecting temporary sites or remote workers requires separate configurations or additional VPN solutions. |
| ✅ Cost savings over leased lines: Uses existing internet infrastructure, cutting the high costs of dedicated circuits. | ⚠️ Limited traffic control: Requires extra firewall and routing rules for granular access between specific devices. |
| ✅ Simplified management: Lets IT teams enforce consistent security and access policies across all connected sites. | ⚠️ Hardware dependency: Relies on VPN-enabled routers or firewalls at every site. |
| ✅ Performance and control: Supports automatic failover, traffic prioritization (QoS), and well-supported protocols (IPsec/IKEv2, OpenVPN, WireGuard) for stable, high-speed communication. | ⚠️ Risk of misconfiguration: Weak settings or mistakes can expose entire networks to security threats. |
How to Set Up a Site-to-Site VPN
Setting up a site-to-site VPN involves several critical steps, from planning to configuration and testing.
Pre-Configuration Checklist
Before setting up your site-to-site VPN, make sure you have the essentials ready on both sides. This will save you a lot of time and frustration later.
- Confirm that each site has a public IP address or dynamic DNS set up and is reachable from the other side.
- Check that both locations have routers, firewalls, or servers that support VPN connections.
- Decide on the VPN protocol you’ll use based on what your devices support.
- Choose the authentication method: either a pre-shared key (PSK) or digital certificates.
- Identify the internal subnet used at each site, and make sure they don’t overlap so the systems don’t conflict (e.g., 192.168.1.0/24 vs. 192.168.2.0/24).
- Ensure that firewall rules or port forwarding allow the VPN traffic to reach each gateway. For IPsec that is UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP); OpenVPN and WireGuard each use a single UDP port you choose (1194 and 51820 by default).
- Verify that you have admin access to both VPN gateways to apply the configuration.
- Sync the system clocks on both gateways. If the clocks are out of sync, security checks can fail, especially when using certificates.
Configuration Steps for a Site-to-Site VPN
Specific steps vary by hardware and software, but the general configuration for a site-to-site VPN typically involves the following:
1. Log into the VPN gateways: Access the administrative interfaces of both VPN devices or firewalls at Site A and Site B using a web browser or terminal.
2. Create a new site-to-site VPN tunnel: Start a new tunnel configuration using your chosen VPN protocol and set the mode to “tunnel” or “site-to-site.”
3. Define local and remote network settings: Enter the public IP (or hostname) of the remote gateway, and specify the internal subnets at both sites that should communicate over the VPN.
4. Configure key exchange and encryption parameters: Choose how the VPN will protect the data: select the cipher, the integrity check, and the Diffie-Hellman group for the key exchange (an IKE proposal and an ESP proposal, in IPsec terms), decide how long keys stay valid before they are renewed, and provide the pre-shared key or certificate the two gateways will use to authenticate each other.
5. Enable NAT traversal (if required): If either gateway, or anything in the path, is behind NAT (a router hiding internal devices behind a single public IP address), enable NAT Traversal (NAT-T). It wraps the ESP packets in UDP on port 4500 so that NAT devices, which cannot track plain ESP, can pass them correctly. Most IPsec implementations detect NAT and switch to it automatically; forcing it on costs only a few bytes of overhead per packet.
6. Apply firewall rules: Allow VPN-related ports and permit traffic between the internal subnets over the VPN tunnel on each VPN gateway.
7. Configure routing between sites: Add static routes that send traffic for the remote subnets into the tunnel (policy-based IPsec does this through the traffic selectors instead). If you’re dealing with several remote sites, use a dynamic routing protocol such as BGP or OSPF over the tunnels, which learns the best path automatically and updates routes when the network changes.
8. Activate the tunnel and check logs: Enable the VPN tunnel on both gateways, and monitor system logs to ensure the negotiation completes successfully and the tunnel status is “up.”
9. Test connectivity between networks: Ping devices across both sites and verify access to shared resources. Then confirm the traffic really uses the tunnel: the tunnel’s packet counters on each gateway should increase, and a packet capture on the WAN interface should show only ESP (or UDP 4500) between the gateway addresses, never the internal addresses in the clear.
10. Set up redundancy and monitoring: If high availability is required, configure a secondary tunnel or failover path, and enable monitoring or alerts for tunnel status.
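The steps above, worked through for a two-site IKEv2 tunnel in strongSwan’s swanctl.conf format, as an added example written for this guide (it is illustrative code, not configuration from any vendor). The site names, addresses (RFC 5737 documentation ranges) and certificate subjects are made up. The planning checks catch overlapping subnets and a “public” address that is really private, and the rendered block is what one gateway loads before initiating the tunnel:

```python
"""Pre-flight checks for a two-site IKEv2 tunnel, then the swanctl.conf one gateway loads.

Added example for this guide; not vendor code. Site names, addresses (RFC 5737
documentation ranges) and certificate subjects below are made up.
"""
import ipaddress
from dataclasses import dataclass

# Ranges that can never be the address a peer reaches you on over the internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT (RFC 6598)
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


@dataclass(frozen=True)
class Site:
    name: str
    public_ip: str      # address the other gateway sends IKE and ESP to
    subnets: tuple      # internal networks this site puts behind the tunnel
    cert_id: str        # X.509 subject the gateway presents as its IKE identity


def check_plan(a: Site, b: Site) -> list:
    """Return planning errors (an empty list means the pair is consistent).

    Overlapping subnets leave both gateways thinking the destination is local, so
    nothing enters the tunnel. A 'public' address from a private range means the
    real public IP belongs to an upstream NAT device and the tunnel needs NAT-T.
    """
    errors = []
    nets_a = [ipaddress.ip_network(n) for n in a.subnets]
    nets_b = [ipaddress.ip_network(n) for n in b.subnets]
    for na in nets_a:
        for nb in nets_b:
            if na.overlaps(nb):
                errors.append(f"{a.name} {na} overlaps {b.name} {nb}; renumber or NAT one side")
    for site in (a, b):
        ip = ipaddress.ip_address(site.public_ip)
        if any(ip in net for net in NON_ROUTABLE):
            errors.append(f"{site.name} public_ip {ip} is not reachable from the internet")
    if a.cert_id == b.cert_id:
        errors.append("both gateways use the same identity; each needs its own certificate")
    return errors


def render_swanctl_conf(local: Site, remote: Site) -> str:
    """Render the connection block `local` loads to reach `remote` (strongSwan swanctl syntax).

    Choices baked in: IKEv2 only, certificate authentication, AES-256-GCM for both IKE
    and ESP, X25519 key exchange in both proposals (the ESP group is what gives PFS),
    IKE rekey every 4 h and CHILD_SA rekey every hour, dead-peer detection that
    restarts the tunnel, and forced UDP encapsulation (NAT-T) so NAT in the path is harmless.
    """
    name = f"to-{remote.name}"
    local_ts = ",".join(local.subnets)
    remote_ts = ",".join(remote.subnets)
    return f"""connections {{
    {name} {{
        version = 2
        local_addrs = {local.public_ip}
        remote_addrs = {remote.public_ip}
        proposals = aes256gcm16-prfsha256-x25519
        rekey_time = 4h
        dpd_delay = 30s
        encap = yes
        local {{
            auth = pubkey
            certs = {local.name}.pem
            id = "{local.cert_id}"
        }}
        remote {{
            auth = pubkey
            id = "{remote.cert_id}"
        }}
        children {{
            {name} {{
                local_ts = {local_ts}
                remote_ts = {remote_ts}
                esp_proposals = aes256gcm16-x25519
                rekey_time = 1h
                start_action = start
                dpd_action = restart
            }}
        }}
    }}
}}
"""


# Constructed planning data for the two sites used in this guide.
SITE_A = Site("site-a", "203.0.113.10", ("192.168.1.0/24",),
              "C=US, O=Example Corp, CN=gw-a.example.com")
SITE_B = Site("site-b", "198.51.100.20", ("192.168.2.0/24", "10.20.0.0/16"),
              "C=US, O=Example Corp, CN=gw-b.example.com")

if __name__ == "__main__":
    problems = check_plan(SITE_A, SITE_B)
    if problems:
        raise SystemExit("\n".join(problems))
    print(render_swanctl_conf(SITE_A, SITE_B))   # file for site-a's gateway
    print(render_swanctl_conf(SITE_B, SITE_A))   # mirror image for site-b's gateway
```

On the site A gateway, save the output as /etc/swanctl/conf.d/to-site-b.conf with the gateway’s certificate in /etc/swanctl/x509 and its key in /etc/swanctl/private, then run `swanctl --load-all`; `swanctl --list-sas` should show the CHILD_SA installed once the peer answers. The mirror-image call produces site B’s file. The same checks apply whatever product you use: the subnet overlap and the private “public” address are the two planning mistakes that keep most tunnels down.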
Best Security Practices for Configuring Site-to-Site VPNs

Implementing a site-to-site VPN requires strong security and proper configuration to protect inter-network communications. Following best practices helps reduce vulnerabilities and maintain data integrity and confidentiality.
Choose the Right Protocol
IPsec is the industry standard for site-to-site VPNs, offering strong encryption, authentication, and broad device compatibility. If you need cross-platform support or must handle restrictive firewalls, choose OpenVPN. For cloud or high-performance workloads, use WireGuard for its speed and modern cryptography.
| Protocol | Best For | Why It’s a Good Choice |
|---|---|---|
| IPsec/IKEv2 | Traditional office-to-office links | Reliable, well-supported, secure, and works with most network hardware. |
| OpenVPN | Sites with mixed operating systems and behind strict firewalls | Flexible and firewall-friendly; works almost anywhere. |
| WireGuard | Modern or cloud-based site networks | Fast, simple to configure, and uses modern, efficient encryption. |
Use Strong Encryption (AES-256)
Always configure the VPN to use strong encryption. AES-256 (Advanced Encryption Standard with a 256-bit key) is the usual choice, making brute-force attacks infeasible. Prefer an authenticated mode such as AES-256-GCM, which verifies integrity itself; if your hardware only offers AES-CBC, pair it with HMAC-SHA-256 to confirm that data hasn’t been altered in transit, and remove MD5 and SHA-1 from the proposals on both sides.
Authenticate Securely (IKEv2, Digital Certificates)
You need to verify VPN gateways before allowing any connection. Using pre-shared keys (PSKs) – a single secret that both VPN gateways use to prove they trust each other – is quick to set up but risky: anyone who obtains the key can impersonate a gateway and bring up a tunnel into your network, the same key is often reused across many sites, and rotating it means changing every gateway at once.
It’s much better to use IKEv2 with digital certificates instead. Each gateway gets its own certificate and a private key that never leaves the device, so a compromised site can be revoked individually without touching the others, which is both more secure and easier to manage across multiple sites.
Enable Perfect Forward Secrecy (PFS)
You should enable perfect forward secrecy in your VPN configuration. With PFS, each session key comes from a fresh Diffie-Hellman exchange, so an attacker who later obtains a gateway’s long-term secret (its private key or the PSK) still cannot decrypt traffic they recorded earlier, and a compromised session key exposes only that one session. In IPsec terms, this means configuring a Diffie-Hellman group (ideally a modern elliptic-curve group) in the ESP/phase-2 proposal as well as in the IKE proposal.
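A small policy check that applies the three rules above (strong cipher, certificate authentication, PFS) to a tunnel definition, as an added example written for this guide, not a feature of any gateway product. The proposal strings follow strongSwan’s algorithm names; the dict layout and the 24-hour IKE rekey limit are this example’s own choices. It lists what is wrong with a legacy definition and passes a hardened one:

```python
"""Lint a tunnel definition against the hardening rules in this section.

Added example for this guide, not a feature of any gateway product. Algorithm names
follow strongSwan's proposal syntax ('aes256gcm16-prfsha256-x25519'); the dict layout
and the rekey limit are this example's own policy, not a standard.
"""
import re

WEAK_ALGS = {
    "des", "3des", "null", "blowfish", "cast128",   # ciphers
    "md5", "sha1", "prfmd5", "prfsha1",             # integrity / PRF
    "modp768", "modp1024", "modp1536",              # DH groups below 2048 bits
}
DH_GROUP = re.compile(r"^(modp\d+|ecp\d+|x25519|x448|curve25519|curve448)$")
MAX_IKE_REKEY_S = 24 * 3600          # policy limit chosen for this example
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def to_seconds(value: str) -> int:
    """Parse lifetimes written as '30m', '4h', '7d' (bare numbers are seconds)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"bad lifetime {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def lint_proposal(kind: str, proposal: str, need_pfs: bool) -> list:
    """Check every comma-separated proposal for weak algorithms, key size and a DH group."""
    findings = []
    for prop in proposal.split(","):
        algs = prop.split("-")
        weak = [a for a in algs if a in WEAK_ALGS]
        if weak:
            findings.append(f"{kind} '{prop}' uses weak algorithm(s): {', '.join(weak)}")
        if not any(a.startswith(("aes256", "chacha20")) for a in algs):
            findings.append(f"{kind} '{prop}' does not use a 256-bit cipher")
        # The ESP proposal needs its own DH group; without one there is no PFS.
        if need_pfs and not any(DH_GROUP.match(a) for a in algs):
            findings.append(f"{kind} '{prop}' has no DH group: perfect forward secrecy is off")
    return findings


def lint(conn: dict) -> list:
    """Return human-readable findings; an empty list means the definition passes."""
    findings = []
    if conn.get("version") != 2:
        findings.append("IKEv1 in use; move to IKEv2")
    for side in ("local", "remote"):
        if conn[side]["auth"] == "psk":
            findings.append(f"{side} side authenticates with a pre-shared key; use certificates")
    findings += lint_proposal("IKE proposal", conn["proposals"], need_pfs=False)
    findings += lint_proposal("ESP proposal", conn["esp_proposals"], need_pfs=True)
    if to_seconds(conn.get("rekey_time", "4h")) > MAX_IKE_REKEY_S:
        findings.append(f"IKE rekey_time {conn['rekey_time']} exceeds 24h")
    return findings


# Constructed definitions: the kind of tunnel set up years ago, and its replacement.
LEGACY = {
    "version": 1,
    "local": {"auth": "psk"}, "remote": {"auth": "psk"},
    "proposals": "3des-sha1-modp1024",
    "esp_proposals": "aes128-sha1",          # no DH group, so no PFS
    "rekey_time": "7d",
}
HARDENED = {
    "version": 2,
    "local": {"auth": "pubkey"}, "remote": {"auth": "pubkey"},
    "proposals": "aes256gcm16-prfsha256-x25519",
    "esp_proposals": "aes256gcm16-x25519",   # x25519 here is what gives PFS
    "rekey_time": "4h",
}

if __name__ == "__main__":
    for label, conn in (("legacy", LEGACY), ("hardened", HARDENED)):
        findings = lint(conn)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The legacy definition produces nine findings (IKEv1, PSK on both sides, 3DES/SHA-1/1024-bit DH, a 128-bit ESP cipher, no ESP DH group, and a week-long rekey); the hardened one produces none. Running a check like this over exported configurations is a cheap way to find the one old tunnel that still negotiates down to 3DES.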
Keep Firmware and Credentials Updated
Update your VPN gateways, routers, and firewalls with the latest firmware to patch security flaws. Using outdated software leaves your network open to known exploits. You should also protect administrative access with strong, unique passwords, and rotate them regularly to reduce the risk of credential-based attacks.
Segment VPN Traffic and Monitor Logs
Divide your network into segments to contain potential breaches. This way, compromising one segment won’t expose the entire environment.
Make sure that you also enable logging on all VPN devices, and review the logs frequently for failed authentications, tunnels that repeatedly drop and re-establish, or configuration errors. Where possible, forward VPN logs to a central SIEM or intrusion detection system (IDS) so that repeated failures from one source raise an alert instead of being noticed by chance.
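What that log review can look like in code, as an added example written for this guide. The sample lines are constructed and only loosely modelled on strongSwan’s charon messages: each line carries a worker-thread number such as `09[IKE]`, which lets the “received packet: from <ip>” line be tied to the authentication failure the same worker logs next. The alert thresholds are arbitrary choices for the example:

```python
"""Scan gateway logs for failed peer authentication and tunnel flapping.

Added example for this guide. The sample lines are constructed and only loosely
modelled on strongSwan's charon messages; the thresholds are this example's choices.
"""
import re
from collections import Counter

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon\[\d+\]: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
RECV = re.compile(r"received packet: from (?P<peer>[\d.]+)\[\d+\]")
UP = re.compile(r"IKE_SA (?P<conn>\S+)\[\d+\] established")
DOWN = re.compile(r"deleting IKE_SA (?P<conn>\S+)\[\d+\]")
AUTH_FAIL = ("AUTHENTICATION_FAILED", "no trusted RSA public key", "MAC mismatched")

FAIL_ALERT = 3      # failed authentications from one source address
FLAP_ALERT = 3      # tunnel re-establishments in the scanned window


def analyse(lines):
    """Return auth failures per source IP, up/down counts per connection, and alerts."""
    last_peer = {}                  # worker thread -> source IP of the packet it is handling
    failures, ups, downs = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                # not a charon line; a SIEM would route it elsewhere
        thread, msg = m["thread"], m["msg"]
        r = RECV.search(msg)
        if r:
            last_peer[thread] = r["peer"]
            continue
        if any(s in msg for s in AUTH_FAIL):
            # Attribute the failure to whichever packet this worker received last.
            failures[last_peer.get(thread, "unknown")] += 1
            continue
        u = UP.search(msg)
        if u:
            ups[u["conn"]] += 1
            continue
        d = DOWN.search(msg)
        if d:
            downs[d["conn"]] += 1
    alerts = [f"{ip}: {n} failed authentications"
              for ip, n in failures.items() if n >= FAIL_ALERT]
    alerts += [f"{c}: tunnel re-established {ups[c]} times ({downs[c]} deletions)"
               for c in ups if ups[c] >= FLAP_ALERT]
    return {"auth_failures": dict(failures), "ups": dict(ups),
            "downs": dict(downs), "alerts": alerts}


# Constructed sample: a flapping tunnel, three impersonation attempts from one address
# (presenting the peer's identity with an untrusted key), one failure from the real peer.
PEERS = "203.0.113.10[CN=gw-a.example.com]...198.51.100.20[CN=gw-b.example.com]"
SAMPLE_LOG = [
    f"Mar  3 10:01:02 gw-a charon[812]: 07[IKE] IKE_SA to-site-b[1] established between {PEERS}",
    f"Mar  3 10:09:40 gw-a charon[812]: 11[IKE] deleting IKE_SA to-site-b[1] between {PEERS}",
    f"Mar  3 10:09:41 gw-a charon[812]: 12[IKE] IKE_SA to-site-b[2] established between {PEERS}",
    f"Mar  3 10:17:05 gw-a charon[812]: 05[IKE] deleting IKE_SA to-site-b[2] between {PEERS}",
    f"Mar  3 10:17:06 gw-a charon[812]: 06[IKE] IKE_SA to-site-b[3] established between {PEERS}",
    "Mar  3 10:20:13 gw-a charon[812]: 09[NET] received packet: from 192.0.2.77[500] to 203.0.113.10[500] (464 bytes)",
    "Mar  3 10:20:13 gw-a charon[812]: 09[IKE] no trusted RSA public key found for 'CN=gw-b.example.com'",
    "Mar  3 10:20:14 gw-a charon[812]: 13[NET] received packet: from 192.0.2.77[500] to 203.0.113.10[500] (464 bytes)",
    "Mar  3 10:20:14 gw-a charon[812]: 13[IKE] no trusted RSA public key found for 'CN=gw-b.example.com'",
    "Mar  3 10:20:15 gw-a charon[812]: 09[NET] received packet: from 192.0.2.77[500] to 203.0.113.10[500] (464 bytes)",
    "Mar  3 10:20:15 gw-a charon[812]: 09[IKE] no trusted RSA public key found for 'CN=gw-b.example.com'",
    "Mar  3 10:31:50 gw-a charon[812]: 04[NET] received packet: from 198.51.100.20[4500] to 203.0.113.10[4500] (80 bytes)",
    "Mar  3 10:31:50 gw-a charon[812]: 04[IKE] received AUTHENTICATION_FAILED notify error",
    "Mar  3 10:32:00 gw-a sshd[1201]: Accepted publickey for admin from 192.168.1.50 port 52114 ssh2",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Over the sample this raises two alerts: 192.0.2.77 with three failed authentications, and to-site-b re-established three times in half an hour. The single failure from the real peer stays below the threshold but is still worth a look, since it is exactly what a certificate expiring on one side looks like.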
Configure Redundancy and Failover
Set up backup VPN tunnels or use VPN gateways with two network interfaces connected to different ISPs. This way, if one link or provider fails, traffic automatically switches to the secondary path. Redundancy like this keeps your site-to-site VPN available even during outages or equipment failures.
Use Access Control Lists (ACLs)
Defining Access Control Lists on your VPN gateways lets you strictly control which IP addresses, networks, or services can use the tunnel. Limiting access this way reduces your attack surface and prevents attackers from freely moving between sites if they compromise one network.
Enable Multi-Factor Authentication (MFA)
A site-to-site tunnel authenticates gateway to gateway, so MFA applies to the people who manage it: protect administrative accounts on the VPN gateways (and any remote-access VPN logins the same devices offer) with multi-factor authentication (MFA). By requiring an additional verification step, such as a one-time code or a hardware token, you make it much harder for attackers to gain access, even if they steal a password. MFA is especially important if you manage VPN devices over the internet; better still, keep the management interface off the internet entirely.
Back Up VPN Configurations
Regularly create encrypted backups of your VPN device settings. Storing secure copies off the appliance lets you quickly restore connectivity if hardware fails, a device is lost, or a configuration change breaks the tunnel.
Site-to-Site VPNs for Cloud Services
As more businesses move workloads to the cloud, you may need to securely connect your on-premises network to cloud platforms like AWS and Azure.
AWS
AWS offers a managed service, AWS Site-to-Site VPN, that connects your network to a Virtual Private Cloud (VPC). You define your firewall or router as a Customer Gateway, which connects to a Virtual Private Gateway attached to the VPC; each VPN connection consists of two IPsec tunnels with separate AWS endpoints, so configure both for redundancy. For multiple sites, use a Transit Gateway, a central hub that terminates all your VPNs and routes traffic between them, to simplify routing.
Azure
Microsoft provides an Azure VPN Gateway to link your network with an Azure Virtual Network (VNet). You set up your local device as a Local Network Gateway. Azure supports policy-based and route-based VPNs, with route-based recommended for easier scaling and dynamic routing.
FAQ
What is a site-to-site VPN and how does it work?
A site-to-site VPN is basically a secure bridge between two separate networks, like a main office and a branch office. Instead of connecting individual devices one by one, it links the entire networks together through encrypted tunnels between VPN gateways. Once set up, people at both locations can access files, apps, and services on the other network as if everything were on the same local network.
How is a site-to-site VPN different from a remote access VPN?
A site-to-site VPN connects entire networks (network-to-network): it’s always on, connecting two or more locations. A remote access VPN is different because it’s for individual users. For example, an employee working from home can use a remote access VPN to securely connect their laptop to the office network when needed.
What are the benefits of using a site-to-site VPN for businesses?
The biggest win is cost savings: you don’t need expensive private lines to link offices. It also makes it easier to manage multiple sites centrally, improves privacy and compliance by encrypting all traffic, and can boost reliability with features like automatic failover, which keeps the connection running by switching to a backup link if the primary one fails, and traffic prioritization (QoS).
Which protocols are commonly used in site-to-site VPNs?
The standard is IPsec, usually combined with IKEv2 for secure key exchange. OpenVPN is another option, especially for cross-platform compatibility, and WireGuard is a newer, lightweight protocol that’s gaining popularity because of its speed and simplicity.
Can site-to-site VPNs be used with cloud services like AWS or Azure?
Yes, and many companies use site-to-site VPNs to securely connect their on-premises networks to cloud environments like AWS or Azure. Services like AWS Site-to-Site VPN and Azure VPN Gateway make it straightforward to extend your private network into the cloud if you need it.