VPNs (Virtual Private Networks) create encrypted tunnels over public networks, enabling secure remote access and site-to-site connectivity. CompTIA Network+ N10-009 tests VPN types, protocols, and use cases across implementation and security domains. You must distinguish between remote access VPNs and site-to-site VPNs, understand the main VPN protocols (IPsec, SSL/TLS, OpenVPN, WireGuard), and recognize when each type is appropriate.
Remote access VPN: connects individual remote users to the corporate network over the internet. The user's device runs a VPN client that establishes an encrypted tunnel to a VPN concentrator/gateway. Traffic from the user's device travels through the tunnel to the corporate network — the user appears to be locally connected. Enables secure home working and travel access.
Site-to-site VPN: connects two or more network sites over the internet as if they were directly connected via a private WAN link. The VPN tunnel is established between router/firewall appliances at each site — no client software required on user devices. Common use: connecting branch offices to headquarters. Traffic from branch users to HQ resources flows through the tunnel.
Split tunneling: only traffic destined for corporate networks travels through the VPN; internet-bound traffic goes directly to the internet. Reduces VPN bandwidth and latency for internet access. Full tunnel: all traffic (including internet) routes through the VPN — provides additional security/inspection but increases VPN load.
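The split-tunnel versus full-tunnel decision described above is, on the client, nothing more than a routing-table question: which prefixes point at the tunnel interface and where the default route goes. The following added example (written for this page, not code from any VPN vendor) models that with a longest-prefix-match lookup over a route table built from constructed corporate prefixes; the addresses and prefixes are sample values, not anything a real gateway pushes.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Route is one entry in the client's routing table once the VPN is up.
type Route struct {
	Prefix netip.Prefix
	ViaVPN bool // true: next hop is the tunnel interface; false: the local ISP gateway
}

// TunnelPolicy builds the route table a VPN client installs.
// corp holds the corporate prefixes the gateway pushes (constructed sample values here).
// With fullTunnel the default route itself points into the VPN; with split tunneling
// only the corporate prefixes do and everything else stays with the ISP.
func TunnelPolicy(corp []netip.Prefix, fullTunnel bool) []Route {
	rt := []Route{{netip.MustParsePrefix("0.0.0.0/0"), fullTunnel}}
	for _, p := range corp {
		rt = append(rt, Route{p, true})
	}
	return rt
}

// Lookup performs longest-prefix match, the same rule every IP stack applies.
func Lookup(rt []Route, dst netip.Addr) (Route, bool) {
	best := -1
	var match Route
	for _, r := range rt {
		if r.Prefix.Contains(dst) && r.Prefix.Bits() > best {
			best, match = r.Prefix.Bits(), r
		}
	}
	return match, best >= 0
}

// ViaTunnel reports whether a packet to dst enters the VPN under the given policy.
func ViaTunnel(corp []netip.Prefix, fullTunnel bool, dst string) bool {
	r, ok := Lookup(TunnelPolicy(corp, fullTunnel), netip.MustParseAddr(dst))
	return ok && r.ViaVPN
}

func main() {
	corp := []netip.Prefix{
		netip.MustParsePrefix("10.0.0.0/8"),     // constructed: HQ internal range
		netip.MustParsePrefix("172.16.20.0/24"), // constructed: data-centre subnet
	}
	for _, dst := range []string{"10.1.2.3", "172.16.20.9", "172.16.21.1", "93.184.216.34"} {
		fmt.Printf("%-15s split=%-5v full=%v\n", dst,
			ViaTunnel(corp, false, dst), ViaTunnel(corp, true, dst))
	}
}
```

Note the 172.16.21.1 case: it is adjacent to the pushed /24 but not inside it, so under split tunneling it leaves through the ISP unprotected. That is the operational risk of split tunneling the text alludes to: anything the gateway's prefix list misses, and all internet-bound traffic, bypasses the corporate inspection path while the host is simultaneously attached to both networks.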
IPsec (Internet Protocol Security): the most widely used VPN protocol suite. Two modes: Tunnel mode (encrypts entire original packet — used for VPNs, adds new IP header) and Transport mode (encrypts only payload — used for host-to-host). Two protocols: AH (Authentication Header) provides integrity and authentication only — no encryption. ESP (Encapsulating Security Payload) provides encryption, integrity, and authentication — used for VPNs. IKE (Internet Key Exchange) handles key negotiation and SA (Security Association) establishment. Ports: IKE uses UDP 500; NAT traversal uses UDP 4500.
SSL VPN (TLS-based): uses standard HTTPS (TCP 443) — works through firewalls that allow HTTPS. Two types: clientless (browser-based, no software install) for portal access, and client-based (full-tunnel requiring software). Common in enterprise remote access. Examples: Cisco AnyConnect, Pulse Secure, Palo Alto GlobalProtect.
OpenVPN: open-source VPN using SSL/TLS, highly configurable, can use TCP or UDP. WireGuard: modern VPN protocol designed for simplicity and performance — uses state-of-the-art cryptography, UDP-based, much faster than OpenVPN or IPsec in practice.
PPTP (Point-to-Point Tunneling Protocol): legacy, uses MPPE encryption — considered insecure and deprecated. L2TP (Layer 2 Tunneling Protocol): provides tunneling but no encryption alone — combined with IPsec (L2TP/IPsec) for security. GRE (Generic Routing Encapsulation): tunneling without encryption — often combined with IPsec.
| Protocol | Encryption | Port/Protocol | Use Case |
|---|---|---|---|
| IPsec (ESP) | AES, 3DES | UDP 500/4500 | Site-to-site, client VPN |
| SSL/TLS VPN | TLS (AES) | TCP 443 | Remote access, clientless |
| OpenVPN | TLS (AES) | UDP/TCP (any) | Flexible client VPN |
| WireGuard | ChaCha20 | UDP (51820) | Modern, fast client VPN |
| L2TP/IPsec | AES via IPsec | UDP 1701/500 | Legacy client VPN |
| PPTP | MPPE (RC4) | TCP 1723 | Legacy — avoid |
Misconception: all VPN protocols provide the same level of security.
Correction: PPTP with MPPE is considered insecure and broken. L2TP alone has no encryption. IPsec with AES and SSL/TLS with AES are both strong. WireGuard uses modern cryptography. Always use current protocols, and never PPTP.
Misconception: IPsec AH provides encryption.
Correction: IPsec AH (Authentication Header) provides only integrity and authentication; it does not encrypt the payload. IPsec ESP (Encapsulating Security Payload) provides encryption. For VPNs, ESP is used.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A company needs to connect its branch office in another city to the headquarters over the internet, allowing branch users to access HQ resources transparently without VPN client software. Which VPN type is most appropriate?
Explanation: A site-to-site IPsec VPN connects two network sites via tunnels between gateway devices (routers or firewalls). Branch users don't need VPN client software — the tunnel is established at the network level. Remote access VPN requires per-user client software. PPTP is insecure. Clientless browser VPN is for individual remote users accessing specific web-based resources.
IPsec tunnel mode encrypts the entire original IP packet (header + payload) and adds a new IP header — used for VPN gateways to connect networks (site-to-site VPN). The original IP addresses are hidden inside the encrypted payload. Transport mode encrypts only the payload (data) and keeps the original IP header visible — used for host-to-host encryption (e.g., protecting traffic between two servers). VPNs almost always use tunnel mode.
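The IPsec modes and the AH-versus-ESP distinction above are easiest to see by building the packets and then looking at them the way an on-path observer would. The added example below (written for this page, not taken from any IPsec implementation) constructs a minimal IPv4 packet, wraps it in ESP with AES-GCM following the RFC 4106 layout in both tunnel and transport mode, and wraps it in an AH transport-mode header following the RFC 4302 layout with HMAC-SHA256 truncated to 128 bits. It then reports which addresses and whether the original payload are visible on the wire. Assumptions: no IP options, no anti-replay window, fixed SPIs and sequence numbers, and a constructed static key where a real SA would get keys from IKE.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"net/netip"
)

const protoIPIP, protoESP, protoAH = 4, 50, 51 // IANA IP protocol numbers

func addr4(b []byte) netip.Addr { var a [4]byte; copy(a[:], b); return netip.AddrFrom4(a) }

// ipv4Header builds a minimal 20-byte IPv4 header with a computed checksum.
func ipv4Header(src, dst netip.Addr, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	s, d := src.As4(), dst.As4()
	copy(h[12:], s[:])
	copy(h[16:], d[:])
	var sum uint32
	for i := 0; i < 20; i += 2 {
		sum += uint32(binary.BigEndian.Uint16(h[i:]))
	}
	for sum > 0xffff {
		sum = (sum & 0xffff) + sum>>16
	}
	binary.BigEndian.PutUint16(h[10:], ^uint16(sum))
	return h
}

// esp produces SPI || seq || 8-byte IV || AES-GCM(plaintext || pad || padLen || nextHeader) || ICV.
// key is 16 bytes of AES key followed by the 4-byte salt (constructed here; IKE derives it in practice).
func esp(key []byte, spi, seq uint32, nextHeader byte, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key[:16])
	gcm, _ := cipher.NewGCM(block)
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr, spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	iv := make([]byte, 8)
	binary.BigEndian.PutUint64(iv, uint64(seq)) // unique per packet under one key; reuse would break GCM
	padLen := (4 - (len(plaintext)+2)%4) % 4     // ESP trailer must end on a 4-byte boundary
	body := append(append([]byte{}, plaintext...), make([]byte, padLen)...)
	body = append(body, byte(padLen), nextHeader)
	nonce := append(append([]byte{}, key[16:20]...), iv...)
	return gcm.Seal(append(hdr, iv...), nonce, body, hdr) // ESP header authenticated, not encrypted
}

// TunnelMode: the whole original packet becomes the ESP payload behind a new outer header
// carrying the gateway addresses, so the inner host addresses never appear on the wire.
func TunnelMode(key []byte, gwA, gwB netip.Addr, original []byte) []byte {
	e := esp(key, 0x1001, 1, protoIPIP, original)
	return append(ipv4Header(gwA, gwB, protoESP, len(e)), e...)
}

// TransportMode: the original header is kept (protocol field now ESP) and only the
// transport payload is encrypted, so the host addresses remain visible.
func TransportMode(key []byte, original []byte) []byte {
	e := esp(key, 0x1002, 1, original[9], original[20:])
	return append(ipv4Header(addr4(original[12:16]), addr4(original[16:20]), protoESP, len(e)), e...)
}

// AHTransport: integrity and origin authentication over header and payload, no encryption.
func AHTransport(key []byte, original []byte) []byte {
	payload := original[20:]
	ah := make([]byte, 12+16)                  // fixed fields plus a 128-bit ICV
	ah[0], ah[1] = original[9], byte(len(ah)/4-2) // next header; AH length in 32-bit words minus 2
	binary.BigEndian.PutUint32(ah[4:], 0x2001)  // SPI
	binary.BigEndian.PutUint32(ah[8:], 1)       // sequence number
	hdr := ipv4Header(addr4(original[12:16]), addr4(original[16:20]), protoAH, len(ah)+len(payload))
	mutable := append([]byte{}, hdr...)
	mutable[8], mutable[10], mutable[11] = 0, 0, 0 // TTL and checksum change in flight: zeroed for the ICV
	mac := hmac.New(sha256.New, key)
	mac.Write(mutable)
	mac.Write(ah) // ICV field still zero here
	mac.Write(payload)
	copy(ah[12:], mac.Sum(nil)[:16])
	return append(append(hdr, ah...), payload...) // payload travels in the clear
}

// Observed is what someone on the path can read without any keys.
type Observed struct {
	Src, Dst       string
	Proto          byte
	PayloadInClear bool
}

func Observe(wire, originalPayload []byte) Observed {
	return Observed{addr4(wire[12:16]).String(), addr4(wire[16:20]).String(), wire[9],
		bytes.Contains(wire, originalPayload)}
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 20) // constructed demo key; never a real SA key
	hostA, hostB := netip.MustParseAddr("10.1.1.10"), netip.MustParseAddr("10.2.2.20")
	gwA, gwB := netip.MustParseAddr("203.0.113.1"), netip.MustParseAddr("198.51.100.1")
	payload := []byte("GET /payroll HTTP/1.1\r\n") // constructed sample transport payload
	original := append(ipv4Header(hostA, hostB, 6, len(payload)), payload...)
	fmt.Printf("tunnel:    %+v\n", Observe(TunnelMode(key, gwA, gwB, original), payload))
	fmt.Printf("transport: %+v\n", Observe(TransportMode(key, original), payload))
	fmt.Printf("AH:        %+v\n", Observe(AHTransport(key, original), payload))
}
```

Three things stand out in the output: tunnel mode shows only the two gateway addresses and protocol 50, transport mode shows the real host addresses with protocol 50, and AH shows the host addresses with protocol 51 and the full HTTP request readable on the wire. The last line is the practical form of the misconception above, since an AH-only policy passes every integrity check while exposing everything it carries.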