{"slug":"corporate-vpn-explained","title":"Corporate VPN, explained","tags":["tailscale","networking"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Corporate VPN, explained\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nA corporate VPN extends the office network to remote locations.\r\nThis used to mean accessing shared files on a workstation from home\r\nby using a laptop, and as the business use of computing has increased in\r\nscope, so has the business VPN.\r\nToday it can mean accessing data center or cloud resources from the\r\noffice, or from home, or in the field with a phone or tablet.\r\nThe business VPN can connect data centers or be used to migrate\r\nbetween cloud providers.\r\nThe modern business network is built on VPNs.\r\n\r\n## [Business VPN Security](https://tailscale.com/docs/concepts/corporate-vpn\\#business-vpn-security)\r\n\r\nThe most important property of a business VPN is security.\r\nThe VPN stops unauthorized people from seeing network traffic.\r\nThis involves two components: encryption and authentication, using an identity provider\r\nsuch as Okta, Active Directory, or Google Workspace.\r\n\r\nMany corporate VPNs are based on TLS encryption, a reliable\r\ntechnology that can be used to secure connections between computers.\r\nTailscale is based on next-generation encrypted point-to-point\r\ntunnels: [WireGuard®](https://www.wireguard.com/).\r\n\r\n## [Connectivity](https://tailscale.com/docs/concepts/corporate-vpn\\#connectivity)\r\n\r\nThe traditional business VPN is based on the concept of a concentrator.\r\nThat is, a dedicated piece of hardware in an office that remote users\r\nconnect to, for accessing any of the machines in that office.\r\nThe modern business VPN needs to be far more accommodating of our\r\ndiverse computing environment.\r\n\r\nModern business VPNs also provide selective routing by default.\r\nOnly connections to corporate resources need to flow through the VPN,\r\nallowing users to access internet resources directly.\r\n\r\n### [Hardware-based VPNs are obsolete](https://tailscale.com/docs/concepts/corporate-vpn\\#hardware-based-vpns-are-obsolete)\r\n\r\nModern networks are not central offices with a few remote offices and\r\nhome computers: they are distributed across the internet.\r\nYou may have Virtual Machines in half-a-dozen data centers and across\r\ncloud providers, with users on phones and tablets, some on dedicated\r\nfiber lines and others connecting by using satellite.\r\n\r\nShipping hardware to a data center to spin up a Virtual Machine for a\r\nweekend training class across the country is impossible.\r\nSimilarly, being limited by the deployed concentrator hardware when\r\nsuddenly all your employees are working from home is a huge business\r\nrisk.\r\nDedicated hardware has too long a procurement cycle and reduces the\r\nflexibility of your business.\r\n\r\nModern corporate VPNs are entirely software based.\r\nYou can spin up a concentrator as a VPN, and split concentrators into\r\nsubnets when they become overloaded.\r\n\r\nAdvanced corporate VPNs like Tailscale can abolish concentrators\r\ncompletely: every server can run Tailscale directly, and individual\r\nclients can form point-to-point connections to each server it needs to\r\ntalk to.\r\nFine-grained centrally-managed [access controls](https://tailscale.com/docs/features/access-control) let you incrementally\r\nconvert your corporate network to a zero-trust environment.\r\n\r\n## [Access Control Panel](https://tailscale.com/docs/concepts/corporate-vpn\\#access-control-panel)\r\n\r\nAll VPNs need to be managed. Legacy hardware VPNs require devices to\r\nbe procured, tracked, deployed, and re-deployed as business needs\r\nchange by a corporate IT department.\r\nModern software VPNs need to be configured so only the resources an\r\nemployee should have access to are accessible to their computers.\r\nIf you build a business VPN from a toolbox-style solution, you have to\r\nfactor in a lot of IT time for future management.\r\n\r\nSophisticated modern business VPNs provide central inventory and access\r\ncontrol management.\r\n\r\nThe Tailscale admin console gives network administrators control over\r\nthe devices in the corporate network, the access each person has (and\r\nthus, their devices), at both a high level where devices can be\r\ncategorized by tags and at a low-level where administrators can\r\nrestrict access to precise port numbers.\r\nAccess control is managed by using the Tailscale access control system:\r\n\r\n```json\r\n\"grants\": [\\\r\n  // Engineering users, plus the president, can access port 22 (ssh)\\\r\n  // and port 3389 (remote desktop protocol) on all servers, and all\\\r\n  // ports on git-server or ci-server.\\\r\n  {\\\r\n    \"src\": [\"group:engineering\", \"president@example.com\"],\\\r\n    \"dst\": [\"*\"],\\\r\n    \"ip\": [\"22\", \"3389\"]\\\r\n  },\\\r\n  {\\\r\n    \"src\": [\"group:engineering\", \"president@example.com\"],\\\r\n    \"dst\": [\"git-server\", \"ci-server\"],\\\r\n    \"ip\": [\"*\"]\\\r\n  }\\\r\n]\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nNetworks can be configured so employees can add their own\r\ndevices to the corporate network, or restricted so that IT must\r\nauthorize each piece of equipment beforehand.\r\nBy using an identity provider, authentication periods and MFA can be\r\nrequired as a matter of corporate policy.\r\n\r\nSensible defaults mean that small businesses can also adopt Tailscale\r\nwithout needing to configure any policies.\r\nYou can set up a simple modern corporate VPN in ten minutes,\r\ndownload it today to give it a try.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Corporate VPN, explained</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>A corporate VPN extends the office network to remote locations.\r\nThis used to mean accessing shared files on a workstation from home\r\nby using a laptop, and as the business use of computing has increased in\r\nscope, so has the business VPN.\r\nToday it can mean accessing data center or cloud resources from the\r\noffice, or from home, or in the field with a phone or tablet.\r\nThe business VPN can connect data centers or be used to migrate\r\nbetween cloud providers.\r\nThe modern business network is built on VPNs.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/corporate-vpn#business-vpn-security\">Business VPN Security</a></h2>\n<p>The most important property of a business VPN is security.\r\nThe VPN stops unauthorized people from seeing network traffic.\r\nThis involves two components: encryption and authentication, using an identity provider\r\nsuch as Okta, Active Directory, or Google Workspace.</p>\n<p>Many corporate VPNs are based on TLS encryption, a reliable\r\ntechnology that can be used to secure connections between computers.\r\nTailscale is based on next-generation encrypted point-to-point\r\ntunnels: <a href=\"https://www.wireguard.com/\">WireGuard®</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/corporate-vpn#connectivity\">Connectivity</a></h2>\n<p>The traditional business VPN is based on the concept of a concentrator.\r\nThat is, a dedicated piece of hardware in an office that remote users\r\nconnect to, for accessing any of the machines in that office.\r\nThe modern business VPN needs to be far more accommodating of our\r\ndiverse computing environment.</p>\n<p>Modern business VPNs also provide selective routing by default.\r\nOnly connections to corporate resources need to flow through the VPN,\r\nallowing users to access internet resources directly.</p>\n<h3><a href=\"https://tailscale.com/docs/concepts/corporate-vpn#hardware-based-vpns-are-obsolete\">Hardware-based VPNs are obsolete</a></h3>\n<p>Modern networks are not central offices with a few remote offices and\r\nhome computers: they are distributed across the internet.\r\nYou may have Virtual Machines in half-a-dozen data centers and across\r\ncloud providers, with users on phones and tablets, some on dedicated\r\nfiber lines and others connecting by using satellite.</p>\n<p>Shipping hardware to a data center to spin up a Virtual Machine for a\r\nweekend training class across the country is impossible.\r\nSimilarly, being limited by the deployed concentrator hardware when\r\nsuddenly all your employees are working from home is a huge business\r\nrisk.\r\nDedicated hardware has too long a procurement cycle and reduces the\r\nflexibility of your business.</p>\n<p>Modern corporate VPNs are entirely software based.\r\nYou can spin up a concentrator as a VPN, and split concentrators into\r\nsubnets when they become overloaded.</p>\n<p>Advanced corporate VPNs like Tailscale can abolish concentrators\r\ncompletely: every server can run Tailscale directly, and individual\r\nclients can form point-to-point connections to each server it needs to\r\ntalk to.\r\nFine-grained centrally-managed <a href=\"https://tailscale.com/docs/features/access-control\">access controls</a> let you incrementally\r\nconvert your corporate network to a zero-trust environment.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/corporate-vpn#access-control-panel\">Access Control Panel</a></h2>\n<p>All VPNs need to be managed. Legacy hardware VPNs require devices to\r\nbe procured, tracked, deployed, and re-deployed as business needs\r\nchange by a corporate IT department.\r\nModern software VPNs need to be configured so only the resources an\r\nemployee should have access to are accessible to their computers.\r\nIf you build a business VPN from a toolbox-style solution, you have to\r\nfactor in a lot of IT time for future management.</p>\n<p>Sophisticated modern business VPNs provide central inventory and access\r\ncontrol management.</p>\n<p>The Tailscale admin console gives network administrators control over\r\nthe devices in the corporate network, the access each person has (and\r\nthus, their devices), at both a high level where devices can be\r\ncategorized by tags and at a low-level where administrators can\r\nrestrict access to precise port numbers.\r\nAccess control is managed by using the Tailscale access control system:</p>\n<pre><code class=\"language-json\">\"grants\": [\\\r\n  // Engineering users, plus the president, can access port 22 (ssh)\\\r\n  // and port 3389 (remote desktop protocol) on all servers, and all\\\r\n  // ports on git-server or ci-server.\\\r\n  {\\\r\n    \"src\": [\"group:engineering\", \"president@example.com\"],\\\r\n    \"dst\": [\"*\"],\\\r\n    \"ip\": [\"22\", \"3389\"]\\\r\n  },\\\r\n  {\\\r\n    \"src\": [\"group:engineering\", \"president@example.com\"],\\\r\n    \"dst\": [\"git-server\", \"ci-server\"],\\\r\n    \"ip\": [\"*\"]\\\r\n  }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>Networks can be configured so employees can add their own\r\ndevices to the corporate network, or restricted so that IT must\r\nauthorize each piece of equipment beforehand.\r\nBy using an identity provider, authentication periods and MFA can be\r\nrequired as a matter of corporate policy.</p>\n<p>Sensible defaults mean that small businesses can also adopt Tailscale\r\nwithout needing to configure any policies.\r\nYou can set up a simple modern corporate VPN in ten minutes,\r\ndownload it today to give it a try.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}