1. Facade security or real protection? The ultimate test for your VPN
Not every encrypted tunnel is truly secure. And not every VPN offers the protection one might expect. While many companies treat VPNs as their primary barrier to remote access, the attack surface continues to expand.
According to a recent report by Orange Cyberdefense, a significant volume of CVEs exploited in 2024 involved flaws in secure connectivity technologies, including various VPN solutions. The problem, however, is rarely the technology itself, but how it is implemented: outdated protocols, weak authentication, and neglected maintenance are still common.
The vulnerability, therefore, lies not only in what the VPN protects, but in what it allows to pass through, whether due to over-trust, lack of visibility, or poorly enforced policies.
In this article, we'll get straight to the point: which protocols still make sense today, what to look for in configurations and monitoring, and why no corporate VPN should operate in isolation.
Let's go!
2. Protocols and authentication: where most people go wrong
The security of a corporate VPN doesn't begin when an employee connects. It starts much earlier, with the choice of protocols and the authentication model implemented. And that's precisely where many companies, even with good intentions, slip up.
2.1. First of all: what type of VPN does your company use?
Before discussing configurations, it's crucial to understand which VPN model your organization actually uses. This choice defines not only the level of exposure but also the degree of control and visibility that the security team has over the traffic.
- Remote Access VPN: connects the user to the company network, creating a tunnel between the device and internal systems. It is the most common model in hybrid environments, but requires extra attention to identity and authentication;
- Site-to-Site VPN: interconnects entire networks, such as headquarters and branches, with configuration usually done on routers or appliances. It is stable and efficient, but depends on consistent updates and patching;
- Cloud VPN (or VPNaaS): cloud-hosted, ideal for multi-cloud and integrations with corporate directories such as Azure AD and Okta. It offers scalability and ease of management, but requires precise configuration of access policies and federated authentication.
Understanding where your company fits within these models is the first step in strengthening your security architecture without sacrificing performance.
2.2. Protocols and secure authentication: what to use and what to avoid
Many VPN failures are not due to a lack of encryption, but to outdated technical choices. Currently, it makes no sense to maintain obsolete protocols or password-based authentication methods.
Check out the most recommended protocols today:
- OpenVPN: a well-established, audited reference compatible with virtually all systems. Supports TLS 1.3 and strong encryption (AES-256);
- WireGuard: lighter and faster, with lean code and modern encryption (ChaCha20). It's worth remembering, however, that its native support is not yet available on all appliances; many NGFWs (Next-Generation Firewalls) continue to prioritize IKEv2/IPsec;
- IKEv2/IPsec: excellent for mobility, supports automatic reconnection, and offers robust security when configured with updated parameters.
And the protocols that are discouraged or require attention are:
- PPTP: considered insecure for years, lacking support for modern encryption;
- L2TP/IPsec: not insecure by default, but it can become vulnerable when configured with weak keys or outdated parameters. It is recommended to upgrade it to modern cipher suites such as AES-256, SHA-2, and valid certificates.
In authentication, the most common mistake is relying exclusively on login and password. Even complex credentials can be compromised by automation, phishing, or data breaches. The current standard is robust multi-factor authentication (MFA), with methods resistant to phishing and interception, such as:
- TOTP (Time-based One-Time Password): effective and widely compatible;
- Push with contextual validation: links the login attempt to a specific device and location;
- FIDO2 or physical keys: the most resistant method to social engineering attacks.
And an important warning: the use of SMS as a secondary security factor is considered weak by organizations such as NIST (National Institute of Standards and Technology) and ENISA (European Union Agency for Cybersecurity). This is because the SMS channel is vulnerable to interception attacks and SIM swapping (when the attacker transfers the victim's number to another SIM card to capture codes).
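As an added illustration (not the article's or Skyone's code), the following Python script audits an OpenVPN server configuration for the weak choices this section discusses: an unpinned TLS version, non-AEAD data ciphers, a SHA-1 HMAC, password-only client authentication with no certificate, and missing logging. The directive names are real OpenVPN server options; the thresholds, the logging check and the two sample configurations are this script's own assumptions.

```python
"""Audit an OpenVPN server config for the weak choices discussed above. Illustration only:
directive names are real OpenVPN options; thresholds and sample configs are assumptions."""

STRONG_DATA_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}  # AEAD only
SHA2_HMACS = {"SHA256", "SHA384", "SHA512"}

def parse_config(text):
    """Map directive -> argument list, ignoring '#'/';' comments (last occurrence wins)."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def audit(text):
    """Return a list of findings; an empty list means no weak setting was detected."""
    d, findings = parse_config(text), []
    if "tls-version-min" not in d:
        findings.append("tls-version-min not pinned (set 1.2, or 1.3 where the peers support it)")
    elif float(d["tls-version-min"][0]) < 1.2:
        findings.append("tls-version-min below 1.2 allows deprecated TLS versions")
    raw = ":".join(d.get("data-ciphers", d.get("cipher", [])))  # 'cipher' is the legacy directive
    ciphers = {c.upper() for c in raw.split(":") if c}
    if not ciphers:
        findings.append("no data-ciphers set: the default negotiation may include legacy ciphers")
    elif not ciphers <= STRONG_DATA_CIPHERS:
        findings.append("weak data cipher(s): " + ", ".join(sorted(ciphers - STRONG_DATA_CIPHERS)))
    if d.get("auth", ["SHA1"])[0].upper() not in SHA2_HMACS:  # OpenVPN's default HMAC is SHA1
        findings.append("HMAC is not SHA-2 (use 'auth SHA256' or stronger)")
    if d.get("verify-client-cert", ["require"])[0] == "none" or "client-cert-not-required" in d:
        findings.append("clients need no certificate: authentication is password-only")
    if not any(k in d for k in ("log", "log-append", "status")):
        findings.append("no log, log-append or status directive: sessions leave no record")
    return findings

# Constructed sample configs: a weak one and its hardened counterpart (paths are placeholders).
WEAK_CONF = """\
cipher AES-256-CBC
auth SHA1
verify-client-cert none
"""
HARDENED_CONF = """\
tls-version-min 1.3
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
verify-client-cert require
log-append /var/log/openvpn/server.log
"""
```

Running `audit(WEAK_CONF)` yields five findings, while `audit(HARDENED_CONF)` yields none; the hardened block still needs an MFA step at the identity layer, which a static config check cannot verify.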
Even with modern protocols and robust MFA, VPN security can crumble if there are operational flaws. Therefore, in the next section, we will show how vulnerabilities exploited in known solutions, as well as routine errors, transform a legitimate connection into a real risk.
3. Flaws that turn VPNs into vulnerabilities
At first glance, a corporate VPN may seem to be fulfilling its purpose: connection established, traffic encrypted, everything working. But, in many cases, what exists is a superficial layer of protection, with weak configurations, delayed updates, and little operational visibility.
VPN solutions continue to be among the most exploited targets by cybercriminals. According to the Known Exploited Vulnerabilities catalog, maintained by CISA (Cybersecurity and Infrastructure Security Agency), more than 90% of known exploits involve flaws for which patches already existed but were not applied.
But the problem isn't limited to suppliers: a large part of the loopholes arise from internal practices. Among the most frequent errors are:
- Credential stuffing: using logins and passwords from other services in environments without MFA;
- MFA fatigue: repetitive sending of authentication notifications until the user accepts them by mistake or due to fatigue;
- Fragile configurations: split tunneling, lack of logs, and permissive access policies;
- Forgotten accesses: accounts that remain active even after job termination or changes in role.
These operational flaws are just as dangerous as technical vulnerabilities. An inconsistent security policy or a lack of continuous monitoring can turn a VPN into a privileged entry point for attacks, rather than a barrier.
That's why the focus needs to go beyond the secure tunnel: it's crucial to adopt complementary layers of validation, segmentation, and rapid response, capable of reducing the impact even when a credential or endpoint is compromised.
With that in mind, in the next topic, we'll see how these extra layers, from Zero Trust to EDR, elevate the protection of a traditional VPN to a new level of resilience.
4. Extra layers: why a VPN alone isn't enough
VPNs remain an important tool for securing remote connections. However, relying solely on them is like locking the front door and leaving the windows open.
Even with traffic encryption, VPNs don't prevent credential theft, session hijacking, or abuse of internal permissions. That's why, in 2025, real security begins beyond the tunnel, with continuous validation, segmentation, and visibility.
4.1. Essential supplementary protections
To maintain secure remote access in distributed and highly dynamic environments, it is necessary to adopt additional security layers that work in an integrated way with the VPN. Among the most relevant are:
- Zero Trust Network Access (ZTNA): redefines remote access, based on the principle that no connection is trusted by default. Authentication is continuous and based on identity, device, and context. According to Gartner, as cited by Zscaler, by 2025, 70% of organizations using VPNs will migrate to ZTNA or hybrid models, reinforcing this trend as the new market standard;
- Phishing-proof MFA: the second factor cannot be just an SMS token. App-authenticated push, FIDO2, and contextual validations offer real defenses against social engineering attacks and interception;
- Privilege management and segmentation: applying the principle of least privilege is essential to reduce the impact of any potential compromise. Each access should be temporary, reviewed, and traceable;
- Endpoint protection with EDR: users' devices remain one of the most targeted links in the chain. Endpoint detection and response (EDR) solutions monitor and isolate suspicious behavior in real time, reducing the risk of lateral spread.
These measures don't replace VPNs; they strengthen them. Tunnel encryption remains important, but it's only effective if what's at the endpoints is equally reliable and monitored.
4.2. How does Skyone operate in practice?
At Skyone, we view cybersecurity as an adaptable architecture, capable of evolving alongside environments and threats. This concept materializes in integrated solutions, such as:
- Cloud Connect: authentication based on digital certificates, eliminating passwords and drastically reducing the risk of leaked credentials. Allows immediate revocation in case of compromise;
- Autosky: incorporates continuous validation and Zero Trust, ensuring that each session is authenticated and contextualized, with dynamic segmentation and constant monitoring;
- Skyone SOC: offers real-time security visibility and intelligence, correlating events and reducing MTTR (Mean Time to Respond), which significantly improves compliance posture with LGPD and GDPR.
More than just isolated layers, these solutions form a unified security ecosystem that protects remote access without compromising operational agility. And this integration is even more powerful when accompanied by continuous monitoring and active compliance, as we will see below!
5. Monitoring and compliance: security that never sleeps
Even with modern protocols and additional layers of protection, no environment is truly secure without constant monitoring and continuous response. What goes unnoticed inevitably becomes a vulnerability.
Monitoring goes far beyond simply checking if the VPN is "active." The real focus should be on access behavior, on anomalies that reveal real risks, such as:
- Attempts to log in outside the norm, at unusual times or in unusual regions;
- Unknown devices or IP addresses attempting to access sensitive systems;
- Anomalous traffic on specific connections, indicating possible data leaks;
- Recurring authentication failures, which may signal automated attacks or credential stuffing .
These signals gain meaning when correlated within solutions such as SIEM (Security Information and Event Management) and SOC (Security Operations Center), which enable you to:
- Unify and cross-reference events across multiple sources (VPN, endpoints, cloud, identities);
- Apply real-time threat intelligence to detect suspicious patterns;
- Generate actionable alerts based on context, prioritizing what truly matters;
- Reduce the MTTR, that is, the average time between the detection and mitigation of an incident.
This continuous visibility not only increases operational efficiency but also improves compliance with regulations such as LGPD and GDPR, which require traceability and active control over personal data and access. To meet these requirements, best practices include:
- Maintain logs, recording times, origins, and access identities;
- Guarantee traceability and accountability, ensuring that each connection can be validated and justified;
- Apply anonymization or pseudonymization whenever possible, scrambling personal data in records to avoid exposure, without compromising usefulness for audits and investigations.
These practices strengthen both responsiveness and organizational trust. They demonstrate technical maturity, data responsibility, and commitment to a culture of continuous security, values that are clear competitive differentiators in today's market.
Have you made it this far and want to understand how your company can achieve this level of visibility, protection, and compliance without hindering operations? Talk to a Skyone specialist and build a dynamic, proactive, and adaptable security strategy.
FAQ: Frequently asked questions about secure VPN and remote work
Even with the advancement of new remote access approaches, VPNs still raise important questions, especially when it comes to security, authentication, and compatibility with modern models like Zero Trust.
Below, we've compiled direct and up-to-date answers to the main questions about Secure VPN in a corporate context.
1) OpenVPN, WireGuard, or IKEv2: which protocol should I use?
It depends on the scenario and the infrastructure. Each protocol has its strengths:
- WireGuard: lighter and faster, with lean code and modern encryption (ChaCha20). Ideal for mobile devices and connections with high latency variation. However, it still does not have native support on all enterprise appliances; many NGFWs continue to prioritize IKEv2/IPsec;
- OpenVPN: widely compatible, flexible, and mature, with support for TLS 1.3 and strong encryption (AES-256). It's the most balanced choice for those who need stability and auditability;
- IKEv2: excellent for mobility and stability in unstable networks, with automatic reconnection and widespread adoption in corporate environments.
In summary: OpenVPN and IKEv2 are the most mature for enterprise use, while WireGuard is a great option for modern environments, provided compatibility and support are guaranteed.
2) Can I still use SMS as a second factor?
Technically, yes, but it is strongly discouraged. SMS is vulnerable to interception attacks and SIM swapping, where the attacker transfers the victim's number to another SIM card and starts receiving authentication codes.
Organizations such as NIST and ENISA classify SMS as a weak second factor, unsuitable for sensitive corporate contexts. Instead, prefer using:
- Push notifications authenticated by an app (such as Okta Verify, Microsoft Authenticator, or Duo Mobile);
- Temporary codes (TOTP);
- Physical keys or FIDO2 , which are more resistant to phishing and interception.
3) How can I tell if my VPN is being exploited?
Some signs indicate that the VPN may be compromised or under attack, such as:
- Login attempts and failures originating from unusual regions;
- Simultaneous sessions of the same user in different locations;
- Anomalous traffic or unusual volume on specific connections;
- New devices attempting to connect without authorization;
- Unpatched known vulnerabilities (CVEs) in VPN appliances.
Tip: integrating VPN with solutions like SIEM and SOC allows you to correlate events, apply threat intelligence, and drastically reduce MTTR (Mean Time to Respond), transforming isolated signals into contextualized and actionable alerts.
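The signs listed in this answer, and the anomalies section 5 says a SIEM should surface, can be turned into concrete correlation rules. The Python below is an added example, not Skyone's or any vendor's detection code: it reads constructed VPN authentication events (the log format, the per-user baseline of known countries and devices, and the thresholds are all this script's assumptions) and raises alerts for logins from an unusual region, unknown devices, concurrent sessions of one user in two countries, and many distinct users failing from a single source IP, which is the credential stuffing pattern.

```python
"""Correlate VPN authentication events into the alert types listed above.
Illustration only: the log format, the per-user baseline and the thresholds are
this script's assumptions, and the events below are constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed events: timestamp, user, source IP, geolocated country, device id, result.
VPN_LOG = """\
2025-03-10T08:02:11Z alice 203.0.113.10 BR dev-a1 success
2025-03-10T08:05:42Z bob 198.51.100.7 BR dev-b1 success
2025-03-10T08:09:03Z alice 192.0.2.55 RU dev-x9 success
2025-03-10T08:11:00Z carol 192.0.2.77 BR dev-c1 failure
2025-03-10T08:11:05Z dave 192.0.2.77 BR dev-c1 failure
2025-03-10T08:11:09Z erin 192.0.2.77 BR dev-c1 failure
2025-03-10T08:11:14Z frank 192.0.2.77 BR dev-c1 failure
2025-03-10T08:11:20Z grace 192.0.2.77 BR dev-c1 failure
"""
# Assumed baseline: countries and device ids each user has previously logged in from.
BASELINE = {"alice": ({"BR"}, {"dev-a1"}), "bob": ({"BR"}, {"dev-b1"})}
STUFFING_USERS, WINDOW = 5, timedelta(minutes=10)  # assumed thresholds

def parse_events(text):
    """Turn one event per line into dicts; events are assumed to be in time order."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, device, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                       "ip": ip, "country": country, "device": device, "ok": result == "success"})
    return events
def detect(events):
    """Return alert strings for the signs described in the answer above."""
    alerts, sessions, failures = [], defaultdict(list), defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)
            continue
        countries, devices = BASELINE.get(e["user"], (set(), set()))
        if e["country"] not in countries:
            alerts.append(f"unusual region: {e['user']} from {e['country']} ({e['ip']})")
        if e["device"] not in devices:
            alerts.append(f"unknown device: {e['user']} on {e['device']}")
        for ts, country in sessions[e["user"]]:  # sessions still open in another country
            if country != e["country"] and e["ts"] - ts < WINDOW:
                alerts.append(f"concurrent sessions: {e['user']} in {country} and {e['country']}")
        sessions[e["user"]].append((e["ts"], e["country"]))
    # Many distinct users failing from one source IP inside the window: credential stuffing.
    for ip, evs in failures.items():
        users = {e["user"] for e in evs if e["ts"] - evs[0]["ts"] <= WINDOW}
        if len(users) >= STUFFING_USERS:
            alerts.append(f"credential stuffing: {len(users)} users failed from {ip}")
    return alerts
```

On the constructed log, `detect(parse_events(VPN_LOG))` returns four alerts: alice's login from an unfamiliar country on an unknown device that overlaps her open session in BR, plus five different accounts failing from the same IP within seconds.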
4) Is it safe to access SaaS without a VPN?
Yes, provided that access is controlled and validated by secure identity policies. Modern SaaS applications don't require a VPN, but this is only secure if there is:
- Robust multifactor authentication (MFA);
- Integration with SSO (Single Sign-On) to centralize identities and reduce attack surfaces;
- Use of a CASB (Cloud Access Security Broker) to govern traffic between users and cloud applications, enforcing visibility and compliance;
- Continuous monitoring of user and device behavior.
For legacy systems or critical data, VPN and access segmentation are still essential, especially when there is no native support for modern authentication or detailed logs.
5) Does a VPN replace Zero Trust?
No. VPN and Zero Trust Network Access (ZTNA) serve different but complementary roles. A VPN creates an encrypted tunnel between the user and the network, but does not continuously validate the context, device, or access behavior. ZTNA, on the other hand, operates on the principle that no connection is trusted by default, applying dynamic validations to each request.
Ideally, both approaches should be combined: using VPN to protect the communication channel and ZTNA to continuously validate access, reducing privileges and expanding contextual control.