Secure VPN in practice: protocols, risks, and real protection

1. Security facade or real shield? The ultimate test for your VPN

Not every encrypted tunnel is truly secure, and not every VPN protects as much as imagined. While many companies treat the VPN as their primary barrier for remote access, the attack surface it exposes keeps growing.

According to a recent report from Orange Cyberdefense, a significant share of the CVEs exploited in 2024 involved flaws in secure connectivity technologies, including several VPN products. The problem, however, rarely lies in the technology itself but in how it is deployed: outdated protocols, weak authentication, and neglected maintenance remain common.

The weakness, therefore, lies not only in what the VPN protects but in what it misses, whether through overtrust, lack of visibility, or poorly enforced policies.

In this article, we'll get straight to the point: which protocols still make sense today, what to look for in configuration and monitoring, and why no corporate VPN should operate in isolation.

Let's dive in!

2. Protocols and authentication: where most people go wrong

The security of a corporate VPN doesn't begin when an employee connects. It starts much earlier, with the choice of protocols and the authentication model. And this is precisely where many companies, even with good intentions, slip up.

2.1. First things first: what type of VPN does your company use?

Before discussing configurations, it's crucial to understand which VPN model your organization actually uses. This choice determines not only the level of exposure but also the degree of control and visibility the security team has over traffic.

  • Remote Access VPN: connects a user's device to the company network through a tunnel that terminates on a gateway in front of internal systems. This is the most common model in hybrid environments, but it demands extra attention to identity and authentication, because that gateway is reachable from the whole internet;
  • Site-to-Site VPN: interconnects entire networks, such as headquarters and branch offices, with configuration typically done on routers or firewall appliances. Stable and efficient, but those appliances need consistent update and patching routines;
  • Cloud VPN (or VPNaaS): hosted by a provider, suited to multicloud environments and to integration with corporate directories such as Azure AD (now Microsoft Entra ID) and Okta. Offers scalability and ease of management, but requires precise configuration of access policies and federated authentication.

Understanding where your company fits among these models is the first step to strengthening your security architecture without sacrificing performance.

2.2. Protocols and Secure Authentication: What to Use and What to Avoid

Many VPN failures aren't due to a lack of encryption but to outdated technical choices. Today there is no good reason to keep legacy protocols or password-only authentication in service.

Check out the most recommended protocols today:

  • OpenVPN: mature, independently audited, and compatible with virtually every platform. Supports TLS 1.3 on the control channel and AEAD ciphers such as AES-256-GCM on the data channel;
  • WireGuard: lighter and faster, with a small code base and a fixed set of modern primitives (ChaCha20-Poly1305, Curve25519). Native support is still missing on many appliances, and many NGFWs (Next-Generation Firewalls) continue to prioritize IKEv2/IPsec;
  • IKEv2/IPsec: great for mobility, supports automatic reconnection (MOBIKE), and offers robust security when configured with current parameters: AES-GCM, SHA-2, DH group 14 or higher, and certificate or EAP authentication rather than a shared pre-shared key.

And the protocols that are not recommended or that require attention are:

  • PPTP: broken for more than a decade; its MS-CHAPv2 authentication and RC4-based MPPE encryption are both cryptographically weak, so it should be disabled outright;
  • L2TP/IPsec: acceptable only because of the IPsec layer, since L2TP itself provides no encryption. It becomes weak when configured with a widely shared pre-shared key, 3DES or SHA-1, or outdated IKE settings. Use AES-256, SHA-2, and certificate-based authentication, or migrate to IKEv2/IPsec.
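As an added example (not from the original article or from any vendor's documentation), the following Python script lints an OpenVPN server configuration for the legacy choices this section warns about and compares a weak configuration with a hardened one. Both configurations are constructed for illustration, the file names (ca.crt, server.crt, ta.key) are placeholders, and the accepted cipher and hash sets are this example's policy rather than an OpenVPN default.

```python
"""Lint an OpenVPN server config for legacy crypto settings (added example)."""
from typing import Dict, List

# Policy for this example: AEAD data-channel ciphers, SHA-2 HMAC, TLS >= 1.2.
STRONG_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}
MIN_TLS = (1, 2)

# Constructed sample: the kind of config still found on servers set up years ago.
WEAK_CONF = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher BF-CBC          # 64-bit block cipher, OpenVPN's historical default
auth SHA1
tls-version-min 1.0
comp-lzo               # compression leaks plaintext (VORACLE)
"""

# Constructed sample: the same server with the settings this section recommends.
HARDENED_CONF = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM     # fallback for clients without cipher negotiation
auth SHA256
tls-version-min 1.2    # TLS 1.3 is negotiated when both ends support it
tls-crypt ta.key       # encrypts and authenticates the control channel
"""


def parse_openvpn(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to its argument lists; '#' and ';' start comments."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives


def lint_openvpn(text: str) -> List[str]:
    """Return one finding per weak or missing setting; an empty list means clean."""
    d = parse_openvpn(text)
    findings: List[str] = []

    # Data channel: prefer the negotiable list (OpenVPN 2.5+), else the single cipher.
    if "data-ciphers" in d:
        offered = set(d["data-ciphers"][-1][0].upper().split(":"))
        weak = sorted(offered - STRONG_CIPHERS)
        if weak:
            findings.append(f"data-ciphers offers legacy ciphers: {', '.join(weak)}")
    elif "cipher" in d:
        cipher = d["cipher"][-1][0].upper()
        if cipher not in STRONG_CIPHERS:
            findings.append(f"cipher {cipher} is legacy; use AES-256-GCM or CHACHA20-POLY1305")
    else:
        findings.append("no cipher set; old releases fall back to BF-CBC")

    auth = d.get("auth", [["SHA1"]])[-1][0].upper()  # SHA1 is OpenVPN's default
    if auth not in STRONG_AUTH:
        findings.append(f"auth {auth} is weak; use SHA256 or stronger")

    if "tls-version-min" not in d:
        findings.append("tls-version-min missing; TLS 1.0 may be negotiated")
    else:
        ver = tuple(int(x) for x in d["tls-version-min"][-1][0].split("."))
        if ver < MIN_TLS:
            findings.append(f"tls-version-min {d['tls-version-min'][-1][0]} allows deprecated TLS")

    if "tls-crypt" not in d and "tls-auth" not in d:
        findings.append("control channel unprotected; add tls-crypt (or tls-auth)")

    for comp in ("comp-lzo", "compress"):
        if comp in d:
            findings.append(f"{comp} enables compression; remove it (VORACLE)")
            break

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {lint_openvpn(conf) or ['OK']}")
```

The same checks translate directly to IKEv2/IPsec or L2TP/IPsec policies (reject 3DES, SHA-1, DH groups below 14, and shared PSKs); the point is that "encrypted" says nothing until the negotiated parameters are inspected.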

When it comes to authentication, the most common mistake is relying solely on a login and password. Even complex credentials can be compromised by automation, phishing, or leaks. The current standard is multi-factor authentication (MFA), preferring methods that resist phishing and interception. The common options, from weakest to strongest:

  • TOTP (Time-based One-Time Password): effective and widely compatible, but a code typed into a fake login page can be relayed to the real one in real time, so on its own it is not phishing-resistant;
  • Push with contextual validation: ties the approval to a specific registered device and shows the login's location or a number to match, which blunts blind approvals;
  • FIDO2/WebAuthn (hardware keys or platform authenticators): the most resistant to social engineering, because the credential is bound to the site's origin and cannot be replayed to another domain.

And an important warning: SMS as a second factor is considered weak by organizations such as NIST (National Institute of Standards and Technology), whose SP 800-63B classes it as a restricted authenticator, and ENISA (European Union Agency for Cybersecurity). The SMS channel is exposed to interception and to SIM swapping (the attacker has the victim's number moved to another SIM card and receives the codes).

Even with modern protocols and robust MFA, VPN security can be undermined by operational flaws. Therefore, in the next section we'll show how exploitable vulnerabilities in well-known products, as well as routine errors, can turn a legitimate connection into a real risk.

3. Flaws that turn VPNs into vulnerabilities

At first glance, a corporate VPN may appear to be doing its job: connection established, traffic encrypted, everything working. But in many cases what is actually in place is only a superficial layer of protection, built on fragile configurations, delayed updates, and little operational visibility.

VPN solutions remain among the targets most exploited by cybercriminals. The KEV (Known Exploited Vulnerabilities) catalog maintained by CISA (Cybersecurity and Infrastructure Security Agency) is full of VPN and edge-appliance entries, and the large majority of that exploitation hits flaws for which a patch already existed but had not been applied.

But the problem isn't limited to vendors: many breaches arise from internal practices. The most common errors include:

  • Credential stuffing: passwords leaked from other services replayed against a VPN portal that has no MFA;
  • MFA fatigue: flooding the user with push prompts until one is approved by mistake or exhaustion;
  • Fragile configurations: unrestricted split tunneling, logging disabled or not retained, and permissive access policies;
  • Forgotten access: accounts, certificates, and pre-shared keys that remain valid after termination or role changes.

These operational flaws are just as dangerous as technical vulnerabilities. An inconsistent security policy or a lack of continuous monitoring can make a VPN a prime entry point for attacks, rather than a barrier.

That's why the focus needs to go beyond the secure tunnel : it's crucial to adopt complementary layers of validation, segmentation, and rapid response that can mitigate the impact even when a credential or endpoint is compromised.

With that in mind, in the next topic we'll see how these extra layers, from Zero Trust to EDR, elevate traditional VPN protection to a new level of resilience.

4. Extra layers: why a VPN alone isn't enough

VPNs remain an important part of securing remote connections. But relying solely on them is like locking the front door and leaving the windows open.

Even though they encrypt traffic in transit, VPNs don't prevent credential theft, session hijacking, or abuse of internal permissions once a user is inside. That's why, in 2025, true security begins beyond the tunnel, with continuous validation, segmentation, and visibility.

4.1. Essential supplementary protections

To maintain secure remote access in distributed and highly dynamic environments, it's necessary to adopt additional layers of security that work seamlessly with the VPN. The most important ones include:

  • Zero Trust Network Access (ZTNA): redefines remote access on the assumption that no connection is trusted by default; authorization is continuous and based on identity, device posture, and context, and users reach individual applications rather than a network segment. Gartner, as cited by Zscaler, predicts that by 2025 at least 70% of new remote access deployments will be served predominantly by ZTNA rather than VPN, reinforcing this trend as the new market standard;
  • Phishing-resistant MFA: the second factor can't be just an SMS code. App-authenticated push with number matching, FIDO2 keys, and contextual validation offer real defenses against social engineering and interception;
  • Privilege management and segmentation: applying the principle of least privilege is essential to reduce the impact of a compromise. Each access grant must be temporary, reviewed, and traceable;
  • Endpoint protection with EDR: user devices remain one of the most targeted links. Endpoint Detection and Response (EDR) solutions monitor and isolate suspicious behavior in real time, reducing the risk of lateral movement.

These measures don't replace VPNs; they strengthen them. Tunnel encryption remains important, but it's only effective if the endpoints are equally trusted and monitored.

4.2. How does Skyone work in practice?

At Skyone, we view cybersecurity as an adaptable architecture, capable of evolving alongside changing environments and threats. This concept is embodied in integrated solutions such as:

  • Cloud Connect: certificate-based authentication, eliminating passwords and drastically reducing the risk of leaked credentials, with immediate revocation in case of compromise;
  • Autosky: incorporates continuous validation and Zero Trust, ensuring each session is authenticated and contextualized, with dynamic segmentation and constant monitoring;
  • SOC Skyone: provides real-time security visibility and intelligence, correlating events and reducing MTTR (Mean Time to Respond), which strengthens the LGPD and GDPR compliance posture.

More than isolated layers, these solutions form a unified security ecosystem that protects remote access without compromising operational agility. And this integration is even more powerful when accompanied by continuous monitoring and active compliance, as we'll see below!

5. Monitoring and compliance: security that never sleeps

Even with modern protocols and additional layers of protection, no environment is truly secure without constant monitoring and continuous response. What goes unnoticed inevitably becomes a breach.

Monitoring goes far beyond checking whether the VPN is "up." The real focus should be on access behavior and the anomalies that reveal real risk, such as:

  • Login attempts outside the user's normal pattern;
  • Unknown devices or IPs trying to access sensitive systems;
  • Anomalous traffic on specific connections, indicating possible data exfiltration;
  • Recurring authentication failures, which may signal automated attacks or credential stuffing .

These signals gain meaning when correlated in a SIEM (Security Information and Event Management) platform operated by a SOC (Security Operations Center), which allows you to:

  • Unify and cross-reference events between multiple sources (VPN, endpoints , cloud, identities);
  • Apply real-time threat intelligence to detect suspicious patterns;
  • Generate actionable alerts based on context, prioritizing what really matters;
  • Reduce MTTR, the mean time between detection and mitigation of an incident.

This continuous visibility not only increases operational efficiency but also improves compliance with regulations such as LGPD and GDPR, which require traceability and active control over personal data and access. To meet these requirements, best practices include:

  • Maintain logs recording access times, source addresses, and identities;
  • Ensure traceability and accountability, so that each connection can be validated and justified;
  • Apply anonymization or pseudonymization wherever possible, replacing personal identifiers in records with tokens so the data is not directly exposed, while keeping the records useful for audits and investigations.
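As an added example (not from the original article or from a Skyone product), the following Python snippet shows keyed pseudonymization of the personal fields in VPN access records: the same user still correlates across events, but the raw identity is not stored in the log. The records, field names, and key are constructed for illustration.

```python
"""Keyed pseudonymization of VPN access records (added example)."""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records; the field names are an assumption, not a product schema.
# Addresses come from the RFC 5737 documentation ranges.
RECORDS: List[Dict[str, str]] = [
    {"ts": "2025-01-10T09:00:00Z", "user": "alice@example.com", "src_ip": "198.51.100.7", "event": "auth_ok"},
    {"ts": "2025-01-10T09:20:00Z", "user": "alice@example.com", "src_ip": "192.0.2.55", "event": "auth_ok"},
    {"ts": "2025-01-10T10:00:00Z", "user": "bob@example.com", "src_ip": "198.51.100.9", "event": "auth_fail"},
]

# Fields that identify a person directly and must not sit in the log store in clear.
PERSONAL_FIELDS = ("user", "src_ip")


def pseudonym(value: str, key: bytes, prefix: str, length: int = 16) -> str:
    """HMAC-SHA256 pseudonym: deterministic under one key, unrecoverable without it.

    A plain hash would not do: usernames and the IPv4 space are small enough to
    brute-force, so the secret key is what stops re-identification from the log alone.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}_{digest[:length]}"


def pseudonymize(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Return a copy of the record with personal fields replaced by pseudonyms."""
    out = dict(record)
    for field in PERSONAL_FIELDS:
        if field in out:
            out[field] = pseudonym(out[field], key, field)
    return out


def pseudonymize_all(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    return [pseudonymize(r, key) for r in records]


def sessions_per_subject(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Correlation still works on pseudonyms: count events per (pseudonymous) user."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


if __name__ == "__main__":
    key = b"hypothetical-key-kept-outside-the-log-store"  # assumption for the example
    protected = pseudonymize_all(RECORDS, key)
    for r in protected:
        print(r)
    print(sessions_per_subject(protected))
```

Keep the key in a secrets store separate from the log platform and rotate it per retention period; an investigator with the key can re-identify a subject, which is exactly why GDPR and LGPD treat this as pseudonymization rather than anonymization.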

These practices strengthen both responsiveness and organizational confidence. They demonstrate technical maturity, data responsibility, and a commitment to a culture of continuous security, values that are now clear competitive differentiators in the market.

Have you reached this point and want to understand how your company can achieve this level of visibility, protection, and compliance without hindering operations? Talk to a Skyone specialist and build a dynamic, proactive, and adaptive security strategy.

FAQ: Frequently asked questions about secure VPN and remote work

Even with the advance of new remote access approaches, VPNs still raise important questions, especially about security, authentication, and compatibility with modern models like Zero Trust.

Below, we've gathered straightforward, up-to-date answers to the most common questions about Secure VPN in the corporate context.

1) OpenVPN, WireGuard or IKEv2: which protocol should I use?

It depends on the scenario and infrastructure. Each protocol has its strengths:

  • WireGuard: lighter and faster, with a lean code base and modern cryptography (ChaCha20-Poly1305). Ideal for mobile devices and links with high latency variation. Native support is still missing on many enterprise appliances, and many NGFWs continue to prioritize IKEv2/IPsec;
  • OpenVPN: broadly compatible, flexible, and mature, with TLS 1.3 support and strong encryption (AES-256-GCM). The most balanced choice for those who need stability and auditability;
  • IKEv2: excellent for mobility and stability on unreliable networks, with automatic reconnection and wide adoption in corporate environments.

In short: OpenVPN and IKEv2 are the most mature for enterprise use, while WireGuard is a great bet for modern environments, as long as compatibility and support are guaranteed.

2) Can I still use SMS as a second factor?

Technically, yes, but it's strongly discouraged. SMS is vulnerable to interception and SIM swapping, where the attacker has the victim's number transferred to another SIM card and receives the authentication codes.

Organizations like NIST and ENISA classify SMS as a weak second factor, unsuitable for sensitive corporate contexts. Instead, use:

  • App-authenticated push (e.g., Okta Verify, Microsoft Authenticator, or Duo Mobile), ideally with number matching;
  • Time-based codes (TOTP);
  • FIDO2 hardware or platform keys, the option most resistant to phishing and interception.

3) How do I know if my VPN is being exploited?

Some signs indicate that your VPN may be compromised or under attack, such as:

  • Login attempts and failures from unusual regions;
  • Simultaneous sessions for the same user from different locations;
  • Anomalous traffic or unusual volume on specific connections;
  • New devices trying to connect without authorization;
  • Known vulnerabilities (CVEs) left unpatched on appliances or servers.

Tip: integrating the VPN with a SIEM and a SOC lets you correlate events, apply threat intelligence, and dramatically reduce MTTR (Mean Time to Respond) by turning isolated signals into contextualized, actionable alerts.
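To make these signals concrete, along with the operational errors listed in section 3 (credential stuffing, MFA fatigue) and the monitoring focus in section 5, here is an added Python example that is not part of the original article: it parses a constructed, simplified VPN authentication log and flags credential stuffing, MFA fatigue, and impossible travel. The log format, field names, thresholds, and time windows are assumptions for the example, not the output or rules of any particular VPN product or SIEM.

```python
"""Correlate VPN authentication events into alerts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log, one event per line: "ts user src_ip country event".
# The format is an assumption for this example; addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
2025-01-10T08:00:01Z alice 203.0.113.10 BR auth_fail
2025-01-10T08:00:02Z bob 203.0.113.10 BR auth_fail
2025-01-10T08:00:03Z carol 203.0.113.10 BR auth_fail
2025-01-10T08:00:04Z dave 203.0.113.10 BR auth_fail
2025-01-10T08:00:05Z erin 203.0.113.10 BR auth_fail
2025-01-10T08:00:06Z frank 203.0.113.10 BR auth_fail
2025-01-10T09:00:00Z alice 198.51.100.7 BR auth_ok
2025-01-10T09:20:00Z alice 192.0.2.55 DE auth_ok
2025-01-10T10:00:00Z bob 198.51.100.9 BR mfa_push_denied
2025-01-10T10:00:30Z bob 198.51.100.9 BR mfa_push_denied
2025-01-10T10:01:00Z bob 198.51.100.9 BR mfa_push_denied
2025-01-10T10:01:30Z bob 198.51.100.9 BR mfa_push_denied
2025-01-10T10:02:00Z bob 198.51.100.9 BR mfa_push_approved
2025-01-10T11:00:00Z carol 198.51.100.12 BR auth_ok
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the sample format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, event = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country, "event": event})
    return sorted(events, key=lambda e: e["ts"])


def credential_stuffing(events, window=timedelta(minutes=5), min_fail=5, min_users=3):
    """One source IP failing against many distinct accounts inside a short window."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "auth_fail":
            by_ip[e["ip"]].append(e)
    for ip, fails in by_ip.items():
        start, best = 0, 0
        for end in range(len(fails)):          # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            chunk = fails[start:end + 1]
            if len(chunk) >= min_fail and len({f["user"] for f in chunk}) >= min_users:
                best = max(best, len(chunk))
        if best:
            alerts.append(f"credential_stuffing ip={ip} failures_in_window={best}")
    return alerts


def mfa_fatigue(events, window=timedelta(minutes=10), min_pushes=3):
    """A burst of denied pushes for one user that ends in an approval."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["event"].startswith("mfa_push_"):
            by_user[e["user"]].append(e)
    for user, pushes in by_user.items():
        for i, p in enumerate(pushes):
            if p["event"] != "mfa_push_approved":
                continue
            recent = [q for q in pushes[:i]
                      if q["event"] == "mfa_push_denied" and p["ts"] - q["ts"] <= window]
            if len(recent) >= min_pushes:
                alerts.append(f"mfa_fatigue user={user} denied={len(recent)} then approved ip={p['ip']}")
    return alerts


def impossible_travel(events, window=timedelta(hours=1)):
    """Successful logins for one user from different countries too close together."""
    alerts = []
    last_ok: Dict[str, Dict] = {}
    for e in events:
        if e["event"] != "auth_ok":
            continue
        prev = last_ok.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            minutes = int((e["ts"] - prev["ts"]).total_seconds() // 60)
            alerts.append(f"impossible_travel user={e['user']} {prev['country']}->{e['country']} in {minutes} min")
        last_ok[e["user"]] = e
    return alerts


def detect(text: str) -> List[str]:
    """Run all three correlations over a log and return the combined alerts."""
    events = parse_log(text)
    return credential_stuffing(events) + mfa_fatigue(events) + impossible_travel(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In a SIEM these become correlation rules rather than a script, and the thresholds must be tuned to the environment (a shared office NAT address, for instance, legitimately produces failures for many users). The "simultaneous sessions from different locations" sign is the same check as impossible travel with a window close to zero.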

4) Is it safe to access SaaS without a VPN?

Yes, as long as access is controlled and validated by strong identity policies. Modern SaaS applications don't need a VPN, but going without one is only secure when:

  • Robust multi-factor authentication (MFA) is enforced;
  • Identities are centralized through SSO (Single Sign-On), reducing the attack surface of scattered credentials;
  • A CASB (Cloud Access Security Broker) governs traffic between users and cloud applications, providing visibility and compliance controls;
  • User and device behavior is continuously monitored.

For legacy systems or critical data, VPN and access segmentation are still essential, especially when there is no native support for modern authentication or logging .

5) Does a VPN replace Zero Trust?

No. VPN and Zero Trust (ZTNA) play different but complementary roles. A VPN creates an encrypted tunnel between the user and the network but does not continuously validate context, device posture, or access behavior. ZTNA assumes no connection is trusted by default and applies dynamic checks to each request.

Ideally, combine both: use the VPN to secure the communication channel and ZTNA to continuously validate access, reducing privileges and expanding contextual control.

Author

  • Caco Alcoba

    With extensive experience in cybersecurity, Caco Alcoba is a true guardian of the digital world. In Skyone's "Caco do Caco" column, he shares sharp analysis of cyber threats, data protection, and strategies for keeping a constantly evolving digital environment secure.

How can we help your company?

With Skyone, you can sleep soundly. We deliver end-to-end technology on a single platform so your business can scale without limits. Learn more!