How to Set Up a Business VPN for Remote Workers

A practical guide to choosing and deploying a business VPN for remote employees — covering hardware, software, and cloud-based options.

J.D. Sweeney · April 21, 2026 · 8 min read

Remote workers need access to internal resources — file shares, printers, line-of-business applications, servers — without those resources being exposed directly to the internet. A business VPN solves that problem by creating an encrypted tunnel between the remote worker and the office network. This guide covers the three main approaches, how to choose between them, and how to get a basic setup running.

VPN Approaches: Three Options

Not all business VPNs work the same way. The right approach depends on your infrastructure, budget, and technical resources.

Option 1: Router-Based VPN (On-Premises)

Many business-grade routers and firewalls include built-in VPN server capability — no additional software or subscription needed. The remote worker installs a VPN client on their device, connects to your office router’s public IP address, authenticates, and gets routed onto the office LAN as if they were sitting at a desk.

Common protocols:

  • OpenVPN — open source, highly compatible, works on all platforms, requires a bit more configuration
  • WireGuard — newer, faster, simpler to configure, built into Linux kernels and increasingly available on commercial routers
  • IPsec/IKEv2 — older standard, natively supported on iOS and macOS, common on Cisco and Fortinet devices
  • SSL VPN / SSTP — runs over HTTPS (port 443), tunnels through firewalls that block other VPN ports

Hardware that supports built-in VPN:

  • Ubiquiti UniFi routers (WireGuard and OpenVPN via UniFi Network)
  • pfSense / OPNsense (open-source firewall appliances — highly capable)
  • Cisco RV series and Meraki (SMB-focused, strong feature set)
  • Fortinet FortiGate (excellent but more expensive)
  • GL.iNet travel routers (useful for small offices and home labs)

Best for: Offices that already have a capable router/firewall and a static IP address (or dynamic DNS), and an IT person comfortable with basic network configuration.

Option 2: Cloud-Managed Business VPN Service

Instead of running your own VPN server, you subscribe to a business VPN platform that hosts the infrastructure for you. Employees connect to the service, and the service provides access to your office network via a secure gateway — or just provides encrypted internet access depending on how it’s configured.

Popular platforms:

  • NordLayer (formerly NordVPN Teams) — clean admin console, good for 5–50 users
  • Perimeter 81 / Check Point Harmony Connect — zero-trust architecture, good policy controls
  • Cloudflare Access / WARP for Teams — zero-trust network access, free tier available, excellent performance
  • Cisco AnyConnect (Secure Client) — enterprise-grade, widely used in hybrid environments
  • Twingate — connector-based, avoids exposing office IP, very easy to deploy

Pricing: Most cloud VPN services charge per user per month, typically $7–$15/user. For 5–10 remote workers, this is often cheaper than the IT labor required to manage an on-premises solution.

Best for: Businesses without a dedicated IT person, those who want minimal ongoing maintenance, or organizations that need zero-trust access controls.

Option 3: Remote Desktop Gateway (Not a Full VPN)

It’s worth distinguishing a true VPN from remote desktop tools. Products like TeamViewer, AnyDesk, and Microsoft Remote Desktop give users access to a specific computer rather than the whole network. These are simpler to set up but don’t provide general network access. If your remote workers only need access to one machine, a remote desktop gateway may be sufficient — and much simpler.

Setting Up a Router-Based VPN: WireGuard Example

WireGuard is now the best starting point for most small business VPN setups — it’s faster than OpenVPN, uses modern cryptography, and is simpler to configure. Here’s the general process for a router like Ubiquiti UniFi or a pfSense appliance.

Prerequisites

  • A business router/firewall with WireGuard support
  • A static public IP address at the office, or a dynamic DNS (DDNS) hostname pointing to your office IP (services like DynDNS or Cloudflare DDNS work well)
  • Admin access to the router

Step 1: Enable WireGuard on the Router

In UniFi Network, navigate to Settings > VPN > VPN Server and enable WireGuard. The router generates a key pair automatically and opens UDP port 51820 by default.

In pfSense/OPNsense, go to VPN > WireGuard, enable the service, create a tunnel with a local address (e.g., 10.0.200.1/24), and note the public key.

Step 2: Create a Client Configuration

For each remote user, generate a client configuration file. This includes:

  • The client’s private/public key pair
  • The server’s public key and endpoint (your office IP or DDNS hostname + port)
  • The IP address assigned to the client within the VPN subnet (e.g., 10.0.200.2/32)
  • Allowed IPs — either your office LAN range only (split tunnel) or 0.0.0.0/0 (full tunnel, routes all traffic through the office)

UniFi generates a QR code and config file for each user. Because the file contains the client’s private key, deliver it over a secure channel and treat it like a password. pfSense requires manual export.

Step 3: Open the Firewall Port

Make sure UDP port 51820 is open on your router’s WAN-facing firewall, and that it is the only port opened for the VPN. If your ISP blocks UDP traffic on that port, you can change WireGuard to listen on any other UDP port.

Step 4: Install WireGuard on the Remote Device

WireGuard has official clients for Windows, macOS, iOS, Android, and Linux — all free. The user imports the configuration file (or scans the QR code on mobile), and clicks Connect.

Step 5: Test the Connection

Once connected, the remote user should be able to ping internal IP addresses and access file shares using UNC paths (\\server\share) or mapped drives. If ping works but file shares don’t, check Windows Firewall rules on the file server to ensure the VPN subnet is in the trusted zone.

Split Tunnel vs. Full Tunnel

This is a critical decision with real tradeoffs:

Split tunnel routes only traffic destined for the office LAN through the VPN. Everything else (internet browsing, streaming) goes directly to the internet from the user’s device. This reduces bandwidth load on your office connection and gives better performance, but means you have no visibility into what users are doing online.

Full tunnel routes all traffic through the VPN. The office internet connection becomes the user’s gateway. This lets you enforce web filtering and content policies on remote workers, but increases bandwidth usage at the office and adds latency to everyday internet browsing.

For most small businesses, split tunnel is the right default. Full tunnel makes sense if you have compliance requirements (HIPAA, PCI) or you’re in a regulated industry that requires monitoring all network traffic.
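
An added example (not from the original article or from any vendor): a Python check for the client configuration described in Step 2 that reports whether it is split or full tunnel and flags routes outside the office ranges. The office LAN 192.168.1.0/24, the hostname, and the key placeholders are assumptions; the VPN subnet follows the 10.0.200.0/24 example above.

```python
import configparser
import ipaddress

# Constructed sample client config. Keys and hostname are placeholders and
# 192.168.1.0/24 is an assumed office LAN; 10.0.200.0/24 is the VPN subnet.
SAMPLE_CLIENT_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.200.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.200.0/24, 192.168.1.0/24
"""

def review_client_conf(text, office_lan="192.168.1.0/24",
                       vpn_subnet="10.0.200.0/24"):
    """Return (tunnel_mode, findings) for a single-peer client config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    expected = [ipaddress.ip_network(office_lan),
                ipaddress.ip_network(vpn_subnet)]
    allowed = [ipaddress.ip_network(a.strip(), strict=False)
               for a in cp["Peer"]["AllowedIPs"].split(",") if a.strip()]
    findings = []
    # A /0 route (0.0.0.0/0 or ::/0) sends everything through the office.
    mode = "full" if any(n.prefixlen == 0 for n in allowed) else "split"
    if mode == "split":
        for n in allowed:
            if not any(n.subnet_of(e) for e in expected
                       if n.version == e.version):
                findings.append(f"AllowedIPs {n} is not within the office ranges")
    addr = ipaddress.ip_interface(
        cp["Interface"]["Address"].split(",")[0].strip())
    if addr.network.prefixlen != addr.max_prefixlen:
        findings.append(f"client Address {addr} should be a single host")
    if addr.version == 4 and addr.ip not in expected[1]:
        findings.append(f"client Address {addr.ip} is outside {vpn_subnet}")
    return mode, findings

if __name__ == "__main__":
    print(review_client_conf(SAMPLE_CLIENT_CONF))
```

Run it against each exported client file before handing it out; an unexpected "full" result or a non-empty findings list means the config does not match the tunnel policy you intended.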

Security Best Practices

Once your VPN is running, tighten it up:

  • Require MFA for VPN authentication. Most business-grade VPN solutions support RADIUS, LDAP, or TOTP-based MFA. A stolen VPN credential is only useful if the attacker also has the second factor.
  • Limit access by user role. Not every remote employee needs access to the entire network. Create firewall rules that restrict VPN users to only the subnets and ports they actually need.
  • Log VPN connections. Most routers and cloud VPN platforms log connection timestamps, source IPs, and data transfer. Review these periodically for anomalous logins.
  • Revoke credentials immediately when an employee leaves. VPN access is a significant privilege — departing employees should have accounts disabled on their last day.
  • Keep the VPN server firmware patched. VPN endpoints are Internet-facing and regularly targeted. Subscribe to your vendor’s security advisories.
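
An added example (not from the original article) of the periodic log review and offboarding check described above: it flags connections by accounts that are no longer on the active roster, logins from a source IP a user has not used before, and transfers far above a user's earlier sessions. The log layout, user names, and roster are constructed assumptions; map the columns to whatever your router or VPN platform exports.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: timestamp,user,source_ip,bytes.
# IP addresses are from the documentation ranges.
SAMPLE_LOG = """\
2026-04-13T08:58:10,alice,203.0.113.10,48211003
2026-04-14T09:02:44,alice,203.0.113.10,51200417
2026-04-14T09:15:02,bob,198.51.100.7,1200345
2026-04-15T03:12:09,alice,192.0.2.55,903311822
2026-04-16T22:40:31,carol,198.51.100.23,7712
"""

ACTIVE_USERS = {"alice", "bob"}  # hypothetical roster; carol has left

def review_vpn_log(log_text, active_users, size_factor=10):
    """Return (timestamp, user, reason) tuples worth a closer look."""
    seen_ips = defaultdict(set)   # source IPs each user has connected from
    max_bytes = defaultdict(int)  # largest earlier session per user
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        ts, user, src, nbytes = row
        nbytes = int(nbytes)
        if user not in active_users:
            # Should be impossible once credentials are revoked.
            findings.append((ts, user, "account not on active roster"))
            continue
        if seen_ips[user] and src not in seen_ips[user]:
            findings.append((ts, user, f"new source IP {src}"))
        if max_bytes[user] and nbytes > size_factor * max_bytes[user]:
            findings.append((ts, user, "transfer far above user baseline"))
        seen_ips[user].add(src)
        max_bytes[user] = max(max_bytes[user], nbytes)
    return findings

if __name__ == "__main__":
    for finding in review_vpn_log(SAMPLE_LOG, ACTIVE_USERS):
        print(finding)
```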

Choosing the Right Approach for Your Business

Situation | Best Approach
1–3 remote workers, capable router already in place | Router-based VPN (WireGuard or OpenVPN)
5–25 remote workers, no dedicated IT | Cloud-managed VPN (NordLayer, Twingate)
Need access only to one office PC | Remote Desktop (RDP, TeamViewer)
Compliance requirements (HIPAA, PCI) | Cloud zero-trust platform or managed firewall + VPN
Mixed remote and in-office, large team | Site-to-site VPN + cloud identity provider

A business VPN doesn’t have to be complex to set up. For most small offices with five or fewer remote workers, WireGuard on an existing router takes under an hour to configure. For larger teams or those without in-house IT, a cloud-managed VPN service costs less per month than an hour of consultant time and requires no ongoing server management.
