How to Set Up a VPN for Secure Remote Access to Your Office Network

Jeremy Phillips·February 4, 2026·6 min read·intermediate

A VPN (Virtual Private Network) creates an encrypted tunnel between a remote employee's device and your office network, allowing them to access internal resources like file servers, printers, and on-premises applications as if they were sitting in the office. Setting up a proper business VPN requires a capable firewall or router, a clear plan for who needs access to what, and the right authentication to keep unauthorized users out.

Before diving into the setup steps, it is worth asking whether your business actually needs a traditional VPN at all. Many small businesses have moved entirely to cloud-based tools, which changes the equation significantly.

Do You Actually Need a VPN?

A VPN is necessary when employees need to reach resources that are physically located in your office: file servers, on-premises line-of-business applications, network printers, or IP-based security camera systems. If people need to access something that lives on your office network, a VPN is the way to get there securely.

However, if all of your business applications are cloud-based, you may not need a VPN at all. For businesses running on Microsoft 365 Business Premium, Conditional Access policies through Entra ID can secure access to cloud applications without routing traffic through your office. Instead of tunneling all traffic through a VPN, Conditional Access verifies the user's identity, device compliance (through Intune), and location before granting access to cloud resources like SharePoint, Teams, OneDrive, and email. This approach is simpler to manage and often more secure than a traditional VPN because it does not rely on a single point of entry that an attacker could target.

The honest answer for many small businesses is a hybrid: use Conditional Access for cloud applications and a VPN only for the few on-premises resources that still require it. This reduces the load on your VPN, simplifies the employee experience, and keeps your attack surface smaller.

What You'll Need

If you do need a VPN, gather the following before you start:

A business-grade firewall or router that supports VPN. Consumer routers do not have the processing power or security features for business VPN use. Look for hardware from FortiGate, SonicWall, Ubiquiti, or Cisco Meraki. These include built-in VPN server capabilities and the management tools to configure them properly.

A static public IP address from your ISP. Your VPN clients need a consistent address to connect to. If your ISP only provides a dynamic IP, you can use a dynamic DNS (DDNS) service as an alternative, though a static IP is more reliable.

An identity provider that supports multi-factor authentication (MFA). If your business uses Microsoft 365, you already have Entra ID, which can serve as your identity provider for VPN authentication. This means employees use their Microsoft 365 credentials and MFA to connect, rather than managing a separate set of VPN passwords.

A list of employees who need remote access and what they need to reach. Not everyone needs VPN access, and not everyone who needs VPN access needs to reach everything on the network. Define this upfront.

VPN Types for Small Businesses

There are a few different VPN configurations. Understanding the differences will help you choose the right one for your situation.

Client-to-site VPN is the most common setup for small businesses. Each employee installs a VPN client application on their device (laptop, desktop, or phone), and that client connects them to the office network over an encrypted tunnel. When the employee is done working, they disconnect.

Site-to-site VPN connects two office networks together permanently. For example, if your company has a main office and a satellite location, a site-to-site VPN links them so devices on either network can communicate as if they were in the same building. This runs continuously and does not require individual employees to connect or disconnect.

SSL VPN (today really TLS VPN) uses the same TLS encryption that secures HTTPS traffic such as online banking. Because it runs over TCP port 443 like any web traffic, it works through virtually any firewall and does not require special network configuration on the employee's side, which makes it the preferred option for most small businesses. Employees can connect from home, coffee shops, or hotels without running into blocked ports.

IPsec VPN provides strong encryption and is well-suited for site-to-site connections, but it can be more complex to set up for individual users. Some public networks (hotels, airports, conference Wi-Fi) block IPsec traffic, which can prevent employees from connecting. For client-to-site VPN, SSL is usually the better choice.

Step 1: Configure VPN on Your Firewall

Log in to your firewall's admin interface. The exact navigation varies by manufacturer, but here is the general process:

Navigate to the VPN section of the firewall's settings. On a FortiGate, this is under VPN > SSL-VPN Settings. On a SonicWall, look under VPN > SSL VPN > Server Settings. On Ubiquiti, navigate to Settings > VPN.

Enable the VPN server feature and select your VPN type (SSL VPN is recommended for client-to-site access). Configure the listening interface to use your firewall's public IP address or your dynamic DNS hostname.

Set the VPN address pool, which is the range of IP addresses assigned to VPN clients when they connect. This should be a different subnet from your office network. For example, if your office network is 192.168.1.0/24, assign VPN clients to 10.10.10.0/24.

Configure split tunneling vs. full tunneling. Split tunneling only routes office-bound traffic through the VPN; everything else (web browsing, streaming) goes directly through the employee's home internet. This is faster for the user and reduces load on your office internet connection. Full tunneling routes all traffic through the VPN, which gives you more visibility and control but uses more of your office bandwidth. For most small businesses, split tunneling is the practical choice.

Require multi-factor authentication for VPN connections. Integrate your VPN with Entra ID or a RADIUS server so employees authenticate with their Microsoft 365 credentials and MFA. A password alone is not sufficient for VPN access; compromised credentials are one of the most common ways attackers gain access to business networks.
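Two of the choices in Step 1, the address pool and split versus full tunneling, are easy to sanity-check before touching the firewall. The following Python function is an added illustration written for this article, not vendor code: it rejects a pool that overlaps an office subnet, checks that the pool is large enough for the expected number of clients (a constructed requirement, not from the page), and returns the routes a client would receive under each tunneling mode.

```python
import ipaddress

def plan_vpn_addressing(office_subnets, vpn_pool, max_clients, split_tunnel=True):
    """Check the VPN address pool against the office subnets and return the
    routes to push to clients: the office subnets for split tunneling, or a
    default route for full tunneling. Raises ValueError on a bad plan."""
    # Merge adjacent office subnets so the pushed route list stays short.
    office = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in office_subnets))
    pool = ipaddress.ip_network(vpn_pool)
    for net in office:
        # An overlapping pool means office hosts treat VPN clients as local
        # and their replies never come back through the firewall.
        if pool.overlaps(net):
            raise ValueError(f"VPN pool {pool} overlaps office subnet {net}")
    # Network and broadcast addresses are never handed out to clients.
    usable = pool.num_addresses - 2
    if usable < max_clients:
        raise ValueError(f"pool {pool} has {usable} usable addresses "
                         f"for {max_clients} clients")
    if split_tunnel:
        routes = office  # only office-bound traffic enters the tunnel
    else:
        routes = [ipaddress.ip_network("0.0.0.0/0")]  # all traffic enters
    return [str(r) for r in routes]

if __name__ == "__main__":
    # The article's own example: office on 192.168.1.0/24, clients on 10.10.10.0/24
    print(plan_vpn_addressing(["192.168.1.0/24"], "10.10.10.0/24", 50))
```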

Step 2: Create User Accounts and Access Policies

Rather than giving every VPN user full access to the entire office network, define access policies based on the principle of least privilege: each user should only be able to reach the resources they need.

If your firewall supports integration with Entra ID or Active Directory, connect it so that user accounts and group memberships are managed in one place. Create user groups based on access needs. For example, an "Accounting" group might have VPN access to the accounting server and file share, while a "General Staff" group might only access shared file storage.

Block VPN access to sensitive systems like domain controllers, backup servers, and management interfaces unless specifically required. Define these rules in the firewall's VPN access policy before any users connect.

Step 3: Deploy the VPN Client to Employees

Each employee who needs VPN access will need the VPN client software installed on their device. The client software is specific to your firewall brand:

  • FortiGate uses FortiClient VPN
  • SonicWall uses SonicWall Mobile Connect or NetExtender
  • Cisco Meraki uses Cisco AnyConnect
  • Ubiquiti uses the built-in VPN client in the operating system (L2TP/IPsec or WireGuard)

Download the client from your firewall vendor's website and install it on each employee's device. Configure the connection with your firewall's public IP address (or DDNS hostname), the authentication method, and MFA settings.

If your devices are managed through Microsoft Intune, you can push the VPN client and its configuration to devices automatically. This means employees do not need to configure anything manually; the VPN profile appears on their device ready to use. Intune can also enforce that only compliant devices (up-to-date, encrypted, with active endpoint protection) are allowed to connect.

Test each employee's connection before considering the deployment complete. Have them connect from outside the office network and verify they can reach the specific internal resources they need.

Step 4: Secure the VPN

A VPN that is not properly secured can become an entry point for attackers. Follow these steps to lock it down:

Require MFA for every connection. This is non-negotiable. If an employee's password is compromised through phishing or a data breach, MFA is the layer that prevents the attacker from connecting to your network.

Set session timeouts. Configure idle VPN connections to disconnect automatically after a period of inactivity, such as 30 minutes. This prevents sessions from staying open indefinitely when an employee walks away from their computer.

Enable logging. Turn on VPN connection logging so you have a record of who connected, when, from where, and for how long. This is important for both troubleshooting and security investigations.

Keep firmware updated. VPN vulnerabilities in firewalls are a common attack vector. When your firewall vendor releases a firmware update, apply it promptly. Subscribe to your vendor's security advisories so you are aware of critical patches.

Disable unused VPN protocols. If you are using SSL VPN, disable IPsec VPN (and vice versa) to reduce your attack surface. Every enabled service is a potential target.

Monitor for unusual activity. Watch for VPN connections from unexpected locations, connections at unusual hours, repeated failed authentication attempts, or a single account connecting from multiple locations simultaneously. These are signs of compromised credentials. If your business uses Huntress Managed EDR, their 24/7 SOC can help identify suspicious activity that correlates with VPN access patterns.
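The four warning signs above can be turned into simple detection logic over the VPN logs enabled earlier. The Python below is an added example for this article, not output from any firewall or from Huntress: it runs over constructed sample log lines (the `user=`/`src=`/`geo=`/`result=` format and the UTC business-hours window are assumptions) and flags logins from unexpected countries, logins outside business hours, repeated authentication failures, and one account connecting from two different source addresses within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN log, one event per line, in time order (not real data).
SAMPLE_LOG = """\
2026-02-04T03:14:22Z user=carol src=192.0.2.44 geo=RO result=success
2026-02-04T13:02:11Z user=alice src=198.51.100.7 geo=US result=success
2026-02-04T13:05:40Z user=bob src=203.0.113.9 geo=US result=failure
2026-02-04T13:05:52Z user=bob src=203.0.113.9 geo=US result=failure
2026-02-04T13:06:03Z user=bob src=203.0.113.9 geo=US result=failure
2026-02-04T13:06:15Z user=bob src=203.0.113.9 geo=US result=failure
2026-02-04T13:06:30Z user=bob src=203.0.113.9 geo=US result=failure
2026-02-04T13:20:05Z user=alice src=192.0.2.88 geo=US result=success
"""

def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_vpn_anomalies(log_text, allowed_geos, business_hours=(7, 20),
                         fail_threshold=5, window=timedelta(minutes=30)):
    """Return (user, reason) alerts for the indicators the article lists."""
    alerts = []
    failures = defaultdict(int)        # user -> failed attempt count
    successes = defaultdict(list)      # user -> [(ts, src)] of logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ts = ev["user"], ev["ts"]
        if ev["result"] != "success":
            failures[user] += 1
            continue
        if ev["geo"] not in allowed_geos:
            alerts.append((user, f"login from unexpected location {ev['geo']}"))
        if not business_hours[0] <= ts.hour < business_hours[1]:   # hours are UTC here
            alerts.append((user, f"login at unusual hour {ts:%H:%M}Z"))
        for prev_ts, prev_src in successes[user]:
            if prev_src != ev["src"] and ts - prev_ts <= window:
                alerts.append((user, f"connected from {prev_src} and {ev['src']} within {window}"))
                break
        successes[user].append((ts, ev["src"]))
    for user, count in failures.items():
        if count >= fail_threshold:
            alerts.append((user, f"{count} failed authentication attempts"))
    return alerts
```

In practice the allowed-country list and hours come from your own staff roster, and the same checks map directly onto a SIEM or EDR alert rule.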

Common Issues and Fixes

"VPN connects but I can't access anything." The VPN tunnel is up, but traffic is not routing correctly. Check the VPN access policy and firewall rules. Verify that the VPN address pool has routes to the internal subnets the user needs to reach.

Slow VPN performance. VPN encryption is processor-intensive. Check your firewall's CPU usage during peak VPN hours. If it is consistently above 80 percent, your firewall may not have enough processing power for the number of concurrent VPN users. Switching to split tunneling can also significantly reduce VPN load by keeping non-office traffic off the tunnel.

VPN won't connect from a hotel or public network. Some networks block VPN protocols, especially IPsec. If this is a recurring problem, switch to SSL VPN, which uses port 443 (the same port as regular HTTPS web traffic) and is almost never blocked.

Employee forgot their VPN password. If your VPN is integrated with Entra ID, the VPN password is the employee's Microsoft 365 password. They can reset it at aka.ms/sspr without IT involvement. If VPN authentication is managed separately on the firewall, an admin will need to reset the password in the firewall's user management.

Need Help?

Setting up a secure VPN involves coordinating your firewall, identity provider, and device management. If you want help getting it right the first time, or if you are wondering whether Conditional Access could replace your VPN entirely, contact Athencia. We will evaluate your setup and recommend the right approach.
