VPN Technologies: IPsec, SSL VPN, WireGuard, DMVPN, ZTNA และ VPN Architecture
VPN technologies build secure tunnels for connecting remote users and sites. IPsec is the standard for site-to-site VPN, SSL VPN provides remote access through a browser or a client, WireGuard is a modern, lightweight VPN protocol, DMVPN builds a dynamic mesh VPN between sites, ZTNA is the next-generation replacement for traditional VPN, and VPN architecture is about choosing the deployment that fits each scenario.
VPN has been the backbone of remote connectivity for more than 20 years: site-to-site VPN links branch offices, and remote access VPN lets employees work from home. But traditional VPN has problems: it grants full network access (no least privilege), performance suffers (hairpinned traffic through a concentrator), and management is complex → ZTNA is replacing it with per-application access control.
VPN Protocol Comparison
| Protocol | Type | Speed | Security | Best For |
|---|---|---|---|---|
| IPsec (IKEv2) | Site-to-Site / Remote | Fast (hardware acceleration) | Strong (AES-256, SHA-256) | Site-to-site, enterprise remote access |
| SSL/TLS VPN | Remote Access | Moderate | Strong (TLS 1.3) | Clientless browser access, BYOD |
| WireGuard | Remote Access / Site-to-Site | Fastest (kernel-level) | Strong (ChaCha20, Curve25519) | Modern remote access, Linux/mobile |
| OpenVPN | Remote Access / Site-to-Site | Moderate (userspace) | Strong (configurable) | Cross-platform, open source |
| L2TP/IPsec | Remote Access | Moderate | Strong (IPsec encryption) | Legacy compatibility |
| DMVPN | Site-to-Site (dynamic mesh) | Fast | Strong (IPsec) | Many-to-many site connectivity |
IPsec Deep Dive
| Feature | Details |
|---|---|
| Phase 1 (IKE SA) | Authenticate peers → establish a secure channel (IKE SA) for negotiation |
| Phase 2 (IPsec SA) | Negotiate encryption/integrity for data traffic → create the IPsec tunnel |
| IKEv1 vs IKEv2 | IKEv2: faster (fewer messages), MOBIKE (roaming), built-in NAT-T, more reliable |
| Tunnel Mode | Encrypt the entire original IP packet + add a new IP header → site-to-site (most common) |
| Transport Mode | Encrypt only the payload → host-to-host (L2TP/IPsec, within the same network) |
| ESP vs AH | ESP: encrypt + authenticate (standard); AH: authenticate only (no encryption, rare) |
| PFS (Perfect Forward Secrecy) | New DH key exchange per Phase 2 → compromise of one session ≠ compromise of others |
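The Phase 1 / Phase 2 rows above describe what is negotiated; the practical question for a defender is whether the proposals a gateway accepts are strong and whether Phase 2 actually carries its own DH group (PFS). The following script is an added example, not code from the article or from any vendor. It assumes the strongSwan proposal syntax `cipher-integrity-dhgroup` with comma-separated alternatives (for example `aes256-sha256-modp2048`), and the weak/strong classification is the example's own policy, not a vendor default.

```python
"""Audit IKE and ESP proposal strings for weak transforms and missing PFS.

Added example, not code from the original article. It assumes the strongSwan
proposal syntax "cipher-integrity-dhgroup" with comma-separated alternatives;
the weak/strong classification below is this example's own policy.
"""
from dataclasses import dataclass

# Transforms a defender should flag today (example policy, not a vendor list).
WEAK_ENC = {"des", "3des", "null", "blowfish128", "blowfish256", "cast128"}
WEAK_INTEG = {"md5", "sha1", "sha1_160"}
WEAK_DH = {"modp768", "modp1024", "modp1536"}          # IKE groups 1, 2, 5
AEAD_PREFIXES = ("aes128gcm", "aes192gcm", "aes256gcm",
                 "aes128ccm", "aes256ccm", "chacha20poly1305")


@dataclass
class Finding:
    proposal: str
    severity: str
    message: str


def classify(transform: str) -> str:
    """Sort a transform token into its role: DH group, PRF, integrity, or cipher."""
    t = transform.lower()
    if t.startswith(("modp", "ecp", "curve25519", "x25519", "curve448", "x448")):
        return "dh"
    if t.startswith("prf"):
        return "prf"
    if t.startswith(("sha", "md5", "aesxcbc", "aescmac")):
        return "integ"
    return "enc"


def audit_proposal(kind: str, proposal: str) -> list:
    """kind is "ike" (Phase 1 / IKE SA) or "esp" (Phase 2 / IPsec SA)."""
    findings = []
    for alt in proposal.split(","):
        alt = alt.strip()
        parts = [p for p in alt.split("-") if p]
        roles = {r: [p for p in parts if classify(p) == r] for r in ("enc", "integ", "dh")}
        for p in roles["enc"]:
            if p.lower() in WEAK_ENC:
                findings.append(Finding(alt, "high", f"obsolete cipher {p}"))
        for p in roles["integ"]:
            if p.lower() in WEAK_INTEG:
                findings.append(Finding(alt, "medium", f"weak integrity algorithm {p}"))
        for p in roles["dh"]:
            if p.lower() in WEAK_DH:
                findings.append(Finding(alt, "high", f"weak DH group {p} (below 2048-bit)"))
        aead = any(p.lower().startswith(AEAD_PREFIXES) for p in roles["enc"])
        if not aead and not roles["integ"]:
            findings.append(Finding(alt, "high", "non-AEAD cipher without an integrity algorithm"))
        # A Phase 2 proposal without its own DH group reuses Phase 1 key
        # material: that is "PFS disabled" in the terms of the IPsec table.
        if kind == "esp" and not roles["dh"]:
            findings.append(Finding(alt, "medium", "no DH group in ESP proposal: PFS disabled"))
        if kind == "ike" and not roles["dh"]:
            findings.append(Finding(alt, "high", "IKE proposal has no DH group"))
    return findings


def audit_conn(conn_text: str) -> list:
    """Scan the ike=/esp= lines of an ipsec.conf-style conn block."""
    findings = []
    for line in conn_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key in ("ike", "esp"):
            findings.extend(audit_proposal(key, value))
    return findings


# Constructed sample conn blocks: a legacy one and a hardened one.
LEGACY = """conn branch-legacy
    keyexchange=ikev1
    ike=3des-sha1-modp1024
    esp=3des-sha1"""
HARDENED = """conn branch-hardened
    keyexchange=ikev2
    ike=aes256gcm16-prfsha384-ecp384
    esp=aes256gcm16-ecp384"""

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, [f"{f.severity}: {f.message}" for f in audit_conn(text)])
```

Running it prints six findings for the legacy block (3DES and SHA-1 in both phases, group 2 in IKE, and no PFS in ESP) and none for the hardened one. The same checks port to other vendors by swapping the parser in `audit_conn` for one that reads their transform-set syntax.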
SSL VPN
| Feature | Details |
|---|---|
| Clientless | Access web applications through a browser (HTTPS portal) — no software install |
| Full Tunnel | Client software builds a full tunnel → all traffic goes through the VPN (like IPsec remote access) |
| Split Tunnel | Corporate traffic → VPN; Internet traffic → direct (better performance, less load on the gateway) |
| Port | TCP 443 (HTTPS) → works through most firewalls/proxies (firewall-friendly) |
| Products | Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet FortiClient, Pulse Secure |
| Advantage | Easy deployment (browser-based), works on BYOD, granular access control |
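The full-tunnel versus split-tunnel rows are really a routing decision made on the client: which destinations get a route into the tunnel and which keep using the local default route. The following is an added example, not code from the article or from any vendor client; it models that decision with longest-prefix matching, lists which destinations bypass the corporate gateway (and therefore its inspection) in split mode, and adds one check practitioners ask for: whether a pushed corporate prefix collides with the user's home or hotel LAN. The prefixes are constructed.

```python
"""Model the split-tunnel vs full-tunnel routing decision of an SSL VPN client.

Added example, not code from the original article or any vendor client. The
route representation and the LAN-overlap check are this example's own; real
clients receive the corporate prefixes from the gateway's policy.
"""
import ipaddress


def build_routes(corp_prefixes, mode):
    """Return (network, next_hop) pairs the client would install.

    mode="full":  everything goes through the VPN (0.0.0.0/0 via tunnel).
    mode="split": only the corporate prefixes go through the tunnel.
    """
    if mode == "full":
        return [(ipaddress.ip_network("0.0.0.0/0"), "vpn")]
    if mode == "split":
        return [(ipaddress.ip_network(p), "vpn") for p in corp_prefixes]
    raise ValueError(f"unknown tunnel mode {mode!r}")


def next_hop(routes, dst):
    """Longest-prefix match; anything unmatched leaves via the local default route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, hop)
    return best[1] if best else "direct"


def bypasses_inspection(routes, destinations):
    """Destinations that never touch the corporate gateway under these routes."""
    return [d for d in destinations if next_hop(routes, d) == "direct"]


def lan_overlap(corp_prefixes, local_lan):
    """Corporate prefixes that collide with the user's home/hotel LAN.

    A non-empty result means the tunnel route captures local traffic
    (printers, NAS) or, depending on metrics, the LAN route shadows a
    corporate subnet; either way the user sees an unexplained outage.
    """
    lan = ipaddress.ip_network(local_lan)
    return [p for p in corp_prefixes if ipaddress.ip_network(p).overlaps(lan)]


# Constructed corporate address plan for the demo.
CORP = ["10.0.0.0/8", "172.16.0.0/12", "192.168.100.0/24"]

if __name__ == "__main__":
    split = build_routes(CORP, "split")
    full = build_routes(CORP, "full")
    for dst in ("10.20.1.5", "172.31.4.4", "93.184.216.34"):
        print(dst, "split ->", next_hop(split, dst), "| full ->", next_hop(full, dst))
    print("bypasses inspection in split mode:", bypasses_inspection(split, ["8.8.8.8", "10.1.1.1"]))
    print("overlap with home LAN 192.168.100.0/24:", lan_overlap(CORP, "192.168.100.0/24"))
```

The `bypasses_inspection` list is the trade-off the table summarises as "better performance, less load": those flows are faster precisely because no corporate control sees them, which is why many organisations pair split tunnelling with a cloud proxy or move to ZTNA.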
WireGuard
| Feature | Details |
|---|---|
| What it is | Modern VPN protocol — minimal code (4,000 lines vs OpenVPN 100,000+), kernel-level |
| Performance | Fastest VPN protocol (kernel-space, no context switching → lower latency, higher throughput) |
| Cryptography | ChaCha20 (encryption), Poly1305 (auth), Curve25519 (DH), BLAKE2s (hash) — fixed, no negotiation |
| Simplicity | Config = public/private key pair + endpoint → dead simple setup |
| Roaming | Built-in roaming (change IP/network → connection maintained seamlessly) |
| Platforms | Linux (kernel module), Windows, macOS, iOS, Android |
| Limitation | No dynamic IP allocation (static config), limited enterprise features (no RADIUS/LDAP natively) |
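The "Config = public/private key pair" row hides the whole identity model of WireGuard: a peer is its Curve25519 public key, and the 44-character base64 strings in `PrivateKey`/`PublicKey` are simply 32-byte keys. The following is an added example, not WireGuard's own code: a pure-Python X25519 (RFC 7748) that generates a key pair in the same encoding, validates a key the way a config linter would, and derives the shared secret both peers compute. It exists to make the key format understandable; in production the keys come from `wg genkey` and `wg pubkey`.

```python
"""Generate WireGuard-style key pairs and derive the shared secret with a
pure-Python X25519 (RFC 7748) implementation.

Added example, not WireGuard's own code. WireGuard stores 32-byte Curve25519
keys base64-encoded as PrivateKey/PublicKey; this reproduces that encoding.
The branchy swap in the ladder is not constant-time, which is fine for a demo
and unacceptable in a real implementation.
"""
import base64
import os

P = 2 ** 255 - 19                      # field prime
A24 = 121665                           # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")  # u = 9


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar clamping, the same bit-fiddling `wg genkey` applies."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    return int.from_bytes(u, "little") & ((1 << 255) - 1)


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5."""
    k, x1 = _clamp(scalar), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)


def generate_private_key() -> bytes:
    """32 random bytes, clamped like the output of `wg genkey`."""
    b = bytearray(os.urandom(32))
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def encode_key(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def decode_key(text: str) -> bytes:
    """Validate a PrivateKey/PublicKey value: 44 base64 characters -> 32 bytes."""
    if len(text) != 44 or not text.endswith("="):
        raise ValueError("WireGuard keys are 44 base64 characters ending in '='")
    raw = base64.b64decode(text, validate=True)
    if len(raw) != 32:
        raise ValueError("decoded key is not 32 bytes")
    return raw


def shared_secret(my_private_b64: str, peer_public_b64: str) -> str:
    """The ECDH value both peers derive; an all-zero result means the peer
    key is a low-order point and must be rejected, as WireGuard does."""
    secret = x25519(decode_key(my_private_b64), decode_key(peer_public_b64))
    if secret == bytes(32):
        raise ValueError("peer public key is a low-order point")
    return encode_key(secret)


if __name__ == "__main__":
    priv = generate_private_key()
    print("PrivateKey =", encode_key(priv))
    print("PublicKey  =", encode_key(public_key(priv)))
```

Because there is no certificate or username anywhere in this exchange, key distribution is the whole access-control story: whoever holds a private key listed as a `[Peer]` is in. That is the concrete reason behind the "no RADIUS/LDAP natively" limitation in the table, and why enterprise WireGuard deployments wrap it in a control plane that issues and revokes peer keys.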
DMVPN (Dynamic Multipoint VPN)
| Feature | Details |
|---|---|
| What it is | Cisco technology for dynamic mesh VPN — spoke-to-spoke tunnels created on demand |
| Components | mGRE (multipoint GRE) + NHRP (Next Hop Resolution Protocol) + IPsec + a routing protocol |
| Hub-and-Spoke | Phase 1: all traffic goes through the hub (simple but suboptimal) |
| Spoke-to-Spoke | Phase 2/3: dynamic direct tunnels between spokes (optimal path, on demand) |
| NHRP | A spoke asks the hub for another spoke's public IP → builds a direct tunnel |
| Scale | Hundreds of sites — spokes only need configuration pointing at the hub (no full-mesh configuration) |
| Use Case | Enterprise WAN with 50-500 sites that needs any-to-any connectivity |
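The NHRP row is the mechanism that lets a spoke with nothing but the hub's address in its configuration end up with a direct tunnel to another spoke. The simulation below is an added example, not Cisco code: the hub plays the Next Hop Server that maps tunnel (overlay) IPs to NBMA (public) IPs, spokes register at boot, and a Phase 2 spoke sends its first packet through the hub while it resolves the peer and then switches to the direct path. All names and addresses are constructed.

```python
"""Simulate NHRP registration and spoke-to-spoke resolution in a DMVPN cloud.

Added example, not Cisco code. Message names follow NHRP and the DMVPN
phases described in the table; hub/spoke objects, names and addresses are
constructed for illustration. Phase 3 also ends in a direct tunnel but is
triggered by a hub redirect rather than by the spoke; it is not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Hub:
    """The Next Hop Server: maps tunnel (overlay) IPs to NBMA (public) IPs."""
    nbma: str
    nhrp_cache: dict = field(default_factory=dict)
    messages: list = field(default_factory=list)

    def registration_request(self, tunnel_ip, nbma):
        self.nhrp_cache[tunnel_ip] = nbma
        self.messages.append(f"Registration: {tunnel_ip} -> {nbma}")
        return "registration reply"

    def resolution_request(self, tunnel_ip):
        self.messages.append(f"Resolution request: {tunnel_ip}")
        return self.nhrp_cache.get(tunnel_ip)


@dataclass
class Spoke:
    name: str
    tunnel_ip: str
    nbma: str
    hub: Hub
    phase: int = 2
    direct_tunnels: dict = field(default_factory=dict)   # peer tunnel IP -> peer NBMA

    def boot(self):
        # The only thing configured on a spoke is how to reach the hub;
        # everything else is learned through NHRP.
        return self.hub.registration_request(self.tunnel_ip, self.nbma)

    def send(self, dst_tunnel_ip):
        """Return the path a packet takes as a list of hops, and trigger
        spoke-to-spoke tunnel setup where the DMVPN phase allows it."""
        if self.phase == 1:
            return [self.name, "hub", dst_tunnel_ip]      # hub-and-spoke only
        if dst_tunnel_ip in self.direct_tunnels:
            return [self.name, dst_tunnel_ip]             # mGRE+IPsec shortcut
        # Phase 2: first packet is forwarded by the hub while the spoke
        # resolves the peer's NBMA address; later packets go direct.
        peer_nbma = self.hub.resolution_request(dst_tunnel_ip)
        if peer_nbma is not None:
            self.direct_tunnels[dst_tunnel_ip] = peer_nbma
        return [self.name, "hub", dst_tunnel_ip]


def tunnels_to_configure(sites: int, design: str) -> int:
    """Static full mesh needs a tunnel per site pair; DMVPN needs one hub
    entry per spoke. This is the 'Scale' row in numbers."""
    if design == "static-full-mesh":
        return sites * (sites - 1) // 2
    if design == "dmvpn":
        return sites - 1
    raise ValueError(design)


if __name__ == "__main__":
    hub = Hub(nbma="203.0.113.1")
    a = Spoke("spoke-a", "10.255.0.2", "198.51.100.2", hub)
    b = Spoke("spoke-b", "10.255.0.3", "198.51.100.3", hub)
    a.boot(); b.boot()
    print(a.send(b.tunnel_ip))    # first packet: via hub
    print(a.send(b.tunnel_ip))    # then direct
    print(hub.messages)
    print(tunnels_to_configure(200, "static-full-mesh"), tunnels_to_configure(200, "dmvpn"))
```

Two operational points fall out of the model. First, the hub's NHRP cache is the authoritative map of every site's public address, so protecting and monitoring the hub matters even in Phase 2, where it carries little data traffic. Second, a spoke that cannot resolve a peer silently falls back to the hub path, which looks like a performance problem rather than an NHRP failure unless the resolution requests are being logged.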
ZTNA (Zero Trust Network Access)
| Feature | Traditional VPN | ZTNA |
|---|---|---|
| Access Scope | Full network access (once connected → access everything) | Per-application access (only authorized apps) |
| Trust Model | Trust after authentication (inside = trusted) | Never trust, always verify (continuous) |
| Posture Check | Basic (OS version at connect time) | Continuous (device health, location, behavior) |
| Lateral Movement | Possible (full network access) | Prevented (no network-level access) |
| Performance | Hairpin through VPN concentrator | Direct-to-app (via cloud edge/connector) |
| Products | AnyConnect, GlobalProtect, FortiClient | Zscaler ZPA, Cloudflare Access, Palo Alto Prisma, Netskope |
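The three rows that matter most in the comparison (per-application scope, continuous verification, and posture checked during the session rather than only at connect time) can be expressed as a small policy decision point. The following is an added example, not the code of any ZTNA product; the policy schema, posture attributes and thresholds are constructed for illustration. Note what is absent: there is no "connected to the network" state at all, so a denied application stays unreachable regardless of what else the user was allowed.

```python
"""Minimal ZTNA policy decision point with continuous posture re-evaluation.

Added example, not the code of any ZTNA product. The policy schema, posture
attributes and thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int
    edr_running: bool


@dataclass
class Request:
    user: str
    groups: set
    app: str
    device: Device
    country: str


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


# Per-application policy: who may reach what, from which devices and places.
POLICY = {
    "payroll": {"groups": {"finance"}, "countries": {"TH"}, "managed_only": True},
    "wiki": {"groups": {"staff", "finance"}, "countries": {"TH", "SG"}, "managed_only": False},
}
MAX_PATCH_AGE = 30   # days; constructed threshold


def posture_failures(device: Device) -> list:
    """Device-health requirements evaluated on every check, not just at login."""
    fails = []
    if not device.disk_encrypted:
        fails.append("disk not encrypted")
    if device.patch_age_days > MAX_PATCH_AGE:
        fails.append(f"OS patches older than {MAX_PATCH_AGE} days")
    if not device.edr_running:
        fails.append("EDR agent not running")
    return fails


def evaluate(req: Request) -> Decision:
    """Per-application decision. Being allowed into one app grants nothing
    for any other app, and unknown apps are denied by default."""
    rule = POLICY.get(req.app)
    if rule is None:
        return Decision(False, ["unknown application: default deny"])
    reasons = []
    if not (req.groups & rule["groups"]):
        reasons.append("user not in an authorized group")
    if req.country not in rule["countries"]:
        reasons.append(f"access from {req.country} not permitted")
    if rule["managed_only"] and not req.device.managed:
        reasons.append("unmanaged device")
    reasons += posture_failures(req.device)
    return Decision(not reasons, reasons)


class Session:
    """An application session that is re-checked on every posture update."""

    def __init__(self, req: Request):
        self.req = req
        self.decision = evaluate(req)
        self.active = self.decision.allow

    def posture_update(self, device: Device) -> Decision:
        """Re-run policy with fresh device state; revoke mid-session if it degrades."""
        self.req.device = device
        self.decision = evaluate(self.req)
        self.active = self.decision.allow
        return self.decision


if __name__ == "__main__":
    healthy = Device(managed=True, disk_encrypted=True, patch_age_days=5, edr_running=True)
    s = Session(Request("alice", {"finance", "staff"}, "payroll", healthy, "TH"))
    print("payroll allowed:", s.active)
    s.posture_update(Device(managed=True, disk_encrypted=True, patch_age_days=5, edr_running=False))
    print("after EDR stopped:", s.active, s.decision.reasons)
```

The `Session.posture_update` path is the "continuous" column in practice: the same evaluation runs when the device agent reports a change, so a session that was valid at 09:00 is torn down at 09:05 if the EDR agent stops. A traditional VPN has no equivalent hook; once the tunnel is up, the posture check is history.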
VPN Architecture Decisions
| Scenario | Recommended | Why |
|---|---|---|
| 2-5 sites | IPsec site-to-site (static) | Simple, reliable, hardware-accelerated |
| 50+ sites | DMVPN or SD-WAN | Dynamic mesh, scalable, simplified management |
| Remote workers (enterprise) | SSL VPN → migrate to ZTNA | SSL VPN easy to deploy, ZTNA better security |
| Remote workers (simple) | WireGuard | Fastest, simplest, great for tech teams |
| Zero Trust initiative | ZTNA (Zscaler/Cloudflare) | Per-app access, no network-level trust |
| Multi-cloud | IPsec + Transit Gateway | Standard inter-cloud connectivity |
Closing: VPN = Evolving from Network Access to Application Access
VPN Technologies
- IPsec: the standard for site-to-site (IKEv2, ESP, PFS), hardware-accelerated, Phase 1 + Phase 2
- SSL VPN: remote access via browser/client (port 443, firewall-friendly), AnyConnect/GlobalProtect
- WireGuard: modern and fastest (kernel-level, 4,000 lines of code), ChaCha20/Curve25519, simple config
- DMVPN: Cisco dynamic mesh VPN (mGRE + NHRP + IPsec), 50-500 sites, spoke-to-spoke on demand
- ZTNA: per-application access (no full network access), continuous verification, replaces VPN (Zscaler ZPA, Cloudflare)
- Architecture: 2-5 sites → static IPsec; 50+ sites → DMVPN/SD-WAN; remote workers → SSL VPN → ZTNA
- Key: VPN provides connectivity, ZTNA provides security; the industry is moving from VPN to ZTNA
Read more about Firewall Architecture, Next-Gen UTM and Zero Trust, and about SD-WAN Architecture and SASE Migration, at siamlancard.com, or from icafeforex.com and siam2r.com.