VPN Technologies: IPsec, SSL VPN, WireGuard, OpenVPN, Site-to-Site, Remote Access and Zero Trust
VPN technologies build encrypted tunnels to connect networks and users securely. IPsec is the standard for site-to-site VPN; SSL VPN provides browser-based access; WireGuard is a modern lightweight protocol; OpenVPN is an open-source SSL-based VPN; site-to-site links offices; remote access lets employees work from anywhere; and Zero Trust is replacing the traditional VPN.
The VPN market changed rapidly after COVID-19 made remote work the default: organizations with VPN capacity for 20% of their staff had to scale to 100% within two weeks. The problems that followed were VPN concentrator overload, split-tunnel vs full-tunnel debates, and VPN latency for cloud apps (traffic hairpinned through the data center). This accelerated adoption of ZTNA (Zero Trust Network Access), which reaches apps directly without passing through a VPN.
VPN Protocol Comparison
| Protocol | Encryption | Speed | Best For |
|---|---|---|---|
| IPsec (IKEv2) | AES-256, SHA-256, DH Group 14+ | Fast (hardware acceleration) | Site-to-site, mobile (reconnect fast) |
| SSL/TLS VPN | TLS 1.2/1.3, AES-256 | Good | Remote access via browser, clientless |
| WireGuard | ChaCha20, Poly1305, Curve25519 | Fastest (minimal code, kernel-level) | Modern remote access, mobile, site-to-site |
| OpenVPN | OpenSSL (AES-256-GCM) | Good (userspace) | Cross-platform remote access, flexibility |
| L2TP/IPsec | IPsec encryption over L2TP tunnel | Moderate (double encapsulation) | Legacy — built into most OS but slow |
| PPTP | MPPE (weak) | Fast but insecure | DEPRECATED — never use (easily cracked) |
IPsec Deep Dive
| Feature | Details |
|---|---|
| Phase 1 (IKE SA) | Negotiate security parameters (encryption, hash, DH group, auth) → establish secure channel |
| Phase 2 (IPsec SA) | Negotiate IPsec parameters (ESP/AH, encryption, interesting traffic) → create data tunnel |
| ESP | Encapsulating Security Payload: encryption + authentication + integrity (most common) |
| AH | Authentication Header: integrity + authentication only (no encryption) — rarely used |
| Tunnel Mode | Encrypt entire IP packet + new IP header → site-to-site (hide original IPs) |
| Transport Mode | Encrypt only payload (keep original IP header) → host-to-host |
| IKEv2 | Improved: faster negotiation, MOBIKE (seamless reconnect on network change), built-in NAT-T |
WireGuard
| Feature | Details |
|---|---|
| Code Size | ~4,000 lines (vs OpenVPN 100,000+ lines) → easier to audit, fewer bugs |
| Performance | Kernel-level implementation → 3-4x faster than OpenVPN, comparable to IPsec |
| Crypto | Modern, fixed: ChaCha20 (encryption), Poly1305 (MAC), Curve25519 (DH), BLAKE2s (hash) |
| Simplicity | Config = public/private key pair + allowed IPs → minimal configuration |
| Roaming | Seamless handover between networks (WiFi ↔ 4G) — no reconnection needed |
| Stealth | No response to unauthenticated packets → invisible to port scanners |
| Limitation | No built-in user authentication (need external: LDAP, RADIUS), fixed crypto (no negotiation) |
Site-to-Site vs Remote Access
| Feature | Site-to-Site | Remote Access |
|---|---|---|
| Connects | Network ↔ Network (office to office) | User ↔ Network (laptop to office) |
| Always-On | Yes — permanent tunnel between sites | On-demand — connect when needed |
| Devices | Router/firewall at each end | VPN client on user device + VPN gateway |
| Protocol | IPsec (most common), GRE over IPsec, DMVPN | SSL VPN, IPsec IKEv2, WireGuard, OpenVPN |
| Users | Transparent to users (no client needed) | User initiates connection (login required) |
| Split Tunnel | N/A (all inter-site traffic through VPN) | Split: corporate → VPN, internet → direct; Full: all through VPN |
Zero Trust vs VPN
| Feature | Traditional VPN | ZTNA (Zero Trust) |
|---|---|---|
| Trust Model | Trust after VPN connection (network-level access) | Never trust, always verify (per-app access) |
| Access | Full network access once connected (lateral movement possible) | Only specific apps/resources (micro-segmented) |
| Authentication | Once at connection (username/password + MFA) | Continuous: device posture, user identity, context, risk score |
| Cloud Apps | Hairpin through DC → slow for SaaS (O365, Salesforce) | Direct-to-cloud → better performance for SaaS |
| Scalability | VPN concentrator bottleneck → capacity limits | Cloud-based → elastic scaling |
| Vendors | Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet FortiClient | Zscaler ZPA, Cloudflare Access, Palo Alto Prisma Access, Netskope |
VPN Best Practices
| Practice | Detail |
|---|---|
| MFA Required | Always require multi-factor authentication for VPN access — password alone is not enough |
| Split Tunnel | Use split tunnel: cloud/SaaS traffic → direct; corporate resources → VPN |
| Certificate Auth | Use machine certificates + user credentials — stronger than password-only |
| Posture Check | Check device health before granting access: OS patched, AV running, disk encrypted |
| Least Privilege | Don’t give full network access — restrict by user role/group to specific resources |
| Logging | Log all VPN connections: who, when, where from, how long → audit trail |
| Modern Protocol | Use IKEv2, WireGuard, or TLS 1.3 — avoid PPTP, L2TP (deprecated) |
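The WireGuard "Simplicity" row above (config = key pair + allowed IPs) and the "Split Tunnel" best practice meet in one place: a peer's AllowedIPs decides whether only corporate prefixes or all traffic enters the tunnel. As an added example that is not code from the page, the Python below parses a constructed WireGuard client config, checks that keys are 32-byte base64 values, and classifies the peer as split or full tunnel; the keys, endpoint and prefixes are placeholders.

```python
import base64
import ipaddress
# Constructed placeholder keys (not real credentials): any 32 bytes, base64-encoded, look like WireGuard keys.
FAKE_PRIV = base64.b64encode(bytes(range(32))).decode()
FAKE_PUB = base64.b64encode(bytes(range(32, 64))).decode()
# Constructed client config: only corporate prefixes go into the tunnel, everything else goes direct.
SPLIT_CONF = f"""
[Interface]
PrivateKey = {FAKE_PRIV}
[Peer]
PublicKey = {FAKE_PUB}
AllowedIPs = 10.0.0.0/8, 192.168.10.0/24   # corporate only -> split tunnel
Endpoint = vpn.example.invalid:51820
"""
# Same peer with a default route: all traffic, SaaS included, hairpins through the gateway.
FULL_CONF = SPLIT_CONF.replace("10.0.0.0/8, 192.168.10.0/24", "0.0.0.0/0, ::/0")
def parse_wg(text):
    """Minimal INI parser: {'Interface': {...}, 'Peer': [{...}, ...]}; '#' starts a comment."""
    cfg, current = {"Interface": {}, "Peer": []}, {}
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line == "[Interface]":
            current = cfg["Interface"]
        elif line == "[Peer]":
            current = {}
            cfg["Peer"].append(current)
        elif line:
            key, _, value = line.partition("=")  # first '=' only: base64 keys end in '='
            current[key.strip()] = value.strip()
    return cfg
def is_valid_key(key):
    """WireGuard keys are 32-byte Curve25519 values, i.e. 44 base64 characters."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error (bad alphabet or padding) is a ValueError
        return False
def tunnel_mode(peer):
    """A /0 route in AllowedIPs sends everything into the tunnel (full); otherwise it is split."""
    nets = [ipaddress.ip_network(n.strip(), strict=False) for n in peer["AllowedIPs"].split(",")]
    return "full" if any(n.prefixlen == 0 for n in nets) else "split"
def audit(text):
    """Best-practice findings for one client config: key format, AllowedIPs present, tunnel mode."""
    cfg, findings = parse_wg(text), []
    for i, peer in enumerate(cfg["Peer"]):
        if not is_valid_key(peer.get("PublicKey", "")):
            findings.append(f"Peer[{i}].PublicKey is not a 32-byte base64 key")
        if "AllowedIPs" not in peer:
            findings.append(f"Peer[{i}] has no AllowedIPs: nothing is routed into the tunnel")
        elif tunnel_mode(peer) == "full":
            findings.append(f"Peer[{i}] is a full tunnel: SaaS traffic hairpins through the gateway")
    return findings
```

Running `audit(SPLIT_CONF)` returns no findings, while `audit(FULL_CONF)` flags the default route; the same check can be pointed at real client configs to confirm the split-tunnel policy before rollout.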
Closing thoughts: VPN → ZTNA = The Transition Is Happening
VPN Technologies
- IPsec: Phase 1 (IKE SA) + Phase 2 (IPsec SA), ESP encryption, tunnel/transport mode — site-to-site standard
- WireGuard: 4,000 lines, kernel-level, ChaCha20, fastest, seamless roaming — modern choice
- OpenVPN: open-source, cross-platform, flexible config — established remote access
- SSL VPN: browser-based, clientless option — easy deployment for remote access
- Site-to-Site: permanent tunnel (IPsec/DMVPN); Remote Access: on-demand (SSL/WireGuard/IKEv2)
- Zero Trust (ZTNA): per-app access, continuous auth, direct-to-cloud — replacing VPN for remote access
- Best Practices: MFA required, split tunnel, certificate auth, posture check, least privilege
- Key: VPN is not dead but ZTNA is the future — start with ZTNA for cloud apps, keep VPN for legacy