Business VPN for SMEs: practical guide — protocols, costs and deployment

Which VPN for your SME? OpenVPN, WireGuard, FortiClient: protocols, costs and deployment steps. IT guide by ECLAUD IT, MSP in Reunion Island.

Diagram of an encrypted VPN tunnel between a remote worker and the company network — SME VPN illustration

Business VPN for SMEs: how to secure your remote access

A business VPN encrypts your employees’ connections when working remotely and secures access to your internal network. It’s not one tool among many: it’s the foundational security layer for any SME that allows remote access to its systems.

  • What it does: creates an encrypted tunnel between the employee’s device and your network, as if their device were physically in the office
  • SME-suitable solutions: OpenVPN, WireGuard, FortiClient depending on your infrastructure
  • Average budget: 5 to 15 EUR/user/month for a managed solution — or 0 EUR with a self-hosted open source solution

This article covers VPN as the main topic: protocol selection, solution comparison, step-by-step deployment, and real costs. For a broader view of remote work security (MFA, device management, DNS filtering), see our complete secure remote work guide.


Why does your SME need a professional VPN?

Without a VPN, every employee connecting from home or a cafe sends their data unencrypted over a public network. They access company resources over the open internet — with no encryption, no centralised access control. An attacker able to intercept Wi-Fi traffic at a hotel can capture credentials, internal files, and client data.

Stat Box — 43% of cyberattacks in 2024 targeted SMEs (Verizon DBIR 2024). A single remote employee without a VPN is enough to compromise the entire network.

Risks without a VPN (public Wi-Fi, remote work, ransomware)

The most common scenario: a sales rep connects from an airport via public Wi-Fi and opens RDP access to your file server. Without a VPN, this connection travels over the internet unprotected. Man-in-the-middle attacks on public Wi-Fi are well-documented and automatable.

Second risk: RDP services exposed directly to the internet. Without a VPN, internal services (network shares, ERP, internal email) are accessible from anywhere — which means attackers can see them too. ANSSI (France’s national cybersecurity agency, comparable to NCSC in the UK or CISA in the US) ranks exposure of RDP services and unencrypted remote access among the top causes of SME compromise.

Third risk: ransomware. An infected device outside the VPN can encrypt local resources, then spread the attack once it reconnects to the company network. A well-configured VPN with network segmentation limits this spread.

Personal VPN vs business VPN: the real differences

This is a common confusion. A personal VPN (NordVPN, ExpressVPN) masks your IP address and encrypts your traffic to the internet. Its purpose: privacy from your ISP and online anonymity.

A business VPN does the functional opposite: it connects the employee’s device to the company’s internal network. Traffic doesn’t go out to the internet and back — it arrives directly at your servers, shared files, and ERP. These are two different products, architectures, and use cases with no overlap. A Chrome VPN extension cannot replace a professional VPN.

Alert — Browser VPN is not a business VPN. Chrome/Firefox VPN extensions only encrypt browser traffic and do not protect the company network. (Source: francenum.gouv.fr)


How does a business VPN work?

A business VPN establishes an encrypted tunnel between the client (employee’s device) and the VPN server hosted in your infrastructure or with a provider. All traffic passes through this tunnel, inaccessible to any third party intercepting the intermediate network.

The encrypted tunnel principle

When an employee activates their VPN client, three steps occur in sequence. First, authentication: the client proves its identity (credentials, certificate, MFA). Next, protocol negotiation: both parties agree on the encryption algorithm and security parameters. Finally, the tunnel is established: all traffic is encapsulated, encrypted, transmitted to the VPN server, then decrypted and routed to the internal resource.

The encryption used depends on the chosen protocol. AES-256 is the current standard — considered unbreakable to date by security agencies (ANSSI, NIST).

Authentication and access management (MFA, LDAP, Active Directory)

A VPN without strong authentication is a door left ajar. Professional solutions integrate with your directory (Active Directory, LDAP) to centralise access management. When an employee leaves the company, they’re disabled in AD, and their VPN access is immediately revoked — with no manual action needed on the VPN server.

Adding multi-factor authentication (MFA) is strongly recommended. A stolen username and password are no longer sufficient if a second factor (authenticator app, SMS) is required. Most SME solutions (FortiClient, OpenVPN Access Server, Sophos SSL VPN) natively support TOTP (Google Authenticator, Microsoft Authenticator).

Split tunnelling: benefits and configuration risks

Split tunnelling divides the employee’s traffic into two categories: traffic to internal company resources goes through the VPN; everything else (web browsing, streaming) goes directly through the local internet connection.

Benefit: performance. Without split tunnelling, all of the employee’s browsing transits through the VPN and your company connection — which quickly saturates your bandwidth.

Key Takeaway — Split tunnelling improves performance but requires careful configuration. If misconfigured, it creates a vulnerability: the employee’s device becomes a bridge between the internet and the company network. An infected machine can propagate an attack via the VPN tunnel even with split tunnelling active.


The 3 types of VPN for SMEs

Before choosing a protocol or solution, you need to identify the type of VPN you need. Three architectures serve different needs.

Remote access VPN — the most common for SMEs

This is the classic model: each remote employee installs a VPN client on their device. They connect to the company’s VPN server and access internal resources as if they were in the office. This is the right solution for 80% of SMEs.

Use case: itinerant sales reps, regular remote workers, business owners accessing their management software from home. Deployment is simple: one VPN server, configured clients on the devices.

Site-to-site VPN — for multi-site businesses

A site-to-site VPN connects two entire networks — for example, your head office and a branch office. Both local networks are permanently linked via a VPN tunnel. Users at both sites access each other’s resources as if they were on the same network.

This model is managed at the router or firewall level (Fortinet, Sophos, Cisco Meraki). No client needs to be installed on individual devices.

SSL VPN vs IPSec: which to choose?

SSL VPN (or TLS) uses port 443 — the same as HTTPS. Advantage: it passes through virtually all firewalls and network restrictions, because this port is rarely blocked. This is the preferred solution when employees connect from hotels, client sites, or restrictive network environments.

IPSec VPN offers better performance and is the standard for site-to-site VPNs and for remote access from managed devices. It is native on Windows, macOS, and iOS. In heterogeneous environments with unmanaged devices, it can run into NAT traversal problems.

For most SMEs: SSL VPN for employee remote access, IPSec for site-to-site tunnels.


Which VPN protocol should your SME choose?

The protocol determines the encryption algorithm, performance, and compatibility. Three protocols dominate the SME market in 2026.

OpenVPN: the open source standard

OpenVPN has been the reference protocol for 15 years. Open source, audited by the security community, compatible with all operating systems. It uses TLS for the control channel and AES-256 for data encryption.

Strengths: proven reliability, granular configuration, vast community, available everywhere. Limitations: fairly complex manual configuration, lower performance than WireGuard on high-bandwidth connections.

Ideal for: SMEs with internal IT expertise or an IT provider, requiring full control, multi-platform.

WireGuard: modern, lightweight, fast

WireGuard appeared in 2020 and was quickly adopted as the reference protocol by the industry. Its source code is just 4,000 lines (compared to 400,000 for OpenVPN) — drastically reducing the attack surface and making security audits easier. Performance is significantly better, especially on mobile connections with frequent network changes.

Strengths: very high performance, low latency, minimal and auditable codebase, near-instant reconnection. Limitations: limited logging by design (complicated for certain traceability requirements), less configuration flexibility than OpenVPN.

Expert Quote — ANSSI recommends using a VPN with proven protocols (IPSec or TLS) for any remote access to the company’s information system. (Source: IT hygiene guide, ANSSI)

WireGuard is ECLAUD IT’s choice for most new SME deployments in Reunion Island: performance, management simplicity, and reduced attack surface.

IPSec/IKEv2: native on Windows and iOS

IPSec with IKEv2 is built natively into Windows 10/11, macOS, iOS, and Android. No additional client installation on devices. This is a considerable advantage in environments where installing third-party software is restricted (healthcare, government).

Strengths: native client on all major operating systems, very fast reconnection (mobiles), mature IPSec standard. Limitations: can be blocked on some networks (UDP ports 500 and 4500), more complex server configuration.

VPN protocol comparison table

| Protocol | Security | Performance | Deployment complexity | Port | Native client |
|---|---|---|---|---|---|
| OpenVPN | Excellent | Good | Medium | TCP/UDP 1194 or 443 | No |
| WireGuard | Excellent | Very good | Low | UDP 51820 | Partial (Win 11) |
| IPSec/IKEv2 | Excellent | Very good | High | UDP 500, 4500 | Yes (Win/Mac/iOS) |
| L2TP/IPSec | Good | Medium | Low | UDP 1701 | Yes |
| PPTP | Obsolete | Good | Very low | TCP 1723 | Yes |

Note: PPTP and L2TP/IPSec without additional encryption are no longer recommended. ANSSI explicitly advises against PPTP.


Which business VPN for your SME? Concrete solutions

The choice of solution depends on your existing infrastructure and IT management capacity. Four solutions cover the essentials of SME needs.

Fortinet FortiClient (integrated with Fortinet firewall)

If you already have a Fortinet firewall (FortiGate), FortiClient is the natural choice. The SSL VPN server is built into the FortiGate; FortiClient is the free client available on Windows, macOS, Linux, iOS, and Android.

Advantages: native firewall integration, centralised management via FortiManager, full connection visibility, built-in MFA, reporting. Cost: FortiClient EMS (centralised management) licences cost approximately 5 to 10 EUR/user/year. Basic VPN is included in FortiGate licences.

This is the solution we deploy for clients who already have Fortinet infrastructure.

Sophos SSL VPN (integrated with Sophos Firewall)

Same approach on the Sophos side: SSL VPN is built into Sophos Firewall, with a Sophos Connect client available on all operating systems. The admin interface is more accessible than Fortinet’s for businesses without dedicated IT staff.

Advantages: clear graphical interface, quick deployment, Sophos Central integration for unified management (endpoint + firewall + VPN). Cost: included in Sophos Firewall licences (from 400-700 EUR/year for an SME model).

OpenVPN Access Server (open source)

OpenVPN Access Server is the commercial server version of OpenVPN, with a web-based admin interface. The first two simultaneous connections are free — beyond that, licences cost 15-20 EUR/connection/year.

Advantages: audited open source, flexible, compatible with all firewalls, no vendor lock-in. Cost: free for 2 simultaneous users, approximately 200-400 EUR/year for 10-20 users. Requires a Linux server (VPS or internal VM).

Ideal for SMEs with minimum technical skills or an IT provider, wanting to avoid vendor licence costs.

Self-hosted WireGuard

WireGuard can be deployed on any Linux server in under an hour. Tools like WG-Easy add a web management interface accessible to non-specialists.

Advantages: zero cost (open source), maximum performance, lightweight configuration, perfectly suited to VPS and cloud VMs. Cost: 0 EUR in licences. Server cost (Linux VPS): 5 to 15 EUR/month.

At ECLAUD IT, self-hosted WireGuard is our recommendation for SMEs with 5 to 20 workstations and no existing firewall infrastructure.

SME VPN solutions comparison table

| Solution | Protocol | Estimated monthly cost (20 users) | Deployment complexity | Ideal for |
|---|---|---|---|---|
| FortiClient EMS | SSL/IPSec | 15-30 EUR (excl. FortiGate) | Medium | Existing Fortinet clients |
| Sophos SSL VPN | SSL | Included in firewall licence | Low | Existing Sophos clients |
| OpenVPN Access Server | OpenVPN | 25-35 EUR (licences) | Medium | Multi-platform, maximum control |
| Self-hosted WireGuard | WireGuard | 5-15 EUR (VPS only) | Low to medium | SMEs 5-30 devices, tight budget |

How to deploy a VPN in your SME (steps)

A well-executed VPN deployment takes one day for an SME of 10 to 30 workstations. Here are the steps we systematically follow for our clients in Reunion Island.

Step 1 — Preliminary network audit

Before installing anything, take stock: how many employees connect remotely, from what types of devices (Windows, macOS, iOS, Android), which internal resources need to be accessible (file server, ERP, RDP). Also identify the firewall in place and available ports.

This step determines everything that follows. A network infrastructure audit takes 2 to 3 hours and prevents unpleasant surprises during deployment.

Step 2 — Choose the protocol and solution

Based on the audit: if you have a FortiGate, FortiClient is the obvious choice. If the network has no UTM solution, WireGuard or OpenVPN Access Server. If employees primarily use iOS and Windows without the ability to install third-party clients, native IKEv2/IPSec.

Step 3 — Server installation and configuration

For WireGuard: key generation, wg0.conf file configuration, iptables rules for NAT, IP forwarding activation. For OpenVPN Access Server: Debian/Ubuntu package installation, web interface access, LDAP or local authentication setup, client profile generation. For FortiGate/Sophos: configuration via the firewall admin interface.

Critical configuration points: tunnel IP addressing (dedicated subnet, separate from LAN), firewall rules allowing VPN connections, split tunnelling (routes pushed to clients), key rotation policy.

Step 4 — Client deployment on devices

Distribute configuration profiles to employees. For WireGuard and OpenVPN, a .conf or .ovpn file is all that’s needed — imported into the client in one step. For FortiClient and Sophos Connect, the client is downloaded from the company web portal and configures itself automatically.

For our SME clients in Reunion Island (10-50 devices), user-side deployment takes an average of 30 minutes per device during a grouped deployment session.

Step 5 — Testing and user training

Test the connection from outside the network (mobile hotspot, not office Wi-Fi). Verify access to every internal resource identified in Step 1. Test disconnection and reconnection. Test the kill switch (if configured).

User training: 15 minutes is enough to explain how to activate/deactivate the VPN, recognise a connection problem, and know when the VPN should be active.
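Steps 3 and 4 above (server wg0.conf, NAT rules, IP forwarding, client profiles) and the split-tunnelling section earlier in the article, as an added worked example that is not ECLAUD IT's own tooling: a Python script that renders a WireGuard server configuration and per-device client profiles, and refuses to proceed if the tunnel subnet overlaps the office LAN. The tunnel subnet 10.8.0.0/24, LAN 192.168.10.0/24, endpoint vpn.example.invalid:51820, interface name eth0 and every key string are assumed placeholder values; real keys come from `wg genkey` and `wg pubkey`.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders, NOT valid keys: on the real server run
#   wg genkey | tee server.key | wg pubkey > server.pub   (and once per client device)
SERVER_PRIVATE_KEY = "<SERVER_PRIVATE_KEY from wg genkey>"
SERVER_PUBLIC_KEY = "<SERVER_PUBLIC_KEY from wg pubkey>"


@dataclass
class Peer:
    name: str                  # device label, e.g. laptop-sales-01
    public_key: str            # the device's public key (from wg pubkey)
    tunnel_ip: str             # address inside the tunnel, e.g. 10.8.0.2
    full_tunnel: bool = False  # False = split tunnelling (only company traffic via VPN)


def addressing_problems(tunnel_subnet, lan_subnet):
    """Enforce 'dedicated tunnel subnet, separate from the LAN' before writing any config."""
    tunnel = ipaddress.ip_network(tunnel_subnet, strict=True)
    lan = ipaddress.ip_network(lan_subnet, strict=True)
    problems = []
    if tunnel.overlaps(lan):
        problems.append(f"tunnel subnet {tunnel} overlaps the LAN {lan}")
    if not tunnel.is_private:
        problems.append(f"tunnel subnet {tunnel} is not a private range")
    if tunnel.num_addresses < 4:
        problems.append(f"tunnel subnet {tunnel} has no room for clients")
    return problems


def server_config(tunnel_subnet, lan_subnet, listen_port, out_iface, peers):
    """Render /etc/wireguard/wg0.conf: one [Peer] per device, each pinned to its /32."""
    problems = addressing_problems(tunnel_subnet, lan_subnet)
    if problems:
        raise ValueError("; ".join(problems))
    tunnel = ipaddress.ip_network(tunnel_subnet)
    server_ip = next(tunnel.hosts())  # first usable address belongs to the server
    lines = [
        "[Interface]",
        f"Address = {server_ip}/{tunnel.prefixlen}",
        f"ListenPort = {listen_port}",
        f"PrivateKey = {SERVER_PRIVATE_KEY}",
        # Forward packets arriving on wg0 and NAT them behind the LAN-facing
        # interface, so LAN hosts can answer without a route back to the tunnel subnet.
        f"PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; "
        f"iptables -t nat -A POSTROUTING -o {out_iface} -j MASQUERADE",
        f"PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; "
        f"iptables -t nat -D POSTROUTING -o {out_iface} -j MASQUERADE",
    ]
    for peer in peers:
        if ipaddress.ip_address(peer.tunnel_ip) not in tunnel:
            raise ValueError(f"{peer.name}: {peer.tunnel_ip} is outside {tunnel}")
        # /32 on the server side: packets from this peer are accepted only from its own tunnel IP
        lines += ["", f"# {peer.name}", "[Peer]", f"PublicKey = {peer.public_key}",
                  f"AllowedIPs = {peer.tunnel_ip}/32"]
    return "\n".join(lines) + "\n"


def client_allowed_ips(peer, tunnel_subnet, lan_subnet):
    """On the client, AllowedIPs is what decides split versus full tunnel."""
    if peer.full_tunnel:
        return "0.0.0.0/0"                   # everything through the VPN
    return f"{tunnel_subnet}, {lan_subnet}"  # only company resources; web browsing stays local


def client_config(peer, client_private_key, endpoint, tunnel_subnet, lan_subnet, dns):
    """Profile the employee imports into the WireGuard app. It holds a private key:
    hand it over on a secure channel and delete the file once imported."""
    tunnel = ipaddress.ip_network(tunnel_subnet)
    return "\n".join([
        "[Interface]",
        f"Address = {peer.tunnel_ip}/{tunnel.prefixlen}",
        f"PrivateKey = {client_private_key}",
        f"DNS = {dns}",              # internal resolver so LAN hostnames resolve over the tunnel
        "",
        "[Peer]",
        f"PublicKey = {SERVER_PUBLIC_KEY}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {client_allowed_ips(peer, tunnel_subnet, lan_subnet)}",
        "PersistentKeepalive = 25",  # keeps NAT mappings alive for roaming devices
    ]) + "\n"


def server_bootstrap_commands():
    """Commands to run once on a Debian/Ubuntu server after writing wg0.conf."""
    return [
        "apt install -y wireguard",
        "chmod 600 /etc/wireguard/wg0.conf",  # the file contains the server private key
        "sysctl -w net.ipv4.ip_forward=1",    # IP forwarding, enabled now...
        "echo net.ipv4.ip_forward=1 > /etc/sysctl.d/99-wireguard.conf",  # ...and at boot
        "systemctl enable --now wg-quick@wg0",
    ]


if __name__ == "__main__":
    sales = Peer("laptop-sales-01", "<CLIENT_PUBLIC_KEY from wg pubkey>", "10.8.0.2")
    print(server_config("10.8.0.0/24", "192.168.10.0/24", 51820, "eth0", [sales]))
    print(client_config(sales, "<CLIENT_PRIVATE_KEY from wg genkey>",
                        "vpn.example.invalid:51820", "10.8.0.0/24", "192.168.10.0/24",
                        "192.168.10.1"))
```

Two design points worth noting. On the server, each peer's AllowedIPs is its own /32, so a device can only inject packets from the tunnel address assigned to it; on the client, AllowedIPs is the whole split-tunnelling decision, and the default here routes only the tunnel subnet and the office LAN through wg0. That is the performance benefit the article describes, and it does not change the caveat from the Key Takeaway: an infected device still reaches the LAN through the tunnel, so firewall rules on the VPN server (what each tunnel address may reach) are what limit the blast radius, not the client profile.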


VPN and Zero Trust: what’s next for your SME?

The traditional VPN has a clear limitation: once connected, the user has access to the entire internal network. This works for SMEs where everyone needs access to all resources. But for businesses with segmented sensitive data or teams with differentiated access, this approach deserves rethinking.

Limitations of the traditional VPN

The VPN grants implicit trust to the authenticated user. If their credentials are stolen or their device is compromised, the attacker gains access to the complete network. The VPN model relies on the concept of a “trusted network” — once inside, everything is accessible.

Second issue: scalability. An on-premise business VPN is sized for a fixed number of simultaneous connections. During usage spikes (lockdowns, crises), capacity may be insufficient.

Zero Trust Network Access (ZTNA): when to make the switch?

Zero Trust is based on the opposite principle: never trust, always verify. Every resource access is evaluated in real time based on user identity, device status (patched, compliant), location, and resource sensitivity.

For an SME on Microsoft 365 Business Premium, Azure AD Conditional Access + Intune constitutes a lightweight Zero Trust architecture without a VPN. Since 2024, ECLAUD IT has been guiding its Microsoft 365 clients towards this architecture for cloud access: Conditional Access + Intune complements, and progressively replaces, the traditional VPN for SaaS applications.

SASE: the solution for cloud-first SMEs

SASE (Secure Access Service Edge) combines networking (SD-WAN) and security (ZTNA, CASB, SWG, FWaaS) in a unified cloud service. Examples include Cloudflare Zero Trust, Zscaler, and Fortinet SASE. It is relevant for SMEs with no on-premise infrastructure, running 100% in the cloud.

The VPN remains relevant in 2026 for SMEs with internal servers, resources not yet migrated to the cloud, or a limited IT budget. Zero Trust and SASE are an evolution, not an immediate replacement.


Frequently asked questions

Does a VPN slow down the internet connection for a business?

A well-configured VPN barely slows down the connection. With modern WireGuard or IPSec/IKEv2, throughput loss is under 5-10% on a fibre connection. Split tunnelling limits VPN traffic to business resources only, preserving performance for general browsing.

How much does a business VPN cost for an SME?

Costs range from 0 EUR (self-hosted open source OpenVPN or WireGuard) to 5-15 EUR per user/month for a managed solution integrated with a firewall. For an SME of 10 to 30 employees, the total annual budget (server or licence + deployment + maintenance) typically falls between 500 EUR and 3,000 EUR/year depending on the solution chosen.

Is using a VPN mandatory for remote work?

There is no explicit legal obligation requiring a VPN, but the NIS2 directive (transposed into national law across EU member states) requires businesses to implement technical measures to secure remote access. ANSSI strongly recommends VPN as a baseline measure for any access to the information system from outside. Not having a VPN while allowing remote work is a documented risk exposure.

What is the difference between a personal VPN and a business VPN?

A personal VPN (NordVPN, ExpressVPN) masks your IP address and encrypts your traffic to the internet. A business VPN connects the employee’s device to the company’s internal network: servers, shared files, ERP, internal resources. These are two completely different use cases. A personal VPN cannot replace a professional VPN.

Business VPN and GDPR: what are the obligations?

A VPN is not a GDPR requirement in itself, but the GDPR (Article 32) requires appropriate technical measures to protect personal data. Encrypting communications between remote employees and company systems via a VPN is considered an adequate measure. If your provider manages the VPN, they must be able to sign a DPA (Data Processing Agreement) and guarantee data hosting within the EU.

Can my firewall serve as a VPN server?

Yes, in most cases. Professional firewalls (FortiGate, Sophos Firewall, Cisco Meraki, pfSense) include a built-in VPN server. This is even the recommended configuration: the VPN is managed directly by the equipment that controls the network perimeter, simplifying security rule and access management.


See also: Managed IT for SMEs: definition, benefits and costs, Secure remote work for SMEs — the complete guide, SME IT audit: the complete checklist and Data backup for SMEs: the 3-2-1 guide

Looking to deploy a VPN or secure remote access for your SME? Contact ECLAUD IT — we provide a free assessment of your network infrastructure and recommend the solution that fits your business.

ECLAUD IT
Outsourced IT Department · Reunion Island & Paris Region