VPN for Enterprise: A 2025 Blueprint
Most enterprises run a hybrid access model in 2025: zero-trust/ZTNA for browser/SaaS and a scoped, policy-driven VPN for legacy networks, thick clients, and admin workflows. Below is a pragmatic design that aligns VPN with zero-trust, integrates with SASE, and satisfies governance without recreating a flat, risky network.
Core Architecture
Identity-First Access
Make the IdP the trust anchor. Enforce MFA, conditional access, and short-lived tokens (OIDC/SAML). Provision groups via SCIM. Avoid local static credentials for VPN wherever possible, so that revocation in the IdP is the only revocation you need.
Device Posture & MDM
Gate access on posture: OS version, full-disk encryption, EDR healthy, screen lock, secure boot, MDM enrollment. Deny or restrict if checks fail; on BYOD prefer per-app VPN.
Least-Privilege Routing
Replace “full LAN” with role-scoped routes and ports. Segment admin networks; require break-glass approvals and stronger factors for elevated profiles.
Corporate DNS & DLP
Keep DNS inside the tunnel; apply filtering and sinkholes. Add DLP for sensitive destinations and log policy hits to SIEM.
Zero-Trust Alignment
- Per-app VPN: bind the tunnel only to sanctioned apps; personal apps stay off the tunnel.
- Continuous verification: re-evaluate risk (geo, device health, user risk) during long sessions.
- Short-lived sessions: rotate keys/tokens frequently; auto-disconnect stale sessions.
- Deny by default: grant only what the role needs; everything else is blocked.
Split Tunneling: Policy, Not Preference
Full-tunnel simplifies control but may hurt performance for video/updates. Split tunneling helps UX but must be constrained:
- Keep corporate DNS and sensitive routes inside the tunnel (no leaks).
- Allow only approved apps to bypass with per-app rules.
- Block P2P and known exfiltration patterns.
- Document exceptions; review quarterly.
Logging & Governance
- Auth: success/failure, factors, source IP, device ID, geo anomalies.
- Session: start/stop, assigned IP, profile, routes, policy version.
- Decisions: allow/deny with reasons (posture fail, group mismatch, geo/risk).
- Admin: config changes, key rotations, profile edits, break-glass usage.
Forward to SIEM in near real time; apply retention per regulation (e.g., 12–24 months). Tag with user, device, and policy version for correlation.
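The posture gate, role-scoped routes, deny-by-default and "decisions with reasons" logging above can be wired together in one small policy function. The following is an added example written for this page, not code from any VPN vendor; the posture check names, profile names, subnets, ports, risk and MFA field values and the policy version tag are constructed assumptions.

```python
import json

POLICY_VERSION = "2025.1"  # constructed tag, lets SIEM correlate a decision with the config in force

# Posture checks from the Device Posture section; every one must pass.
REQUIRED_POSTURE = ("os_current", "disk_encrypted", "edr_healthy",
                    "screen_lock", "secure_boot", "mdm_enrolled")

# Hypothetical role-scoped profiles: (subnet, allowed ports) instead of full-LAN routes.
PROFILES = {
    "developer": {"routes": [("10.20.0.0/16", [22, 443])],
                  "split_tunnel": True, "strong_mfa": False},
    "admin": {"routes": [("10.99.0.0/24", [22, 3389])],
              "split_tunnel": False, "strong_mfa": True},
}


def evaluate(user: dict, device: dict, profile: str) -> dict:
    """Deny-by-default decision with explicit reasons, shaped for SIEM forwarding."""
    reasons = []
    failed = [check for check in REQUIRED_POSTURE if not device.get(check, False)]
    if failed:
        reasons.append("posture_fail:" + ",".join(failed))
    if profile not in user.get("groups", []):      # IdP group membership is the source of truth
        reasons.append("group_mismatch")
    if user.get("risk", "low") == "high":           # continuous-verification signal from the IdP
        reasons.append("user_risk_high")
    rule = PROFILES.get(profile)
    if rule is None:
        reasons.append("unknown_profile")
    elif rule["strong_mfa"] and user.get("mfa") != "phishing_resistant":
        reasons.append("mfa_factor_insufficient")   # elevated profiles require stronger factors
    allowed = not reasons
    return {
        "decision": "allow" if allowed else "deny",
        "reasons": reasons,
        "routes": rule["routes"] if allowed else [],          # nothing is routed on deny
        "split_tunnel": rule["split_tunnel"] if allowed else False,
        "user": user["id"],
        "device_id": device["id"],
        "profile": profile,
        "policy_version": POLICY_VERSION,
    }


def to_siem(record: dict) -> str:
    """One JSON line per decision, tagged with user, device and policy version."""
    return json.dumps(record, sort_keys=True)
```

A gateway would call `evaluate` at connect time and again on the re-evaluation interval, and ship `to_siem(...)` for both allow and deny outcomes so that posture-fail and group-mismatch alerts can be built from the same stream.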
Performance & Reliability
- Modern protocols: prefer WireGuard-class; fall back to OpenVPN TCP 443 on restricted networks.
- Regional gateways: place POPs near users; steer by latency and health checks.
- QoS: prioritize VDI/RDP/SSH over bulk sync.
- HA & Scale: active-active gateways with automatic failover; test DR quarterly.
Privileged Access
- Separate admin profiles with stricter posture and no split tunneling.
- Just-in-time elevation via PAM; time-bound access with approvals.
- Record commands/sessions on critical infra where lawful; alert on risky patterns.
90-Day Rollout Plan
- Weeks 1–2: Inventory apps/subnets/roles; design least-privilege route sets.
- Weeks 3–4: Integrate IdP (SSO/MFA), set up SCIM, define posture via MDM/EDR.
- Weeks 5–6: Pilot per-app VPN and split-tunnel rules; enable kill switch & DNS controls.
- Weeks 7–8: Wire logs to SIEM; alerts for posture fail, impossible travel, brute-force.
- Weeks 9–12: Phase rollout; retire legacy full-LAN profiles; publish admin SOPs.
FAQ — Enterprise VPN
How to prevent lateral movement?
No LAN-wide routes. Use role-scoped subnets/ports, segment admin networks, and enforce per-app VPN on endpoints.
How to handle contractors/partners?
Separate profiles, stricter posture, minimal routes, time-boxed access; separate groups in the IdP.
How often to rotate keys?
Quarterly for server certs/keys at minimum; use short-lived client tokens and revoke on HR/device changes instantly.
© 2025 SmartAdvisorOnline — Independent page, not interlinked during the initial indexing phase.