The three real options, not just one

1. Traditional VPN (site-to-site or client-server)

A VPN creates an encrypted tunnel between a remote user (or branch office) and your network, making remote resources behave as if the user were physically on-site. This remains the right call when your team needs access to internal, non-cloud resources — file servers, internal applications, printers, legacy line-of-business systems that were never designed to be internet-facing.

2. Direct cloud access

If your business has genuinely moved to cloud-hosted SaaS and cloud infrastructure (Google Workspace, cloud-hosted applications, cloud databases with proper access controls), a VPN to a physical office network may not be doing anything useful — your team can authenticate directly to the cloud services they need, with no need to "tunnel into the office" at all.

3. Zero-trust / identity-based access (e.g. Headscale/WireGuard-based mesh)

A middle path: instead of granting broad network access once connected (the traditional VPN model), each user or device is individually authenticated and granted access only to the specific resources they need — not the whole network. This significantly reduces the blast radius if one device or credential is compromised.

Traditional VPNDirect Cloud AccessZero-Trust Mesh
Best forOn-prem resources, legacy appsFully cloud-native businessesHybrid teams, sensitive access
Setup complexityModerateLow (per-app)Moderate–High
Breach blast radiusWhole network exposedPer-app onlyPer-resource only
Works without internet to HQNoYesYes
"The question isn't 'VPN or not.' It's 'what does this specific user actually need access to, and does granting them the whole network just to reach one file share make sense?'"

Why "just use a VPN" is increasingly the wrong default

The traditional VPN model grants broad network access once a connection is established — which made sense when "the network" was a tightly bounded office LAN. For hybrid teams accessing a mix of cloud services and on-prem resources from personal devices, home networks, and coffee shops, that broad-access model is a bigger security exposure than it needs to be. A compromised laptop with full VPN access is a much bigger problem than a compromised laptop with access to two specific internal services.

A practical decision framework

What we actually deploy

We support all three models and most of our clients end up with a mix — site-to-site VPN between offices, direct access to cloud SaaS, and a zero-trust layer (we typically use Headscale, a self-hosted WireGuard-based coordination server) for remote staff who need scoped access to specific internal systems without full network exposure.

Not sure which model fits your team?

We'll map your actual access requirements and recommend the simplest setup that's still genuinely secure.

See Our VPN Service →