
VPN Implementation for CompTIA Network+ N10-009

VPNs (Virtual Private Networks) create encrypted tunnels over public networks, enabling secure remote access and site-to-site connectivity. CompTIA Network+ N10-009 tests VPN types, protocols, and use cases across implementation and security domains. You must distinguish between remote access VPNs and site-to-site VPNs, understand the main VPN protocols (IPsec, SSL/TLS, OpenVPN, WireGuard), and recognize when each type is appropriate.


VPN Types by Purpose

Remote access VPN: connects individual remote users to the corporate network over the internet. The user's device runs a VPN client that establishes an encrypted tunnel to a VPN concentrator/gateway. Traffic from the user's device travels through the tunnel to the corporate network — the user appears to be locally connected. Enables secure home working and travel access.

Site-to-site VPN: connects two or more network sites over the internet as if they were directly connected via a private WAN link. The VPN tunnel is established between router/firewall appliances at each site — no client software required on user devices. Common use: connecting branch offices to headquarters. Traffic from branch users to HQ resources flows through the tunnel.

Split tunneling: only traffic destined for corporate networks travels through the VPN; internet-bound traffic goes directly to the internet. This reduces VPN bandwidth and latency for internet access, but that traffic bypasses corporate inspection and the device is attached to two networks at once, which is why many security policies forbid it. Full tunnel: all traffic (including internet) routes through the VPN, so it passes the corporate security stack (inspection, filtering, logging) at the cost of additional VPN load and latency.
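The routing decision that separates a split tunnel from a full tunnel, as an added example rather than code from the original page. The policy type, the corporate prefixes (10.0.0.0/8 and 172.16.0.0/12), the gateway address and the "local LAN access" option are assumptions for illustration; on a real client the concentrator pushes these routes at connect time.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Route is where the client sends a packet: into the VPN tunnel or out the physical interface.
type Route string

const (
	ViaTunnel Route = "tunnel"
	ViaDirect Route = "direct"
)

// TunnelPolicy models the routes a VPN client installs when the tunnel comes up.
// Split tunnel: only CorporatePrefixes go into the tunnel. Full tunnel: everything does,
// except what must never be tunneled: the VPN gateway itself (the encrypted packets have
// to reach it over the physical interface) and, if the client permits it, the local LAN.
type TunnelPolicy struct {
	FullTunnel        bool
	CorporatePrefixes []netip.Prefix // pushed by the concentrator; used only for split tunnel
	Gateway           netip.Addr     // public address of the VPN concentrator
	LocalLAN          netip.Prefix   // the client's directly connected subnet
	AllowLocalLAN     bool           // "local LAN access" option; assumed for illustration
}

// Decide returns the route for one destination. Exclusions are checked first so they
// win even under a full tunnel, mirroring longest-prefix match on a real route table.
func (p TunnelPolicy) Decide(dst netip.Addr) Route {
	if dst == p.Gateway || (p.AllowLocalLAN && p.LocalLAN.Contains(dst)) {
		return ViaDirect
	}
	if p.FullTunnel {
		return ViaTunnel
	}
	for _, pfx := range p.CorporatePrefixes {
		if pfx.Contains(dst) {
			return ViaTunnel
		}
	}
	return ViaDirect
}

// RouteTable lists the routes the policy installs, in the form seen on a client after
// connecting. The /32 host route to the gateway is what keeps a full tunnel from trying
// to send its own encrypted packets back into itself.
func (p TunnelPolicy) RouteTable() []string {
	routes := []string{netip.PrefixFrom(p.Gateway, p.Gateway.BitLen()).String() + " via physical"}
	if p.AllowLocalLAN {
		routes = append(routes, p.LocalLAN.String()+" via physical")
	}
	if p.FullTunnel {
		return append(routes, "0.0.0.0/0 via tunnel")
	}
	for _, pfx := range p.CorporatePrefixes {
		routes = append(routes, pfx.String()+" via tunnel")
	}
	return routes
}

func main() {
	// Constructed sample policy: two RFC 1918 corporate ranges, a gateway in TEST-NET-3, a home LAN.
	corp := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("172.16.0.0/12")}
	gw, lan := netip.MustParseAddr("203.0.113.1"), netip.MustParsePrefix("192.168.1.0/24")
	split := TunnelPolicy{CorporatePrefixes: corp, Gateway: gw, LocalLAN: lan, AllowLocalLAN: true}
	full := TunnelPolicy{FullTunnel: true, Gateway: gw, LocalLAN: lan}
	for _, dst := range []string{"10.20.30.40", "198.51.100.7", "203.0.113.1", "192.168.1.50"} {
		a := netip.MustParseAddr(dst)
		fmt.Printf("%-14s split: %-7s full: %s\n", dst, split.Decide(a), full.Decide(a))
	}
	fmt.Println("full-tunnel routes:", full.RouteTable())
}
```

The same decision appears in WireGuard as the peer's AllowedIPs list: the corporate prefixes give a split tunnel, 0.0.0.0/0 gives a full tunnel, and the client still needs the host route to the gateway's endpoint address over the physical interface.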

VPN Protocols

IPsec (Internet Protocol Security): the most widely used VPN protocol suite. Two modes: Tunnel mode (encrypts the entire original packet, header included, and adds a new IP header; used between VPN gateways) and Transport mode (protects only the payload and leaves the original IP header visible; used host-to-host). Two protocols: AH (Authentication Header, IP protocol 51) provides integrity and origin authentication only, with no encryption. ESP (Encapsulating Security Payload, IP protocol 50) provides encryption plus integrity and authentication, and is what VPNs use. IKE (Internet Key Exchange, IKEv1 or the current IKEv2) authenticates the peers, negotiates algorithms and keys, and establishes the SAs (Security Associations). Ports: IKE uses UDP 500; when a NAT device sits in the path, NAT traversal (NAT-T) moves IKE to UDP 4500 and wraps ESP in UDP 4500 as well, because bare ESP has no port numbers for a NAT to rewrite.

SSL VPN (TLS-based): uses standard HTTPS (TCP 443), so it passes through firewalls and proxies that allow HTTPS. Two types: clientless (browser-based portal, no software install) for access to specific web applications, and client-based (installed software that provides a full network-layer tunnel). Common in enterprise remote access. Examples: Cisco AnyConnect, Pulse Secure, Palo Alto GlobalProtect.

OpenVPN: open-source VPN using SSL/TLS, highly configurable, can use TCP or UDP (default UDP 1194). WireGuard: modern VPN protocol designed for simplicity and performance. It uses a fixed, modern cipher suite (Curve25519 key exchange, ChaCha20-Poly1305, BLAKE2s) built on the Noise protocol framework, runs over UDP (default port 51820), has a very small code base, and is generally faster and simpler to configure than OpenVPN; relative to hardware-accelerated IPsec its throughput depends on the platform.

PPTP (Point-to-Point Tunneling Protocol): legacy; its MPPE (RC4) encryption and MS-CHAPv2 authentication are both broken, so it is deprecated. Control channel on TCP 1723, data carried in GRE. L2TP (Layer 2 Tunneling Protocol, UDP 1701): provides tunneling but no encryption of its own, so it is combined with IPsec (L2TP/IPsec) for security. GRE (Generic Routing Encapsulation, IP protocol 47): tunneling without encryption, often combined with IPsec (GRE over IPsec) to carry multicast and routing-protocol traffic that a plain IPsec tunnel cannot.

VPN Protocol Comparison

Protocol     | Encryption            | Port/Protocol                                  | Use case
-------------|-----------------------|------------------------------------------------|---------------------------
IPsec (ESP)  | AES (3DES legacy)     | IKE UDP 500, NAT-T UDP 4500; ESP IP protocol 50 | Site-to-site, client VPN
SSL/TLS VPN  | TLS (AES)             | TCP 443                                        | Remote access, clientless
OpenVPN      | TLS (AES)             | UDP or TCP, any port (default UDP 1194)        | Flexible client VPN
WireGuard    | ChaCha20-Poly1305     | UDP (default 51820)                            | Modern, fast client VPN
L2TP/IPsec   | AES via IPsec         | UDP 1701 (L2TP), UDP 500/4500 (IKE)            | Legacy client VPN
PPTP         | MPPE (RC4)            | TCP 1723 + GRE (IP protocol 47)                | Legacy, avoid

Key exam facts — Network+

  • Remote access VPN: user → VPN gateway (requires client software)
  • Site-to-site VPN: site gateway → site gateway (no client software on user devices)
  • IPsec ESP = encryption plus integrity and authentication; AH = integrity and authentication only (no encryption)
  • IPsec tunnel mode = encrypts the whole packet behind a new outer header; transport mode = protects the payload only, original header visible
  • SSL VPN uses TCP 443 — traverses firewalls that allow HTTPS
  • PPTP is deprecated and insecure — avoid it
  • Split tunneling: only corporate traffic through VPN; full tunnel: all traffic

Common exam traps

All VPN protocols provide the same level of security

PPTP's MPPE (RC4) encryption and MS-CHAPv2 authentication are both broken. L2TP alone has no encryption. IPsec with AES and SSL/TLS with AES are both strong. WireGuard uses modern cryptography. Always use current protocols, and never PPTP.

IPsec AH provides encryption

IPsec AH (Authentication Header) provides only integrity and origin authentication; it does not encrypt the payload. IPsec ESP (Encapsulating Security Payload) provides encryption as well as integrity and authentication, which is why VPNs use ESP.

Practice questions — VPN Implementation

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1.A company needs to connect its branch office in another city to the headquarters over the internet, allowing branch users to access HQ resources transparently without VPN client software. Which VPN type is most appropriate?

A.Remote access SSL VPN
B.Site-to-site IPsec VPN
C.PPTP client VPN
D.Clientless browser-based VPN

Correct answer: B. Explanation: A site-to-site IPsec VPN connects two network sites via tunnels between gateway devices (routers or firewalls). Branch users don't need VPN client software because the tunnel is established at the network level. A remote access VPN requires per-user client software. PPTP is insecure. A clientless browser VPN is for individual remote users accessing specific web-based resources.

Frequently asked questions — VPN Implementation

What is the difference between IPsec tunnel mode and transport mode?

IPsec tunnel mode encrypts the entire original IP packet (header + payload) and adds a new IP header carrying the gateway addresses; it is what VPN gateways use to connect networks (site-to-site VPN) and what remote-access clients use. The original IP addresses are hidden inside the encrypted payload, so an observer on the path sees only gateway-to-gateway traffic. Transport mode encrypts only the payload (data) and keeps the original IP header visible; it is used for host-to-host protection (e.g. traffic between two servers) and inside L2TP/IPsec, where L2TP supplies the tunnel. VPNs almost always use tunnel mode.
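The encapsulation described in this answer, in the IPsec protocol section above, and in the AH exam trap, as an added example in Go rather than code from the original page: it builds a transport-mode and a tunnel-mode ESP packet with AES-GCM (RFC 4106), an AH packet with HMAC-SHA256-128 (RFC 4868), and shows what an observer on the path can read from each. The key, salt, SPIs, addresses and the inner HTTP request are constructed for illustration (a real SA gets them from IKE), and the IPv4 header checksum is left zero since nothing here puts the packets on a wire.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"net/netip"
)

// IP protocol numbers; 4 (IP-in-IP) marks a tunnel-mode inner IPv4 packet.
const protoIPv4, protoTCP, protoESP, protoAH byte = 4, 6, 50, 51

// ipv4Header builds a minimal IPv4 header; checksum left zero (a raw socket with IP_HDRINCL fills it).
func ipv4Header(src, dst netip.Addr, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto // version 4 + IHL 5, TTL, protocol
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	copy(h[12:], src.AsSlice())
	copy(h[16:], dst.AsSlice())
	return h
}
// espSeal builds an ESP packet with AES-GCM (RFC 4106): SPI | Seq | IV | ciphertext | ICV. SPI and Seq
// are cleartext but authenticated as AEAD additional data; nonce = 4-byte SA salt + 8-byte IV from Seq.
func espSeal(key, salt []byte, spi, seq uint32, payload []byte, next byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	hdr, iv := make([]byte, 8), make([]byte, 8)
	binary.BigEndian.PutUint32(hdr, spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	binary.BigEndian.PutUint64(iv, uint64(seq)) // one key per SA, so Seq alone keeps the nonce unique
	padLen := (4 - (len(payload)+2)%4) % 4 // ESP trailer: padding | pad length | next header
	pt := append(append(append([]byte{}, payload...), make([]byte, padLen)...), byte(padLen), next)
	ct := gcm.Seal(nil, append(append([]byte{}, salt...), iv...), pt, hdr)
	return append(append(hdr, iv...), ct...)
}
// espOpen verifies the ICV, decrypts, and returns the inner payload and its next header.
func espOpen(key, salt, esp []byte) ([]byte, byte, error) {
	if len(esp) < 16 { return nil, 0, fmt.Errorf("short ESP packet") }
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	pt, err := gcm.Open(nil, append(append([]byte{}, salt...), esp[8:16]...), esp[16:], esp[:8])
	if err != nil || len(pt) < 2 || int(pt[len(pt)-2])+2 > len(pt) {
		return nil, 0, fmt.Errorf("ESP ICV or trailer check failed: %v", err)
	}
	return pt[:len(pt)-2-int(pt[len(pt)-2])], pt[len(pt)-1], nil
}
// transportMode keeps the original header (protocol set to ESP) and encrypts only the payload: endpoints stay visible.
func transportMode(key, salt []byte, src, dst netip.Addr, payload []byte) []byte {
	esp := espSeal(key, salt, 0x1001, 1, payload, protoTCP)
	return append(ipv4Header(src, dst, protoESP, len(esp)), esp...)
}
// tunnelMode encrypts the whole original packet, header included, inside a gateway-to-gateway packet: endpoints hidden.
func tunnelMode(key, salt []byte, gwA, gwB, src, dst netip.Addr, payload []byte) []byte {
	inner := append(ipv4Header(src, dst, protoTCP, len(payload)), payload...)
	esp := espSeal(key, salt, 0x1002, 2, inner, protoIPv4)
	return append(ipv4Header(gwA, gwB, protoESP, len(esp)), esp...)
}
// onWire is what a passive observer reads from the cleartext outer header.
func onWire(pkt []byte) (src, dst netip.Addr, proto byte) {
	src, _ = netip.AddrFromSlice(pkt[12:16])
	dst, _ = netip.AddrFromSlice(pkt[16:20])
	return src, dst, pkt[9]
}
// ahICV is HMAC-SHA256-128 (RFC 4868) over the IP header (mutable fields zeroed), the AH header (ICV zeroed) and the cleartext payload.
func ahICV(key, pkt []byte) []byte {
	c := append([]byte{}, pkt...)
	c[1], c[6], c[7], c[8], c[10], c[11] = 0, 0, 0, 0, 0, 0 // DSCP/ECN, flags+offset, TTL, checksum
	copy(c[32:48], make([]byte, 16))
	m := hmac.New(sha256.New, key)
	m.Write(c)
	return m.Sum(nil)[:16]
}
// ahAuthenticate prepends an AH header (RFC 4302): integrity and origin authentication only, nothing encrypted.
func ahAuthenticate(key []byte, src, dst netip.Addr, payload []byte) []byte {
	ah := make([]byte, 28)
	ah[0], ah[1] = protoTCP, 5 // next header; AH length in 32-bit words minus 2
	binary.BigEndian.PutUint32(ah[4:], 0x1003) // SPI
	binary.BigEndian.PutUint32(ah[8:], 1)      // sequence number
	pkt := append(append(ipv4Header(src, dst, protoAH, 28+len(payload)), ah...), payload...)
	copy(pkt[32:], ahICV(key, pkt))
	return pkt
}
func ahVerify(key, pkt []byte) bool { return len(pkt) >= 48 && hmac.Equal(pkt[32:48], ahICV(key, pkt)) }

func main() {
	key, salt := bytes.Repeat([]byte{0x42}, 16), []byte{1, 2, 3, 4} // constructed demo SA material; IKE negotiates real ones
	src, dst := netip.MustParseAddr("10.1.1.10"), netip.MustParseAddr("10.2.2.20")
	gwA, gwB := netip.MustParseAddr("203.0.113.1"), netip.MustParseAddr("198.51.100.1")
	payload := []byte("GET /payroll HTTP/1.1") // constructed cleartext inner data
	for _, p := range [][]byte{transportMode(key, salt, src, dst, payload), tunnelMode(key, salt, gwA, gwB, src, dst, payload), ahAuthenticate(key, src, dst, payload)} {
		s, d, proto := onWire(p)
		fmt.Printf("wire %s -> %s proto %d, payload readable: %v\n", s, d, proto, bytes.Contains(p, payload))
	}
}
```

The transport-mode line shows the two hosts with protocol 50, the tunnel-mode line shows only the two gateways, and the AH line shows the hosts with protocol 51 and the payload still readable, which is the exam point: AH authenticates but hides nothing. Flipping any byte of an ESP or AH packet makes espOpen or ahVerify fail, so both protocols give integrity; only ESP gives confidentiality.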
