VPN gets brought up in almost every small business security conversation, often without a clear explanation of what it does or whether you actually need one. Let’s clear that up before you spend any money.

What a VPN actually does

A VPN (Virtual Private Network) creates an encrypted “tunnel” for your internet traffic. When you’re connected to a VPN, your network traffic passes through the VPN provider’s servers before reaching the internet. This does two main things:

  1. Encrypts your traffic on the network you’re currently using — helpful when you’re on public Wi-Fi where other people on the same network could potentially intercept unencrypted traffic
  2. Changes your apparent IP address — websites you visit see the VPN’s IP address, not yours

There’s also a third use case for businesses specifically:

  3. Creates a private network connecting remote employees to your office network, as if they were physically present — letting them access internal servers, printers, or software that’s only available on your office network

When small businesses actually need a VPN

Remote access to office resources: If you have employees working from home who need access to a file server, a printer, an internal app, or a network drive that lives in your office, a VPN gives them that access securely. This is the most common business use case.

Employee security on public Wi-Fi: If your team travels or frequently works from coffee shops, a VPN protects their traffic from the (real but limited) risk of someone snooping on the same network. This is a reasonable precaution for anyone handling sensitive client data or financial information remotely.

Compliance requirements: Some industries (healthcare, finance, legal) have specific requirements about how data is transmitted. A VPN may be part of meeting those requirements. Check with your compliance professional if this applies to you.

When you don’t need it: If your team works from home offices on their own private internet connections and all your business tools are cloud-based (Microsoft 365, Google Workspace, Salesforce, etc.), a VPN adds complexity without much security benefit. Cloud applications already encrypt your data in transit. A VPN on top of that is redundancy, not necessity.

Types of business VPNs

There are two flavors:

Remote access VPN: Individual employees connect from wherever they are to your business network. This is the most common type for small businesses. Each user installs a VPN client app and connects to your VPN server.

Site-to-site VPN: Connects two entire networks — like connecting your main office to a branch office so both locations act as one network. More complex, requires specialized equipment or cloud configuration, and is usually overkill for businesses with fewer than 20 employees.

Business VPN options

NordLayer (previously NordVPN Teams): Built specifically for businesses, not repurposed from a consumer product. Easy to deploy and manage, works on Windows, Mac, iOS, and Android. Around $8-10 per user per month. Good choice for teams of 5-50 people.

Cisco Meraki Client VPN: If you already have a Meraki router (common in small-to-midsize offices), it has built-in VPN capabilities. Configuration is done through Meraki’s dashboard and can cover 5-10 remote employees without additional licensing.

Cloudflare Zero Trust (WARP for Teams): A newer approach — rather than a traditional VPN, it gives employees secure access to your business applications without putting them on your whole network. More secure in some ways, more complex to configure. Free for up to 50 users.

OpenVPN Access Server: An open-source option that’s free for up to 3 simultaneous users. More technical to set up (requires a server to host it) but free and highly configurable. Good for technically inclined owners who want control over the whole setup.

Setting up a remote access VPN with NordLayer (a basic walkthrough)

  1. Sign up for NordLayer and create your organization
  2. Add your users via email invitation — they receive an email to download the client app
  3. Create a gateway — this is the VPN server your users will connect to. NordLayer hosts it in their infrastructure; you pick a location.
  4. Add a dedicated IP (optional but useful if you need to whitelist your business IP for other services)
  5. Users download the NordLayer app on their devices and log in with their company email
  6. Connect — one click in the app connects to your company’s VPN gateway

The whole setup takes about 30-45 minutes. The end result: every employee can connect to the VPN from anywhere and have their traffic encrypted and associated with your business IP.

A note on security theater

A VPN is not a magic security shield. It protects traffic in transit; it doesn’t protect against phishing, weak passwords, malware, or insider threats. A small business that implements a VPN but doesn’t have multi-factor authentication enabled is protecting the road while leaving the front door unlocked.

If you’re thinking about security investments for your small business, the priority order is:

  1. Multi-factor authentication on everything (especially email)
  2. Strong password management (a password manager for the team)
  3. Current software updates on all devices
  4. A backup strategy that actually works
  5. A VPN, if any of the use cases above apply to you

Get the first four right first. Then add the VPN if the situation calls for it.