Virtual private network
== VPN topology configurations ==
[[File:VPN classification-en.svg|thumb|upright=1.5|VPN classification tree based on the topology first, then on the technology used]]
[[File:Virtual Private Network overview.svg|thumb|upright=1.5|VPN connectivity overview, showing intranet site-to-site and remote-work configurations used together]]
Virtual private network configurations can be classified by the purpose of the virtual extension, which makes different tunneling strategies appropriate for different topologies:

;Remote access
: A ''host-to-network'' configuration is analogous to joining one or more computers to a network to which they cannot be directly connected. This type of extension gives that computer access to the [[local area network]] of a remote site, or to any wider enterprise network, such as an [[intranet]]. Each computer is in charge of activating its own tunnel towards the network it wants to join. The joined network is only aware of a single remote host for each tunnel. This may be employed for [[remote work]]ers, or to let people access their private home or company resources without exposing them on the public Internet. Remote access tunnels can be either on-demand or always-on. Because the remote host's location is usually unknown to the central network until the host tries to reach it, proper implementations of this configuration require the remote host to initiate the communication towards the central network it is accessing.
;Site-to-site
: A ''site-to-site'' configuration connects two networks. This configuration expands a network across geographically disparate locations. Tunneling is only done between gateway devices located at each network location. These devices then make the tunnel available to other local network hosts that aim to reach any host on the other side. This is useful to keep sites connected to each other in a stable manner, like office networks to their headquarters or datacenter. In this case, any side may be configured to initiate the communication as long as it knows how to reach the other.

In the context of site-to-site configurations, the terms ''[[intranet]]'' and ''[[extranet]]'' are used to describe two different use cases.<ref>{{Cite IETF|title=RFC 3809 - Generic Requirements for Provider Provisioned Virtual Private Networks|rfc=3809|section=1.1}}</ref> An ''intranet'' site-to-site VPN describes a configuration where the sites connected by the VPN belong to the same organization, whereas an ''extranet'' site-to-site VPN joins sites belonging to multiple organizations.

Typically, individuals interact with remote access VPNs, whereas businesses tend to make use of site-to-site connections for [[business-to-business]], cloud computing, and [[branch office]] scenarios. However, these technologies are not mutually exclusive and, in a significantly complex business network, may be combined.

Apart from the general topology configuration, a VPN may also be characterized by:
* the tunneling protocol used to [[IP tunnel|tunnel]] the traffic,
* the tunnel's termination point location, e.g., on the customer [[Edge device|edge]] or network-provider edge,
* the security features provided,
* the [[OSI model|OSI layer]] they present to the connecting network, such as [[Layer 2]] link/circuit or [[Layer 3]] network connectivity,
* the number of simultaneous allowed tunnels,
* the relationship between the actor implementing the VPN and the network infrastructure provider, and whether the former trusts the medium of the latter.

A variety of VPN techniques exist to adapt to the above characteristics, each providing different network tunneling capabilities and different security model coverage or interpretation.
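The topology rules above can be checked mechanically against a gateway's peer inventory. The following is an added example, not part of the original article: the <code>Peer</code> record, its field names, the organization names and all addresses are constructed assumptions, not the format of any particular VPN product.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LOCAL_ORG = "example-corp"  # constructed name of the organization running this gateway

@dataclass
class Peer:
    name: str
    topology: str            # "remote-access" or "site-to-site"
    routed: List[str]        # prefixes reachable through this tunnel
    endpoint: Optional[str]  # address the local gateway would dial; None = wait for the peer
    org: str                 # organization that owns the far side

def audit(peer: Peer) -> List[str]:
    """Return the ways a peer entry contradicts its declared topology."""
    nets = [ipaddress.ip_network(p) for p in peer.routed]
    findings = []
    if peer.topology == "remote-access":
        # The joined network is only aware of a single remote host per tunnel.
        if len(nets) != 1 or nets[0].num_addresses != 1:
            findings.append("routes more than one host")
        # The host's location is unknown until it connects, so it must initiate.
        if peer.endpoint is not None:
            findings.append("gateway is configured to dial the remote host")
    elif peer.topology == "site-to-site":
        # A gateway fronts a network; host-only routes suggest a mislabelled tunnel.
        if all(n.num_addresses == 1 for n in nets):
            findings.append("routes only single hosts, no network")
    else:
        findings.append("unknown topology")
    return findings

def site_kind(peer: Peer) -> Optional[str]:
    """Intranet if the far site is ours, extranet otherwise; None for remote access."""
    if peer.topology != "site-to-site":
        return None
    return "intranet" if peer.org == LOCAL_ORG else "extranet"

# Constructed inventory (documentation address ranges).
PEERS = [
    Peer("laptop-17", "remote-access", ["10.8.0.12/32"], None, LOCAL_ORG),
    Peer("branch-01", "site-to-site", ["10.20.0.0/16"], "198.51.100.10", LOCAL_ORG),
    Peer("supplier", "site-to-site", ["172.16.40.0/24"], None, "partner-ltd"),
    Peer("kiosk-03", "remote-access", ["192.168.50.0/24"], "203.0.113.7", LOCAL_ORG),
]

if __name__ == "__main__":
    for p in PEERS:
        print(p.name, site_kind(p), audit(p) or "ok")
```

A site-to-site peer without an endpoint is not flagged, because either side may initiate as long as it knows how to reach the other; here the far gateway is assumed to dial in.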