The short answer
Use site-to-site connectivity when entire trusted networks must communicate continuously. Use device-based remote access when a person or managed endpoint needs selective access from changing locations. Many businesses need both, but they should not be treated as the same problem.
IPsec remains a strong choice for stable links between firewalls, especially when equipment from different vendors must interoperate. WireGuard is simpler and often easier to operate, but raw WireGuard does not provide user identity, device enrollment, policy management, or automatic peer lifecycle management. Businesses that want WireGuard without manually distributing and rotating keys should use a control plane built for that job.
Site-to-site and road-warrior access solve different problems
A site-to-site tunnel joins networks through gateways. Devices behind each gateway can reach approved resources at the other site without running their own VPN client. This suits branch offices, warehouses, plants, and cloud networks that need predictable, always-on communication.
A road-warrior connection follows an individual device wherever it goes. It should normally be tied to a named user, a managed endpoint, multifactor authentication, and access policy. This suits employees, administrators, and contractors working from home, customer sites, hotels, or mobile connections.
| Question | Site-to-site | Road warrior or device-based |
|---|---|---|
| What connects? | One network gateway to another. | An individual device to approved resources. |
| Typical identity | Gateway or site identity. | User and device identity. |
| Best for | Stable, continuous inter-site traffic. | Mobile users and selective application access. |
| Main risk | A compromised site can become a path into another site. | Lost, unmanaged, or poorly offboarded endpoints. |
| Common friction | Overlapping subnets, firewall rules, and failover. | Client setup, authentication prompts, and access requests. |
Do not give a remote worker broad network access simply because it is easy to route. Give the person and device the minimum access needed for the job. Likewise, do not install and manage a VPN client on every stationary device when a properly secured site gateway is the clearer design.
When to use IPsec and when to use WireGuard
IPsec for standards-based gateway interoperability
IPsec is mature, widely implemented in business firewalls and cloud platforms, and designed to protect IP traffic. It is often the practical default for a permanent tunnel between unlike gateway vendors. Its flexibility is also its operational burden: both sides must agree on authentication, encryption, integrity, lifetimes, routes, and traffic selectors. Troubleshooting mismatched proposals or NAT behaviour can consume time.
Raw WireGuard for small, controlled deployments
WireGuard has a deliberately small configuration model built around public keys, peer endpoints, and allowed IP addresses. That simplicity makes it attractive for links managed by a capable technical team. However, the WireGuard project explicitly leaves key distribution and pushed configuration outside its scope. Every peer relationship, key change, route, and removal still needs an operating process.
Managed WireGuard overlays for identity-driven connectivity
A managed overlay adds the missing control plane. It enrolls devices, coordinates peer information, connects to an identity provider, applies policy, and helps peers traverse NAT. The encrypted data path may remain direct between peers when conditions permit, while relays provide a fallback. This is usually much easier to operate for distributed teams and mixed site-plus-user access.
The control plane determines how devices are admitted, how access is approved, how keys and policy change, what gets logged, and how quickly a departed employee loses access.
What managed control planes exist?
Several vendors use WireGuard as part of a larger business connectivity product. The important comparison is not only tunnel speed. Evaluate identity integration, device posture, policy model, site routing, high availability, audit logs, relay behaviour, self-hosting requirements, support, and how the product behaves if its control service is unavailable.
| Option | Useful fit | Important consideration |
|---|---|---|
| Tailscale | Fast deployment for users, devices, subnet routers, and multiple sites. | Managed coordination service; evaluate plan features, policy, logging, and dependency requirements. |
| NetBird | WireGuard-based access with identity, routes, policy, and managed or self-hosted deployment. | Self-hosting provides control but makes the business responsible for operating the management, signal, and relay services. |
| Netmaker | WireGuard network management for remote access, gateways, and distributed networks. | Validate the current product edition, client model, support, and operational ownership against the deployment. |
| Cloudflare One | Broader zero-trust, application access, internet security, and network connectivity requirements. | It is a wider SASE platform, not simply a neutral WireGuard key manager. Architecture and traffic paths require careful review. |
These are examples, not a universal shortlist. Product capabilities and licensing change. A proof of concept should test your actual internet links, firewalls, applications, identity provider, routes, and support procedures before a broad rollout.
Security decisions that matter more than the protocol
- Use individual identity. Avoid shared remote-access accounts and shared client configurations.
- Require multifactor authentication. Prefer phishing-resistant methods for administrators and high-risk access.
- Separate enrollment from authorization. A registered device should not automatically reach every network.
- Apply least-privilege routes and policy. Limit access by user, device, role, site, application, and port where practical.
- Plan offboarding and expiry. Test how quickly access is removed when a user, device, contractor, or site is retired.
- Protect the gateways. Patch them, restrict administration, back up configuration, and monitor changes.
- Log meaningful events. Retain enrollment, authentication, policy, administrative, and connection records appropriate to the risk.
- Design for failure. Understand relay dependency, control-plane outages, gateway loss, ISP failure, and recovery procedures.
Full-tunnel remote access, where all internet traffic passes through the business, can improve control but also adds latency, bandwidth demand, privacy considerations, and a central failure point. Split tunnelling reduces that burden but requires precise routes and policy. Choose deliberately instead of accepting a product default.
Overlapping private address ranges are another common source of friction. Two sites using the same subnet cannot route cleanly without renumbering, translation, or product-specific workarounds. Address planning early is cheaper than troubleshooting ambiguous routes later.
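Both pitfalls above, a default route that quietly turns a connection into a full tunnel and two sites claiming the same private range, surface directly in a raw WireGuard AllowedIPs list, because WireGuard's cryptokey routing assigns each allowed prefix to exactly one peer. The following linter is an added example, not code from the original article or the WireGuard project; it runs over constructed wg-quick style configs with placeholder keys and hypothetical peer names and flags both conditions.

```python
import ipaddress
# Constructed samples (keys are placeholders): a hub gateway whose branch-b site was
# never renumbered, and a road-warrior laptop that sends all traffic to the hub.
SAMPLE_HUB = """
[Interface]
Address = 10.200.0.1/24
[Peer]
# branch-a
PublicKey = PLACEHOLDER_BRANCH_A_KEY
AllowedIPs = 10.200.0.2/32, 192.168.1.0/24
[Peer]
# branch-b
PublicKey = PLACEHOLDER_BRANCH_B_KEY
AllowedIPs = 10.200.0.3/32, 192.168.1.0/24
"""
SAMPLE_LAPTOP = """
[Interface]
Address = 10.200.0.10/32
[Peer]
# hub
PublicKey = PLACEHOLDER_HUB_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
"""

def parse_peers(text):
    """Return [(name, [ip_network, ...])] per [Peer]; name is the section's first '# comment'."""
    peers, in_peer, name, nets = [], False, None, []
    for line in (ln.strip() for ln in text.splitlines() + ["[end]"]):  # "[end]" flushes the last peer
        key, _, value = line.partition("=")
        if line.startswith("["):
            if in_peer:
                peers.append((name or f"peer{len(peers) + 1}", nets))
            in_peer, name, nets = line.lower() == "[peer]", None, []
        elif in_peer and line.startswith("#"):
            name = name or line.lstrip("# ")
        elif in_peer and key.strip() == "AllowedIPs":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return peers

def lint(text):
    """Flag /0 default routes (full tunnel) and prefixes claimed by two peers."""
    peers, findings = parse_peers(text), []
    for i, (a, nets_a) in enumerate(peers):
        findings += [f"{a}: {n} is a default route (full tunnel); confirm it is deliberate"
                     for n in nets_a if n.prefixlen == 0]
        for b, nets_b in peers[i + 1:]:  # each prefix can belong to only one peer
            findings += [f"{a}/{b}: {x} and {y} overlap; WireGuard routes the prefix to one peer only"
                         for x in nets_a for y in nets_b if x.version == y.version and x.overlaps(y)]
    return findings
```

Run `lint()` over a gateway config before loading it; on the hub sample it reports the shared 192.168.1.0/24, and on the laptop sample the 0.0.0.0/0 route that should be a deliberate choice rather than a default.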
What should a business choose?
- Choose firewall-to-firewall IPsec for a small number of stable sites when existing gateways support it well and broad vendor interoperability matters.
- Choose raw WireGuard for a small, controlled environment when the technical team is prepared to own configuration, key lifecycle, routing, monitoring, and documentation.
- Choose a managed WireGuard-based control plane when users and devices move, sites change, identity-based policy matters, and manual peer management would create friction or risk.
- Evaluate a broader zero-trust or SASE platform when the goal includes application-level access, web filtering, cloud security, and private-network connectivity under one policy system.
A sound design may combine these approaches. For example, two permanent facilities might use IPsec between supported firewalls while administrators and remote staff use identity-based device access. The goal is not protocol purity. It is connectivity that people can use, administrators can understand, and the business can revoke or recover when something changes.
Rugged Technology Services helps New Brunswick businesses design, document, and support secure networks through our cybersecurity services and managed IT services.
Primary sources
- WireGuard: protocol overview and scope
- NIST SP 800-77 Revision 1, Guide to IPsec VPNs
- Tailscale subnet routers and node-key management
- NetBird architecture and how it works
- Netmaker documentation
- Cloudflare One connectivity options
Networking and security products change over time. Confirm current features, licensing, traffic paths, and operational requirements before selecting or deploying a platform.
