Mesh VPNs & How They Differ from Hub and Spoke VPNs
by Erin Risk

Mesh VPNs & How They Differ from Hub and Spoke VPNs

As traditional VPN technologies become less effective and more problematic, companies are searching for another way to provide secure remote access to their private resources. Mesh VPN solutions offer an alternative that replaces VPN’s original hub-and-spoke model with a distributed, peer-to-peer topology. Although it solves some problems, mesh VPN does not address all the challenges modern enterprises face.

We will explain what mesh VPNs are, how they work, and how they differ from traditional VPN solutions. As enterprise networks and workforces become more distributed, however, mesh VPNs add complexity and struggle to scale. Secure access solutions based on Zero Trust principles are better suited for how business works today.

What is mesh VPN?

A mesh VPN is a private, centrally-managed peer-to-peer (P2P) network that creates direct, secure connections between any two member nodes. Unlike public P2P services such as Gnutella or BitTorrent, mesh VPN solutions give administrators control over access and visibility into network activity. That central control does not extend to the mesh VPN’s data traffic which passes directly between nodes through encrypted tunnels.

Mesh VPNs let organizations build efficient network topologies that link multiple geographically separated sites together without running them through a central location. Increasingly, companies are looking at mesh VPNs to support distributed workforces.

How Mesh VPNs work

Most of the work in a mesh VPN is done by software agents running on each node. The agent maintains a list of the other nodes in the network and their public keys and IP addresses. When two nodes connect, they exchange keys and establish an encrypted connection.

Some mesh VPNs, such as the open-source project tinc, use a pure P2P model. However, many solutions take a hybrid approach to centralize some features. For example, the list of authorized nodes may be synchronized from a central server rather than distributed by the P2P agents themselves.

The difference between Mesh and Traditional Hub and Spoke

Mesh VPNs attempt to address some of the weaknesses inherent to the traditional hub and spoke VPN topologies. Originally created as an affordable, internet-based solution to wide-area networking, VPN was designed to connect a few trusted networks. It was only later that VPN’s features extended to providing remote access. Even then, the remote users were a small subset of the company’s employees.

Hub and Spoke VPN topologies

A hub and spoke topology was a logical design decision. A VPN gateway provided a central point for remote offices and users to access the central, protected network. However, in today’s distributed network environment, this approach creates significant challenges.

  • VPN gateway visibility: The VPN gateway must have a public IP address to be discoverable by remote clients. But that visibility also makes the gateway discoverable by anybody — including cybercriminals.
  • Full network access: VPN gateways treat any authenticated client as a trusted network. The user and device get full access to the protected network. Should hackers compromise a device, they are free to roam wherever they want.
  • Network performance: The hub and spoke model forces all traffic from the spokes through the VPN gateway. This includes any traffic between users and cloud-based resources. As a result, throughput and latency often suffer.
  • Flexibility and scalability: All traffic must be encrypted and decrypted as it passes through the gateway. If demand for remote access increases suddenly, the performance of a company’s existing VPN appliances or servers may not be enough to handle the increased workload. The time and resources needed to upgrade VPN capacity make the technology less responsive to dynamic business needs.

Distributed VPN topologies

Mesh VPNs eliminate the centralized structure of traditional VPN solutions in favor of a P2P approach. This distributed topology offers several improvements:

  • Hidden nodes: The list of node addresses is not published outside the mesh VPN so the attack surface is smaller.
  • Access control: Administrators can determine what a node can see and connect to within the mesh VPN.
  • User experience: Direct connections can follow the most performant route to improve user experience.
  • Network performance: Since traffic is not concentrated through a gateway, traffic on the company’s network is reduced.

However, mesh VPNs do not fix every weakness in the VPN model — and they create new issues that companies must address.

  • Node addresses: Some mesh VPN solutions require each node to have a unique IP address across all networks. Readdressing every node has knock-on effects throughout the organization. The network infrastructure, system settings, and workflows must be updated. Users must change their bookmarks and learn how to use the new addresses.
  • Scalability: Companies are used to having VPN clients running on every user device. Mesh VPNs also need agents running on every device hosting a resource. That includes every on-prem server and cloud VM. As a result, mesh VPNs increase administrative overhead.
  • Complexity: The complexity of mesh VPN solutions can require higher levels of expertise to manage. Some solutions, for example, require policies to be written in JSON rather than being set in simple user interfaces.

Hybrid VPN topologies

Companies searching for an alternative to a traditional hub and spoke VPN are not limited to distributed mesh solutions. VPN’s original site-to-site capability, for example, can alleviate the pressure on the company’s central hub. VPN gateways at regional offices provide local network access while site-to-site VPN connections handle the traffic passing between offices. This approach becomes challenging to manage and expensive as the number of site-to-site connections increase.

Dynamic multipoint VPN (DMVPN) blends the hub-and-spoke and mesh topologies. The network still has a central VPN gateway that forms the hub for incoming connections. When traffic needs to pass from one node to another, the DMVPN gateway dynamically configures a direct, peer-to-peer connection. DMVPNs are complex enterprise solutions requiring expertise to deploy and manage.

VPN considerations vs. Zero Trust secure access

Whether it is the traditional hub-and-spoke model, the distributed mesh model, or something in between, VPN technologies are no longer the best solutions for modern businesses. Resources are distributed across on-premises systems, co-located servers, private clouds, and X-as-a-Service platforms. Work-from-home policies and a growing reliance on contractors and other third parties mean remote access is no longer limited to a handful of executives and field engineers.

Zero Trust is a modern alternative to VPN that provides more efficient and performant access to resources while improving a company’s security posture. Central to Zero Trust is the concept that any network has probably been breached. In that light, every connection attempt — regardless of the user, device, or network — may be an attack. Authentication and role-based authorization is needed before any connection request is granted. And with access control rules based on principles of least privilege, users may only access the specific resources they need to do their jobs.

How Twingate enhances security beyond access control

Twingate’s Zero Trust solution is designed from the ground up as an enterprise product. From established businesses to rapidly-growing startups, we understand our customers’ challenges and designed a solution that meets their needs.

  • Deployment: Twingate coexists with your network infrastructure. You do not need to add hardware or reconfigure systems. This lets you roll out Zero Trust gradually without disrupting business operations.
  • Manageability: Mesh VPNs need to have software running on every device may work for smaller networks but becomes impractical in dynamic enterprise environments. Twingate’s lightweight Connector software can be installed on each network segment or VPC host.
  • Security stack integration: Twingate integrates with the major identity providers and two-factor authentication solutions you already use. Better yet, we extend 2FA to protect services such as SSH.
  • Device posture: Twingate lets you set authorization policies based on device posture. Operating system version, antivirus status, and other factors can limit the degree of resource access any device receives.
  • Indexed activity logs: Twingate makes it easier to identify usage patterns and detect potential attacks by indexing all activity logs to user and device identities.

Secure distributed networks with Twingate

Mesh VPNs are an attempt to mitigate the weaknesses of traditional VPN technologies by replacing hub-and-spoke with distributed, peer-to-peer topologies. They address some of VPN’s security weaknesses and eliminate the VPN gateways that undermine network performance. However, mesh VPNs introduce other issues that make them less suitable for modern businesses.

Twingate’s Zero Trust-based approach to secure access is designed for the way enterprises work today. Able to protect resources wherever they are located, easy to deploy, and simple to manage, Twingate reduces the friction businesses experience on the path to Zero Trust Network Access.

Contact us today to learn more about Twingate’s distributed network architecture.

Featured Articles