Connecting Multiple Office Locations With Site-to-Site VPN
When a business expands to a second location, one of the first infrastructure questions is: how do these two offices talk to each other securely? Employees at both sites need access to shared resources - file servers, internal applications, lab equipment, phone systems - without exposing anything to the public internet.
TL;DR: A site-to-site VPN creates an always-on encrypted tunnel between office locations. It lets devices at both sites communicate as if they're on the same network, which is critical for healthcare and lab environments with compliance requirements.
The answer, in most cases, is a site-to-site VPN tunnel.
What is a Site-to-Site VPN?
A site-to-site VPN is a permanent, encrypted connection between two or more office networks over the public internet. Unlike a remote access VPN used by individual employees, a site-to-site tunnel runs continuously between firewall appliances at each location and carries traffic for every device on both networks automatically.
How a Site-to-Site VPN Works
A site-to-site VPN creates an encrypted tunnel between two firewalls over the public internet. To the devices on each network, it looks like both offices are on the same private network. A workstation in one city can reach a server in another city using its local IP address, as if they were in the same building.
This is different from the remote access VPN that individual employees use from home or on the road. A site-to-site tunnel is always on, always connected, and handles traffic for every device on both networks automatically.
How I Set These Up
The typical setup uses a firewall appliance at each location running OpenVPN in peer-to-peer mode. One side acts as the server, the other as the client. The tunnel gets its own dedicated subnet so you can route traffic cleanly between the two office networks without address conflicts.
The important decisions are:
- Encryption - AES-256-GCM is the standard. Strong, fast, and hardware-accelerated on modern firewalls.
- Protocol - UDP is preferred over TCP for VPN tunnels. TCP-over-TCP creates performance problems under packet loss.
- Routing - Each firewall needs to know which subnets live on the other side of the tunnel so it can route traffic correctly.
- Monitoring - The tunnel should be monitored with automated health checks. A dropped tunnel means both offices are disconnected, and you want to know about it before users start calling.
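As an added example (not configuration from the original post or from any particular firewall vendor), here is what those four decisions look like in a plain OpenVPN peer-to-peer configuration, one file per side. Every address, hostname and file name is a hypothetical placeholder: Site A's LAN is assumed to be 192.168.10.0/24, Site B's 192.168.20.0/24, the dedicated tunnel subnet 10.99.0.0/30, and Site A is assumed to be reachable at vpn.sitea.example. The directives themselves are real OpenVPN 2.5+ options.

```conf
# ---- Site A: /etc/openvpn/site-to-site.conf (acts as the server) ----
mode p2p                      # point-to-point, one peer only (hypothetical deployment)
dev tun
proto udp                     # UDP, not TCP, to avoid TCP-over-TCP under packet loss
port 1194
tls-server
ca ca.crt                     # placeholder PKI files issued by your own CA
cert siteA.crt
key siteA.key
dh none                       # ECDH key exchange; no DH parameter file needed (2.4+)
tls-crypt ta.key              # encrypts and authenticates the control channel
remote-cert-tls client        # refuse a certificate not issued for client use
tls-version-min 1.2
data-ciphers AES-256-GCM      # data channel: AES-256-GCM only ("cipher" on < 2.5)
ifconfig 10.99.0.1 10.99.0.2  # dedicated tunnel subnet: local / remote tunnel address
route 192.168.20.0 255.255.255.0   # Site B's LAN lives on the far side of the tunnel
keepalive 10 60               # ping every 10s, restart after 60s of silence
persist-key
persist-tun
verb 3

# ---- Site B: /etc/openvpn/site-to-site.conf (acts as the client) ----
mode p2p
dev tun
proto udp
remote vpn.sitea.example 1194 # placeholder public address of Site A's firewall
nobind
tls-client
ca ca.crt
cert siteB.crt
key siteB.key
tls-crypt ta.key              # same shared key as Site A
remote-cert-tls server        # refuse to talk to anything but a server certificate
tls-version-min 1.2
data-ciphers AES-256-GCM
ifconfig 10.99.0.2 10.99.0.1  # mirror image of Site A's tunnel addresses
route 192.168.10.0 255.255.255.0   # Site A's LAN is on the far side from here
keepalive 10 60
persist-key
persist-tun
verb 3
```

The two `route` lines are the routing decision from the list: each side installs a kernel route for the other office's subnet via the tunnel interface. On a firewall appliance you still need a rule allowing UDP/1194 inbound at Site A and rules permitting forwarding between the tun interface and the LAN; the tunnel coming up does not by itself permit traffic through it.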
Why It Matters for Healthcare and Lab Environments
In healthcare and laboratory settings, a site-to-site VPN isn't just convenient - it's often required. Lab instruments at a satellite location need to report results back to a central system. Electronic health records need to be accessible from every clinic. And all of that traffic needs to be encrypted to meet compliance requirements.
I've built these tunnels connecting offices across multiple states, with dedicated monitoring to alert on tunnel drops and latency spikes. The goal is always the same: make it invisible to the end users while keeping the traffic secure. Once the network is solid, it becomes the foundation for everything else - cloud migrations, remote access, and centralized management.
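The monitoring mentioned above (health checks that alert on tunnel drops and latency spikes) can be as simple as pinging the peer's tunnel address on a schedule and classifying the result. The script below is an added example, not the post's own tooling: it assumes the hypothetical tunnel subnet 10.99.0.0/30 from a peer-to-peer OpenVPN setup, Linux `ping` flags (`-c`, `-W`), and `logger` for alerting via syslog, which a central log collector can turn into a page. The parsing is separated from the ping so it can be checked against constructed output.

```sh
#!/bin/sh
# vpn-monitor.sh: classify the state of a site-to-site tunnel from ping results.
# Hypothetical values; adjust for your tunnel subnet and latency budget.
PEER_TUN_IP="${PEER_TUN_IP:-10.99.0.2}"      # far side's tunnel address
LATENCY_WARN_MS="${LATENCY_WARN_MS:-150}"    # average RTT above this is "degraded"

# classify_ping: reads ping's summary text on $1 and returns
#   0 = healthy, 1 = down (no replies / no summary), 2 = degraded (high latency)
# Works with both Linux ("rtt min/avg/max/mdev") and BSD ("round-trip ...") summaries.
classify_ping() {
  printf '%s\n' "$1" | awk -v warn="$LATENCY_WARN_MS" '
    /packet loss/ {
      for (i = 1; i <= NF; i++) if ($i ~ /%$/) { sub(/%/, "", $i); loss = $i }
    }
    /min\/avg\/max/ { split($4, t, "/"); avg = t[2] }
    END {
      if (loss == "" || loss + 0 >= 100) exit 1
      if (avg != "" && avg + 0 > warn + 0) exit 2
      exit 0
    }'
}

# check_tunnel: probe the peer and raise a syslog event on anything but healthy.
check_tunnel() {
  out=$(ping -c 5 -W 2 "$PEER_TUN_IP" 2>&1)
  rc=0
  classify_ping "$out" || rc=$?
  case $rc in
    0) logger -t vpn-monitor -p daemon.info "tunnel to $PEER_TUN_IP healthy" ;;
    1) logger -t vpn-monitor -p daemon.crit "tunnel to $PEER_TUN_IP DOWN" ;;
    2) logger -t vpn-monitor -p daemon.warning \
         "tunnel to $PEER_TUN_IP degraded: avg RTT above ${LATENCY_WARN_MS}ms" ;;
  esac
  return $rc
}

# Run the live probe only when invoked with --run (e.g. from cron every minute),
# so the functions can be sourced and tested without touching the network.
[ "${1:-}" = "--run" ] && check_tunnel
```

Pinging the peer's tunnel address rather than a LAN host keeps the check about the tunnel itself; a second probe to a server behind the peer firewall would additionally catch routing or forwarding-rule mistakes on the far side. The exit code makes the script usable from a cron job or a generic monitoring agent without parsing its output.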
Scaling Beyond Two Sites
Once you have three or more locations, the topology gets more interesting. You can hub-and-spoke everything through a central office, or build mesh connections between sites that need to communicate directly. Each approach has tradeoffs in complexity, latency, and resilience.
Remote access VPN for individual employees can run alongside the site-to-site tunnels on the same firewall, using separate ports and authentication methods. Field technicians, traveling staff, and work-from-home employees all get secure access without affecting the site-to-site infrastructure.
The Bottom Line
A properly configured site-to-site VPN is one of those infrastructure investments that just works in the background. Users don't think about it, IT doesn't get tickets about it, and the business operates as if geography doesn't matter. That's the goal.
If you're opening a new location or need to connect existing offices securely, let's talk about your network.