Success usually comes to those who are too busy to be looking for it.Henry David Thoreau

Which VPN Topology is Also Known as a Hub-and-Spoke Configuration?

First, we will start with defining what is a virtual private network (VPN). VPN providers claim that the use of VPN will guarantee their customers anonymity and protect their data. However, VPN does not give you 100% protection. For example, when you download compromising files. VPN protects the data of the customers by masking their IP when they browse through the internet or accessing new networks. When you connect to unsecured public networks, your real IP won’t be visible, as your data is encrypted through a VPN.

ExpressVPN banner

To protect your data, VPN creates a private connection over an existing public connection. Your data could be accessed only through the authorization in the additional layers of protection such as certificates and passwords. So, no one would be able to steal your personal information such as bank details, passwords, or your logging details.

What is VPN topology?

A VPN topology indicates the peers and the networks that are incorporated into the VPN and how they are connected to one another. The policies can be connected to your VPN topology after you make a VPN topology. Moreover, VPN topology becomes available for configuration, after the creation. However, it still depends on the IPsec technology you were assigned with.

What is IPsec?

IPsec protocols are used simultaneously to encrypt connections between the devices. It protects your data when you use public networks. IPsec is frequently utilized to set up VPNs. It performs such functions as encrypting your IP. It also verifies where the IP came from. IP means ‘Internet Protocol’ and sec means ‘ security. Through Internet Protocol, most of the data routes in the Internet and IPsec is a secure protocol as it adds additional layers of protection such as encryption and authentication.

What is the function of the IPsec in the VPN?

IPsec allows VPN to create these encrypted connections. Nevertheless, the majority of the VPNs use the IPsec protocol and some utilize SSL/ TLS protocol.


SSL was a predecessor of the TLS and uses asymmetric cryptography to protect your data. Nevertheless, the SSL is still often used, the two terms are often used synonymously.

What types of VPN topology exist?

There are several topology types, which are used to create a required VPN topology to be able to fulfill specific purposes. The topology type depends on the size of the firm and its purposes. The three main configurations utilized for creating VPN: hub and spoke (centralized), point-to-point, full mesh, and transparent VPN. Not all topologies could be used with all IPsec. So, the type of configuration would depend on the type of IPsec technology used to make a VPN.

Gateway-to-Gateway VPN

Gateway-to-Gateway VPN or Site-to-Site VPN. This topology allows sharing files and resources between the branch office and the headquarters. Gate-to Gateway VPN uses IPsec to secure Internet connection. If you look at gateway-to-gateway VPN in more detail. It permits two routers to safely exchange information with each other. Moreover, the branch office and the headquarter would appear as one organization. To launch the tunnel connection both sides have to do a successful configuration.

VPN Hub and Spoke Connectivity

VPN connections can be configured in a Hub and Spoke topology. It is also known as a multi-site VPN topology or central. In this topology, all branch offices are connected to the central office. This topology controls traffic over all the offices and allows communication between each other through the VPN on the head office. In this topology, the head office is the hub, which connects the branches and the departments connecting to it. The VPN in the head office has to be very powerful as it provides all the departments with a secure connection. This is considered to be the best and the most secure method of connecting the head office with its branches. Moreover, the head office or the hub is indeed capable of controlling all the ongoing traffic in the network.

Full Mesh VPN Connectivity

This type of topology provides all offices (VPN devices) with a tunnel to all the offices (VPN devices). Branch offices have direct communication with one another and they do not require a connection to be made through the head office. Consequently, the head office is not controlling all the traffic and is not responsible for the connection. It allows better performance and does not require extra performance from the central hub VPN device. IT staff often use this topology to have full control over their VPNs.

Transparent VPN

VPN devices participate in two-layer routing or transparent mode. You would use this type of topology when the layer three modes are impossible and you can deploy only layer two routings. Commonly the transparent mode is used, when you are unable to redesign the three-layer addressing schema of the network.

An in-depth look at the centralized or VPN Hub and Spoke topology

In this type of VPN configuration, all tunnels coincide through the central location. It provides a central location (head office) with an opportunity to monitor and control all data. This type of topology is practical when resource availability is required. As all the resources are monitored and shared through a central location. This type of configuration is heavily dependent on the central location.

An in-depth look at the centralized or VPN Hub and Spoke topology

Moreover, only the head office connects the branches with each other. The VPN failure in the central location will result in the failure of the whole network. The capacity of the head office has to be increased when more branches are added to the network. Decentralized systems are better options when the resources are spread over huge distances. All types of IPsec technologies could be used in the hub-and-spoke VPN topology.

How does it operate

The central location connects with the branch offices through persistent connections to the Internet. The Firebox in the head office controls all data traffic through VPN tunnels. It redirects the traffic to the correct destinations. It switches tunnels if the data is going to another branch office and not the central one.


A reliable central location is needed. The central location has to accommodate all the VPN connections. Consequently, it has to operate on the accessible site for the branch offices.

Moreover, adequate bandwidth is required. Maximum bandwidth has to be high to be able to traffic data efficiently.


Bandwidth is the speed at which the data could be transferred across the given tunnel. For instance, when the highest speed is 200 kbps, it is not possible for him to use more, even if he has available bandwidth.

A Firebox fitting for all branches

Firebox capacities differ by model. For VPN topologies, it is required to estimate the passage limit of each model and not forget about the VPN throughput. You could find the best model by assessing the networking environment and configuration options.

VPN throughput

Vpn throughput is the measure of information disregarded by the VPN each second. The focal area measures exchanged traffic twice. The quantity of associated networks (as configured in tunnel routes) is responsible for the determination of the VPN tunnel count. For workplaces, this is by and large the quantity of regional networks duplicated by the number of distant networks. For the head office, this is the entirety of the tunnel count at all the locations. Disadvantages of centralized VPNs. In terms of centralized VPNs, there are two huge disadvantages: Closed Source Code and Centralization.

Closed Source Code

No one knows the type of protection and code was used by the VPN provider except the head office due to the closed source code feature used on the centralized VPNs. VPN providers have access to the data. Consequently, if your VPN provider will be hacked, your data may be stolen. For instance, through the VPN the data of almost 20 million users was leaked into the internet. So, it is very important to check the VPN provider.

Free VPN providers do not guarantee security. The use of free VPNs often results in data leakage.


When you connect to the VPN all the traffic is transmitted through the servers of the VPN providers. Consequently, it is stored on the servers of the VPN providers, which intentionally or unintentionally can result in the manipulation of your data.



  • Cost savings
  • The central location can control and monitor all data
  • Increasingly rapid rate
  • All DMVPN tunnels are backed up


  • Communication time lags
  • Failure of central location results in failure of the whole network
  • Possibility of data leakage
  • Supports only IP protocols

ExpressVPN banner

This type of configuration will suit best for the organization, which has several branches located not too distant from one another. An organization has to have central network resources at a head office. Moreover, it would suit an organization with limited resources as the cost of the centralized VPNs is significantly lower than the decentralized VPNs.