What Is a VPN Gateway?
🔍 Quick answer:
A VPN gateway is the endpoint on a private network that terminates incoming VPN tunnels. It's the counterpart to a client VPN app on your laptop. You'll find VPN gateways in AWS, Azure, GCP, on corporate firewalls, and on hardware routers from Cisco, Fortinet, and Palo Alto.
How a VPN gateway works
A normal consumer VPN has two ends: a client app on your device, and a VPN server operated by the provider. In a corporate or cloud setup, the "VPN server" side is called a VPN gateway:
- The gateway has a public IP address.
- It runs the same protocols as consumer VPNs — IPsec, WireGuard, OpenVPN, or SSL/TLS.
- Authenticated clients (employees' laptops, partner networks) connect to that public IP.
- Once the tunnel is up, the client can reach the private network behind the gateway (a VPC, an office LAN, a database server).
Where you'll see VPN gateways
☁️ Cloud
AWS has the Virtual Private Gateway and AWS Site-to-Site VPN. Azure has the VPN Gateway service. GCP has Cloud VPN. They all use IPsec IKEv2 by default.
🏢 On-prem firewalls
Cisco ASA, Fortinet FortiGate, Palo Alto, pfSense, Sophos. They terminate IPsec site-to-site and SSL remote-access tunnels.
🏠 Consumer routers
Asus, Netgear, GL.iNet routers with Merlin/OpenWrt firmware act as WireGuard or OpenVPN gateways for the home LAN.
VPN gateway vs VPN client
| Aspect | VPN client | VPN gateway |
|---|---|---|
| Where it runs | Your device (laptop, phone) | A server / firewall / cloud service |
| Public IP | No (initiates connection) | Yes (accepts connections) |
| Typical use | Personal privacy, unblocking | Site-to-site, remote access to private networks |
| Protocols | WireGuard, OpenVPN, IKEv2 | IPsec IKEv2, SSL VPN, WireGuard, OpenVPN |
Real-world example: AWS Site-to-Site VPN
- You have an on-premise data center with a private subnet 10.0.0.0/16.
- You create a VPC in AWS with subnet 172.31.0.0/16.
- You create a Virtual Private Gateway in AWS and a Customer Gateway referencing your on-prem router's public IP.
- You configure an IPsec tunnel between them. Now your on-prem hosts can reach AWS resources (and vice versa) over an encrypted tunnel.
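The address plan in the example above can be checked before any gateway is created. The Python sketch below is an added example, not code from the original page or from AWS; it uses the page's two CIDRs, while the function names and route target labels are hypothetical. It rejects overlapping ranges and shows, in a simplified model, which packets the site-to-site tunnel would carry.

```python
import ipaddress

# CIDRs taken from the page's example.
ONPREM_CIDR = "10.0.0.0/16"
VPC_CIDR = "172.31.0.0/16"


def plan_tunnel(onprem_cidr=ONPREM_CIDR, vpc_cidr=VPC_CIDR):
    """Validate the two address ranges and return the route each side needs."""
    # strict=True rejects typos such as 10.0.0.5/16 (host bits set).
    onprem = ipaddress.ip_network(onprem_cidr, strict=True)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if onprem.overlaps(vpc):
        # With overlapping ranges a host cannot tell a local peer from a
        # remote one, so routing across the tunnel is ambiguous.
        raise ValueError(f"{onprem} overlaps {vpc}; renumber one side first")
    return {
        # Target labels are hypothetical placeholders, not AWS identifiers.
        "vpc_route_table": {"destination": str(onprem),
                            "target": "virtual-private-gateway"},
        "onprem_router": {"destination": str(vpc), "target": "ipsec-tunnel"},
    }


def path_for(src, dst, onprem_cidr=ONPREM_CIDR, vpc_cidr=VPC_CIDR):
    """Classify a packet as 'tunnel', 'local' or 'outside-tunnel'."""
    onprem = ipaddress.ip_network(onprem_cidr)
    vpc = ipaddress.ip_network(vpc_cidr)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (s in onprem and d in vpc) or (s in vpc and d in onprem):
        return "tunnel"          # one end on-prem, the other in the VPC
    if (s in onprem and d in onprem) or (s in vpc and d in vpc):
        return "local"           # stays inside one site, never hits the gateway
    return "outside-tunnel"      # e.g. internet-bound traffic is not carried


if __name__ == "__main__":
    print(plan_tunnel())
    # Constructed sample packets (source, destination).
    for src, dst in [("10.0.4.20", "172.31.9.9"), ("10.0.4.20", "10.0.7.1"),
                     ("172.31.9.9", "8.8.8.8")]:
        print(src, "->", dst, path_for(src, dst))
```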
When to use a VPN gateway
Use a VPN gateway whenever you need to connect two private networks over the public internet — for example, your data center to AWS, or two office branches. For individual remote employees, a client VPN (like WireGuard on a Pi) is simpler.
💡 Pro tip: A VPN gateway is a feature, not a product. You don't "buy a VPN gateway" the way you buy a laptop — you turn on a gateway feature in your router, firewall, or cloud console. AWS charges ~$0.05/hour for a VPN connection; most firewalls include the feature for free.