Business VPN should be dead by now. So why is it still thriving?
If Zero Trust actually worked like the industry said it would, VPNs would’ve disappeared years ago. Instead, they’re booming. We’ve all heard the warnings, seen the vendor pitches, and read enough LinkedIn posts to fill several lifetimes: Zero trust is supposed to be here.
And yet, despite all that hype, the business VPN market isn’t just alive — it’s thriving, projected to nearly double from $5.7 billion in 2024 to well over $10 billion by 2033.
CEO and Co-founder of Tailscale.
The Comfort of the Familiar
I wrote my first VPN — Tunnel Vision — back in 1998, for the first customer of my first startup. Later we replaced it with an IPsec key manager. Then I wrote sshuttle, a sort of VPN built on top of SSH. At Google, I ended up writing a multicast VPN tool we called “frobnicast” (don’t ask). And finally, I co-founded yet another VPN company to try fixing this once and for all. That makes it five VPNs so far. As the meme goes, we have become exceedingly efficient at it.
Why do we keep writing new VPNs? Because the old ones suck. But honestly, it’s not just VPNs that suck — it’s TCP/IP that sucks. If IPv4 had been encrypted by default and access-controlled from the beginning and didn’t run out of IP addresses and IPv6 had successfully rolled out, we wouldn’t need VPNs. Every generation of these tools has been a workaround for something broken further down the stack.
Still, businesses don’t let go of familiar tools easily. I once wrote that “not changing stuff is amazingly powerful as a product strategy.” VPNs are dependable. Or at least, they’re the devil we know. They’re built into enterprise security bundles, they’re in the onboarding checklist, and they’ve been “good enough” for long enough that most teams have figured out how to live with them.
But when a tool sticks around long after its design goals are obsolete — like my old dialer program WvDial, still popular decades after modems became irrelevant — it’s worth asking why. In WvDial’s case, the answer was simple: everything else was worse. That story still applies to VPNs.
When Security Gets in the Way
According to recent research, this comfort comes at a cost. Over 83% of engineers admit to bypassing their company’s security controls simply to get work done. Worse yet, 68% retain access to internal systems after leaving their employers, exposing critical gaps in the security lifecycle. Yet, despite these clear risks, only 10% of professionals feel their current VPN “works well.”
So, VPNs linger not because they’re ideal, but because migrating fully to zero trust isn’t trivial. It’s not a product you can buy; it’s a shift in how you think. Continuous verification, least privilege access, and identity-first networking sound simple until you try to retrofit them into a sprawling, 20-year-old IT architecture.
The VPN Misconception
There’s a common belief that VPNs are fundamentally insecure. They’re not. But the traditional enterprise VPN model, the one that drops you inside the perimeter and lets you wander freely, is dangerous. That’s like giving everyone a master key to your office building.
A better model grants access one step at a time, based on who you are, what you need right now, and where you’re coming from. Microsegmentation. It’s not about banning tunnels — it’s about more, smaller tunnels, each with its own control valve.
Where Zero Trust Really Begins
The most secure approach is one where identity management is everything. Not where you are, not what subnet you’re on, not whether you’re in the office. Identity. Strong authentication, hardware-backed keys, just-in-time access.
But identity isn’t easy. Our survey found only 29% of organizations have adopted identity-based access control at scale. Even fewer use automation. Many still rely on spreadsheets and service account credentials that outlive the employees who set them up.
So security becomes a tax. It slows people down. And when security gets in the way, people route around it. That’s why VPN fatigue is real — and growing.
Yet, there’s hope. Nearly half of surveyed companies are consolidating fragmented tools, embracing automation, and experimenting with adaptive policies. But more interestingly, they’re starting to rethink their whole approach.
Security and engineering teams are collaborating instead of clashing. They’re designing systems that work with people, not against them. AI tools are emerging — not to replace humans, but to help notice the things humans miss: a sudden pattern change, a weird login time, an unexpected access request.
More companies are adopting modular, policy-driven systems. Instead of writing 50 firewall rules, they define intent: “this kind of app talks to that kind, under these conditions.” That’s not Zero Trust as a checklist — it’s Zero Trust as infrastructure.
A Pragmatic Path Forward
Zero trust isn’t a product you install. It’s a direction you walk in.
Start by reducing implicit trust — wherever you find it. Use strong identity through encryption, not IP addresses. Make credentials short-lived. Assume the worst. Break your network into zones. Shrink the blast radius.
But do it gradually. Nobody rips out all their networking in a day. Choose one high-value system and zero-trustify it. Learn. Repeat.
VPNs will stick around a while, not because they’re good, but because everything else is hard or immature. But as we’ve seen with tools like WvDial, still in use long after its time, familiarity isn’t the same as fitness. The future belongs to systems that embrace the complexity of real-world access — and make it feel simple.
I don’t want to write VPNs, I don’t want to deploy VPNs, I just want to solve real problems. But we can’t solve the real problems without a working network. So here I am with a $1.5B company still selling VPNs. Sure it’s maybe the best VPN. But it looks like I’ll be continuing to do it for years, so that other people can finally solve real problems.
And if we finally get it right this time, maybe we can stop reinventing the same broken tunnel — one VPN at a time.
We’ve listed the best VPN deals.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
If Zero Trust actually worked like the industry said it would, VPNs would’ve disappeared years ago. Instead, they’re booming. We’ve all heard the warnings, seen the vendor pitches, and read enough LinkedIn posts to fill several lifetimes: Zero trust is supposed to be here. And yet, despite all that hype,…
