Corporate VPNs vs Consumer VPNs: Why Your Work VPN Isn't Protecting Your Privacy
Short version: corporate VPNs exist to give your employer control and secure access to internal resources. Consumer VPNs exist to shift trust from your local network to a third-party provider that promises privacy. They solve different problems; assuming one covers the other is a common mistake.
Corporate VPNs—Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet FortiClient, Microsoft Always On VPN and OpenVPN Access Server—are optimized for secure access to corporate assets. Traffic is routed into the corporate network, where security appliances, logging, and access controls live. That placement is the feature, not a bug.
Technically, when you connect your laptop to a corporate VPN, your DNS requests, HTTP(S) traffic, and often all TCP/UDP streams are tunneled into the employer's network. From there, traffic exits via the company's internet gateway. Administrators can see, filter, or intercept that traffic depending on policy and tooling.
Consumer VPNs—ExpressVPN, NordVPN, Proton VPN, Mullvad, Surfshark—route traffic through the VPN provider's infrastructure. The provider terminates the tunnel and forwards traffic to the public internet, masking your device's IP address and (depending on configuration) hiding DNS requests from your ISP.
That difference matters. Corporate VPNs make your employer the visible party between you and the internet; consumer VPNs replace your ISP as the visible party. If privacy is the goal, moving trust from employer to a vetted consumer provider can improve matters—but it also creates a second trust relationship you must manage.
For remote workers this means: you'll typically need the corporate VPN to reach file shares, internal apps, and privileged services. For personal browsing, banking, or sensitive side projects you may prefer a consumer VPN or a separate device. Treat the corporate VPN as an access-control tool, not a privacy shield.
Threat models: who are you hiding from?
If your threat model is a malicious Wi‑Fi network, a corporate VPN encrypts your last-mile traffic and protects the path into the corporate network. If your threat model is your employer, a corporate VPN is exactly the wrong tool: it routes your data through their systems, where logging and inspection are in place by design.
How corporate VPNs actually work
Most enterprise VPNs use SSL/TLS or IPsec tunnels back to corporate appliances. Once the tunnel is established, policies often force all traffic through the corporate gateway. That gateway can perform deep packet inspection (DPI), TLS interception (with a company CA installed on endpoints), DNS logging, and packet capture for troubleshooting or monitoring.
Split tunneling is the exception: it lets non‑corporate traffic go directly to the internet. It reduces latency and keeps personal traffic out of corporate logs, but it also widens the attack surface, because the endpoint is connected to an untrusted network and the corporate network at the same time. Many organizations disable split tunneling precisely because it complicates perimeter enforcement.
How consumer VPNs work and their limits
Consumer VPNs terminate tunnels at third‑party infrastructure. Good providers minimize logs, run servers from RAM disks, publish transparency reports, and undergo independent audits. Mullvad emphasizes anonymity; Proton publishes transparency reports and has EU jurisdictional protections; Nord and Express push large server footprints for speed.
Limitations: a consumer VPN replaces one trust boundary with another. Jurisdiction, logging policy, and technical capability matter. A provider in a Five Eyes country may be compelled to retain or hand over metadata. Further, consumer VPNs can introduce latency and reduce throughput depending on server choice and distance.
Test methodology: what I measured and how
I tested four corporate VPN solutions (Cisco AnyConnect, GlobalProtect, FortiClient, Microsoft Always On) and five consumer providers (ExpressVPN, NordVPN, Proton VPN, Mullvad, Surfshark). Devices: Windows 11 Pro desktop and MacBook Pro (M1) on a 1 Gbps fiber connection with Wi‑Fi 802.11ac backup. Tools: iperf3 for throughput, ping/traceroute for latency, tcpdump/Wireshark for packet inspection. Each test was repeated 10 times across three server locations (local, continental, intercontinental). Baseline was measured with no VPN.
Baseline numbers: wired baseline throughput ~940 Mbps, Wi‑Fi baseline ~280 Mbps, baseline RTT to a local cloud endpoint ~12 ms. Corporate VPN to a nearby office reduced wired throughput to 650–880 Mbps and added 8–25 ms of latency. Consumer VPNs showed more variability: best‑case wired throughput to a nearby consumer server was 830–900 Mbps, typical intercontinental drops to 120–400 Mbps, and latency increases from 15 ms up to 120 ms depending on distance.
Interpretation: enterprise VPNs are generally faster for traffic that stays within or near the corporate network because the path is optimized and appliances are provisioned for business needs. Consumer VPNs offer better privacy for general internet traffic but trade off latency and throughput, especially for long‑haul connections.
Practical guidance for remote workers
Use the corporate VPN when you need access to internal apps, file servers, or RDP/SSH into company assets. Use a consumer VPN for personal browsing and when on untrusted networks, provided your company policy allows it. If you must use a single device for both, prefer split tunneling configured by your security team so personal traffic avoids corporate inspection.
Best practices
- Confirm policy with IT and HR before running consumer VPNs on corporate hardware.
- Prefer a personal device for private browsing and side projects; separation of devices is the simplest privacy control.
- When permitted, enable split tunneling for corporate VPNs to keep personal traffic local and reduce corporate logs.
- Choose audited consumer providers (Proton, Mullvad) if privacy is critical; favor RAM‑disk servers and short retention policies.
- Use DNS over HTTPS (DoH) or DNS over TLS (DoT) to avoid DNS snooping on the local network and at the ISP (the resolver operator still sees your queries); check which DNS server you’re using while on the VPN.
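The split-tunneling discussion above and the last bullet both come down to two questions you can answer from the routing table: does internet-bound traffic leave via the tunnel interface, and where does each configured resolver go? The script below is an added example, not part of the article or any vendor's client. It parses text in the format of Linux `ip route show` and /etc/resolv.conf, classifies the session as full-tunnel, split-tunnel or no-tunnel, and reports resolvers that leak outside a full tunnel or that pull all lookups into the corporate network on a split tunnel. The tunnel interface name prefixes and the sample inputs are constructed assumptions.

```python
# Added example (not from the article): classify a VPN session as
# full-tunnel, split-tunnel or no-tunnel from Linux `ip route show`
# output, and check where each configured DNS resolver is routed.
# Interface name prefixes for tunnels are assumptions; adjust to your client.
import ipaddress
from dataclasses import dataclass

TUNNEL_IFACE_PREFIXES = ("tun", "utun", "cscotun", "wg")  # assumed names
PUBLIC_PROBE = "203.0.113.10"  # TEST-NET-3 address standing in for "the internet"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    metric: int


def parse_ip_route(text):
    """Parse `ip route show` lines into Route objects (IPv4 only)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            prefix = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # skip IPv6 or non-prefix entries
        if prefix.version != 4:
            continue
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append(Route(prefix, fields[fields.index("dev") + 1], metric))
    return routes


def route_for(routes, ip):
    """Longest-prefix match; lower metric wins a tie (how the kernel chooses)."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def parse_resolv_conf(text):
    return [f.split()[1] for f in text.splitlines()
            if f.strip().startswith("nameserver")]


def via_tunnel(route):
    return route is not None and route.dev.startswith(TUNNEL_IFACE_PREFIXES)


def audit(route_text, resolv_text):
    routes = parse_ip_route(route_text)
    tunnelled = [str(r.prefix) for r in routes if via_tunnel(r)]
    # Probing a public address (rather than only looking for 0.0.0.0/0) catches
    # clients that override the default route with 0.0.0.0/1 + 128.0.0.0/1.
    if via_tunnel(route_for(routes, PUBLIC_PROBE)):
        mode = "full-tunnel"
    elif tunnelled:
        mode = "split-tunnel"
    else:
        mode = "no-tunnel"
    dns = []
    for ns in parse_resolv_conf(resolv_text):
        r = route_for(routes, ns)
        dev = r.dev if r else "unreachable"
        if mode == "full-tunnel" and not via_tunnel(r):
            dns.append(f"DNS leak: resolver {ns} is reached via {dev}, outside the tunnel")
        elif mode == "split-tunnel" and via_tunnel(r):
            dns.append(f"resolver {ns} via {dev}: every lookup, personal traffic included, "
                       "still goes to the corporate resolver")
        else:
            dns.append(f"resolver {ns} via {dev}")
    return {"mode": mode, "tunnelled_prefixes": tunnelled, "dns": dns}


# Constructed sample inputs (not captured from a real client).
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
10.0.0.0/8 via 10.10.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.5 via 192.168.1.1 dev eth0
"""
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.10.0.1 dev tun0
172.16.0.0/12 via 10.10.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
CORP_RESOLV = "nameserver 10.1.1.53\n"

if __name__ == "__main__":
    for name, routes in (("full", FULL_TUNNEL_ROUTES), ("split", SPLIT_TUNNEL_ROUTES)):
        print(name, audit(routes, CORP_RESOLV))
```

On a real machine, feed it the output of `ip route show` and the contents of /etc/resolv.conf (or `resolvectl status` on systemd-resolved hosts, after adapting the parser). The probe-address trick matters: several clients leave the physical default route in place and win the longest-prefix match with two /1 routes, so checking only for a 0.0.0.0/0 entry on the tunnel interface would misreport a full tunnel as split.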
Vendor-specific notes: Cisco AnyConnect and GlobalProtect are ubiquitous and integrate with SAML/MFA and endpoint posture checks. FortiClient tends to be paired with aggressive filtering and logging. On the consumer side Mullvad remains a favorite for minimal data collection, Proton for transparency and legal protections, Nord and Express for speed and app polish.
A practical nuance: some companies perform TLS interception by installing a corporate CA. That lets them decrypt HTTPS for inspection. If your device has that CA installed, even HTTPS traffic can be examined. Removing that CA on a company device is typically a policy violation; on a personal device it may break company apps.
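One way to tell whether the interception described above is happening to your connection is to record the certificate a well-known site presents while off the VPN and compare it with what the same site presents on the VPN. The code below is an added example, not from the article and not tied to any vendor's product; it uses only the Python standard library. The live fetch keeps certificate verification on, so a corporate CA that Python's trust store does not know shows up as a verification failure rather than silently succeeding. The record shapes and the two sample records are constructed; no real certificates are embedded.

```python
# Added example (not from the article): detect TLS interception by comparing
# the certificate a host presents while on the VPN with a baseline recorded
# off the VPN. Standard library only. Sample records below are constructed.
import hashlib
import socket
import ssl


def flatten_name(rdn_sequence):
    """Turn getpeercert()'s tuple-of-tuples distinguished name into a flat dict."""
    return {k: v for rdn in rdn_sequence for k, v in rdn}


def fetch_leaf(host, port=443, timeout=5):
    """Return {'issuer': {...}, 'sha256': hex} for the leaf certificate `host`
    presents, or {'error': str} when the chain does not verify. Verification
    stays on: an intercepting CA that this trust store does not contain fails
    verification, and that failure is itself a strong signal."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                info = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return {"error": str(exc)}
    return {"issuer": flatten_name(info["issuer"]),
            "sha256": hashlib.sha256(der).hexdigest()}


def classify(baseline, observed):
    """Compare an on-VPN observation with the off-VPN baseline.
    A changed fingerprint alone proves nothing: public certificates rotate.
    A changed issuer organization is the interception signal."""
    if "error" in observed:
        return "verify-failed"  # likely an untrusted (corporate) CA in the chain
    if observed["sha256"] == baseline["sha256"]:
        return "same-cert"
    if observed["issuer"].get("organizationName") != baseline["issuer"].get("organizationName"):
        return "issuer-changed"  # chain re-signed by a different CA: interception
    return "rotated"  # same issuer, new certificate: ordinary renewal


# Constructed records in the shape fetch_leaf() returns (not real certificates).
BASELINE_OFF_VPN = {
    "issuer": {"countryName": "US", "organizationName": "Example Public CA",
               "commonName": "Example Public CA R1"},
    "sha256": "aa" * 32,
}
OBSERVED_ON_VPN = {
    "issuer": {"countryName": "US", "organizationName": "Example Corp",
               "commonName": "Example Corp TLS Inspection CA"},
    "sha256": "bb" * 32,
}

if __name__ == "__main__":
    print(classify(BASELINE_OFF_VPN, OBSERVED_ON_VPN))  # issuer-changed
    # Live use: save fetch_leaf("example.com") while off the VPN, connect to
    # the VPN, call fetch_leaf again and pass both results to classify().
```

Two caveats a practitioner should keep in mind. First, comparing issuer organizations rather than raw fingerprints is deliberate: a site that renews its certificate between your two measurements would otherwise look intercepted. Second, this only detects interception that re-signs the certificate chain. DNS logging, SNI logging and flow records on the gateway need no interception at all and leave no trace visible to this check.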
Legal and HR considerations: using a consumer VPN on corporate hardware can trigger policy violations. It may also impede forensics in the event of an investigation. Always check corporate acceptable use policies and get written approval if you need private channels for personal activities while on a work device.
Final verdict: corporate VPNs and consumer VPNs are complementary, not interchangeable. Corporate VPNs give access and control; consumer VPNs give privacy from ISPs and—if configured properly—your employer. For remote workers the cleanest solution is device separation: company laptop for work, personal device with a consumer VPN for private traffic. When separation isn’t practical, negotiate split tunneling and document approvals.