Remote work in Canada introduces a specific set of networking considerations that differ from in-office environments. When a workstation connects to corporate resources over a residential internet connection, the path between that device and the company network passes through infrastructure outside organizational control. VPNs address part of this exposure.

What a VPN Does at the Network Level

A VPN (Virtual Private Network) creates an encrypted tunnel between the remote device and a VPN endpoint — typically a server operated by the employer or a third-party provider. Traffic within that tunnel is encrypted before leaving the local network and decrypted at the endpoint, making it unreadable to anyone inspecting packets in transit.

For corporate remote workers, this means that traffic to internal resources appears to originate from the VPN endpoint's network rather than the employee's home IP address. It also ensures that the residential ISP cannot observe the content of work-related communications.

Note on scope: A VPN does not protect against threats on the local network itself, such as malware on the device or a compromised home router. Endpoint security and firmware updates remain relevant regardless of VPN use.

Common VPN Protocols Used in Canada

The protocol determines how the tunnel is established, how traffic is encapsulated, and the computational overhead involved. Different protocols make different trade-offs between compatibility, speed, and security.

OpenVPN

OpenVPN is an open-source protocol that has been widely deployed in corporate environments for over a decade. It runs over TCP or UDP and supports a range of cipher configurations. The main drawback in remote work settings is that it requires a dedicated client application and can be slower to establish a connection than more modern alternatives.

WireGuard

WireGuard is a newer protocol with a significantly smaller codebase than OpenVPN. It uses modern cryptographic primitives and typically achieves lower latency. It has been included in the Linux kernel since version 5.6 and has been adopted by several major VPN providers. For home office use in Canada, it performs well on fibre and cable connections where the ISP does not restrict UDP traffic.

IPsec/IKEv2

IKEv2 over IPsec is commonly deployed in enterprise environments and is natively supported by macOS and iOS. It handles network changes well — such as moving between Wi-Fi and mobile data — which makes it practical for workers who use mobile devices alongside desktop systems.

SSL/TLS-based VPNs

Some corporate remote access tools use HTTPS-based tunnels rather than traditional VPN protocols. These operate over port 443, which is rarely blocked by ISPs or firewalls, making them reliable across different network environments including hotel or cafe Wi-Fi.

| Protocol | Typical Use | Port | Notes |
| --- | --- | --- | --- |
| OpenVPN | Corporate and self-hosted | UDP 1194 / TCP 443 | Mature, widely supported |
| WireGuard | Personal and growing enterprise use | UDP 51820 | Fast connection setup, modern crypto |
| IKEv2/IPsec | Enterprise, mobile devices | UDP 500, 4500 | Handles network switching well |
| SSL/TLS VPN | Corporate remote access portals | TCP 443 | Rarely blocked by firewalls |

VPN Performance on Canadian ISP Connections

VPN overhead varies by protocol, encryption settings, and the physical distance to the VPN endpoint. For a remote worker in Toronto connecting to a corporate VPN server located in Vancouver, the added round-trip time is measurable but generally below the threshold that affects normal work tasks. Connecting to a server in Europe adds more noticeable latency.

On HFC cable connections from providers like Rogers or Shaw (now owned by Rogers), upload speeds are typically a fraction of download speeds. VPN traffic in both directions is limited by the lower of the two, which means upload-heavy tasks — sending large files, screensharing — may feel constrained even at download speeds that seem adequate.

Split Tunneling

Split tunneling allows some traffic to go through the VPN while other traffic accesses the internet directly. For example, access to an internal corporate file server goes through the tunnel, while video streaming goes directly to the ISP connection. This reduces load on the VPN and can improve overall throughput during calls to external services. Whether this is permitted depends on the employer's security policies.
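As an added example (not part of the original article), the following audits a split-tunnel configuration to see which destinations would leave over the ISP connection instead of the tunnel. It assumes a wg-quick style config in which the `AllowedIPs` prefixes alone decide what enters the tunnel; the sample config, the host list and the finding labels are constructed for illustration.

```python
import ipaddress

# Constructed wg-quick style config; addresses are private or documentation ranges.
SAMPLE_CONF = """\
[Interface]
Address = 10.8.0.2/32
DNS = 192.0.2.53

[Peer]
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12
"""

def parse_conf(text):
    """Return (tunnel prefixes, DNS server addresses) found in the config text."""
    prefixes, dns = [], []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        for item in (v.strip() for v in value.split(",")):
            try:
                if key == "allowedips":
                    prefixes.append(ipaddress.ip_network(item, strict=False))
                elif key == "dns":
                    dns.append(ipaddress.ip_address(item))
            except ValueError:
                pass  # e.g. a DNS search domain rather than an address
    return prefixes, dns

def path_for(dest, prefixes):
    """'tunnel' if any prefix covers dest, otherwise 'direct' (the ISP connection)."""
    addr = ipaddress.ip_address(dest)
    covered = any(addr.version == n.version and addr in n for n in prefixes)
    return "tunnel" if covered else "direct"

def audit(text, must_tunnel):
    """Flag resolvers and required internal hosts that would bypass the tunnel."""
    prefixes, dns = parse_conf(text)
    mode = "full" if any(n.prefixlen == 0 for n in prefixes) else "split"
    findings = [f"dns-outside-tunnel:{d}" for d in dns
                if path_for(d, prefixes) == "direct"]
    findings += [f"internal-host-direct:{h}" for h in must_tunnel
                 if path_for(h, prefixes) == "direct"]
    return {"mode": mode, "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, ["10.20.30.40", "192.168.50.10"]))  # hypothetical hosts
```

With the sample config, the resolver and one internal host fall outside the tunnel prefixes, so name lookups and that host's traffic would be visible on the residential connection.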

Home Router Configuration for VPN Users

Most home routers in Canada do not require changes for outbound VPN connections. However, some older ISP-provided devices restrict certain UDP ports, which can interfere with WireGuard or IKEv2 connections. If a VPN connection fails to establish from a home office but works on other networks, checking whether the relevant UDP port is reachable is a useful diagnostic step.
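A sketch of that diagnostic as an added example (not part of the original article): it sends one UDP datagram and classifies the outcome, which matters because UDP has no handshake to confirm reachability. The function names and the loopback listeners are constructed for the demonstration; against a real endpoint you would pass your own VPN server's address and port.

```python
import socket
import threading

def probe_udp(host, port, payload=b"\x00", timeout=2.0):
    """Send one datagram (IPv4) and classify the outcome.

    'reply'    - something answered, so the port is reachable
    'refused'  - ICMP port unreachable came back: path works, nothing is listening
    'no-reply' - silence: dropped on the way, or a listener that ignores unknown
                 packets (WireGuard does not answer unauthenticated packets)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket so ICMP errors surface as exceptions
        try:
            s.send(payload)
            s.recv(2048)
            return "reply"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "no-reply"

def local_listener(answer):
    """Constructed stand-in for a VPN endpoint on 127.0.0.1; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS choose a free port

    def serve():
        try:
            _, peer = srv.recvfrom(2048)
            if answer:
                srv.sendto(b"ack", peer)
        except OSError:
            pass  # socket closed before a packet arrived

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo():
    """Probe one answering and one silent local listener."""
    results = {}
    for label, answer in (("answers", True), ("silent", False)):
        srv, port = local_listener(answer)
        results[label] = probe_udp("127.0.0.1", port, timeout=0.5)
        srv.close()
    return results

if __name__ == "__main__":
    print(demo())
```

Because a silent result is ambiguous, run the same probe from the home office and from a network where the VPN works: a result that differs between the two points at the home router or ISP, while identical silence on both means the probe alone cannot settle it.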

Some routers support running a VPN client directly on the router itself, routing all household traffic through the tunnel. This is practical for households where multiple devices need VPN access without installing a client on each one, but it requires a router that supports the target protocol in firmware.
