Oflight Inc.
Network | 2026-02-28

Complete Guide to Remote VPN Setup: Steps and Costs for Telework Implementation

A comprehensive guide to remote VPN environment setup, covering specific procedures and costs. From product selection including FortiGate, Cisco AnyConnect, and WireGuard to firewall configuration, client deployment, and operational testing — practical VPN deployment knowledge supporting SMBs in the Shinagawa, Minato, and Shibuya areas.


Overview of Remote VPN Environment Setup and Pre-Planning

Successfully building a remote VPN environment requires understanding the full picture and conducting proper pre-planning. A VPN deployment project typically consists of six phases: requirements gathering, product selection, network design, hardware deployment and configuration, client rollout, and testing followed by production launch. For small and medium-sized businesses in the Shinagawa, Minato, and Shibuya areas, the typical scope involves telework environments for 10 to 50 employees, with project timelines ranging from two weeks to two months. Preparation should include reviewing the current network topology, ISP details, static IP availability, and existing firewall models. You should also compile a list of telework-eligible employees, identify their work requirements, and estimate the required bandwidth and concurrent session counts.

Requirements Gathering: Concurrent Connections, Bandwidth, and Security Levels

During requirements gathering, you must quantify the performance and security requirements for your VPN environment. Concurrent connections should be calculated based on maximum simultaneous logins, typically assuming 70 to 80 percent of telework-eligible employees will be connected at the same time. Bandwidth requirements range from 1 to 2 Mbps per user for email and web browsing, and 5 to 10 Mbps for video conferencing and large file transfers. For example, 30 concurrent users with video conferencing would require 150 to 300 Mbps of VPN gateway throughput. Security requirements should specify mandatory multi-factor authentication (MFA), encryption standards such as AES-256, and access log retention periods of at least 90 days. If your industry is subject to regulations such as FISC security guidelines for finance or the three-ministry, two-guideline framework for healthcare data, those requirements must be incorporated as well.

VPN Product Selection: FortiGate, Cisco AnyConnect, SoftEther, and WireGuard Compared

Selecting the right VPN product depends on your organization's size, budget, and technical capabilities. FortiGate by Fortinet is a UTM-integrated appliance, and the FortiGate 40F model is well-suited for SMBs with 10 to 30 employees, priced at approximately 80,000 to 150,000 yen for hardware with annual licensing fees of 30,000 to 60,000 yen. Cisco AnyConnect is widely adopted by large enterprises, with the ASA 5506-X or cloud-based Cisco Secure Client as primary options, costing roughly 3,000 to 5,000 yen per user per year. SoftEther VPN is an open-source solution developed at the University of Tsukuba, making it ideal for budget-constrained SMBs since it carries no licensing costs and supports both SSL-VPN and L2TP/IPsec. WireGuard is a lightweight, high-speed VPN protocol with simple configuration that runs on Linux, Windows, macOS, iOS, and Android, though its enterprise management features remain limited. Many companies in Shinagawa have increasingly adopted the FortiGate series for its strong cost-performance balance.

Network Design: IP Address Planning and Subnet Segmentation

Network design for a VPN environment must ensure that the internal LAN and VPN client IP address ranges do not overlap. If your internal LAN uses 192.168.1.0/24, assign VPN clients a separate private range such as 10.10.0.0/24. To strengthen security, place VPN users in their own segment and use VLAN-based restrictions to control their access to business-critical servers such as file servers and core systems. When implementing split tunneling, route only internal resource traffic through the VPN while allowing internet traffic to flow directly, which reduces the load on the VPN gateway. However, split tunneling increases security risks because the direct internet traffic is not inspected at the VPN gateway, so combining it with UTM or cloud proxy solutions is recommended. Office buildings in the Minato and Shibuya areas typically have fiber-optic internet service, but it is important to verify that your ISP contract provides sufficient upstream bandwidth for your VPN needs.
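The address-plan rules above can be checked before any appliance is configured. The following is an added example, not code from the original guide or from any vendor: it validates a VPN pool against the internal subnets and the expected peak session count, then derives the routes a split-tunnel client would need. The VLAN names and the three reserved addresses per pool are assumptions.

```python
import ipaddress
import math

def check_address_plan(lan_subnets, vpn_pool, eligible_users, peak_percent=80):
    """Return findings for a VPN address plan; an empty list means the plan is sound."""
    pool = ipaddress.ip_network(vpn_pool)
    findings = []
    for name, cidr in lan_subnets.items():
        net = ipaddress.ip_network(cidr)
        if pool.overlaps(net):
            findings.append(f"VPN pool {pool} overlaps {name} ({net})")
    # Peak sessions: the guide assumes 70 to 80 percent of eligible staff connect at once.
    peak = math.ceil(eligible_users * peak_percent / 100)
    # Assumption: network, broadcast and the gateway's own address are not handed out.
    usable = pool.num_addresses - 3
    if usable < peak:
        findings.append(f"VPN pool {pool} has {usable} usable addresses but peak load needs {peak}")
    return findings

def split_tunnel_routes(lan_subnets, reachable):
    """Collapse the subnets VPN users may reach into the shortest route list for clients."""
    nets = [ipaddress.ip_network(lan_subnets[name]) for name in reachable]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

# Constructed sample plan (hypothetical VLAN names; ranges follow the text's example).
LAN = {
    "office-lan": "192.168.1.0/24",
    "file-server-vlan": "192.168.10.0/24",
    "core-system-vlan": "192.168.11.0/24",
}

if __name__ == "__main__":
    print(check_address_plan(LAN, "10.10.0.0/24", eligible_users=50))
    print(check_address_plan(LAN, "192.168.1.128/25", eligible_users=200))
    print(split_tunnel_routes(LAN, ["file-server-vlan", "core-system-vlan"]))
```

Only the server VLANs appear in the split-tunnel route list, so the office LAN stays unreachable from VPN clients even before firewall policy is applied.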

Firewall and Router Configuration Procedures

Firewall configuration is the core component of any VPN deployment. Using FortiGate as an example, begin by accessing the management console and configuring the WAN interface with a static IP or DDNS. For SSL-VPN, configure the appliance to listen on port 443 or a custom port, and set up VPN portal authentication using local database, LDAP, or RADIUS integration. Firewall policies should define access rules from the VPN tunnel interface to the internal LAN, explicitly specifying allowed destination ports such as SMB on 445, RDP on 3389, and HTTP/S on 80 and 443. For IPsec VPN deployments, configure IKE version 2, AES-256 encryption, SHA-256 or stronger authentication algorithms, and Diffie-Hellman Group 14 or higher. After completing configuration, always create a configuration backup and document all changes in a change management log.
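One way to review a finished configuration against the rules in this section, as an added example that is not part of the original guide and not FortiGate's own tooling. The policy dictionary schema, the interface name "vpn-tunnel" and the sample rules are hypothetical; a real audit would first export the appliance's rules into this shape.

```python
ALLOWED_PORTS = {80, 443, 445, 3389}     # HTTP/S, SMB, RDP: the ports named in the text
STRONG_HASHES = {"sha256", "sha384", "sha512"}
DISCOURAGED_DH = {22, 23, 24}            # numbered above 14, but discouraged by RFC 8247

def audit_vpn_policies(policies, vpn_if="vpn-tunnel", allowed=ALLOWED_PORTS):
    """Flag accept rules from the VPN interface that are broader than the allowlist."""
    findings = []
    for p in policies:
        if p["srcintf"] != vpn_if or p["action"] != "accept":
            continue
        if p["dstaddr"] == "all":
            findings.append((p["name"], "destination is not restricted to named servers"))
        if p["ports"] == "all":
            findings.append((p["name"], "every port is open to VPN users"))
        else:
            extra = sorted(set(p["ports"]) - allowed)
            if extra:
                findings.append((p["name"], f"ports outside the allowlist: {extra}"))
    return findings

def audit_ipsec_proposal(prop):
    """Check one IPsec proposal against the minimums given in the text."""
    findings = []
    if prop["ike_version"] != 2:
        findings.append("IKEv2 is required")
    if not prop["encryption"].startswith("aes256"):
        findings.append("encryption is weaker than AES-256")
    if prop["hash"] not in STRONG_HASHES:
        findings.append("integrity algorithm is weaker than SHA-256")
    if prop["dh_group"] < 14 or prop["dh_group"] in DISCOURAGED_DH:
        findings.append(f"DH group {prop['dh_group']} is not acceptable")
    return findings

# Constructed sample rule set and proposal (hypothetical names and schema).
SAMPLE_POLICIES = [
    {"name": "vpn-to-fileserver", "srcintf": "vpn-tunnel", "dstaddr": "fileserver", "ports": [445], "action": "accept"},
    {"name": "vpn-to-rdp-hosts", "srcintf": "vpn-tunnel", "dstaddr": "rdp-hosts", "ports": [3389, 22], "action": "accept"},
    {"name": "vpn-temp-any", "srcintf": "vpn-tunnel", "dstaddr": "all", "ports": "all", "action": "accept"},
    {"name": "lan-to-wan", "srcintf": "lan", "dstaddr": "all", "ports": "all", "action": "accept"},
]
SAMPLE_PROPOSAL = {"ike_version": 1, "encryption": "aes128", "hash": "sha1", "dh_group": 5}

if __name__ == "__main__":
    for finding in audit_vpn_policies(SAMPLE_POLICIES):
        print(finding)
    print(audit_ipsec_proposal(SAMPLE_PROPOSAL))
```

The Diffie-Hellman check treats "Group 14 or higher" as a strength requirement rather than a numeric comparison, which is why groups 22 to 24 are rejected.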

VPN Client Deployment and Multi-Factor Authentication Setup

VPN client deployment involves installing VPN connection software on employee PCs and smartphones and configuring connection settings. FortiGate environments use FortiClient, which offers a free version, while Cisco AnyConnect environments use Cisco Secure Client. For large-scale deployments, leveraging Active Directory Group Policy or Microsoft Intune for silent installation improves efficiency significantly. Multi-factor authentication should be configured using one-time password (OTP) applications such as FortiToken, Google Authenticator, or Microsoft Authenticator. In FortiGate deployments, FortiToken Mobile is typically assigned to user groups, with employees registering via QR code during their first login. Creating client configuration templates and distributing them alongside setup manuals helps minimize help desk inquiries during the rollout.

Connection Testing and Performance Verification

Connection testing after VPN deployment is a critical step that must be completed before production launch. Minimum test items include VPN connection and disconnection verification, authentication success and failure patterns including wrong passwords and expired MFA tokens, access to internal resources such as file servers, intranet systems, and printers, and internet access while connected to the VPN. Performance verification should measure download and upload speeds over the VPN using tools like iperf3 and confirm that they meet the bandwidth requirements defined earlier. Load testing is equally important — apply approximately 120 percent of the expected maximum concurrent connections and verify that VPN gateway CPU and memory utilization remain within acceptable limits. Document all test results as evidence and address any issues discovered before proceeding to production.

Cost Estimates for VPN Deployment (10 to 50 Employees)

Here is a cost breakdown for VPN environment setup at SMBs with 10 to 50 employees. Hardware costs range from 80,000 to 250,000 yen for FortiGate 40F/60F models and 200,000 to 500,000 yen for Cisco ASA models. Software and licensing costs are 30,000 to 80,000 yen per year for FortiGate UTM bundle licenses, 100,000 to 250,000 yen per year for Cisco AnyConnect licenses depending on user count, and zero for open-source options like SoftEther and WireGuard. Static IP address costs run approximately 1,000 to 3,000 yen per month, with an additional 5,000 to 15,000 yen monthly if upgrading to a business-tier ISP plan. Outsourced deployment services range from 150,000 to 500,000 yen for basic setup, and 300,000 to 800,000 yen for end-to-end projects including network design and testing. Typical totals for SMBs in the Shinagawa, Minato, and Shibuya areas are 300,000 to 1,200,000 yen in initial costs and 50,000 to 300,000 yen in annual operating costs.

Building Post-Deployment Monitoring and Maintenance Systems

A VPN environment does not end at deployment — building monitoring and maintenance systems is the key to long-term stable operation. Set up log collection and analysis infrastructure using FortiGate's FortiAnalyzer or a Syslog server to regularly review VPN connection logs, authentication failure logs, and traffic volume trends. Establish a process for promptly applying VPN gateway firmware updates when security patches are released, with testing in a staging environment before production deployment. SSL certificate expiration management is also critical, so configure automatic alerts to prevent VPN outages caused by expired certificates. We recommend generating monthly VPN usage reports to track connection trends and peak load conditions for capacity planning. Prepare escalation procedures with contact lists for incident response and regularly review recovery runbooks to ensure operational readiness.
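The review of authentication failure logs described above can be automated on the Syslog server. The following is an added example, not code from the original guide or from FortiAnalyzer: it scans failure events in a sliding window and flags source addresses that either fail repeatedly or try several accounts. The log lines are constructed in a simplified key=value style rather than verbatim vendor output, the field names and thresholds are assumptions, and lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified key=value syslog style (not verbatim vendor output).
SAMPLE_LOG = """\
2026-02-27T08:58:10 action=login-fail user=sato srcip=203.0.113.7
2026-02-27T08:58:40 action=login-fail user=sato srcip=203.0.113.7
2026-02-27T08:59:05 action=login-fail user=sato srcip=203.0.113.7
2026-02-27T08:59:31 action=login-fail user=sato srcip=203.0.113.7
2026-02-27T09:00:02 action=login-fail user=sato srcip=203.0.113.7
2026-02-27T09:01:15 action=login-fail user=tanaka srcip=198.51.100.23
2026-02-27T09:01:17 action=login-fail user=suzuki srcip=198.51.100.23
2026-02-27T09:01:19 action=login-fail user=admin srcip=198.51.100.23
2026-02-27T09:05:44 action=login-fail user=ito srcip=192.0.2.50
2026-02-27T09:06:10 action=login-ok user=ito srcip=192.0.2.50
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split '<ISO time> key=value ...' into a dict with a parsed 'time' field."""
    stamp, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["time"] = datetime.fromisoformat(stamp)
    return rec

def detect_auth_abuse(lines, max_failures=5, max_users=3, window=timedelta(minutes=10)):
    """Return {source address: reason} for addresses whose failures exceed a threshold."""
    recent = defaultdict(list)   # srcip -> failure records still inside the window
    alerts = {}
    for rec in map(parse_line, lines):
        if rec.get("action") != "login-fail":
            continue
        events = recent[rec["srcip"]]
        events.append(rec)
        while rec["time"] - events[0]["time"] > window:
            events.pop(0)        # forget failures older than the window
        if len({e["user"] for e in events}) >= max_users:
            alerts[rec["srcip"]] = "many accounts from one address"
        elif len(events) >= max_failures:
            alerts.setdefault(rec["srcip"], "repeated failures")
    return alerts

if __name__ == "__main__":
    for ip, reason in detect_auth_abuse(SAMPLE_LOG.splitlines()).items():
        print(ip, reason)
```

A single mistyped password followed by a successful login, as with the last two sample lines, produces no alert.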

Establishing Telework Policies and Security Guidelines

In parallel with the technical VPN deployment, organizations must develop telework policies and security guidelines. Telework regulations should specify mandatory VPN usage, restrictions on VPN connections outside business hours, BYOD policies for personal devices, and rules prohibiting work on public Wi-Fi networks. Device management policies should require automatic OS updates, mandatory antivirus software, screen lock settings with a maximum 5-minute timeout, and remote wipe procedures for lost devices. Information security policies should define restrictions on taking corporate data offsite, rules for cloud storage usage, and incident reporting procedures. Conduct training sessions to communicate these policies to employees and reinforce understanding through quizzes or e-learning modules. Many SMBs in Shinagawa have been leveraging Tokyo Metropolitan Government telework subsidies to build out these governance frameworks.

VPN Environment Setup in Shinagawa, Minato, and Shibuya — Contact Oflight Inc.

Oflight Inc., based in Shinagawa, provides end-to-end remote VPN environment setup services for SMBs across Minato, Shibuya, Setagaya, Meguro, Ota, and the greater Tokyo area. We handle everything from requirements gathering and product selection consulting to network design, hardware configuration, client deployment, testing, and ongoing operations and maintenance, delivering VPN solutions tailored to each client's business needs and budget. With extensive deployment experience across major VPN products including FortiGate, we have supported organizations ranging from 10-person startups to 50-person mid-sized businesses. If you are considering building a telework-ready VPN environment, please contact us for a free initial consultation. We also assist with applications for the Tokyo Metropolitan Government's telework promotion subsidies, so feel free to reach out regarding cost optimization as well.
