VPN for accessing CRM: setup and selection in 2026

If the CRM has stopped opening — it's no longer just an inconvenience. Managers cannot access deals, the manager cannot see the funnel, integrations fail. VPN for accessing CRM solves this problem, but only if you understand which specific problem you are solving — because tasks can vary, and so can the tools.

Here we will discuss three different scenarios: foreign CRM is blocked or limited by geolocation, the provider slows down traffic through DPI, and the internal corporate CRM is only accessible from the office network. Each case requires its own approach.

Why CRM stops opening and how VPN solves it

Access error to CRM can have four different sources. They cannot be mixed — each has its own solution. Sometimes a manager sees "connection reset," but the real reason is not blocking, but aggressive DPI from Rostelecom or MTS, which simply cuts traffic by signature.

Geoblocking of foreign CRMs (Salesforce, HubSpot, Pipedrive)

Salesforce and HubSpot have been limiting access from Russian IP addresses since 2022 — not due to a request from Roskomnadzor, but due to their own compliance policy with sanctions lists. Pipedrive behaves more leniently, but there are still failures. A manager opens the browser, goes to app.salesforce.com — and either gets a blank page or a redirect to a page with a notification of unavailability.

VPN changes the IP address to a European or American one, and the CRM "sees" the connection from Germany or the Netherlands. Access is restored.

Blocking and slowing down through DPI by Russian providers

DPI — deep packet inspection — is a traffic analysis technology that Russian providers use at the request of TSPU (technical means of countering threats). Roskomnadzor slows down or blocks traffic through this system even where there is no formal blocking.

Practically, it looks like this: the CRM opens, but loads the list of deals for 15–20 seconds instead of 1–2. Telephony within the CRM disappears. Attachments do not load. The provider does not formally block anything — traffic is simply cut by protocol signature. VPN bypasses DPI by wrapping traffic in an encrypted tunnel that the analyzer cannot classify.

Closed corporate network: access only from the office network

This is a fundamentally different story. If the CRM is hosted on the company's own server and is only accessible within the corporate network — a public commercial VPN will not help here. A corporate VPN gateway is needed: the employee connects to it, receives a "virtual office IP," and only then enters the closed network.

The corporate gateway is set up by the IT department. This can be an OpenVPN server, Cisco AnyConnect, FortiClient, or WireGuard on the company's own server. A public NvoVPN or any other commercial service will not replace the corporate tunnel in this situation.

What exactly does VPN do: encryption, IP change, tunnel to the office

VPN does three things simultaneously: encrypts traffic (the provider cannot see the content and cannot apply DPI by signature), changes the outgoing IP address (geoblocking by IP stops working), and creates a tunnel to the necessary network (corporate case). That’s why VPN for accessing CRM is not just one tool, but several different scenarios for applying one technology.

Which VPN protocol to choose for working with CRM

The protocol is not marketing; it is a real difference in speed, latency, and resistance to blocking. This is important for CRM: a heavy interface with analytics and attachments is sensitive to delays. Let's break it down honestly.

WireGuard — speed and low latency for cloud CRMs

WireGuard is currently the best choice for cloud CRMs in terms of performance. The protocol operates in the Linux kernel space, has minimal code (~4000 lines compared to ~400,000 for OpenVPN), and provides latency 20–30% lower than OpenVPN on the same servers. For Bitrix24 or amoCRM, where the deals page loads dozens of AJAX requests, this is noticeable.

One downside, but significant: WireGuard is easily detected by traffic signature. If the provider deliberately cuts VPN connections — WireGuard will be the first to be blocked.

OpenVPN — compatibility with corporate gateways

OpenVPN is the de facto standard for corporate VPN gateways. Cisco, Fortinet, Check Point — most corporate solutions support OpenVPN-compatible configurations. If the IT department provided a .ovpn file, that’s it.

In terms of speed, OpenVPN lags behind WireGuard by about 15–25% due to operating in user space. In TCP mode (which is needed to bypass some firewalls), the losses are even greater. For CRM with moderate load, this is quite acceptable.

IKEv2/IPsec — stability when switching Wi-Fi and mobile networks

IKEv2 has built-in support for MOBIKE — a mechanism that maintains the VPN session when switching between Wi-Fi and LTE. A manager in a car moves from a Wi-Fi zone to mobile internet — the connection does not drop, and the CRM continues to work.

For field employees with a mobile CRM application (amoCRM, Bitrix24 Mobile), this is really important. Downside: IKEv2 is detected and blocked by aggressive DPI systems more easily than VLESS or Shadowsocks.

Shadowsocks, VLESS/XRay, Amnezia — bypassing DPI where regular VPNs are cut

If WireGuard and OpenVPN are cut by the provider — that’s not the end. Obfuscating protocols make traffic look like regular HTTPS: DPI cannot classify it as VPN and lets it through.

VLESS/XRay is the most modern option with active development. Shadowsocks is a classic that is a bit easier to set up. Amnezia VPN is a domestic development that wraps WireGuard in obfuscation while remaining open. All three are noticeably more complex to set up than standard protocols, but work where others no longer pass.

Comparison table: speed, bypassing blocks, ease of setup

NvoVPN supports WireGuard and obfuscating protocols — you can switch between them depending on the situation. But this is one of the options, not the only one.

VPN setup for CRM access: step-by-step guide

Let's go through the real steps. Not "download the app and click connect" — but exactly what needs to be done for the VPN for CRM access to work correctly, without speed loss and without side effects.

Step 1. Determine the type of CRM: cloud or internal

This is the first question, without which everything else is meaningless. Cloud CRM (Bitrix24 at cloud.bitrix24.ru, amoCRM at yourdomain.amocrm.ru, Salesforce at *.salesforce.com) — a commercial VPN is needed to change IP or bypass DPI. Internal CRM on the company's server — a corporate VPN gateway is needed, the address and credentials of which are provided by the IT department.

If unsure: try accessing the CRM via mobile internet, disabling corporate Wi-Fi. If it opens — the CRM is cloud-based. If not — most likely, it is internal.

Step 2. Installing the client on Windows and Mac

For WireGuard: download the official client from wireguard.com. On Windows, it is wireguard-installer.exe, on Mac — the app from the Mac App Store. The installation is standard, with no special features. For OpenVPN on Windows — OpenVPN Connect v3 (not GUI v2, it is outdated). On Mac — Tunnelblick or the same OpenVPN Connect.

Important: do not confuse the WireGuard client from wireguard.com with apps like "WireGuard VPN Pro" in the Windows Store — these are third-party wrappers, quality is unpredictable.

Step 3. Setting up on Android and iPhone/iOS for field work

On Android: WireGuard from Google Play (official app from the WireGuard team), OpenVPN Connect from the same store. On iPhone: WireGuard from the App Store, OpenVPN Connect there as well. Both apps are free; they are client software, not a service.

On iOS, there is a nuance: the VPN profile via IKEv2 can be set up directly in the system settings (Settings → VPN → Add VPN Configuration) without a third-party app. This is more convenient for corporate IKEv2.

Step 4. Importing configuration (file .conf / QR code)

In the WireGuard client on desktop: click "Add Tunnel" → "Import from File" → select the .conf file provided by your VPN service or IT department. The tunnel appears in the list with the name from the configuration file.

On mobile, it's easier with a QR code: in the desktop WireGuard client, click on the tunnel → "Export to QR Code", open the mobile app, click "+" → "Scan QR Code". The phone imports the configuration in a second. For OpenVPN, it's similar: in OpenVPN Connect on mobile — "Import" → "Load from File", if the .ovpn file is already on the phone.

Step 5. Checking access to CRM and speed test

After connecting: open CRM and time how long it takes to load the list of deals or contacts (this is the heaviest operation for most CRMs). At the same time — ping to the CRM server via terminal or command line:ping app.salesforce.com. Normal ping through VPN to a European server is 30–80 ms. If it's above 150 ms — switch to a server closer to the CRM data center.

For Salesforce, the data centers in Europe are Frankfurt and Amsterdam. For Bitrix24 Cloud — Moscow and Germany. Choose the VPN server accordingly.

Step 6. Split tunneling: allowing only CRM traffic through VPN

Split tunneling is a setting where only traffic to specific addresses goes through the VPN tunnel, while everything else (YouTube, email, other sites) goes directly. This is critical for business for two reasons: CRM speed is higher (no unnecessary load on the VPN channel), and CRM integrations with external services do not break.

In WireGuard, split tunneling is configured through the AllowedIPs field in the configuration file. Instead of0.0.0.0/0 (all traffic), specify the specific IP ranges of the CRM. For example, for Salesforce: ranges from their official documentation (Salesforce Trust). For amoCRM — the IP of your subdomain vianslookup вашдомен.amocrm.ru. Most commercial VPN clients have this setting in the GUI under the name "Split tunneling" or "Separate tunnel".

If all traffic is routed through VPN without split tunneling — webhooks and CRM integrations (for example, with telephony or 1C) may start sending requests from the VPN IP, which will break the whitelists on the receiving side.

Data security of CRM when working through VPN

CRM contains personal data of clients: names, phone numbers, negotiation history. This is not an abstraction — it is direct responsibility under 152-FZ. Therefore, the choice of VPN for accessing CRM is not just a matter of convenience, but a matter of information security.

Traffic encryption and protection of the client database on public Wi-Fi

Without VPN, traffic to CRM on a public network (cafe, airport, coworking) can theoretically be intercepted in a MITM attack. Modern CRMs operate over HTTPS, which already provides encryption, but VPN adds an additional layer and hides metadata — which domains you connect to, how often, what volume of data you transmit.

For managers working from cafes or on business trips, a VPN with traffic encryption is a reasonable protection for corporate data.

Policy of free VPNs and the risk of data leakage

Free VPNs do not earn from subscriptions. They earn from user data — traffic, metadata, and in the worst cases, session content. Hola VPN sold user bandwidth to botnets in 2015. Betternet logged and sold data to advertisers. These are documented cases, not theory.

For working with CRM, where the client database is stored — this is an unacceptable risk. A paid VPN with a clear no-log policy and independent audit is the minimum standard. Paying $3–7 a month for this is worth it.

Coordination with the IT department and company security policy

Before installing any VPN on a work device or in a work network — check with the IT department whether this contradicts the corporate security policy. In some companies, using unapproved VPNs on corporate laptops violates policy and can lead to disciplinary consequences.

If the IT department provided a corporate VPN — use it. If not, and you need access to a cloud CRM blocked by the provider — discuss this with IT and document the approval. This protects both you and the company.

152-FZ and storage of clients' personal data

152-FZ places the responsibility for protecting personal data during transmission and storage on the data operator. If an employee works with the client database through an unencrypted channel or through a VPN service with questionable logging policy — this is a potential compliance risk with legal requirements.

I won't provide legal advice here — this is not my area. But considering this responsibility when choosing a VPN solution for working with CRM is reasonable. An approved corporate VPN or a verified paid service with a no-log policy meets basic requirements.

Solving typical problems: CRM is slow or does not open through VPN

You connected to VPN, but CRM still behaves incorrectly. Let's analyze specific failures — not abstractly, but with real causes and actions.

CRM opens, but very slowly — choosing a nearby server

The main reason for slow CRM through VPN is the large distance between the VPN server and the CRM data center. If you are connected to a server in New York, and Bitrix24 is located in Germany — traffic goes across the Atlantic and back. Ping increases, the interface lags.

Solution: choose a server geographically close to the CRM data center. You can usually find out the location of the data center in the service documentation or throughtraceroute/tracert to the CRM domain. Switch to WireGuard — it has less overhead compared to OpenVPN on the same channel.

Frequent disconnections on mobile internet

WireGuard on mobile can disconnect when switching between LTE towers or when changing from Wi-Fi→LTE. This is not a bug; it is the behavior of the protocol when the device's IP changes. Solution: switch to IKEv2 — MOBIKE maintains the session during network changes. Or enable persistent keepalive in the WireGuard settings (PersistentKeepalive = 25 in the config).

VPN is on, but CRM is still unavailable (DNS, split tunneling)

Three common reasons. First: DNS did not switch to the VPN resolver, and the CRM domain resolves to a blocked IP. Check:nslookup yourdomain.crm.com with the VPN on should return an IP different from the one without the VPN. Second: in split tunneling, the CRM domain is accidentally excluded from the tunnel. Check the exclusion list. Third: the provider's aggressive DPI blocks even encrypted VPN traffic — switch to VLESS/XRay or Shadowsocks.

Captcha and account blocking when changing IP

CRM security systems (especially Salesforce and HubSpot) track the geography of logins. If you logged in from Moscow yesterday and today from a Dutch IP of a VPN server, the system may request additional verification or temporarily block access.

Solution: use the same VPN server consistently — one IP, one country. Do not switch between servers unnecessarily. If CRM allows — add the VPN IP to the trusted list in the account security settings. When using a shared VPN server with several colleagues — one IP for multiple users may raise the system's suspicion. In this case, consider a dedicated IP offered by some VPN services.

It is better not to disable two-factor authentication — it is not the cause of the problem. Just set up an authenticator app (Google Authenticator, Authy) instead of SMS, then changing IP will not reset the session.