Do commercial VPNs guarantee my traffic will be tunneled back to the states before hitting the client’s network?
Commercial VPN IP addresses are easily identifiable in logs.
I think you’re asking the wrong question. If your employer is as paranoid as you say, is playing hooky worth your job? And more importantly, do you think the advice you receive on a subreddit dedicated to $100 pieces of network gear reliable enough to bank your income on?
Just start using the VPN while you’re still at home, if anything gets flagged it’s not a problem as you’ll actually still be in your state. Then if all is well go to the Caribbean and continue using the same connection.
Cannot comment about commercial VPNs, you’ll maybe have to ask them that question or on their forum.
However I was in Italy with my GL.iNet device. My corporate laptop VPN connects to the nearest node in a global SASE network.
My GL.iNet VPN connects back to my home network in the UK (your second scenario) which I use mainly for streaming UK content.
So without the GL.iNet VPN active my corporate VPN connected to a node in Italy. With the GL.iNet VPN active I was connecting to nodes in the UK.
VPN technology is such that you have leeway in how you deploy it. Geo IP blocking is an inexact science. People are less likely to use rules like “only allow US IPs” but are more likely to use “block Russian, North Korean, Iranian IPs” for example.
One rule however they might use is block commercial VPN and proxy exit nodes.
What they might be looking for is the impossible traveller, a user who tries to connect from 2 locations at the same time.
My suggestion is to try BOTH options before you head for your trip. Unless you have a poor home connection the second scenario might be the best one.
However one question, do you have their VPN client on your machine? If so then they could gather data, however on the plus side they trust the machine which means they are more likely to let it in.
Of course I would maybe drop a question to the client's IT support. Explain that you are traveling a bit for work but will still be using their VPN to fulfill your duties, would there be any technical issues with that?
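The “impossible traveller” check described above, as an added defender-side example that is not from this thread: it walks a constructed login log, resolves source IPs through a constructed stand-in for a GeoIP table, and flags consecutive logins by the same user whose implied travel speed exceeds an assumed 900 km/h threshold.

```python
import math
from datetime import datetime

# Constructed sample auth log: (user, UTC timestamp, source IP).
SAMPLE_LOG = [
    ("alice", "2024-03-01T09:00:00", "203.0.113.10"),
    ("alice", "2024-03-01T09:40:00", "198.51.100.7"),
    ("bob",   "2024-03-01T10:00:00", "203.0.113.10"),
    ("bob",   "2024-03-01T18:00:00", "192.0.2.44"),
]

# Constructed stand-in for a GeoIP lookup (IP -> lat, lon), using
# documentation prefixes only; a real deployment queries a GeoIP database.
GEO = {
    "203.0.113.10": (51.5074, -0.1278),   # London
    "198.51.100.7": (18.2208, -66.5901),  # Caribbean (Puerto Rico)
    "192.0.2.44":   (53.4808, -2.2426),   # Manchester
}

MAX_SPEED_KMH = 900.0  # assumed threshold: faster than an airliner


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(log, geo=GEO, max_kmh=MAX_SPEED_KMH):
    """Return (user, previous_ip, current_ip, speed_kmh) for each pair of
    consecutive logins whose implied speed exceeds max_kmh."""
    last = {}      # user -> (timestamp, ip) of the previous login
    alerts = []
    for user, ts, ip in sorted(log, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if user in last:
            prev_t, prev_ip = last[user]
            hours = (t - prev_t).total_seconds() / 3600
            dist = haversine_km(geo[prev_ip], geo[ip])
            speed = dist / hours if hours > 0 else float("inf")
            if dist > 0 and speed > max_kmh:
                alerts.append((user, prev_ip, ip, round(speed)))
        last[user] = (t, ip)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOG):
        print("impossible travel:", alert)
```

A commercial VPN exit adds a second, geographically distant location to exactly this kind of trail, which is why the comment warns about it.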
- While a VPN setup at router level is quite effective in disguising location, if your devices have other location sensors, e.g. GPS, that tap location info from other means, and your company is tracking it, then you may still get your location leaked.
- Even if it is completely foolproof, I suppose the best bet is still to be honest with your company about your location. This is ultimately a trust and integrity issue.
- If you plan to VPN back to your country, make sure your company is fine with you connecting from a commercial one.
- A home VPN is not very difficult to set up, provided that your home has a public IP. You can do it easily with a GL.iNet router at home.
Commercial VPNs can be identified easily. Look up residential VPN, it spoofs a home connection and if you’re lucky they have a major city. Then use it for a week while still at home and see if it sets off alarms, if it does, oops boss, my roommate turned on VPN to watch TV but I’m home.
I never recommend chancing it with a commercial VPN. You’re putting a target on your back and just asking to be monitored more closely. Use your own VPN server.
Your assumption that a home VPN server will be cumbersome and introduce more overhead and latency is mostly wrong. It’s quite easy to setup and it will be entirely yours to use, no throttling or sharing bandwidth with other users. The only downside is potentially slightly worse latency internationally since commercial VPNs (which use large data servers), will have optimized routing. But this is the least of your concerns.
Our Fortinet will show me the location of all users, also it might have that location on the blocked list, I only allow UK connections.
Before you go… start using the exact setup you want to use while traveling. You might quickly find it doesn’t work.
You’re going to tunnel over a tunnel. While this will work (make sure you use UDP tunnels like WireGuard; not sure what the client will have you connecting with), your throughput will take a massive nose-dive. If you’re on shitty internet abroad, this is even worse. So if you are doing anything data intensive, even video calls, it’s not going to go well.
There is something like residential VPN that you can set up on your travel router. This IP address will not be on VPN provider lists so no page will show it as a proxy. You should check this out. It worked for me.
+1… on no commercial VPNs. Not only easily detectable in logs, but most commercial network gear includes access to security subscription services that maintain constantly updated lists of all commercial VPN IPs so the admins can simply flip a few buttons to either be alerted or just block connections from these providers entirely.
A dual router VPN using your home IP is the most common solution, though nothing is risk free. I personally worked this way for over a decade of my “big tech” career without issue, and know hundreds of people doing the same… but YMMV, and if you are using company-owned equipment there’s a bit more to consider than just the VPN.
Bad advice. What about potential Geo spillage when they are no longer in their home office?
I can comment on commercial VPNs - bad, bad idea, the IP addresses of those are easily detected by any respectable cybersecurity team.
Obviously, being upfront with your employer is the moral “best foot,” but I understand what you are trying to do as I have been doing the same for years now.
The only time I was caught was while using a commercial VPN. Office 365 ID’d my location as Panama, which is nowhere near where I was, but the IP was listed as being out of Panama and not at the server hub in Los Angeles, which is what I paid for. That company had no express policy forbidding my remoteness and my direct managers all knew where I was. Still lost that job.
Now, I have a fully set up and isolated work network using a super beefy server and my slates for travel. I also run Pi-hole through Unbound for DNS and all my services are tunneling through Cloudflare so all my endpoints come back with their IPs. I also have Tailscale for backup support.
Moral of the story, it can be done but you have to truly want to do this. Put in the time and effort and you’ll be pretty secure against the most paranoid of companies. One major caveat is that my work does not furnish us with hardware as our work is not typically advisable on a company network.
If configured and used properly it’s a solid setup. You’ll just need to ensure you have solid down and upload speed at your home server location and that your ISP provides you a public IPv4 (not CGNAT).
With a dual-router setup the VPN tunnel is just used for the segment to securely proxy your traffic from your travel location back to your home IP address. From there it looks just like if you are using the internet while sitting in your living room.
VPN blocking can be done in many ways, but would not be common for NA, SA or EU residential ISPs.
Most ISPs do not. You can easily tell: log in to your ISP modem/router and look at the IP address assigned to the WAN interface. If it matches the address you see on whatismyip.com, then your modem has a public IP.
If it does not match and instead the modem has some address starting with 10.x or 100.x then you do have CGNAT, but may be able to get this upgraded to a public (not static, just public) IPv4 for a few $ extra/mo.
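The WAN-address check the two comments above describe, as an added example that is not from this thread: it compares the router's WAN address with what the outside world reports and names the case, using the actual RFC 6598 CGNAT block (100.64.0.0/10) rather than a loose “100.x”. The function name and return labels are my own.

```python
import ipaddress

# RFC 6598 shared address space that ISPs use behind carrier-grade NAT.
# "100.x" in the comment really means 100.64.0.0 through 100.127.255.255.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip: str, external_ip: str) -> str:
    """Classify a router's WAN address given the address seen from outside
    (e.g. from whatismyip.com). Labels are this example's own:
      cgnat      - ISP is translating you; inbound VPN connections will not arrive
      private    - RFC 1918 address; another NAT device sits in front of this router
      public     - directly reachable; DDNS plus a port forward will work
      translated - looks public but is not what the internet sees (ask the ISP)"""
    wan = ipaddress.ip_address(wan_ip)
    if wan in CGNAT_SPACE:
        return "cgnat"
    if wan == ipaddress.ip_address(external_ip):
        return "public"
    if wan.is_private:
        return "private"
    return "translated"


if __name__ == "__main__":
    # Constructed sample values, not real measurements.
    print(classify_wan("100.70.1.2", "203.0.113.10"))    # cgnat
    print(classify_wan("203.0.113.10", "203.0.113.10"))  # public
```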
Yes. Almost all residential IPs will be dynamic. That’s fine as long as it’s public. The DDNS client in the router will account for the dynamic part.