I work from home and I’m not allowed to connect from any place other than Ireland; people say that our mandatory VPN fails connection if we’re not in the country. My question is, can I leave a Pi on at home as an exit and use another Pi connected by cable to a router and sharing its wifi to connect my laptop and connect the laptop VPN as if I was home? Would the MacBook app “Cisco AnyConnect Secure Mobility Client” connect to its VPN that tunnels my Mac to California, not noticing I’m not home? This question is like an inception inside an inception. Too much for my little brain.
I work from home and I’m not allowed to connect from any place other than Ireland
Just a heads up: you have been warned by your employer if you continue down this route.
In theory it's possible; however, it's not 100% guaranteed, as VPN leaks can occur, so if your company is monitoring connections and you run into an issue with a leak, they would see you attempting to connect from outside the country.
another Pi connected by cable to a router and sharing its wifi to connect my laptop and connect the laptop VPN as if I was home?
You would need a router at the remote location (not the Ireland location) above that has the ability to force all traffic to the Pi running Tailscale. Generally you want a firewall that can do policy-based routing, where you can tell traffic from a certain client to use a certain gateway (most home/ISP routers don't do this).
If Tailscale fails to connect to your exit node (either side) or Tailscale the service has an issue, your connection could potentially default to the remote location's internet connection, which then would expose you being outside the country.
I advise against your plan if you care about this job; your company IT has a policy that you can only connect to the VPN while being in the country. You shouldn't be trying to skirt around that; we in that career field already have enough on our plate trying to protect a network.
What I always did was have a Windows machine on my own server at home. I would log into that from wherever it was I was doing work from my laptop, and I would VPN into work from my Windows server at home. To them I was logging in from my home IP every time. Can use traditional IPsec VPN or Tailscale.
Just so you know, your location is still discoverable via the WiFi networks your laptop can see and correlating with data from Wigle.net
Assuming your IT can run commands on your laptop
I advise against your plan if you care about this job; your company IT has a policy that you can only connect to the VPN while being in the country. You shouldn't be trying to skirt around that; we in that career field already have enough on our plate trying to protect a network.
Agreed.
Your company lets you connect to your work VPN on any device? It sounds like OP has a work laptop assigned to them.
I have a work laptop, but they always allowed VPN from any device because there weren’t enough laptops to distribute during the pandemic. I’ve never actually used their laptop. But good point. I’m guessing IT would know if they’re logging in from a device other than a work-issued laptop. Although I don’t see why it would matter to IT.
Although I don’t see why it would matter to IT
Well, for one, IT has no control over the box. You are introducing a device onto your work's network that might not be secured, patched, or potentially infected, exposing the work environment to something unknown.
If your company has a BYOD policy, awesome, but it's not a simple “why would it matter?” There are ways to limit exposure in a BYOD, but a lot of orgs don't implement them correctly, and you saying “I have to bring my laptop in 1-2 times a year to get updates” makes me guess they don't have a good plan for BYOD connecting into their network.
Then what’s the purpose of the VPN? Doesn’t that prevent any issues on the laptop from getting to the work network? I’m not introducing my Windows machine onto the work network if I connect to it via VPN.
A VPN allows a device over the internet to securely connect to a network; a VPN alone doesn't protect the work network from a machine. There is some tech/software out there that will make a machine do a health check before it connects to a VPN, but that depends on your company's hardware/software.
If you have your company VPN client on a Windows machine you own, you are exposing their network to their network and vice versa.
Some companies do have BYOD policies to allow personal machines, I'm not arguing that, I'm just saying you open your personal machine to your work network.
But at the same time they have no ability to remotely update the laptop for patches. They have us physically bring it in once or twice per year for updates. I guess I just don’t see how it’s not secure if I use my own Windows machine. If it were not secure I would think they wouldn’t allow it. It’s government.
I’m not seeing how the company or government has access to your machine outside of the VPN connection. Like they shouldn’t be able to see over VPN what I’m viewing on the browser, unless that’s wrong. Personally I only use that Windows VM for work purposes and it’s on its own VLAN.
There are ways to remotely patch machines; your job/company just doesn't want to pay for said software.
I guess I just don’t see how it’s not secure if I use my own Windows machine. If it were not secure I would think they wouldn’t allow it. It’s government.
Governments are terrible at cyber security; just look at what you said: you have to literally bring your machines in to get updates. This is the year 2023, there are ways to patch remote/WFH laptops.
Microsoft releases OS updates every second Tuesday of the month. 3rd party applications get updates throughout the year. You are telling us your remote work systems only get patched once/twice a year, which blows my mind.
Yes, they can see what traffic your VPN client is using; your VPN client is routing through their network. Now, they aren't cracking open https, but if they are doing full tunnels all your traffic is routed over the VPN (so they could see what websites you are going to while you are on the VPN machine).
You securing your side is great; my comments are more directed at your employer, especially if it's a gov entity. My advice: Only do work stuff on that personal machine that has the work VPN connected. Don't visit any kind of personal sites or sites that could get you in trouble.