I’m planning on spending a little time abroad and I just found out that my new employer has draconian presence requirements which they didn’t tell me about during negotiations. So I’m turning to setting up a VPN with a Beryl. I read “Which router should I get - Connect from remote location to use Home Internet” and especially @jdub’s messages and realized that there’s more to preventing disclosure of location than simply turning on a VPN. I started this thread to focus on the holistic approach, and not any one technology or configuration.
My thoughts are below:
- Certainly you need a VPN.
- Software VPNs on the work machine are out of the question. Any decent device management software would be able to detect that.
- You need to make sure that you don’t ever connect to work services without the VPN on. I’m not just talking about “internet kill switch” (though that’s part of it), but generally never letting that laptop connect directly even on the weekend when you just want to watch Netflix. There are lots of various programs that will ping home or check for updates that could give you away. Even web pages can ping home when they’re not open (PWAs with service workers). To prevent this you’d probably need to run something like Little Snitch, but it’s probably best to have a dedicated laptop which ONLY connects to the VPN-ized AP.
- Same goes for your phone if there are any corporate apps installed. You might be safe with some standard commercial apps (like Slack) because companies are sensitive about sharing IP addresses. However, I see that GSuite offers admins a way to show login IP. It might not show IPs of all random connections, but no guarantees. Also, these apps might open direct connections to the corporate server (for SSO or to preview a webpage). And I haven’t even gotten to security apps like Okta Verify which probably make it a feature to alert on unexpected IP addresses and locations. All in all, if you have a phone, you probably need to disable cell connection and ONLY connect to your AP. You might be able to install a VPN on your phone (if it’s a personal phone) and force the app(s) to use it, but this seems risky.
- Other direct connections, like DNS lookups. I need to research more, but I understand that sometimes DNS doesn’t go through the tunnel.
- “Diagnostic” Data That Apps Might Send. You’ve taken care of the IP traffic itself, but what about what travels through the tunnel?
- Location services (both laptop and phone). Both laptops and phones can determine the user location and apps could choose to upload it. Laptops don’t (typically) have GPS, but they can trivially determine their location based on nearby wifi points and provide that location to a “GPS” request. Make sure that apps, including Chrome, can’t get the location. Turn off location services altogether. I suspect that a laptop configured with Device Management can force Location Services on and force-provide that permission to a “diagnostic” app, in which case there’s not much you can do other than a Faraday cage.
- Speaking of which, the wifi access point name can be queried and uploaded. Don’t set your SSID to “VPN Tunnel From Abroad”. I think some apps can get all visible SSIDs, and a close examination of those could give you away.
- Timezone. Similarly, apps can access the timezone and if your timezone is suddenly switched to Ottawa then that could give you away. Leave your dedicated laptop in your home timezone (easier to do when location services are off).
Anything else I’m forgetting? @jdub Your thoughts?