Preventing "location leaking" when using VPNs

I’m planning on spending a little time abroad and I just found out that my new employer has draconian presence requirements which they didn’t tell me about during negotiations. So I’m turning to setting up a VPN with a Beryl. I read Which router should I get - Connect from remote location to use Home Internet and especially @jdub 's messages and realized that there’s more to prevent disclosure of location than simply turning on a VPN. I started this thread to focus on the holistic approach, and not any one technology or configuration.

My thoughts are below:

  • Certainly you need a VPN.
  • Software VPNs on the work machine are out of the question. Any decent device management software would be able to detect that.
  • You need to make sure that you don’t ever connect to work services without the VPN on. I’m not just talking about “internet kill switch” (though that’s part of it), but generally never letting that laptop connect directly even on the weekend when you just want to watch Netflix. There are lots of various programs that will ping home or check for updates that could give you away. Even web pages can ping home when they’re not open (PWAs with service workers). To prevent this you’d probably need to run something like Little Snitch, but it’s probably best to have a dedicated laptop which ONLY connects to the VPN-ized AP.
  • Same goes for your phone if there are any corporate apps installed. You might be safe with some standard commercial apps (like Slack) because companies are sensitive about sharing IP addresses. However, I see that GSuite offers admins a way to show login IP. It might not show IPs of all random connections, but no guarantees. Also, these apps might open direct connections to the corporate server (for SSO or to preview a webpage). And I haven’t even gotten to security apps like Okta Verify which probably make it a feature to alert on unexpected IP addresses and locations. All in all, if you have a phone, you probably need to disable cell connection and ONLY connect to your AP. You might be able to install a VPN on your phone (if it’s a personal phone) and force the app(s) to use it, but this seems risky.
  • Other direct connections, like DNS lookups. I need to research more, but I understand that sometimes DNS doesn’t go through the tunnel.
  • “Diagnostic” Data That Apps Might Send. You’ve taken care of the IP traffic itself, but what about what travels through the tunnel?
    • Location services (both laptop and phone). Both laptops and phones can determine the user location and apps could choose to upload it. Laptops don’t (typically) have GPS, but they can trivially determine their location based on nearby wifi points and provide that location to a “GPS” request. Make sure that apps, including Chrome, can’t get the location. Turn off location services altogether. I suspect that a laptop configured with Device Management can force Location Services on and force-provide that permission to a “diagnostic” app, in which case there’s not much you can do other than a faraday cage.
    • Speaking of which, the wifi access point name can be queried and uploaded. Don’t set your SSID to "VPN Tunnel From Abroad". I think some apps can get all visible SSIDs, and a close examination of those could give you away.
    • Timezone. Similarly, apps can access the timezone and if your timezone is suddenly switched to Ottawa then that could give you away. Leave your dedicated laptop in your home timezone (easier to do when location services are off).

Anything else I’m forgetting? @jdub Your thoughts?

Oh. I should add that the VPN server should be located in a personal residence or small business. You shouldn’t use a VPN IP address or a cloud server. There are lists of both sets of IP blocks (and some VPNs are actually colocated within cloud blocks). While the company might not have access to one of these blocks, I wouldn’t risk it. Also, the IP address geolocating services might suddenly start geo-locating you as coming from Council Bluffs, Iowa. Even if Netflix wouldn’t bat an eye, someone in IT might wonder why the employee living in Small Town, NH is suddenly geolocating in Boston.

You need to be able to disable all radios, WIFI, Bluetooth, GPS (if equipped), as they can all give away your location. The problem is, if you don’t own the system, and the system does not have physical switches to turn things off like Bluetooth or WIFI, which most systems don’t have nowadays, then some privileged application can turn things on from time to time, to figure out where the PC is currently located.

Even without WIFI, using only an Ethernet connection to your own travel router running a VPN to your house can leave tracks. Wireguard is great, but it normally uses a smaller MTU size than a standard network connection does, which your company’s IT department may notice. The number of network hops can show that you’re farther away from the home office than you claim. I find VPN protocols like Softether are better at hiding their tracks than OpenVPN or Wireguard, but Softether is not supported by GL iNet, although with some work it can be manually loaded. There are a whole lot of ways that a skilled IT department can figure out that you are not in country.

Another thing to watch for is that your camera can also give you away. Different countries have different looking outlets and switches, and daylight hours and outside weather can be picked up from open curtains. Same thing with microphones. In northern climates, you normally don’t hear chickens clucking in winter, but this is a sound I hear often when I’m in Central or South America.

I’m on constant travel and I use a GL iNet travel router with VPN connections to cloud servers, and to physical routers at residential locations. This does a fair job of hiding my location for banking, dealing with state and federal government agencies, and some streaming. All my devices, PC, phone, tablets are all my own, and I have turned off location information on all systems, but even so, it is not perfect. Some sites still figure out I’m not where my IP address claims I am.

Unless you’re willing to be fired over breaking their travel rules, I would not try hiding it.

1 Like

My general take on this…

OpSec is very hard to do correctly. If it’s hard for professionally trained intelligence operatives with a huge support apparatus and decades of iteration on best practices, it’s going to be harder for you. Bruce Schneier is famous for saying that it’s easy to design a security system you can’t break. But that’s not the same thing as designing a security system that can’t be broken, or one that some other smart people can’t break. I chuckle at the various people in here who confidently state, “I’ve got WireGuard and a kill switch, what else do I need? How can my employer possibly track me?” Good luck my friend.

I sit on a few cybersecurity committees and have some cyber responsibilities as part of my job, but I wouldn’t hold myself out as a clear expert, certainly in the area of trying to figure out who is skirting the “you have to work from X location” policy. So if I’m saying it here, you can probably bet that the real professionals are a few steps ahead of where I am and have better tools and tricks. You’ve been warned.

If I were thinking about this problem, I would break it down into three high level but interconnected areas:

1 - Research and analysis:

Who is your adversary? What are their capabilities? What are your gaps in knowledge about their capabilities? Where are the places you’re most likely to be wrong in your assessment? What are the consequences of being incorrect? How much does your adversary really care, and how much effort are they willing to expend to catch you? And very importantly, what feedback loops do you have in place to update your processes periodically based on new technologies and changes in your adversary’s posture/priorities?

This is where having institutional assistance can be super helpful. It’s hard to keep at the cutting edge of what is possible and what is likely unless it’s your job. I lean on our security team a lot to keep me up to date, because frankly I don’t have the time to do it myself at the level that’s required. It’s possible to roll your own solution and be effective against many opponents, but it takes a lot of time and effort, even if you have the baseline skills required. But it’s very hard to maintain success against a determined team.

2 - Build a plan:

In light of your research in step 1, what are the kinds of things you’re going to need to do to accomplish your goals? As the OP notes, it’s not just turning on a VPN. If you’re trying to conceal location, you’re also going to need to deal with a whole host of issues, particularly if you’re going to use a cell phone. And in this day and age, you kind of can’t not use a cell phone, because that raises other kinds of red flags. Your cell phone always communicates from your “home” for some period of time (when you’re out of the country), but jumps around to various IPs from your cell provider when you’re in the states? Red flag. Your cellphone always communicates from your home IP all the time? Red flag.

Let’s also talk about VPNs. You’ve got 400ms latency on your connection but you supposedly live down the street from our HQ? Red flag. You have weird packet fragmentation on our corporate VPN because you’re tunneling it inside another VPN, or because you are on a mobile network, or both? Red flag. You have problems connecting because your corporate VPN doesn’t play nice with being NATted to the VPN? Red flag.

You have a different IP block (on your travel router) than you do at home? Red flag. Your usage patterns indicate you might be located in a different time zone because you are? Red flag.

Of course, all of these problems get even more difficult if your device is managed by your employer, and become more difficult still if your employer is your adversary.

3 - Execute the plan without making mistakes

This is the one that most amateurs assume is easy, and that professionals know is impossible. Depending on how determined your adversary is and how many resources they have, you only have to mess up one time to get caught. And the truth is that humans just aren’t reliable in that way, particularly over any meaningful timescale. The longer you do it, the more complacent you get, and the more likely you are to make a mistake. Again, if spies mess this stuff up - and they do - assume that you’re going to make a mistake as well. And try your best to know the consequences of your mistakes before you make them.

This isn’t to rain on anybody’s parade, but it is to say that you are way better off to work something out with your employer if that is possible than to try to pull something over on them. A professional and competent IT department can determine that you’re in a foreign country if they want to. The question is whether they want to and whether they have the resources to do so given the 500 other things that broke last night.

1 Like
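The posts above list the same handful of signals from the detection side: a browser or endpoint timezone that disagrees with the timezone the source IP geolocates to, a source address inside hosting or VPN-provider space, a new IP block, round-trip latency that is implausible for the declared home address, a reduced MTU from a nested tunnel, and extra network hops. The following script is an added example written for this thread, not code from any poster or from GL.iNet; it shows what a small review job run by an IT team over its own authentication or VPN-concentrator logs might look like. The log format, the IP blocks tagged as hosting space, the per-user baselines and the thresholds are all constructed assumptions; a real team would derive them from its own data.

```python
"""
Added example (not from the forum thread): flag the location-inconsistency
signals discussed above in constructed session records, the way an IT or
security team might review its own logs. Blocks, baselines and thresholds
are assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed: address space the organisation has tagged as hosting / VPN-provider.
HOSTING_BLOCKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed thresholds; a real team would tune these from observed baselines.
MAX_HOME_RTT_MS = 120   # RTT above this is hard to explain for a user "down the street"
EXPECTED_MTU = 1500     # standard Ethernet; WireGuard's default is 1420
MIN_HOPS_DELTA = 5      # hop-count increase over the user's baseline worth noting


@dataclass
class Session:
    user: str
    src_ip: str
    ip_geo_tz: str    # timezone derived from geolocating the source IP
    client_tz: str    # timezone reported by the browser / endpoint agent
    rtt_ms: int
    mtu: int
    hops: int


@dataclass
class Baseline:
    home_tz: str
    home_prefix: str  # prefix the user normally connects from
    hops: int         # typical hop count from the user's home connection


# Constructed per-user baselines.
BASELINES: Dict[str, Baseline] = {
    "alice": Baseline("America/New_York", "192.0.2.0/24", 9),
    "bob": Baseline("America/New_York", "192.0.2.0/24", 9),
}

# Constructed log lines in a simple key=value format (assumed, not a real product's format).
SAMPLE_LOG = """\
user=alice src=192.0.2.10 ip_tz=America/New_York client_tz=America/New_York rtt=18 mtu=1500 hops=9
user=bob src=203.0.113.7 ip_tz=America/New_York client_tz=Europe/Lisbon rtt=140 mtu=1420 hops=16
"""


def parse_log(text: str) -> List[Session]:
    """Turn key=value log lines into Session records, skipping blank lines."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        sessions.append(Session(kv["user"], kv["src"], kv["ip_tz"], kv["client_tz"],
                                int(kv["rtt"]), int(kv["mtu"]), int(kv["hops"])))
    return sessions


def check_session(s: Session, b: Baseline) -> List[str]:
    """Return the list of inconsistency flags raised by one session (empty if clean)."""
    flags: List[str] = []
    if s.client_tz != s.ip_geo_tz:
        flags.append(f"tz-mismatch:{s.client_tz}!={s.ip_geo_tz}")
    if s.client_tz != b.home_tz:
        flags.append(f"tz-not-home:{s.client_tz}")
    addr = ip_address(s.src_ip)
    if any(addr in net for net in HOSTING_BLOCKS):
        flags.append("hosting-or-vpn-provider-ip")
    if addr not in ip_network(b.home_prefix):
        flags.append("new-ip-block")
    if s.rtt_ms > MAX_HOME_RTT_MS:
        flags.append(f"high-rtt:{s.rtt_ms}ms")
    if s.mtu < EXPECTED_MTU:
        flags.append(f"reduced-mtu:{s.mtu}")
    if s.hops - b.hops >= MIN_HOPS_DELTA:
        flags.append(f"extra-hops:+{s.hops - b.hops}")
    return flags


def run_report(text: str = SAMPLE_LOG) -> Dict[str, List[str]]:
    """Map each user in the log to the flags their session raised."""
    return {s.user: check_session(s, BASELINES[s.user]) for s in parse_log(text)}


if __name__ == "__main__":
    for user, flags in run_report().items():
        print(f"{user}: {'clean' if not flags else ', '.join(flags)}")
```

No single flag proves anything (a home ISP re-assigning a prefix raises new-ip-block on its own), which is why the checks return the whole list rather than a verdict; several flags firing together on one session is what turns a log line into something a reviewer looks at.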

Interesting responses. I hadn’t even considered the MTU sizes or monitoring of latency.

In my case, luckily my IT department isn’t a sophisticated adversary, though they would probably notice glaring (or query-able) things like errant IP addresses. This is a group that disables downloads from the Apple store but doesn’t enforce OS or browser updates, or prevent (or even have policies against) installation of unsigned software, brew, pip, etc packages, docker containers, etc. I think someone last year had the idea that foreign countries are bad and scary, and it would make a good-sounding policy to prevent it.

My prior company (one where we discussed these types of things on security-discuss@) had a more reasonable restriction on logging in from just China or Russia.

Do you offer paid advice on the subject of opsec and what it entails? I would find it useful to get real knowledge rather than just someone who scans Reddit tech pages.

I’m kind of confused about what OP is even trying to do. Does he want his employers to think he hasn’t left the country? If so and he has just personal devices then how could the company know?

I always think that if somebody truly wants to get you and they have enough power then you’re pretty much screwed, but there seem to be a few cases where this somehow hasn’t happened. Look at Dream Market on Tor. 1 admin got arrested yet the owner has NOT been identified. He was called SpeedStepper and it’s estimated the value of his crypto earnings must be $500,000,000USD+. Half a billion dollars, kilos of heroin flying all over the world and yet no name?

Yes. My ultimate goal is to be able to work outside of the country without my employer knowing.

More generally, I wanted to start a discussion. I’ve seen other posts on here from people with the same goal, and realize that I know more than some people but not as much as others (like Jdub and eric), so I wanted to have a discussion about best practices that might help me and others.

More specifically, I’ll have a corporate laptop. And I understand that when they control the OS then a determined investigator could figure it out. And while I realize that they could peek at my webcam or listen for roosters in the winter or exfiltrate SSIDs and subscribe to a database that gives a likely location or any other number of things, I’m not that worried about that type of detection. I want to make sure all the basic stuff is covered, especially since I’ll be on a corp device.

To your question about how the company could know, I think both eric and jdub gave signals the company could use, even coming from a personal device, to have a confidence that something is up, if not necessarily out of the country or in a specific location. One simple example that occurred to me while I was writing my post is the use of timezone. If you visit the company’s webpages then they can access your timezone.

I’m not sure but I imagine your ultimate goal is probably extremely difficult. If someone could claim their work activity was being done domestically while they’re in a different country it could perhaps be possible to use that as an alibi while actually elsewhere. If your boss says you were definitely in your own country at a certain time due to work activity while you were actually in a different country then your boss would unknowingly be lying. If they own the device then you can’t hide anything anyway; they probably have rights to remotely access the device so a VPN won’t really change anything.

And about timezone, this site gives a good example if you use a VPN set to a different timezone than your system. - IP leak test

With the caveat that I’ve been out of that game a while and would not hold myself out to be a true expert, sure. And also to be clear, when I was actually engaged in stuff where real opsec mattered, the game was a lot easier than it is today. I continue to be involved in cyber-adjacent stuff professionally, but I’d never try to run a play like this… I have a long term relationship with my employer and our goals are generally aligned. There would be zero benefits to me (I can pretty much go where I want, but I can’t take corporate devices with me due to export controls), and the risks would be enormous (I would get fired if not prosecuted).

If you really want to learn about opsec (in a broader sense), the most important lessons are about avoiding (or engineering) problematic situations so they don’t become problems.

The best way to hide your location from your employer while you’re traveling in a foreign country is to build a relationship with the people who are writing the policies, figure out why the policies exist, and then get exempted from them if necessary. The best solutions here are personal, not technical. Sure, there are irrational policies at any organization, but there are also ways to get around most of them if you put the time and effort in. Why does my group have a lot of exemptions to the security regulations at my organization? Because I’ve cultivated relationships with our line IT staff, the security and networking folks, and mid level ISO personnel. I don’t shoot off emails talking about how they don’t understand the organizational culture and suggesting that they “couldn’t tell their ass from a hole in the ground” (literal email that went out on the org. listserv). I help IT/security solve their problems (partially by not being one) and they help me solve mine, often without me asking.

I get that’s not always possible, but it is always preferable.

Mossad’s gonna Mossad, as we say.

Yeah, this sounds like a group that would be easy enough to influence given the time. Lots of missing context in terms of industry, issues, etc., but I can’t imagine given the details that it’s a super security oriented place. Any export control issues? It could always just be that Barney Fife read a new magazine on the toilet.

Ultimately, be as careful as you can and decide whether it’s ok to lose the job. You can always not travel, or you can quit. Maybe not the best to be fired for being abroad, but that’s not always the end of the world either. Depending on your skillset and employability, of course.

1 Like

I’d be tempted to hire you just to hear stories… :wink:

Yeah. Probably. But I don’t want to invest that time. I just joined, it’s a “full-remote” sort of place – which is one of the reasons I left my prior company – and I had actually mentioned that I spent a few weeks traveling and working from a different continent last year. They didn’t mention this policy until it came up in passing last week. I don’t have a ton of affinity toward them for this, and other reasons. No export control issues. They think they’re security oriented, but it’s mostly theatre. My first week there I found world-readable PII on 20,000 of our customers and reported it. Took 2 days for someone to respond, and then another day for the file to be taken down, and only after I suggested that they take it down while they investigate. So I’m not dealing with the NSA here. On the other hand, they send us fake phishing emails.

It doesn’t help that I came from what is probably the biggest private company target of nation-state and other actors, we had a security team in the thousands, including red- and orange-team and full-time “researchers”, and that company’s policies and security overhead were much more reasonable around foreign access and a bunch of other security things.

1 Like

Fortunately most of my stories are exceptionally boring, which is kind of what you want. Even the two that sound interesting at first - a large unauthorized data exfil of data (that we legally owned) from a subcontractor and firing a suspected foreign intelligence agent - are a lot less exciting than those quick descriptions might lead you to believe. Let’s just say neither of them are fit for even the small screen. And building on my point in the previous post, the best solutions would have been to avoid those problems altogether, which would actually have been pretty easy in both cases. In hindsight, of course. You live and learn.