In terms of Zscaler, you’d connect to the Mexico DC, unless your company uses a sub cloud and only allows US DCs.
Sorry but how would Zscaler know to use a Mexico DC if your Wireguard client has created a full tunnel for your traffic using the server at home in the U.S.? Are you saying Zscaler forces his traffic outside of his Wireguard full tunnel?
The DDNS setup should be trivial; that runs on the router at home. Normally DDNS just works, even if the router is behind an ISP modem/router (say an AT&T device). Once set up, try to ping it from a PC to confirm it’s reachable.
For example mine is:
ping -c1 me.asuscomm.com
PING me.asuscomm.com (...) 56(84) bytes of data.
64 bytes from passthrough.attlocal.net (...): icmp_seq=1 ttl=64 time=0.344 ms
--- me.asuscomm.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.344/0.344/0.344/0.000 ms
In order for DDNS to work you need to have an IP. Some ISP servers (some in MX, for example) don’t provide an IP. Try a site like: https://whatismyipaddress.com/ while connected to the wifi from your PC to confirm you are able to get an IP which you can then ping. You’ll need that to work in order for DDNS to work. In the MX example I ended up switching to another house which had a different ISP provider.
Hi, I’m Vetted AI Bot! I researched the ‘GL.iNet GL AXT1800 Slate AX Pocket Sized Wi Fi 6 Gigabit Travel Router’ and I thought you might find the following analysis helpful.
Users liked:
Easy setup and configuration (backed by 3 comments)
Great performance and stability (backed by 2 comments)
Portable and lightweight design (backed by 2 comments)
Users disliked:
Flimsy toggle switch prone to malfunction (backed by 1 comment)
Web interface accepts long passwords causing login issues (backed by 1 comment)
Unreliable 5 GHz network with frequent downtime (backed by 1 comment)
Based on what I’ve read so far, I’m thinking of the Slate AX as the server (that stays home) and the Beryl as the client (that I travel with). My only concern is whether Zscaler will still detect the IP of my physical location or use my home’s IP. Do you mind giving your opinion or thoughts on it? Thank you.
In terms of Zscaler, they would connect to the closest DC in Mexico. Depending on how their company has ZIA/ZPA configured, the wireguard VPN may not work at all, might bypass ZIA/ZPA, or it might go through ZIA/ZPA.
Even if the company allowed him to spin up a full tunnel VPN, ZCC would still connect to the closest DC, which would be Mexico. And then none of the other traffic would go through ZIA/ZPA, which would mean that many of the apps may not work.
The VPN server setup can be a bit trickier. If the home router is strong (like the asus above) you can ask the ISP to configure their modem/router as a bridge and forward everything to your router. Then it’ll be straightforward.
If that’s not possible, then you’ll need to configure the ISP router to forward the port that the VPN server is configured to use. In order to do this you need to access the menu of the ISP provided router/modem, which I can’t document in a generic fashion since it varies a lot. You basically want to look for a “port forwarding” or “NAT” kinda menu.
Once the ports are set up the router normally has a section to create a server and a configuration file. Once that’s done, it’ll allow exporting the client config file. Often the client config file will include the current IP of your house/server hard coded in there. That won’t work, since home IPs are typically dynamic. At least in Uruguay. If home IPs are static here then ddns isn’t needed, but shouldn’t hurt either.
Assuming home IPs are dynamic, edit the wireguard config to change this section:
[Peer]
PublicKey = ...
AllowedIPs = ...
Endpoint = <static IP or host>:<port>
PersistentKeepalive = ...
That should be fine. Internet will be accessed through the server router at your home, so the IP will be what you need. Just make sure you have the killswitch enabled: a config on the travel router to only allow traffic _iff_ the VPN is working, and only through the VPN.
You can play with this by giving internet to the travel router using your phone’s hotspot / usb ethernet, or by going to a coffee shop nearby. Ensure the PC, connected to the travel router, gets the same public IP (https://www.whatsmyip.org/) you normally get in your house. If that works, then it should work if out of the country also.
Make sure to be careful if your PC has saved wifi networks from random places. Say you worked in the past from a place in Nicaragua where the surf is amazing and you go again. Your laptop may choose to connect to that wifi instead of your travel router. If you don’t notice in time, you’re game over. A safe way is to just disable wifi and use a wired connection to the travel router (it’s annoying but safe).
You’re not explaining how Zscaler knows to use a DC in Mexico. I’ve never heard anyone have an issue running Wireguard over top of Zscaler. When properly configured, it is a full tunnel and so OP’s traffic would not give away location via IP or DNS leakage. And it’s probably safe to assume the laptop does not have a GPS chip as that’s a very niche thing still. And we also assume OP is connecting via Ethernet to the travel router with Wi-Fi off to prevent BSSID geolocation. If you’re claiming that Zscaler blocks Wireguard port 51820, then anyone can change this server port to something different and have the full tunnel again.
VPN client
Import the config file into the client. This can be tested while you are still at home; it doesn’t matter if the routers are on the same network as long as you’re using the DDNS host to reach it.
Make sure to configure the “internet kill switch”, or “no traffic outside of VPN” option. That way if the VPN connection fails for some reason your PC will never access the internet through the wrong place.
The VPN client configuration file is fairly sensitive to spaces etc. When importing, sometimes a router will accept the file; other routers want field-by-field input. Double check that the raw config file matches what was imported.
You can give the travel router internet via multiple sources:
Use an ethernet cable to the local router.
Connect your phone to wifi (say a complicated wifi that needs login), and then enable USB tethering. Connect a USB cable from your phone to the travel router.
Connect as a repeater to another wifi. This can cause issues sometimes if different versions of wifi are used (ax, etc).
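A small checker for the client config file, written as an added example for this thread (not code from the post, GL.iNet or the WireGuard project). It covers the two points above: the exported `[Peer]` Endpoint should carry the DDNS hostname rather than the hard-coded home IP, and the raw file should be sanity-checked before it is imported field by field. It also covers the DDNS "ISP doesn’t provide an IP" case from earlier in the thread: a literal Endpoint address in a private or carrier-grade NAT range (100.64.0.0/10, RFC 6598; that range is my assumption about what such ISPs hand out) cannot be reached from the internet at all. The sample config, its placeholder keys and the hostname `me.example.net` are constructed.

```python
"""Validate a wg-quick style WireGuard client config before importing it."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Address ranges that can never be reached from the public internet.
# Constructed table; the labels name the RFCs that define each range.
NON_PUBLIC_V4 = {
    "private (RFC 1918)": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "cgnat (RFC 6598)": ("100.64.0.0/10",),
    "loopback": ("127.0.0.0/8",),
    "link-local": ("169.254.0.0/16",),
}

# Constructed sample config; the keys are placeholders, not real key material.
# The Endpoint is a hard-coded address, as routers typically export it.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.8.0.2/32
DNS = 10.8.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""


def parse_wg_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like WireGuard format into {section: {key: value}}.

    Only the first '=' separates key from value, so base64 keys that end in
    '=' padding survive intact. '#' starts a comment. Later duplicates win.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' or '[v6addr]:port' into (host, port); port must be 1..65535."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"Endpoint needs a host and a numeric port: {endpoint!r}")
    return host.strip("[]"), int(port)


def classify_host(host: str) -> str:
    """'hostname' for a DNS name; otherwise the range a literal address falls in."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.version == 4:
        for label, nets in NON_PUBLIC_V4.items():
            if any(ip in ipaddress.ip_network(n) for n in nets):
                return label
        return "public"
    return "public" if ip.is_global else "non-public"


def check_client_config(text: str) -> Dict[str, object]:
    """Return {'full_tunnel': bool, 'endpoint_kind': str, 'findings': [...]}."""
    cfg = parse_wg_config(text)
    findings: List[str] = []
    peer = cfg.get("Peer", {})
    for key in ("PublicKey", "AllowedIPs", "Endpoint"):
        if key not in peer:
            findings.append(f"[Peer] is missing {key}")
    if "PrivateKey" not in cfg.get("Interface", {}):
        findings.append("[Interface] is missing PrivateKey")

    # Full tunnel means every destination is routed to the peer.
    allowed = {a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()}
    full_tunnel = "0.0.0.0/0" in allowed
    if not full_tunnel:
        findings.append("AllowedIPs lacks 0.0.0.0/0, so this is a split tunnel")
    elif "::/0" not in allowed:
        findings.append("AllowedIPs covers IPv4 only; without ::/0, IPv6 traffic bypasses the tunnel")

    endpoint_kind = "missing"
    if "Endpoint" in peer:
        try:
            host, _port = split_endpoint(peer["Endpoint"])
            endpoint_kind = classify_host(host)
        except ValueError as exc:
            findings.append(str(exc))
        if endpoint_kind == "public":
            findings.append("Endpoint is a hard-coded IP; use the DDNS hostname so an address change does not break it")
        elif endpoint_kind not in ("hostname", "missing"):
            findings.append(f"Endpoint is a {endpoint_kind} address and cannot be reached from the internet")

    keepalive = peer.get("PersistentKeepalive")
    if keepalive is not None and not keepalive.isdigit():
        findings.append(f"PersistentKeepalive must be a number of seconds, got {keepalive!r}")
    return {"full_tunnel": full_tunnel, "endpoint_kind": endpoint_kind, "findings": findings}


def set_endpoint_host(text: str, new_host: str) -> str:
    """Rewrite the Endpoint host (keeping the port), e.g. to swap in the DDNS name."""
    return re.sub(r"(?m)^(\s*Endpoint\s*=\s*)\S+:(\d+)",
                  lambda m: f"{m.group(1)}{new_host}:{m.group(2)}", text)
```

Run `check_client_config` on the exported file first; the sample above reports the hard-coded Endpoint, and `set_endpoint_host(SAMPLE_CONFIG, "me.example.net")` produces a config with no findings. The same check flags a `100.64.x.x` or `192.168.x.x` Endpoint as unreachable, which is the symptom to look for when DDNS "doesn’t work" on an ISP that gives the router no public address.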
> You’re not explaining how Zscaler knows to use a DC in Mexico
The Zscaler client reaches out to the closest DC based on a few factors, but (like most NetSec solutions) is not going to be fooled by a VPN. Zscaler will determine that the device is in Mexico and ZCC will reach out and make that connection, even if the company were to allow Wireguard to take the full tunnel traffic. ZCC can be deployed a few different ways, but most commonly it will be at the LWF level, or route based. So the decisions would come before traffic got routed over the VPN.
> I’ve never heard anyone have an issue running Wireguard over top of Zscaler.
I don’t think anyone is saying it isn’t possible, just that the company can still see that the OP is in Mexico, and that using a consumer VPN on his corporate asset is likely not allowed. Also, working in Mexico is not allowed without a proper visa, and the company would have to pay taxes for the work performed there as well… but that’s obviously not a technical issue, but that’s why companies care about this sort of thing. So they don’t end up getting sued by the government for tax violations.
> …not give away location via IP or DNS leakage. And it’s probably safe to assume the laptop does not have a GPS chip as that’s a very niche thing still. And we also assume OP is connecting via Ethernet to the travel router with Wi-Fi off to prevent BSSID geolocation. If you’re claiming that Zscaler blocks Wireguard port 51820, then anyone can change this server port to something different and have the full tunnel again.
Zscaler has nothing to do with anything on the endpoint. We have extremely limited visibility or control over the endpoint, it’s a network security platform.
Tips to avoid getting caught
The VPN will make your computer think it’s accessing the internet through your house, but there are other things you could do to expose yourself accidentally. Here are some tips from stuff that I’ve run into:
If you update your PC time zone, certain apps will update too, for example Slack. Having Slack expose your new time zone (when people message you and it’s late/early, it warns them) could make people suspicious.
Lighting conditions. Try artificial lighting to avoid attention to “it’s sunny at night?” kinda thing.
Use a fixed virtual background always. That’ll avoid questions when you move around.
Make sure you have the internet killswitch on the client, see the “VPN client” section.
Your PC may remember some wifi networks from places you’ve been before. That is a risk, since it could connect to a wifi in your parents’ house in another country instead of to the travel router, and that would expose you. A safe way to go about this is to disable wifi and only use a wired connection to the travel router. Else, just be careful.
Troubleshooting
Start by making sure you can reach your home using the DDNS address; see the end of the “DDNS” section.
Check if you can reach the VPN server port. You can do that on Linux via `nc -z -v <hostname> <port>`.
Try running the VPN client on different hardware (mobile, PC, travel router). If there’s a big software mismatch between the VPN server/client versions
VPN client configuration imported wrong; see the “VPN client” section above.
Slow speed: The fewer wireless links, the better speed you’ll get. If speed is an issue, try to wire everything (cable PC to travel router, cable travel router to internet source) to get a “best case” baseline, then decide where to compromise. You should always have the server wired; that’s a one-time setup and you should have control over it. Test out the best case at home. If that’s still not good enough (while wired), consider upgrading your internet connection.
> Zscaler will determine that the device is in Mexico and ZCC will reach out and make that connection, even if the company were to allow Wireguard to take the full tunnel traffic. ZCC can be deployed a few different ways, but most commonly it will be at the LWF level, or route based. So the decisions would come before traffic got routed over the VPN.
You’ve avoided the question again. The traffic is fully tunneled by Wireguard and then goes through the Zscaler cloud. Unless you have DNS leakage, Zscaler is not seeing your location. I don’t know where you’re getting your information, but I know a guy who works in the hotel IT industry and has many clients using Zscaler + Wireguard successfully to hide their location.
> I don’t think anyone is saying it isn’t possible, just that the company can still see that the OP is in Mexico, and that using a consumer VPN on his corporate asset is likely not allowed.
Again, Wireguard is not a consumer VPN. It is a VPN protocol, which a user may use to run their own VPN server on their own personal network.
> Also, working in Mexico is not allowed without a proper visa, and the company would have to pay taxes for the work performed there as well… but that’s obviously not a technical issue, but that’s why companies care about this sort of thing. So they don’t end up getting sued by the government for tax violations.
That’s silly. So many people go to Mexico for tourism for a few weeks. No difference really if they decide to work a little bit or not. We’ll have to agree to disagree on that one, but I assure you the government is not suing any digital nomads. They probably know it’s boosting their local economies, but I digress.
> You’ve avoided the question again. The traffic is fully tunneled by Wireguard and then goes through the Zscaler cloud. Unless you have DNS leakage, Zscaler is not seeing your location. I don’t know where you’re getting your information, but I know a guy who works in the hotel IT industry and has many clients using Zscaler + Wireguard successfully to hide their location.
Zscaler isn’t using DNS to determine location. It doesn’t matter where it egresses; it’s going to use the actual location. I worked for Zscaler and several NetSec companies, and now have my own company deploying these types of solutions for large enterprise. I’ve worked with the 3 largest hotel chains, along with the largest enterprises in the world, deploying ZS, Netskope, PAN, et cetera. As I’ve said, it’s entirely possible to use a VPN with Zscaler; it just depends on how their company has set it up. Some may allow it, some may not. ZCC is making decisions at the LWF level, before it would go down the VPN tunnel. The traffic behavior completely depends on the config, and the OP didn’t share any of that, which is why we’re all saying it depends.
> That’s silly. So many people go to Mexico for tourism for a few weeks. No difference really if they decide to work a little bit or not. We’ll have to agree to disagree on that one, but I assure you the government is not suing any digital nomads. They probably know it’s boosting their local economies, but I digress.
That’s not silly, and countries like Mexico and Thailand are spending millions to catch and deport people working illegally. It destroys local economies, and robs local governments of the tax revenue that they should be getting. It’s also a violation of your terms of entry. If you visit Mexico as a tourist, you are not allowed to work. If you want to work, the income you make while in Mexico will be taxed, and you need to apply for a work visa. This is why OP’s company forbids it, because it’s illegal and they could be open to sanctions or tax implications if OP is caught.
It doesn’t matter if your egress IP is a Zscaler data center. All that matters is that the traffic up to that point has been tunneled by the Wireguard server and uses that home server’s IP. If all the traffic has indeed been tunneled by the Wireguard server, then the data center will be chosen as the same one it always is as if OP was working from home.
And if Zscaler/Cisco Umbrella does manage to force your traffic (e.g. DNS), then it’s merely a matter of blocking the data center DNS and proxy IP addresses. On Cisco Umbrella, for example, you will force it into its “open state” operation, where it will still function but ignore trying to use its own DNS servers.
> That’s not silly, and countries like Mexico and Thailand are spending millions to catch and deport people working illegally. It destroys local economies, and robs local governments of the tax revenue that they should be getting. It’s also a violation of your terms of entry. If you visit Mexico as a tourist, you are not allowed to work. If you want to work, the income you make while in Mexico will be taxed, and you need to apply for a work visa. This is why OP’s company forbids it, because it’s illegal and they could be open to sanctions or tax implications if OP is caught.
Actually, most countries explicitly disallow working in their country for a job that’s located inside their country and taking money from within. It’s a very blurry line for people working abroad. I assure you tourism is not robbing local governments of money. I’ve traveled all over the world with my company, including countries without tax treaty agreements. If it’s less than 90 days, in most cases it’s completely fine without issue.
Cisco Umbrella is DNS security mostly, I’m not sure how that would be anywhere similar to Zscaler. Zscaler is essentially a NGFW in the cloud or a ZTE in the cloud. There are some DNS security features, but that would happen after the traffic gets to Zscaler, not on the endpoint. ZCC would need to identify a Zscaler DC before any traffic is forwarded. For a windows device, this happens at the LWF level, before any traffic is sent anywhere.
You absolutely can block traffic to Zscaler DCs, but then they won’t be able to get to the apps that require Zscaler to get to. Many organizations will only allow traffic to their O365, Salesforce, SNOW, et cetera through Zscaler, so even if the company allows you to tunnel traffic through a VPN and you block connections to Zscaler DCs, then you won’t be able to work anyways.
Again, there are lots of ways for a variety of VPNs to work with Zscaler. There are lots of Zscaler customers that run VPNs, sometimes multiple VPNs. The issue is that the company will still be able to see where you are coming from if they really want, and doing things like this is illegal and puts the company and the user at risk of sanctions, fines, deportation, et cetera.