Working abroad with a portable router + local home VPN. Let's summarize the risks

Many employees have a contract that doesn’t allow them to work abroad. A possible approach is to set up a local VPN at home and travel with a portable router that forwards all the traffic to their home connection.

There are already many discussions about this approach, however, not many discussions about the risks of this approach. In this thread I would like to make a list of possible ways your employer can pinpoint your position and how likely/difficult it is for your IT department to do so. Let’s have a discussion about every aspect of it.

Here is a list that I will update. Please also discuss possible solutions to these problems.

  • GPS Data: Laptop could send Location Data to your employer.
    • SOLUTION: make sure you have GPS localization services disabled.
  • MFA app: they could simply enable GPS coordinates for conditional access on an MFA app like Microsoft Authenticator
    • SOLUTION: it doesn’t look easy. You should enlist someone in your home country to respond to such requests on a mobile device. At any time of the day, possibly several times a day. Assuming this isn’t an enterprise-only device.
  • BSSID: They may have other endpoint management software installed that can see what wifi networks you are near and do geolocation on the wifi BSSIDs.
    • SOLUTION: If you use a dedicated box that provides you with the VPN you could use cable, keeping WIFI disabled.
  • Latency variation: the variation in latency and MTU size could be a hint that would raise suspicions, however it doesn’t constitute a real proof.
    • SOLUTION: start out with an artificial higher latency before the move.
  • They could directly ask you to prove your location somehow. (e.g. sending a GPS signal or through video-call)
    • SOLUTION: ?
  • …?

For EU Workers who may wonder whether GDPR allows your employer to track you:

They can trace you, it does not violate any GDPR compliance rules in most cases. The company just needs to outline the policy of what they collect, how it’s collected and why it’s collected. So if a company has a policy that employees cannot work outside the country for more than 10 days, that is a requirement for collecting the location info.

Source

Of course there will be always a way for your employer to catch you. The goal of this post is to make a list of ways he can do it so that you can make a cost/benefit analysis and see if it is convenient for you to do so.

I can imagine, for example, that many companies wouldn’t put too much effort into this. Your job is to figure out: “How much effort should your company put in to do this” and “How much effort does it actually put in”.

I didn’t use a VPN during early 2021 travels, and after about a month got a warning from IT and a talking to from my manager.

Came home, shifted to VPN/router and went back to the same travel patterns. No warnings or talking-to yet.

Either way, be ready to be fired no matter what

The risk I can’t stop thinking about is just plain old laptop theft to be honest. How do you explain that one without a local police report?

GPS Data: Laptop could send Location Data to your employer.
SOLUTION: make sure you have GPS localization services disabled.

Or sit in a faraday cage

For EU Workers who may wonder whether GDPR allows your employer to track you:

GDPR allows a lot of shit as long as it is “legitimate interest”, which means it comes down to court per individual case.

BSSID: They may have other endpoint management software installed that can see what wifi networks you are near and do geolocation on the wifi BSSIDs.
SOLUTION: ?

If you use a dedicated box that provides you with the VPN you could use cable, or with WIFI let it rotate BSSIDs randomly?

…?

They could directly ask you to prove your location somehow?

They could look at packet size and wonder why your MTU is so low / ask why you use (another) VPN.

They could wonder about your latency and guess a different geographic location.

Btw how do you handle changing video backgrounds and shitty upload at home?

not many discussions about the risks of this approach

The risk is you get terminated if found out. Worse, they could pursue you for damages if they feel that your fraud caused them to breach a contract (e.g. about only allowing people of a given nationality or geographical area to get access to information).

As others have said, this is way too easy to detect.

The biggest challenge is latency. Especially during things like screenshare, there can be a bit of a delay. My explanation is always going to be that my home router encrypts all my traffic using a VPN, so there might be some latency.

The other scenario is that IT support was trying to transfer a piece of software to my computer; obviously it's going to take a bit longer than normal.

MFA is solved by having a dedicated cell with your home country's phone number. Mobile data off. Airplane mode on. It only connects to the VPN.

Work from where you’re staying, and you greatly minimize the risk of exposing yourself. As you don’t have to set up your client router every single time.

This is not a complete list, they could simply enable GPS coordinates for conditional access on an MFA app like Microsoft Authenticator.

Is it foolproof? Not necessarily, but it will make it very hard for you. You’d need to enlist someone in your home country to respond to those prompts on a mobile device. At any time of day, possibly multiple times per day. Likely while you sit in a different time zone.

That is if you’re allowed to use a personal device for Microsoft Authenticator. If it’s corporate devices only you’d be very screwed, unless you go to absurd lengths.

Your MFA app could give you away easily, based on source IP or GPS.

Don’t forget to activate a router VPN killswitch (disconnects if VPN is not available)

Bonus: Have a backup VPN service (e.g. Mullvad VPN) set for your country, besides your home VPN.

Or you could 1) be honest with your employer and try to work a remote work contract adjustment 2) find a new job.

Live honestly. You don’t want the stress of being one mistake away from being caught. Once you get caught, and you will get caught, you’ll lose your job and reputation. Only one of those is easy to fix.

I’d just leave the work computer home or at a relatives place and access it over the internet using an IP KVM like PiKVM or similar (https://www.kickstarter.com/projects/mdevaev/pikvm-v4). No matter what, your computer will appear to be at home.

what do you do on the laptop for work? is it a VDI or VPN or just regular internet?

is it a personal or work laptop? what software installed?

Downvoted. I’d rather have employers trust remote workers when they agree to terms or else opportunities for the non lying fraudsters go away. Companies have legal and financial consequences to what you are doing and that affects the rest of us. Find a job with terms you can actually agree to.

I could build some simple software that pulls log entries from the time an employee is using a company laptop or company software, then guesses what time zone the employee is most likely in based on those trends over any 2 or 3 week period. It is very unlikely, for instance, that an employee is routinely getting a lot of work done at 2 AM but is very inactive at 2 PM (local to the employer).

Edit for clarification: This scenario is mainly to demonstrate that you might be giving off more information than you think without even knowing it, rather than demonstrating a common real-life scenario; the point being, if you care about keeping your job, and perhaps more importantly, not violating various regional laws regarding the storing and processing of confidential data, don’t do this.
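The heuristic described in the comment above, sketched as an added example (not code from the thread or from any commenter). It assumes activity timestamps already converted to employer-local time and a 09:00 to 17:00 working window; the function names, thresholds and the log are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

WORK_HOURS = range(9, 17)  # assumed working window, 09:00-16:59 local to the worker

def estimate_offset(timestamps, min_events=50):
    """Return (offset_hours, share): the shift from employer-local time that puts
    the largest share of events inside WORK_HOURS. (None, 0.0) if too little data."""
    counts = Counter(ts.hour for ts in timestamps)
    total = sum(counts.values())
    if total < min_events:
        return None, 0.0
    best_offset, best_share = 0, -1.0
    # Try the smallest shifts first so that ties resolve to "no anomaly".
    for offset in sorted(range(-11, 13), key=abs):
        # Worker-local hour h corresponds to employer-local hour (h - offset).
        inside = sum(counts.get((h - offset) % 24, 0) for h in WORK_HOURS)
        if inside / total > best_share:
            best_offset, best_share = offset, inside / total
    return best_offset, best_share

def needs_review(timestamps, tolerance=2, min_share=0.7):
    """True when activity clusters tightly in a window shifted by more than
    `tolerance` hours. This is a lead for a human to review, not proof of
    location: night shifts and flexible schedules look the same."""
    offset, share = estimate_offset(timestamps)
    return offset is not None and abs(offset) > tolerance and share >= min_share

def constructed_log(shift_hours, days=21):
    """Constructed sample: two events per working hour on weekdays plus one
    evening event, for a worker whose clock is shift_hours ahead of the employer."""
    start = datetime(2024, 3, 4)  # a Monday
    events = []
    for d in range(days):
        day = start + timedelta(days=d)
        if day.weekday() >= 5:
            continue
        for h in WORK_HOURS:
            for m in (5, 35):
                events.append(day + timedelta(hours=h - shift_hours, minutes=m))
        events.append(day + timedelta(hours=21 - shift_hours))
    return events

if __name__ == "__main__":
    for shift in (0, 7):
        log = constructed_log(shift)
        print(shift, estimate_offset(log), needs_review(log))
```

The `min_events` floor and the `min_share` threshold keep sparse or evenly spread activity from producing a confident-looking offset.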

There are already many discussions about this approach, however, not many discussions about the risks of this approach. In this thread I would like to make a list of possible ways your employer can pinpoint your position and how likely/difficult it is for your IT department to do so.

Simply put: If I was in charge of preventing this, catching the employees that still did it, you’d get caught.

No ifs or buts. I would catch you. (Gen X nerd here.)

You can NOT add distance and processing and simply hide it.

Given enough time to prepare, and knowledge about what’s going on on the inside, I would be very hard to catch; but, once again, if I was on the inside of that business I would still get caught. :laughing:

There are no foolproof ways of generically just solving that the fundamental laws of physics come into (measurable) play at these distances.

You all put way too much thought into this shit. This sub has become more of an IT sub.

As someone who used to manage a couple thousand employees on VERY popular MDM… I’m just going to sip my Nitro Cold Brew and smile.

If you have to use multi-factor authentication, you could be required to use an app, e.g. Microsoft Authenticator, or SMS; it might be harder to control your location leaking.

I just schedule random meetings with my employees.

“Joe, good news. We’re having a company get-together next week. I’ve booked a white water rafting adventure for us in Colorado. I’ll book your plane tickets and hotel room…”