So, my friend has a fully-remote job, but his employer only allows him to work within the state the company is based in. He is planning to move outside of that state, but isn’t prepared to quit his job yet.
To evade detection from IT, this friend wants to set up some sort of VPN tunnel to leave with a relative within the original state, to route the traffic from his work laptop (which is locked down via JAMF software) through. The family he’s leaving this setup with isn’t tech savvy, and wouldn’t be able to troubleshoot anything beyond power-cycling a device or plugging in an Ethernet cable.
What would he need to do to set up such a tunnel, ideally with remote access to adjust settings/troubleshoot, and how does he ensure that his work laptop never exposes an out-of-state IP to his employer?
Apologies, mods, if this post falls under Rule 3 for “professional” help.
What I would do is find a router that allows a VPN to be set up on it, like an ASUS AX6000 (quick search found it would support it, probably shop around to find something that’s quality). Then I would set it up to broadcast for the personal use and a separate wifi name like WORK WIFI and set a password on it that’s different than the rest of the wifi you broadcast for home use. Only connect to the work wifi with his work device and all the traffic will go through that VPN. He can get a cheap dedicated IP address for the state he needs from someone like Private Internet Access. They have deals like 3 years for $79 for their dedicated IPs (so less than $3 a month, not 79 a month). So really he can go cheaper if he thinks he only needs it for a year, and his IP would always stay the same in that state. You just want to make sure the router has a decent enough processor to ensure the VPN can work nicely. Hopefully someone will throw in a mention of one they have used.
Apparently they also have something called fusion that is just VPN split tunnels that you can prescribe to devices, so you could just reserve the IP for the work device and set that to a tunnel instead of broadcasting a separate SSID (wifi name) for it.