So, my friend has a fully-remote job, but his employer only allows him to work within the state the company is based in. He is planning to move outside of that state, but isn’t prepared to quit his job yet.
To evade detection from IT, this friend wants to set up some sort of VPN tunnel to leave with a relative within the original state, to route the traffic from his work laptop (which is locked down via JAMF software) through. The family he’s leaving this setup with isn’t tech savvy, and wouldn’t be able to troubleshoot anything beyond power-cycling a device or plugging in an Ethernet cable.
What would he need to do to set up such a tunnel, ideally with remote access to adjust settings/troubleshoot, and how does he ensure that his work laptop never exposes an out-of-state IP to his employer?
Apologies, mods, if this post falls under Rule 3 for “professional” help.
The company’s rule isn’t arbitrary; it’s due to state income taxes being paid based on where the employee actually works, not where the company is located. It’s payroll, not IT, who are going to be coming after your friend, because the state tax collectors are going to be coming after everybody when your friend’s lie causes them to not file the taxes correctly.
TL;DR this is tax fraud.
I think you are trying to solve a legal issue using a technological solution. The issue isn’t where his connections are coming from, the issue is where he’s a resident. It’s probably related to taxes or some other legal thing.
No matter what sort of technology you apply, you ain’t solving the legal issue.
It is 100% related to his company’s income tax footprint. If they have an employee in a state, they almost always have to file corporate income taxes in that state.
If they don’t have an employee there, they may have very good and legal reasons to not file there.
The issue is, as someone who’s not exposed to corporate taxes and works on the company’s tax returns, you have no idea just how much of an issue this can be. Say your salary is $100,000; you think what’s the issue, I only cost the company that much… Your dumb ass just moves into a state where your employer said you can’t work there. All of a sudden, the company owes $1+ million in taxes they weren’t on the hook for before because they have to file a combined unitary tax return. You didn’t bring just your stupid ass into the state, you brought 20 other companies into the state.
Go ahead and absolutely move. When your corporate tax department finds out, your ass will get canned.
First, this approach is going to fail at some point. Depending on how far away it is, that could be a major issue. It also makes some very bold assumptions about connection speed and latency that are probably not true.
Second, IP doesn’t reliably show location. My cable ISP is typically geolocated to Chicago, despite it being 2 states away. Same for T-Mobile connections.
Third, it’s incredibly unlikely that the employer is going to be looking at IP addresses to determine location. Even if they wanted to use tech for this purpose, they would use location services/GPS/etc. Which a VPN won’t conceal.
Fourth, changing the physical mailing address on file would be a bigger flag. But presumably he’ll list that family’s address, which could create other implications.
If it was me I would purchase two GL.iNet routers. Their super easy GUI can set up VPN servers and Tailscale. Can also use LuCI for OpenWrt. All my routers are this brand. I use them for Tailscale but I know the VPN server exists for both OpenVPN and WireGuard. Very plug and play, and if they installed Tailscale they could easily troubleshoot out of state as long as there’s power and internet.
Hmm, not sure if this will help, but I bought an Asus router a couple years ago and discovered last year it had this functionality built in. Really easy to set up on the router; installed the OpenVPN client on phone and laptop and now I have access to my home network.
Works pretty flawlessly for me, but I should mention that Asus has had some security issues in the past, though they did release updates pretty quickly.
I’d just set up a Tailscale exit node at the old address. That can run even on an Apple TV device, even when it’s off. And a Tailscale subnet router at the new address. The docs on it are pretty informative so it shouldn’t be a hassle. I’ve done something similar in the past; let me know if you need further help.
Tailscale is by far the easiest way. Zerotier works as well.
What I would do is find a router that allows a VPN to be set up on it like an ASUS AX6000 (quick search found it would support it; probably shop around to find something that’s quality). Then I would set it up to broadcast for the personal use and a separate wifi name like WORK WIFI and set a password on it that’s different than the rest of the wifi you broadcast for home use. Only connect to the work wifi with his work device and all the traffic will go through that VPN. He can get a cheap dedicated IP address for the state he needs from someone like Private Internet Access. They have deals like 3 years for $79 for their dedicated IPs (so less than $3 a month, not $79 a month), so really he can go cheaper if he thinks he only needs it for a year, and his IP would always stay the same in that state. You just want to make sure the router has a decent enough processor to ensure the VPN can work nicely. Hopefully someone will throw in a mention of one they have used.
Apparently they also have something called fusion that is just VPN split tunnels that you can proscribe to devices, so you could just reserve the IP for the work device and set that to a tunnel instead of broadcasting a separate SSID (wifi name) for it.
Raspberry Pi with PiVPN. Put it right next to the router. Can possibly be powered by the router’s USB port as well. Connect with SSH to administer. Easy as pie.
For always staying on the VPN: get a pfSense router and configure it to always connect to the VPN and route all traffic through it.
Oracle cloud free tier?