I travel and sometimes work from abroad - without my employer’s permission. I work for a large corp so I have to be careful to not get caught. Here’s how I do it.
High Level Diagram
Strategies
Colleagues & Social Media
No matter how much you trust your colleagues, if you have any of them on your social media, don’t post anything that could indicate you’re not in your home country. This is a dumb way to get caught.
You should prepare cover stories and lie about any absences.
Travel Destinations
You will need a good internet connection to work from abroad. Expect the VPN to halve your internet speed.
For example, if you go to Tunisia where the average speed is 7.46 Mb/s, you’ll likely get 3.73 Mb/s which is 0.46 MB/s - you will struggle.
Whereas on the European mainland in Spain the average speed is 89.59 Mb/s and half of that is 44.7 Mb/s which is 5.59 MB/s - a lot more comfortable but maybe not for internet-intensive workloads.
Source for internet speeds: https://www.visualcapitalist.com/mapped-the-fastest-and-slowest-internet-speeds-in-the-world/
Lastly, note that VPNs are illegal in some countries: https://protonvpn.com/blog/are-vpns-illegal
Hardware VPN
This is one of the key parts of staying undetected. A hardware VPN is a dedicated device (for example a travel router) that you connect your laptop to using an Ethernet cable. The device should support WireGuard for highest throughput.
Your laptop will not know that it’s connected to a VPN because this is done on the hardware VPN exclusively. This is also why you don’t want to install a VPN client directly on your laptop because it would be immediately detected.
Laptop
Your work laptop (or any computer) has to have Wi-Fi, Bluetooth and location turned off. Forget all Wi-Fi networks.
Never enable Wi-Fi (even if you don’t connect to anything) because location services use nearby Wi-Fi SSIDs to find your location.
Never enable Bluetooth, for a similar reason to the one given for Wi-Fi.
Never enable location, for obvious reasons.
Phone
No work-related apps should be on your personal phone. Opening Teams on your phone whilst on a beach in Guadeloupe is the fastest way to get caught.
Enable call barring or international call barring. If someone calls you and your phone is abroad, you’ll probably have a different dial tone (the beeps you hear when you call someone) to what you would have at home and this could lead to suspicion if someone calls you from work. You could also disable your home SIM if you’re using a local one.
Work Phone
You don’t know what kind of tracking and policies this phone has so taking it with you abroad is dangerous.
If you really need it, try enabling airplane mode and connecting it to your hardware VPN using a USB-to-Ethernet adapter. (I’ve never tried this)
2FA
My employer uses a popular and well-known 2FA provider, and we’re required to set it up on a device such as a phone or a tablet using the provider’s app. This introduces a problem because if you’re online abroad and you open the app, it will log your IP and see you’re in a different country. (This is how I got partially caught - see below.)
You want offline methods of 2FA like:
- SMS
  - Slight risk if the provider’s SMS service sends back your location but I don’t know if it would. I used this a handful of times and never got caught.
- TOTP (Time-Based One-Time Password) (the six-digit codes)
  - Consider a dedicated separate tablet/phone for this with airplane mode turned on (Wi-Fi, Bluetooth, location, NFC all off). Never turn airplane mode off.
  - Make sure your time zone and time are synced to your home location.
  - If you use a phone that is going to be online: enable airplane mode, open the app, get the code, close the app, disable airplane mode. Make absolutely sure the app is not running in the background.
- WebAuthn/FIDO Key (most convenient)
  - Plug it into your laptop and go to your 2FA provider to set it up. Use it everywhere where 2FA is required.
Configure at least 2 of these so you have a backup in case you lose your phone or your FIDO key.
Avoid push-based 2FA at all costs.
How I got partially caught
I was working from Porto in Portugal when I was prompted for 2FA. Without thinking, I opened the 2FA app on my phone and clicked the push-based prompt to confirm. Within 30 minutes I received an email from our cyber security team asking why I’m on AirVPN.
The email they sent was preceded by the automated alert they received from our 2FA provider that noticed my laptop’s IP was on a commercial VPN (AirVPN) and my 2FA device was in Portugal. I’m not sure how they didn’t pick up on the latter, and they left me alone when I lied about my VPN use.
I was lucky not to get reported.
What I learnt: Avoid commercial VPNs, online 2FA methods and be mindful of your habits.
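The alert described above combined two signals from one 2FA event: the access device's IP sat in a commercial VPN range, and the device approving the push was in a different country. The sketch below shows that correlation as detection logic; it is an added example, not the 2FA provider's or the author's code, and the event fields, enrichment table, home country (`GB`) and all IP addresses are constructed assumptions.

```python
import ipaddress

# Constructed enrichment table using documentation-range networks. A real
# deployment would use a GeoIP database and a VPN-provider feed instead.
IP_INTEL = [
    (ipaddress.ip_network("192.0.2.0/24"), {"country": "NL", "commercial_vpn": True}),
    (ipaddress.ip_network("198.51.100.0/24"), {"country": "PT", "commercial_vpn": False}),
    (ipaddress.ip_network("203.0.113.0/24"), {"country": "GB", "commercial_vpn": False}),
]

EVENTS = [  # constructed sample 2FA events
    {"user": "alice", "factor": "push", "access_ip": "192.0.2.10", "auth_device_ip": "198.51.100.7"},
    {"user": "bob", "factor": "push", "access_ip": "203.0.113.5", "auth_device_ip": "203.0.113.77"},
    {"user": "carol", "factor": "totp", "access_ip": "192.0.2.44", "auth_device_ip": None},
]

def enrich(ip):
    """Look up country and commercial-VPN flag for an IP address."""
    addr = ipaddress.ip_address(ip)
    for net, info in IP_INTEL:
        if addr in net:
            return info
    return {"country": None, "commercial_vpn": False}

def evaluate(event, home_country):
    """Return the list of findings for one 2FA authentication event."""
    findings = []
    access = enrich(event["access_ip"])
    if access["commercial_vpn"]:
        findings.append("access_ip_commercial_vpn")
    auth_ip = event.get("auth_device_ip")
    if auth_ip is None:
        # Factors without app telemetry give no second IP to compare, so
        # only the access-IP check applies to them.
        return findings
    auth = enrich(auth_ip)
    if auth["country"] and access["country"] and auth["country"] != access["country"]:
        findings.append("access_and_auth_device_country_mismatch")
    if auth["country"] and auth["country"] != home_country:
        findings.append("auth_device_outside_home_country")
    return findings

def triage(events, home_country="GB"):
    """Map each user to the findings raised by their event."""
    return {e["user"]: evaluate(e, home_country) for e in events}

if __name__ == "__main__":
    for user, findings in triage(EVENTS).items():
        print(user, findings or "clean")
```

Treating the two country findings as separate signals lets an analyst see that a VPN explanation alone does not account for where the approving device was.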
Other
- Avoid Bluetooth peripherals. Use a wired keyboard, mouse and headset or get ones with dongles.
- Consider your home and destination time zones and don’t slip up when talking about times. Don’t let daylight saving times trip you up. Helpful tool: https://whena.re
- If using video in your meetings, consider what’s in your background and get in the habit of using a blur or fake background before you leave.
  - Match the lighting conditions that you would have at home.
  - Don’t have foreign electrical sockets in your background - or anything identifiably foreign in general.
- Avoid getting sunburnt/tanned suddenly as that may raise suspicion.