My work banned my personal VPN on my personal laptop on their guest network

When I connect to the guest network at my office with my phone and hotspot to my laptop with WIFI sharing, I am able to use my VPN on my laptop over their guest network again.

Why? Why don’t they see my VPN this way? I assume everything is still encrypted and hidden from view? What IP address are they seeing?

This comment thread has been interesting.

The original question was a bit difficult to parse on first read, so half interpreted it as “why are they blocking the VPN” (policy question) and half interpreted it as “why are they capable of blocking it from a single device” (technical question).

You can definitely tell the respondents who have worked in IT/Security and had users that peed all over their network policies.

I’m gonna try to answer a little of both here.
Technical: It is possible to block a VPN from passing through by blocking the ports necessary for it to negotiate the secure tunnel.

Technical: VPN connections being blocked only from a specific device? That sounds like at some point, that particular device raised some warning flags to a sharp-eyed IT tech or security software, and its MAC got put on a Naughty List™.

Policy: If the inability to connect to a VPN is truly limited to only your specific laptop, then that means that either you or your laptop raised some flags and IT placed a block on it.

Policy: Blocking things like VPNs or specific devices, even on a “Guest Network” is a valid security precaution for multiple reasons stated elsewhere in the thread (malware, preventing data leakage, etc.)

Anecdote: At a former employer, IT got a request to flag an employee. Every single device that touched business owned networks was monitored and logged, even personal devices on the guest network. After the cops made the arrest, that data was used to put the employee in prison for a decade, and put him on a registry for the rest of his life.

When I connect to the guest network at my office with my phone and hotspot to my laptop with WIFI sharing, I am able to use my VPN on my laptop over their guest network again.

Most phones disconnect from WiFi when you are using the WiFi hotspot feature, so you are really sharing your cellular connection and not your work’s guest network. Only some newer Android phones can actually share WiFi networks.

If this is a place you work and not own, then contact your IT group. They may have system policies in place that block non-business VPNs due to hack software.

One good example: someone had downloaded a VPN client with a VPN connection that was supposed to go to their home network and found out that it was routed to an incorrect address somewhere in India. The client downloaded was a hacked version of the VPN software. Once we got the laptop, we found a remote client hack that was actively scanning and copying his files.

Just because it’s encrypted, doesn’t mean they can’t see that you’re using a VPN.

They can see traffic that isn’t port 80/443 and if it’s substantial enough they might look deeper. If they see it’s port 1194 then they’ll say you’re using a VPN.

They may also be looking at the DNS if you’re using theirs and seeing it looks suspicious.

They may also be using deep packet inspection to observe the handshake.

They may also use an IP reputation service to see if the traffic is going to a residential IP and flagging that as a risk.

They may also just flag anything that doesn’t look like browsing activity.

They may also detect who logged in via WiFi credentials, then detect an unknown MAC address if your phone isn’t doing NAT.

Are you confident your phone is simultaneously being a hot spot and connected over wifi to your work guest wifi? It could be something this simple.
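The detection heuristics listed a few comments up (traffic on non-80/443 ports, the OpenVPN port 1194, handshake inspection, residential-IP reputation, unknown MAC addresses) written out as an added Python example for this thread; it is not code from any commenter. The device inventory, the residential prefix list and the sample flows are constructed stand-ins, and the OpenVPN/WireGuard first-byte checks cover only the plain, unobfuscated handshakes.

```python
from dataclasses import dataclass

# Constructed reference data: stands in for the gateway's device inventory
# and an IP-reputation feed; none of these values are real.
KNOWN_MACS = {"aa:bb:cc:00:00:01"}
RESIDENTIAL_PREFIXES = ("198.51.100.",)
VPN_PORTS = {1194: "OpenVPN default port", 51820: "WireGuard default port",
             500: "IKE", 4500: "IPsec NAT-T"}
WEB_PORTS = {80, 443}

@dataclass
class Flow:
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    first_bytes: bytes  # first payload bytes the client sent
    bytes_out: int      # total bytes sent by the client

def vpn_indicators(flow: Flow) -> list[str]:
    """Return the reasons a flow looks like a VPN (empty list = looks like browsing)."""
    reasons = []
    if flow.dst_port in VPN_PORTS:
        reasons.append(f"well-known VPN port {flow.dst_port} ({VPN_PORTS[flow.dst_port]})")
    elif flow.dst_port not in WEB_PORTS and flow.bytes_out > 1_000_000:
        reasons.append("substantial traffic on a non-web port")
    if flow.proto == "udp":
        # OpenVPN: opcode P_CONTROL_HARD_RESET_CLIENT_V2 (7) << 3 | key_id 0 == 0x38
        if flow.first_bytes[:1] == b"\x38":
            reasons.append("OpenVPN client handshake opcode")
        # WireGuard: handshake initiation is message type 1 plus three reserved zero bytes
        if flow.first_bytes[:4] == b"\x01\x00\x00\x00":
            reasons.append("WireGuard handshake initiation")
    if flow.dst_ip.startswith(RESIDENTIAL_PREFIXES):
        reasons.append("destination is in a residential range")
    if flow.src_mac not in KNOWN_MACS:
        reasons.append("unknown client MAC")
    return reasons

# Constructed sample flows (documentation IP ranges, made-up MACs)
BROWSING = Flow("aa:bb:cc:00:00:01", "203.0.113.10", 443, "tcp", b"\x16\x03\x01", 40_000)
OPENVPN_HOME = Flow("aa:bb:cc:00:00:01", "198.51.100.7", 1194, "udp", b"\x38" + b"\x00" * 13, 5_000_000)
WIREGUARD_ODD_PORT = Flow("de:ad:be:ef:00:02", "203.0.113.99", 4443, "udp", b"\x01\x00\x00\x00", 2_000_000)

if __name__ == "__main__":
    for f in (BROWSING, OPENVPN_HOME, WIREGUARD_ODD_PORT):
        print(f.dst_ip, f.dst_port, vpn_indicators(f) or ["looks like browsing"])
```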

For very good reasons.

VPNs can be used for streaming, gaming etc, which will bypass firewall rules.

They can be used to inadvertently hop on dubious sites, and potentially be another malware access point, or they can evade traffic logging of file transfers.

There’s a hundred simple reasons, and I certainly wouldn’t allow VPNs outside company ones on any network of mine!

Have you tried not fucking off at work?

It’s their guest network, isn’t it? You probably agreed to terms and conditions before accessing it. What’s the big deal?

If your work banned something you should not be trying to find a workaround, that could get you fired :eyes:

Why don’t they see my VPN this way?

Their network, their rules. Period.

As soon as you turn this from black and white into shades of grey, the whole thing spirals out of control.

Not sure what you are trying to accomplish, but whatever it is could be adjacent to things they don’t want happening.

I’d just leave this one alone.

They don’t want you connecting a laptop that has two NICs (perhaps one wired on the corporate LAN, another wireless on the guest network), VPNing to an outside point such that they can’t monitor the traffic, and then siphoning out intellectual property. Deal with it.

Most likely reason is so they can detect/monitor usage and therefore, throttle the bandwidth allocated to a client device depending on what the client device is doing (downloading, youtube, netflix, etc.)

In other words, QoS.

Since a VPN “masks” all of this, they cannot do so, and the client device using their internet bandwidth could definitely abuse the company’s internet connection.

Most workplaces will see your VPN as a security risk. They can’t see that you are browsing to a forbidden site. They can see that you are trying to use a VPN. You do not have privacy at work.

Eh, go ask the same question at r/sysadmin and watch the hilarity begin!!!

Why do people bring personal laptops to work? Nothing good (for the company) will happen… Bring your phone and do your work, then go home and use your laptop…

Short answer? It’s their network, and they can say what is allowed on it.

IIRC, WiFi hotspot from your phone will not pass through the VPN, only traffic from the phone itself.

I would guess that it puts suspicious traffic across the guest-to-internal link, which is probably warning that guest wireless is talking to internal machines. Which is exactly what the guest network shouldn’t be doing.

It’s their network, they can block or allow anything they want.

My work blocks basically everything except HTTP and HTTPS outbound on their networks, and if you need an exemption you have to provide a business justification for it. And then they block a huge number of domain names too… the most annoying of which is imgur, which an annoying number of things use for screenshots.

If you don’t like their network rules, don’t use their network. Not sure why you need a personal laptop when you are supposed to be at work anyway?

Control: companies want to watch and control what you’re doing on their network/time.