For a long time I have been using WireGuard to connect into my local network remotely. That has been working flawlessly.
The problem is that one of the primary devices I need access for is my iPhone. The phone is provided by my employer. The cost of the deal is that the device is under corporate management. My employer is implementing "endpoint protection", which is basically a VPN connection that will soon be forced on my device, and this will make me unable to use any other VPNs.
It's important for me to access my local network remotely, but I'm not happy to expose anything publicly, for obvious reasons.
What are my options to do this securely without a VPN?
Get another phone for private use and turn the company phone off when off duty. You can thank me later when you have a better work-life balance. Otherwise, the other commenters have great recommendations.
Be very clear about both the letter and spirit of the restrictions that your employer places on your device usage, and act accordingly. In most cases this means not “working around” the “problem”.
For uses that are not contrary to either the letter or spirit of their requirements, expose the service publicly, either on your own IP or tunneled through something like Cloudflare or a VPS, and put strong and reliable authentication in front of it.
Something like requiring mTLS, for example, is vaguely “equivalent” to a VPN in terms of authentication security, assuming the underlying services are properly configured.
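As an added example (not from the commenter above), here is what "requiring mTLS in front of the service" looks like in practice: a private CA, one client certificate per device packaged as a .p12 for the phone, and an nginx server block that refuses the TLS handshake unless the client presents a certificate signed by that CA. The hostname `home.example.net`, the device name `myphone`, the output directory and the `/etc/nginx/certs` paths are placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds a private CA, issues one
# client certificate, bundles it as PKCS#12 for installing on iOS, and writes
# an nginx server block that rejects any connection without a certificate
# from that CA. Hostname, client name and paths are hypothetical placeholders.
set -eu

gen_mtls_pki() {
  dir="$1"; host="$2"; client="$3"
  mkdir -p "$dir"

  # 1. Private CA. Keep ca.key offline; only ca.crt is copied to the proxy.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1825 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Home mTLS CA" 2>/dev/null

  # 2. Client key + CSR, signed by the CA with client-auth extensions.
  #    One certificate per device, so a lost phone can be revoked (or the
  #    CA rotated) without touching the others.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/$client.key" -out "$dir/$client.csr" \
    -subj "/CN=$client" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$dir/client.ext"
  openssl x509 -req -in "$dir/$client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/client.ext" \
    -out "$dir/$client.crt" 2>/dev/null

  # 3. PKCS#12 bundle for the phone. The passphrase is what the device asks
  #    for at import time; "changeit" is a placeholder, use a real one.
  openssl pkcs12 -export -inkey "$dir/$client.key" -in "$dir/$client.crt" \
    -certfile "$dir/ca.crt" -name "$client" -passout pass:changeit \
    -out "$dir/$client.p12"

  # 4. nginx server block. The server certificate itself should come from a
  #    public CA (e.g. Let's Encrypt) so the phone trusts the host without
  #    installing anything extra; only client authentication uses the
  #    private CA above.
  cat > "$dir/nginx-mtls.conf" <<EOF
server {
    listen 443 ssl;
    server_name $host;

    ssl_certificate     /etc/nginx/certs/$host.crt;
    ssl_certificate_key /etc/nginx/certs/$host.key;

    # "on" rejects the handshake (HTTP 400) when no valid client certificate
    # is presented. "optional" would let unauthenticated requests reach the
    # backend and leave the check to the application, so do not use it
    # unless every location tests \$ssl_client_verify itself.
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Client-DN \$ssl_client_s_dn;
    }
}
EOF
}

# Returns 0 if the issued client certificate chains to the private CA,
# i.e. what the proxy will compute during the handshake.
check_client_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

gen_mtls_pki mtls-pki home.example.net myphone
check_client_cert mtls-pki myphone && echo "myphone.crt chains to ca.crt"
```

The point of the `ssl_verify_client on` line is the "assuming the underlying services are properly configured" caveat: with `optional`, or with the application bound to a port reachable without the proxy, the certificate requirement protects nothing. Verify from outside with `curl --cert myphone.crt --key myphone.key https://home.example.net/` and confirm the same request without `--cert` is refused.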
If it's applications on your local network you are accessing, you could set up Cloudflare Tunnels. That would allow HTTPS access to internal applications.
What types of things are you wanting to access on your local network? I assume you do not need full access to everything. You can selectively expose different services through a reverse proxy. Just note that, depending on the monitoring your company has, it may block unconfirmed sites.
My company uses Microsoft Defender on iOS, which sets up a ‘VPN’ to block certain connections or perform other network filtering. I haven’t looked into the specifics, but I do know it allows temporarily disabling the VPN for a set period (hours or days) before the device is marked non-compliant.
To work around this, I set up an iOS Shortcut that automatically disables the Defender VPN when I leave my home Wi-Fi and enables my WireGuard VPN instead. When I return home, it switches back: WireGuard off, Defender back on. The only downside I've found so far has been my notifications getting littered with 'your shortcut ran' messages, which AFAIK you can't disable.
For the 'just use two phones' suggestion, I've tried it. For me, it was more hassle than it was worth. My current setup prioritizes my personal convenience over all else.
I’ve never understood why people ditch a personal laptop/phone/electronic device as soon as they get a company one.
I've carried two cell phones for 20 years to keep things separate, and two laptops for 15. This way, no matter what, I know the company doesn't see any of my personal stuff, and I'm not worried about violating company policy by doing something.
Neither can I, but by choice. I put my work stuff in its own VLAN with access only to the internet. I know they have a bunch of different scanners and network monitoring/management that they do. Let them try it in their own little echo chamber.
Hell, at this point I'm surprised they haven't pulled me from the GP that allows USB ports to work with the last go-round. Work phones are locked down. I don't do anything not work-related on anything work-owned. I had the opportunity to go hybrid with an eSIM so I don't have to carry two phones. Nope, no thanks.