Can your employer see what you do on VPN?
The remote-work era produced a generation of employees doing personal browsing on company devices, work browsing on personal devices, and various combinations on various networks. The "can my employer see what I do?" question has different answers depending on the specific setup, and most generic VPN content gets it wrong.
This is the matrix. Every reasonable combination of device, network, and VPN, and what your employer can or cannot see in each.
Quick rule
If your employer owns the device, assume they can see everything. A VPN does not change that.
If you own the device, the answer depends on the network and what VPN is running.
The longer version below.
Scenario 1: company-owned device
Modern corporate devices ship with monitoring infrastructure baked in. The categories:
Mobile Device Management (MDM). Intune, Jamf, Kandji, Workspace ONE. Allows IT to push policies, install apps, monitor device state. Most corporate laptops and phones in 2026 are MDM-enrolled.
Endpoint Detection and Response (EDR). CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Carbon Black. Continuous monitoring of process behaviour, network activity, file access. Designed to catch malware; sees everything in the process of doing so.
Data Loss Prevention (DLP). Symantec, Forcepoint, Microsoft Purview. Monitors file transfers, clipboard, screenshots, email. Designed to catch data exfiltration.
Browser-level monitoring. Some companies install browser extensions or use managed browser policies that log every URL visited. Some go further with full-content recording.
Screen recording. Less common but exists. Continuous or sample-based screen recording for compliance or productivity monitoring.
Keystroke logging. Rare but documented. Mostly in financial-services and high-security contexts.
A VPN running on a company device does not bypass any of this. The VPN encrypts traffic between the device and the VPN server. The monitoring agents see input, screen content, file activity, and network destinations BEFORE encryption happens. The VPN is downstream of the monitoring.
Effective answer for company-owned devices: assume your employer can see everything you do on the device, regardless of what VPN you have installed. If the job is sensitive, behave accordingly.
The narrow exception: a VPN can hide some destination metadata from the corporate network if the corporate monitoring is purely network-based (no endpoint agents). In 2026, this is rare. Most corporate setups use endpoint-based monitoring as the primary control.
Scenario 2: personal device on company Wi-Fi
You own the laptop. You bring it to the office (or your home is on a corporate VPN tunneling all traffic through company networks). What does the employer see?
Without a VPN: the company network sees DNS queries, SNI in TLS handshakes, destination IPs, traffic patterns. They do not see HTTPS content, but they know you visit Reddit at 2pm and watch YouTube during meetings.
With a personal VPN: the company network sees encrypted VPN tunnel traffic. They cannot identify destinations. They CAN identify that you are running a VPN. Some companies allow this; some block known VPN providers' IPs; some have policies prohibiting VPN use on company networks.
The honest framing: on a company network, your traffic is the company's network problem, not yours. They have legal authority to monitor and (in most US jurisdictions) to act on what they observe. A VPN obscures content but does not exempt you from their network policies.
If your company's policy prohibits VPN use on the corporate network, using a VPN may itself be the policy violation regardless of what you do through it. Read the AUP.
Scenario 3: company VPN on personal device
You work from home. Your employer requires you to connect through the company VPN (Cisco AnyConnect, GlobalProtect, Pulse, custom OpenVPN setup) to access internal resources.
When the company VPN is up, all your traffic typically routes through it. The company sees:
- Every website you visit through the company VPN
- DNS queries (the company VPN provider's resolvers)
- Traffic patterns
- Time spent on each destination
Your home ISP sees encrypted traffic to the company VPN. Your employer sees the unencrypted destinations (or TLS-encrypted sites with company-managed certificate inspection — some setups install a corporate root CA on the device for full TLS inspection).
If you also run a personal VPN on top of the company VPN: technically possible (split-tunneling, or running personal VPN inside company VPN tunnel) but usually detected. The company sees an unexpected encrypted tunnel inside their tunnel; this is itself a flag and is usually against policy.
The cleanest separation: company VPN for work activities, full-tunnel; personal VPN ONLY when not connected to the company VPN, for personal-device personal-network use.
Scenario 4: personal device on home network, no company VPN
You work from home. Your employer does not require company VPN — they provide cloud-based work tools (Slack, Microsoft 365, Salesforce) that you access through your home internet.
What your employer sees:
- Activity within company applications (Slack messages, email, document edits, time spent in apps)
- IP address you connect from (your home IP, or VPN exit IP if you run one)
- Login times and durations
What your employer does not see:
- What you do outside company applications
- Your personal browsing
- Your personal email, personal apps, anything not signed into company accounts
What your home ISP sees:
- All your network traffic destinations (your work tools and your personal browsing)
- The company applications you use (via SNI and IP)
A personal VPN on this setup hides your traffic from your ISP but does not change what your employer sees through their applications. You still log into Slack as you, sending Slack messages as you; the VPN does not anonymise you to services where you authenticate.
Scenario 5: personal device, personal network, company SaaS
The most common modern setup. You sign into Microsoft 365 or Google Workspace from your personal laptop on your home Wi-Fi. The company is your employer; the device and network are yours.
What the employer sees: activity within their applications. Sign-in time, what documents you accessed, what emails you sent.
What the employer does not see: what else you did on your laptop. Your personal browsing, personal email, anything outside their applications.
What a personal VPN adds: privacy from your home ISP. Your ISP does not see which sites you visited or how long you spent. Your employer sees no change because they only see what you did inside their applications anyway.
What about Always On VPN policies?
Some companies require always-on VPN — the company VPN stays connected whenever you are working, sometimes whenever the device is online at all. The company-side monitoring assumes this; everything routes through their tunnel.
Always-on VPN policies are typical for financial services, healthcare, defence contractors, government employees. They are increasingly common for general corporate IT for security reasons.
Implications:
- All your traffic routes through the company. They see everything.
- You cannot use a personal VPN on top without it being detectable and almost certainly against policy.
- For personal browsing, use a personal device on your personal network, not the corporate device.
The legal questions about whether always-on VPN policies are appropriate vary by jurisdiction. In most US contexts, employers have broad authority over employee-monitoring on company-owned devices. EU employees have somewhat stronger protections under GDPR and national labour laws, but employer monitoring of corporate devices is still broadly permitted.
What a personal VPN actually does for remote workers
The honest summary:
On a personal device on a personal network, a personal VPN:
- Hides your traffic from your home ISP
- Does not change what your employer sees through their applications
- Is a privacy benefit for personal browsing, neutral-to-irrelevant for work activity within company SaaS
On a personal device on a company network:
- Hides specific destinations from the company network
- May trigger policy violations regardless of what you do through it
- Cannot bypass endpoint monitoring if any is installed
On a company device:
- Provides almost no privacy benefit because endpoint monitoring sees everything before VPN encryption
- Does not bypass corporate monitoring infrastructure
- May be detected as a policy violation
With company VPN required:
- Personal VPN on top is usually detectable and against policy
- Use the company VPN for work; use personal VPN only when not on company VPN
Frequently asked
Can my employer see my personal email if I check it on my work laptop?
Yes. Endpoint monitoring sees the application activity, sometimes the content. Even if you use HTTPS to access Gmail, EDR or browser-level monitoring may capture URL or content.
Can my employer see my home browsing if I work from home with their VPN?
Yes for traffic that routes through their VPN. If they require always-on VPN, all your traffic goes through them. If split-tunneling allows your personal traffic outside the VPN, that traffic is your home ISP's problem, not your employer's.
Will my employer know I am using a VPN?
On a company device or company network, yes. On a personal device on personal network, they have no way to know unless you sign into a company application from a VPN-routed IP that flags as commercial-VPN range (some companies log this).
Can I get fired for using a VPN at work?
Possibly, depending on company policy. Many companies prohibit VPN use on corporate networks. Violation typically results in IT contacting you first, then disciplinary action if the violation is repeated or interpreted as data-exfiltration-related.
Should I use a VPN on my personal home network to protect from my employer?
A personal VPN on personal device on personal network does not affect what your employer sees through their applications. The threat model is your ISP, not your employer. A VPN is appropriate if you want privacy from your ISP; the employer angle is irrelevant in this scenario.
Try Fexyn free for 7 days — for personal-device personal-network privacy. VPN for remote work security covers the broader remote-work security picture; What your ISP sees covers ISP-level privacy specifically.
Last reviewed 2026-05-09.