
VPN for remote work security: beyond the office network

Fexyn Team · 9 min read

The remote-work boom that started in 2020 produced a generation of workers whose primary work environment is not the corporate office. Coffee shops, home offices, hotel rooms, co-working spaces, conference centres, airports. Each of these networks has different security characteristics. The "use a VPN" advice has propagated widely; the technical detail of what the VPN actually has to do has not.

This is the practical version. What goes wrong on remote-work networks, where a VPN actually helps, where it does not, and what corporate-VPN deployments specifically need to handle.

What goes wrong on remote-work networks

Three classes of risk:

1. Network operator visibility. Whoever runs the network you are connected to can see your traffic patterns. Coffee-shop Wi-Fi: the cafe owner. Hotel Wi-Fi: the hotel's network operator and their ISP. Co-working: the building. Conference Wi-Fi: the event organisers and their providers. None of these are inherently malicious, but all of them have varying levels of monitoring, retention, and (occasionally) commercial use of traffic data.

2. Rogue access points. A laptop running airbase-ng or similar at a coffee shop can broadcast a Wi-Fi network with the same name as the legitimate one. Devices that have previously connected to "Hilton Honors" or "Boingo Free" auto-connect to the rogue access point. The attacker now sees all unencrypted traffic and can MITM HTTPS where TLS pinning is absent. This is not theoretical; documented attacks at security conferences specifically target visiting attendees who are reasonably privacy-aware in their professional lives but auto-connect to familiar Wi-Fi names.

3. Targeted corporate espionage. Senior executives, lawyers in active litigation, M&A practitioners, and finance professionals at trading firms are real targets. The targeting can be opportunistic (capture whoever connects to a network in a specific high-value location like a major airport) or specific (follow a person and connect to whatever Wi-Fi they connect to). The latter is rare in practice but documented; the former is more common.

A VPN addresses all three at the network layer. The network operator, rogue AP, and any opportunistic attacker on the same network see encrypted traffic to the VPN provider. They do not see the destination websites, the content, or the credentials being typed.

Split tunneling: when and when not

Split tunneling is the feature that lets you route some traffic through the VPN and some traffic outside it. The question of when to use it splits along two axes:

Performance vs security tradeoff. Routing all traffic through a VPN adds latency and bandwidth overhead. For traffic that does not need encryption (Spotify streaming a podcast, Netflix on a known stable connection, a video game on the LAN), routing outside the VPN preserves speed. For traffic that does need encryption (work email, document management, anything containing client data or company IP), routing through the VPN matters.

Geographic vs all-traffic split. Some users want VPN for everything except local-network resources (printer at home, NAS, smart home devices). Others want VPN only for specific apps (VPN on for the work browser tab, off for everything else).

For corporate use, split tunneling is sometimes mandated and sometimes prohibited. Mandated: companies that route all corporate traffic through their own VPN, but exempt SaaS apps (Slack, Salesforce) that the corporate VPN cannot inspect anyway. Prohibited: companies that require every byte to be visible to corporate monitoring.

For personal-VPN remote-work use, the right answer is usually:

  • VPN on for work-related traffic (corporate email, document management, internal tools)
  • VPN on for any privacy-sensitive personal traffic (banking, healthcare portals, journalism, any communication with sensitive contacts)
  • VPN off for streaming, gaming, and casual browsing where privacy is less critical and performance matters

Fexyn supports per-app split tunneling on Windows. We do not currently support it on macOS or Linux. For users whose remote-work setup demands per-app routing, Mullvad and ProtonVPN both have more mature split-tunneling implementations across platforms today.

Always-on VPN policies

Some corporate setups require always-on VPN — the VPN is up before any other traffic and never goes down. The implementation:

  • VPN client launches at boot, before user login
  • Kill switch (kernel-level firewall rules) enforces no-traffic-without-VPN
  • The user cannot toggle the VPN off through the UI
  • The VPN reconnects automatically on any drop

Fexyn supports always-on for personal-account use: the kill switch can be configured to stay active across reboots, the client can launch at startup, and the WFP rules persist. We do not currently have centralised IT-managed always-on with policy enforcement (the kind a company IT department deploys to all employee laptops). For that, NordLayer or Perimeter81 are the right business-tier products.

For solo remote workers and small teams, the personal-account always-on configuration is usually enough. Configure once, leave on, forget about it.
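The split-tunneling and always-on sections above both come down to which interface a packet leaves on. The following is an added example, not Fexyn's code: it audits a constructed route table by longest-prefix match to find sensitive destinations that bypass the tunnel, then repeats the audit with the tunnel interface gone to show what a kill switch has to block. Interface names (`wlan0`, `wg0`), addresses, and the policy list are assumptions.

```python
import ipaddress

# Constructed route table: (prefix, interface, metric). wlan0 is the Wi-Fi NIC,
# wg0 the VPN tunnel; both names and all addresses are illustrative.
ROUTES = [
    ("0.0.0.0/0",       "wlan0", 600),  # default route learned from DHCP
    ("0.0.0.0/1",       "wg0",    50),  # two /1 routes: a common way for a VPN
    ("128.0.0.0/1",     "wg0",    50),  # client to override the default route
    ("192.168.1.0/24",  "wlan0", 600),  # home LAN exemption (printer, NAS)
    ("203.0.113.10/32", "wlan0", 600),  # the VPN server endpoint itself
    ("198.51.100.0/24", "wlan0", 100),  # over-broad split-tunnel exclusion
]

# Constructed policy: destinations that must only ever leave through the tunnel.
MUST_TUNNEL = {"work-mail": "198.51.100.25", "doc-store": "192.0.2.40",
               "bank": "203.0.113.77"}

def egress(dst, routes):
    """Pick a route by longest-prefix match, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        rank = (net.prefixlen, -metric)
        if best is None or rank > best[0]:
            best = (rank, iface, prefix)
    return (best[1], best[2]) if best else (None, None)  # no route: dropped

def audit(routes, must_tunnel, vpn_iface="wg0"):
    """Return {name: (interface, prefix)} for sensitive traffic bypassing the VPN."""
    leaks = {}
    for name, dst in must_tunnel.items():
        iface, prefix = egress(dst, routes)
        if iface is not None and iface != vpn_iface:
            leaks[name] = (iface, prefix)
    return leaks

def after_tunnel_drop(routes, vpn_iface="wg0"):
    """Route table once the tunnel interface disappears and no kill switch acts."""
    return [r for r in routes if r[1] != vpn_iface]

if __name__ == "__main__":
    print("tunnel up:  ", audit(ROUTES, MUST_TUNNEL))
    print("tunnel down:", audit(after_tunnel_drop(ROUTES), MUST_TUNNEL))
```

With the tunnel up only `work-mail` is flagged, traced to the `198.51.100.0/24` exclusion; with the tunnel interface gone all three destinations fall back to `wlan0`, which is the gap the kill switch's firewall rules close.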

What a personal VPN does not cover for corporate work

A personal VPN encrypts your traffic between your device and the VPN provider's exit. It does not:

Provide access to internal corporate resources. If your company has a corporate VPN that gates internal resources (file servers, internal apps, dev environments), you need that corporate VPN to reach those resources. A personal VPN does not replace it. Some setups require running both: corporate VPN for internal access, personal VPN for outside-the-corporate-tunnel privacy.

Comply with corporate monitoring policies. If your employer requires DLP (data loss prevention) monitoring on your work laptop, a personal VPN does not change that. The DLP agent runs on the device and sees traffic before it gets encrypted by the VPN.

Protect against compromised endpoints. A keylogger or screen-recorder on your laptop reads your input before any encryption. The VPN is downstream of these compromises.

Comply with regulatory requirements that need specific vendor relationships. Examples: HIPAA Business Associate Agreements, ABA 477R reasonable efforts that need documented vendor compliance, and ISO 27001 control mapping. These need vendor relationships that personal VPN providers may or may not provide.

For those needs, layered solutions are required. A personal VPN is one piece of a broader security posture, not the complete answer.

Corporate VPN vs personal VPN

These are different products even though both have "VPN" in the name:

Corporate VPN (Cisco AnyConnect, GlobalProtect, Pulse Secure, OpenVPN-based corporate setups). Provides access to internal corporate networks. The corporate IT team manages it. The connection is to the company's own infrastructure, not a third-party VPN provider. Logging policies are whatever the company sets (typically high logging for compliance). Used to reach things only the company can provide.

Personal VPN (Fexyn, NordVPN, ProtonVPN, etc.). Provides privacy from third-party network observers and access to public internet from a different IP. Used to add a privacy layer over public networks; not used to reach corporate internal resources.

For remote workers, the question is often whether to run both simultaneously (corporate VPN for work resources, personal VPN for privacy from the public networks the corporate VPN is running over). Most corporate VPN clients allow this; some do not. Some companies have policies on it; some do not.

For business-tier-VPN-with-personal-features (which is what NordLayer or Perimeter81 sell), the same provider provides both: your IT department's centralised access management plus modern VPN protocols and consumer-style features. For solo and small-team remote workers without IT-department backing, personal-VPN-with-corporate-VPN-on-top is the more common pattern.

Where Fexyn fits

For remote-work security, Fexyn covers:

  • WireGuard (Bolt) for low-overhead encryption on typical home and coffee-shop networks
  • VLESS Reality (Stealth) for the rare case where you are travelling somewhere with active VPN filtering and need to maintain access
  • Kernel-level WFP kill switch on Windows to prevent traffic exposure during VPN drops
  • No-logs operation for the privacy posture
  • Per-app split tunneling on Windows for performance-sensitive split policies
  • Always-on configuration for individual users who want it

What we do not cover:

  • Centralised IT-managed deployment (for that, use NordLayer or Perimeter81)
  • Corporate-VPN replacement (for internal corporate resources, you need your company's VPN)
  • DLP, EDR, or endpoint security (separate categories of product)
  • BAAs or other compliance vendor relationships beyond what we currently offer

Frequently asked

Should I use my personal VPN with my work laptop?

Depends on your employer's policy. Some employers prohibit it (DLP and corporate monitoring need to see your traffic). Some allow it. Some require it for non-corporate-network connections. Read your employer's acceptable-use policy or ask IT.

Does a VPN protect against my employer monitoring my work laptop?

Generally no. Corporate monitoring agents (Endpoint DLP, MDM tools, certain antivirus suites) run on the device and see traffic before any VPN encryption. Some agents specifically detect and may interfere with personal VPN use; some do not.

Should my company use Fexyn for remote workers?

For solo or small teams without dedicated IT, Fexyn is a reasonable choice. For larger companies with IT teams that want centralised provisioning, policy enforcement, and compliance reporting, business-tier VPNs (NordLayer, Perimeter81, ZeroTier for some use cases) are better fits. Fexyn does not currently offer the IT-management features.

What about Zero Trust replacing VPN?

Zero Trust Network Access (ZTNA) is a different model: instead of VPN to a trusted network, ZTNA evaluates each request individually with strong identity-and-context checks. Some companies are migrating from VPN to ZTNA for corporate access. For privacy from public-network observers, both VPN and ZTNA provide encryption in transit. ZTNA is not a replacement for personal-VPN use cases like coffee-shop privacy; it is a replacement for some corporate-VPN use cases.

Is it safe to do banking on hotel Wi-Fi?

With a VPN, generally yes. Without a VPN, the network operator and any opportunistic attacker on the same network can see traffic patterns; HTTPS-pinned banking apps mitigate the worst attacks but not all of them. With a VPN, the network sees only encrypted traffic to your VPN provider; the bank's TLS connection is the inner layer, with the VPN's encryption outside. Defence in depth.


Try Fexyn free for 7 days. Kernel-level kill switch, no-logs, WireGuard for typical networks, VLESS Reality with Vision for restricted ones. The How to choose a VPN guide covers the broader buying decision; Kill switch explained covers the WFP-based implementation.

Last reviewed 2026-05-09.
