“New legislation mandates that we no longer offer the VPN connections necessary for our remote workers to access the company intranet off premises. Starting immediately, all employees are to return to office 7 days a week. If this does not work for you, please reach out to HR and they will accept that as your resignation in lieu of a written document.”
— Meta (the corp pushing the age verification laws), probably.
Legal, probably. Whichever corporations push that hypothetical bill are going to write it very specifically to ensure that it excludes their use cases.
Here’s an example of how they could do it:
S.A.V.E.K.I.D.S: Support Age Verification Environments Keeping Internet Detectable Signals
Blah blah pretext and background information…
Blah blah surface-level purported reason for the bill is to prevent kids from bypassing age verification checks by using a VPN to pretend they’re a resident of another country…
No entity operating in or doing business within <jurisdiction> may provide services or make available technology that irreversibly redirects, masks, or otherwise obscures internet-destined traffic to appear as originating from any source other than the internet-connected network in which it was generated.
Site-to-site VPN? Fine, it’s destined for the intranet.
NAT? Also fine, it is the originating internet-connected network.
HTTP reverse proxies? Still fine, they pass the origin IP along.
VPN that routes all traffic through it? You’re getting locked up and they’re throwing away the key.
What about all of the site-to-site VPNs?