Can an untrusted VPN client monitor my network activity?

My scenario is:

  • This is my own Windows 10 machine.
  • The client has installed a VPN that connects me to their servers. The VPN is auto-connected when my Windows 10 machine is booted up.
  • If I am not on the VPN, I am unable to connect to their servers.
  • My IP address is different when I am connected to their VPN.

My question is, when I am connected via their VPN, can the client monitor what I am doing on my machine (like viewing YouTube, or screen sharing, or working on another client's project)?

Can I prevent the client from monitoring my other tasks? (I use this particular machine for multiple client projects.)


Solution 1:

when I am connected via VPN, can the client monitor what I am doing on my machine

It depends on what they actually installed, and on how the VPN client is configured.

A normal VPN client doesn't transfer information about what you're doing in general – the server doesn't know that you're editing a file, and it doesn't know which file you're editing.

But it does handle your network traffic (obviously) and a lot of information can be determined from that traffic. For example, the VPN server's administrator can know if you're using TeamViewer (but not the actual data – that's encrypted), or if you're watching YouTube (but not the actual video URL – that's encrypted), or if you're sending an email (but not the actual email contents). In other words they'll see everything that your ISP would see, but usually nothing more.

So first, a VPN client can be configured to either route all traffic through the tunnel, or just specific traffic. (It is very common to use VPNs which connect only to school/company networks while leaving everything else untouched, aka "split tunnel" VPNs.)

If the client is honest (and not lazy), they can configure the VPN to only catch traffic to that client's servers, and nothing else. However, they can also configure the VPN client to capture all your traffic (or just traffic to their competitor's website, etc). Of course, enabling the VPN for all traffic is not malicious in itself at all, but it does allow your client to monitor you.

And in your case, "My IP address is different when I am connected to their VPN" is a strong indication that everything goes through the VPN.

But second, you're not 100% sure whether they installed just a VPN. They could have installed other software, e.g. something that specifically logs all your browser visits or tracks which program is currently active.

Can I prevent the client from monitoring my other tasks?

You allowed the client to install software on your computer – you've already lost.

It is possible to use a VPN for connecting to the client's network while still remaining safe; however, exactly how to do this depends on what VPN client you're required to use.

For a start, you would need to download and configure the VPN client yourself from provided information (instead of letting the client do it), and you would need to make sure the VPN client doesn't have any "remote provisioning" features which would allow it to locally install more components.

If in doubt, only install any client-provided software on a separate machine (maybe a VM), never on your main computer.
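
The answer above turns on one question: is the VPN a full tunnel or a split tunnel, and does DNS go through it too? The following PowerShell is an added example, not part of the original answer, for checking that on a Windows 10 machine from an elevated prompt while the VPN is connected. It only uses built-in cmdlets; the probe address `1.1.1.1` is an arbitrary public IP (nothing is sent to it), and the loopback/multicast prefix filter in the last step is an assumption about what is worth hiding from the listing.

```powershell
# Added example (not from the original answer): full tunnel or split tunnel,
# and where does DNS go? Run as Administrator on Windows 10 with the VPN up.

# 1. Windows' built-in VPN profiles carry a SplitTunneling flag.
#    $false means every packet goes through the tunnel while connected.
foreach ($scope in @(@{}, @{ AllUserConnection = $true })) {
    Get-VpnConnection @scope -ErrorAction SilentlyContinue |
        Select-Object Name, ServerAddress, ConnectionStatus, SplitTunneling
}

# 2. Third-party clients (OpenVPN, WireGuard, vendor agents) do not show up in
#    Get-VpnConnection, so read the routing table. A full tunnel installs a
#    default route on the tunnel adapter, either 0.0.0.0/0 with a lower metric
#    than the physical NIC's, or the 0.0.0.0/1 + 128.0.0.0/1 pair, which is
#    more specific than any /0 and therefore always wins.
$defaultRoutes = Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -in '0.0.0.0/0', '0.0.0.0/1', '128.0.0.0/1' } |
    Sort-Object RouteMetric, InterfaceMetric
$defaultRoutes | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, InterfaceMetric

# 3. Ask the stack which interface it would actually use for a public address.
#    Find-NetRoute returns the chosen source address followed by the matching
#    route; the route is the object that has a DestinationPrefix.
$probe  = '1.1.1.1'   # assumption: any public IP works, no packet is sent to it
$chosen = Find-NetRoute -RemoteIPAddress $probe | Where-Object { $_.DestinationPrefix }
"Traffic to $probe leaves via: $($chosen.InterfaceAlias) (matched $($chosen.DestinationPrefix))"

# 4. Even a split tunnel can push its own DNS servers. Every name you resolve
#    (youtube.com, a competitor's site) then reaches the client's resolver,
#    whether or not the connection itself goes through the tunnel.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses

# 5. For a split tunnel, list exactly which prefixes the tunnel captures:
#    every IPv4 route that is not on a physical adapter, minus loopback,
#    multicast and broadcast noise (filter is an assumption, adjust as needed).
$physical = (Get-NetAdapter -Physical | Where-Object Status -eq 'Up').ifIndex
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.ifIndex -notin $physical -and $_.DestinationPrefix -notmatch '^(127|224|255)\.' } |
    Sort-Object DestinationPrefix |
    Format-Table DestinationPrefix, InterfaceAlias, RouteMetric
```

If step 3 names the tunnel adapter for a public address, everything you do online is visible to the VPN operator at the level the answer describes (hosts, SNI, timing, not HTTPS contents). If it names the physical NIC but step 4 shows the tunnel's DNS servers on every adapter, the operator still learns every hostname you look up. Note that the routing table only describes what Windows sends through the tunnel; it says nothing about other software the same installer may have left behind.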

Solution 2:

client has installed a VPN

Yes, they can conceptually do anything they want to you, including spying. If you do not absolutely trust them, it is already too late for preventative measures. Since they are probably not actually malicious, just wiping the machine (i.e. reinstalling the OS/software) is probably sufficient.

My question is, when I am connected via VPN, can the client monitor what I am doing on my machine (like viewing YouTube, or screen sharing, or working on another client's project)

Leaving aside that they have already rooted your machine, and looking at this from just a networking perspective, there are several ways to configure a VPN. One of them is to route all traffic through the tunnel such that the VPN endpoint connects you to the internet. In this case they could see metadata about what sites you are visiting and when, but the encrypted payloads of HTTPS connections or SSH connections should be secure. Well, besides the fact that they might sabotage encryption such that they can snoop deeper... some enterprise-style networking tools do this by default when installing client endpoint software.

Preventative measures for next time

Do not allow clients to install software on your machine. Ever. Particularly if you feel uneasy about it. If having control over your development machine is deeply important to them, ask for one to be provided. Otherwise, buy a copy of good virtualization software (basically VMware Workstation) and configure the VPN within a development VM by yourself.
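
The "sabotage encryption" remark in the answer above refers to endpoint agents that install their own root CA so a middlebox can re-sign HTTPS certificates and read the plaintext. Whether that is happening is directly testable, as is the wider question of what else the installer left behind. The following PowerShell is an added example, not part of the original answer or of any vendor's tooling; it needs an elevated prompt, the VPN connected, and network access for the first check. The target host `www.youtube.com`, the two-year window for "recently minted" roots and the `$since` install date are assumptions to adjust.

```powershell
# Added example (not from the original answer): detect HTTPS interception and
# enumerate software that arrived with the VPN. Run as Administrator, VPN up.

# 1. Open a TLS session to a well-known site and look at who signed the
#    certificate you actually received. A genuine www.youtube.com certificate
#    chains to a public CA; a corporate or VPN-vendor CA as issuer means a
#    middlebox is terminating TLS and can read the traffic.
function Test-TlsInterception {
    param([string]$HostName = 'www.youtube.com')   # assumption: any public HTTPS host
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        # Accept any certificate on purpose: we want to inspect it, not fail early.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null  = $chain.Build($leaf)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Host           = $HostName
            LeafIssuer     = $leaf.Issuer
            RootSubject    = $root.Subject
            RootThumbprint = $root.Thumbprint
            # Public roots were issued years ago; a freshly minted interception
            # root usually carries a recent NotBefore.
            RootNotBefore  = $root.NotBefore
        }
    } finally { $tcp.Close() }
}
Test-TlsInterception | Format-List

# 2. Roots in the trust stores that were minted recently. Cross-check the
#    thumbprint printed above against this list.
$recent = (Get-Date).AddYears(-2)   # assumption: the client's install is newer than this
Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.NotBefore -gt $recent } |
    Format-Table Thumbprint, NotBefore, Subject -AutoSize

# 3. Services whose binary lives outside the Windows directory, plus scheduled
#    tasks not authored by Microsoft. A VPN client is expected to have one
#    service; a "browser activity" or "agent" service next to it is not.
$windir = [regex]::Escape($env:SystemRoot)
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -notmatch "^`"?$windir" } |
    Format-Table Name, StartMode, State, PathName -AutoSize

Get-ScheduledTask |
    Where-Object { $_.Author -notmatch 'Microsoft' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        [pscustomobject]@{ Task = $_.TaskName; Author = $_.Author; Exec = $_.Actions.Execute }
    } | Format-Table -AutoSize

# 4. Programs registered in the Uninstall keys on or after the day the client
#    set up the VPN (InstallDate is a yyyymmdd string; entries without one are skipped).
$since = '20240101'   # assumption: replace with the date the client installed the VPN
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.InstallDate -ge $since } |
    Sort-Object InstallDate |
    Format-Table InstallDate, DisplayName, Publisher -AutoSize
```

Step 1 is the decisive check: if `LeafIssuer` is not a public CA, the VPN operator can read HTTPS contents, not just metadata, and the root that makes the browser accept it will appear in step 2. Steps 3 and 4 are an inventory, not proof of anything; they tell you what to remove or, as the answer recommends, what you are leaving behind when you wipe the machine and move the client's software into a VM.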