Privacy Concern & Question

I work remotely from my own device. I have a dedicated work browser and have to connect to a work tool in that browser. They decided today that we have to install Twingate and use it while working.

I read through this: FAQ | Docs

And How Twingate Works | Docs

Networking stuff is a bit over my head. Say I forget to close this while I’m using my device for personal reasons. Can they see everything I’m doing on my device?

The “support” department in my company does not know how to answer this question. A friend suggested I check to see where the configuration is stored on my device, but I don’t know how to do that.

Hi there,

I can’t tell you about the configuration of your organization specifically, but the way Twingate works by default is called “Split Tunnel”.

What this means is that the Twingate client only interacts with/cares about things that it has been told to care about, and everything else it basically ignores.

As an example - you mention a work tool. Let's say it's hosted at work.tool (very unique).
Let's also assume that Twingate is running, that work.tool is a Twingate resource and you're signed in.

If you access work.tool - Twingate will intercept that request, provide a CGNAT IP address in response and route the traffic via the Twingate infrastructure run by us and by your company.

However, if you access kittens.com the Twingate client will see that it is not something it cares about, and forward the request on to be handled by whatever DNS servers were set on your machine prior to you connecting to Twingate, whether it’s your ISP or custom defined public servers like Google or Quad9. No record of this is kept either in your local log files or on our end, because it’s not a Twingate resource.

So in most situations, there is little to no way that you can be “spied on” via Twingate.

There are two caveats to this, however:

  1. Twingate CAN be configured with *.* or 0.0.0.0/0 as Twingate resources; this will essentially make Twingate a "Full Tunnel" VPN, where any and all traffic destined for anywhere on a network will be intercepted by, and routed through Twingate.
  2. Twingate does also provide the ability to enforce DoH (DNS over HTTPS) on machines where the client is running. This means that theoretically, if this were enabled by your organization, any hostname you looked up while connected to Twingate would be potentially logged by the DoH provider they are using. This means that your employer could see that you visited www.kittens.com – they won’t be able to tell what you did there, but they know you looked up how to get there and thusly visited it.

Again, I cannot tell you whether either of those two caveats apply to your situation, so my recommendation is to do work stuff during work hours and when you’re done for the day choose to “Log out and Disconnect” from Twingate – don’t just “Quit”, as this will leave the service running in the background.

Hope this helps and please don’t hesitate to reach out if you have other questions.

Thanks,

-arthur

1 Like
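The split-tunnel behaviour and the two caveats in the reply above can be modelled in a few lines. The following is an added example written for this page, not Twingate's client code: it assumes that resources are either hostname patterns (matched here with shell-style wildcards, which is a simplification of whatever rules the real client applies) or CIDR ranges, that intercepted hostnames are answered with an address out of the CGNAT block 100.64.0.0/10 (RFC 6598), and that with DoH enforced every hostname lookup, resource or not, becomes visible to the DoH provider. The `is_full_tunnel()` check is what an administrator or a curious user would run against a resource list to see whether caveat 1 applies.

```python
"""Toy model of Twingate-style split tunnelling (illustrative, not the real client)."""
import fnmatch
import ipaddress

# RFC 6598 shared address space; the reply says intercepted names get a CGNAT answer.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def _is_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


class SplitTunnelModel:
    def __init__(self, resources, doh_enforced=False):
        # Split the constructed resource list into hostname patterns and CIDRs.
        self.host_patterns = []
        self.cidrs = []
        for r in resources:
            try:
                self.cidrs.append(ipaddress.ip_network(r, strict=False))
            except ValueError:
                self.host_patterns.append(r.lower())
        self.doh_enforced = doh_enforced
        self.lookup_log = []      # names a DoH provider would see (caveat 2)
        self._assigned = {}       # hostname -> CGNAT address handed back
        self._pool = CGNAT_RANGE.hosts()   # yields 100.64.0.1, 100.64.0.2, ...

    def is_full_tunnel(self) -> bool:
        """Caveat 1: a '*.*' pattern or a /0 range captures all traffic."""
        return "*.*" in self.host_patterns or any(n.prefixlen == 0 for n in self.cidrs)

    def _matches(self, target: str) -> bool:
        if _is_ip(target):
            return any(ipaddress.ip_address(target) in n for n in self.cidrs)
        return any(fnmatch.fnmatchcase(target.lower(), p) for p in self.host_patterns)

    def resolve(self, target: str):
        """Return ("intercept", cgnat_ip) for a resource, ("bypass", None) otherwise."""
        if self.doh_enforced and not _is_ip(target):
            # With DoH enforced the lookup itself is observable, resource or not.
            self.lookup_log.append(target)
        if not self._matches(target):
            return ("bypass", None)          # left to the machine's normal DNS
        if target not in self._assigned:
            self._assigned[target] = str(next(self._pool))
        return ("intercept", self._assigned[target])


if __name__ == "__main__":
    # Constructed configuration mirroring the reply's example.
    model = SplitTunnelModel(["work.tool", "10.0.0.0/8"])
    print("full tunnel?", model.is_full_tunnel())
    for name in ("work.tool", "kittens.com", "10.1.2.3", "8.8.8.8"):
        print(name, "->", model.resolve(name))
    print("with 0.0.0.0/0:", SplitTunnelModel(["0.0.0.0/0"]).is_full_tunnel())
```

Running the stand-alone block prints that `work.tool` and `10.1.2.3` are intercepted (the hostname receives `100.64.0.1`) while `kittens.com` and `8.8.8.8` bypass the tunnel, and that a `0.0.0.0/0` resource flips the configuration to full tunnel. Re-creating the model with `doh_enforced=True` shows the second caveat: `lookup_log` then records `www.kittens.com` even though the request is still bypassed.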