I did a VPN experiment recently where I
This worked, meaning a few things.
It confirms wg tunnels are bidirectional.
You can also set up a wg client on a network that blocks all INPUT packets having NEW states, and you’ll be able to access the client via the server. No open ports or port forwarding is needed on the client’s LAN.
So unless the network at work, school, the cafe, etc. outright blocks the WireGuard protocol, this should work. And if needed, you can conceal the wg protocol as TCP traffic using ws-tunnel. Here is an excellent video tutorial by 402 Payment Required for that,
https://www.youtube.com/watch?v=fM2cJQ8lRjM
This made me realize - if you pay for a VPN and you have some ports open on your computer, you could be getting your LAN scanned by the VPN provider. They might do this as a way of gathering more data to sell, or perhaps there exist employees willing to yolo their careers for money or information they value. So those things, on top of already giving a VPN provider a list of all the websites you’re visiting, and installing their closed source software on your device.
The rabbit hole of network connections goes on and on.
It reminds me of how, if ISPs suspect you are torrenting using a VPN, they can reboot your modem or cut your internet for a second to knock out your VPN connection, revealing what you’re doing if you don’t have a kill switch enabled. I read about that here,
https://lainzine.org/all-releases/lainzine06.pdf
The monitoring and software updating tools your work uses could also be scanning your network, and “stuff”, so if you work from home, consider putting your work machine on a VLAN to isolate it from your home network.
Just some thoughts I wanted to share.
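An added example (my own, not code from the post, from WireGuard or from the linked tutorial) of the two defensive checks the post implies: a small Python audit of a wg-quick client config that flags peers whose AllowedIPs lets them reach every local listening port through the bidirectional tunnel, and a generated nftables ruleset that only admits replies on the tunnel and doubles as a kill switch. It assumes a constructed sample config, the interface names wg0 and eth0, and leaves loopback, DHCP and DNS rules out for brevity.

```python
import ipaddress
# Constructed sample of a typical commercial-VPN client config (placeholders, not a real provider).
SAMPLE_CONF = """[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24
[Peer]
PublicKey = <provider-public-key-placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
"""

def parse_wg_conf(text):
    """Parse a wg-quick style config into {'Interface': {...}, 'Peer': [{...}, ...]}."""
    conf, section = {"Interface": {}, "Peer": []}, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line == "[Interface]":
            section = conf["Interface"]
        elif line == "[Peer]":
            section = {}
            conf["Peer"].append(section)
        elif "=" in line and section is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            section[key] = val
    return conf

def audit_peer_reach(conf):
    """AllowedIPs is WireGuard's inbound source filter as well as its routing table: a packet from
    the peer is delivered locally if its source is inside it, so 0.0.0.0/0 means full reachability."""
    findings = []
    for peer in conf["Peer"]:
        nets = [ipaddress.ip_network(n.strip(), strict=False) for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
        if any(n.prefixlen == 0 for n in nets):
            findings.append(f"peer {peer.get('Endpoint', '?')}: AllowedIPs covers all addresses; "
                            "local listening ports are reachable from the VPN side unless the tunnel interface is firewalled")
    return findings

def nft_ruleset(wg_if, phys_if, endpoint):
    """Render nftables rules (assumed interface names): inbound on the tunnel only for replies, so nothing the
    provider side initiates reaches local services; outbound only via the tunnel or WireGuard UDP to the endpoint."""
    port = endpoint.rsplit(":", 1)[1]
    return "\n".join([
        "table inet vpnguard {",
        "  chain input { type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "  }",
        "  chain output { type filter hook output priority 0; policy drop;",
        f"    oifname {wg_if} accept",
        f"    oifname {phys_if} udp dport {port} accept",
        "  }",
        "}"])
```

With the output policy set to drop, a modem reboot that tears down the tunnel leaves no path for traffic to leak out of the physical interface other than the WireGuard handshake itself.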