GitLab does not use a corporate VPN, but does allow for personal VPNs to be used and expensed by team members.
A VPN (Virtual Private Network) is the extension of a private network across a public network, allowing the users of the private network a level of protection and privacy to their network traffic that might be lacking if crossing a public network. Typically the private traffic is "tunneled" and encrypted with safeguards built in to prevent leakage of data that could lead to compromising situations with the public network, such as network-based attacks or private data being revealed. Corporations with centralized headquarters and private internal networks in their offices have used VPNs for years to allow for remote workers to access internal systems when working remotely. As a remote-only company, GitLab does not use a corporate VPN.
A personal VPN is similar to the corporate VPN in that it uses some of the same methods of tunneling, encryption, and safeguards that the corporate VPN uses, except it is intended for personal use. Instead of a corporate VPN server, the company providing the personal VPN service has its own server and simply uses it as a jump point to reach resources while protecting the user from some of the same dangers the corporate users face.
The personal VPN has a few other advantages. All personal VPN companies maintain their servers in different locations around the world, which not only helps with speed (there is a slight performance hit with using a personal VPN) but allows a user to access resources that are geographically restricted (watch a YouTube video not available in your country), avoid monitoring by your ISP (Internet Service Provider) of which websites you access, bypass Internet censorship, and many others. As a result, personal VPN service providers will compete with each other by offering enhanced privacy features, hundreds of servers in a variety of locations, support for various tunneling and communication options, end user device support, and more.
There are a few reasons why a GitLab team member might want to use a personal VPN:
GitLab's Security Team has reviewed personal VPN clients, and the main things that were looked for were ease-of-use, decent choice of features and underlying protocols, proven track record, and support for the platforms used by GitLab team members. The recommended choices are ProtonVPN, ExpressVPN, and NordVPN. All three have been used by GitLab team members and should meet the basic needs of a secure and private product. ProtonVPN may have a slight edge in preference as the clients are open source.
If you desire, you could consider using two personal VPNs, with one as the primary and a second one as a backup in the event the primary VPN failed to function properly. For example if you are using NordVPN, you might want to use the free version of ProtonVPN as your backup in case NordVPN ever fails. You should be able to expense a second one if needed. but bear in mind the guidelines for expensing items, especially "Spend company money like it is your *own* money".
It should be noted that while these particular brands were tested by the Security Team (and are the most common in use in an informal survey of Security Team members), other features may lead you to explore other offerings. These just happen to be products that Security examined. If you choose to use another personal VPN, keep in mind that ExpressVPN offers free online testing tools at their website, there are plenty of online reviews comparing products in head-to-head trials you can review, and if you have further questions feel free to ask the Security Team in the #security Slack channel.
#security as there will certainly be discussion of such issues as the Security Team hears about them.#security Slack channel.