I've seen vendors offering this technique or similar, but making it "opt-in". For example, Okta Access Gateway used to perform a reverse tunnel out to an Okta managed IP, but you had to enable the "Support VPN" option on the device. https://help.okta.com/oag/en-us/content/topics/access-gatewa... Seems like they dropped the feature, not sure if from customer backlash, or their security engineering teams finally realizing that it's risky. However, it was at least documented, and customer toggleable.