Setup VPN on kids phones while out

Comments

6 comments

  • Firewalla

    The only way to control phones that way is to use MDM or EMM tools to configure a special profile and inject it into those phones. There may be some consumer MDM; we have not experienced many of them.

  • Shaun Williams

    I realize the OP is two years old so I'm not sure if the approach I am using today was possible back then but I believe I am accomplishing this without MDM profiles. 

    To be clear, my kid devices are iOS. I am making use of the VPN on Demand feature to make this happen (not sure if Android has this). VPN on Demand basically auto-connects to your desired VPN when the WiFi SSID is not your home SSID(s) and/or you are on the cellular network.

    To make this work, configure WireGuard on the Firewalla, then install the WireGuard app on the iOS device. Use the app to configure a tunnel. When you configure the tunnel in the iOS app, be sure to scroll to the bottom and enable the On Demand activation. In my case, I have it activated for cellular AND for all WiFi not equal to the SSID used by the kids. At the top of this screen, be sure On Demand is enabled. Then head over to the iOS Settings app and select VPN. Next, tap the info icon next to the VPN tunnel you configured in the WireGuard app and enable "Connect On Demand". That's it!

    I've been testing this for the past few days on both my device and the kid device. It works flawlessly and you wouldn't even know you were on VPN unless you catch the split-second display of the VPN icon where the normal WiFi or carrier speed icon would be as it connects to WireGuard. When we leave the house (or if kid tries to drop off WiFi and go cellular), it very quickly and automatically connects to the VPN. You can then see the traffic from the device on the WireGuard network segment in Firewalla.

    The most important thing to note is that a device connected via WireGuard appears to Firewalla as a different device than it does when connected via the on-premise network.  This means you'll want to copy any special rules or filtering from the on-premise kid device to the kid device in the WireGuard network segment.   

    In my tests, with the configuration mentioned above, if I (or kid) try to turn off VPN in the iOS Settings, it immediately reconnects to VPN, essentially preventing the kids from disabling the VPN. Now, if they get curious enough to poke around in the WireGuard app I might have an issue; however, the settings are sufficiently technical enough that I believe my daughter wouldn't mess with these settings. If it gets to that point, I believe I could use something like OurPact (which DOES use MDM profiles) to hide the WireGuard app icon from her view on the device... but I'm not there yet. For now, it's all working exactly as I expected and it's very seamless.

     

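Added example, not part of any comment in this thread and not Firewalla or WireGuard code: a small model of the On Demand setup described in the comment above (VPN off on the kids' home SSID, on for every other WiFi and for cellular), used to check which networks would leave the phone outside the tunnel. It assumes first-matching-rule evaluation and uses the key names of Apple's VPN On Demand payload (`OnDemandRules`, `Action`, `InterfaceTypeMatch`, `SSIDMatch`); the SSIDs and function names are constructed for illustration.

```python
# Added example: models on-demand rule evaluation (first matching rule wins).
# SSIDs are constructed placeholders; function names are hypothetical.
import plistlib

HOME_SSIDS = ["KidsHomeWiFi"]  # constructed placeholder for the kids' home SSID

def build_rules(home_ssids, cover_cellular=True):
    """Rules for: stay off VPN on home WiFi, connect on other WiFi (and cellular)."""
    rules = [
        {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi", "SSIDMatch": list(home_ssids)},
        {"Action": "Connect", "InterfaceTypeMatch": "WiFi"},
    ]
    if cover_cellular:
        rules.append({"Action": "Connect", "InterfaceTypeMatch": "Cellular"})
    return rules

def evaluate(rules, interface, ssid=None):
    """Return the action of the first rule matching this network, else 'NoMatch'."""
    for rule in rules:
        if rule.get("InterfaceTypeMatch", interface) != interface:
            continue  # rule is scoped to a different interface type
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue  # rule is scoped to SSIDs that do not include this one
        return rule["Action"]
    return "NoMatch"

def uncovered(rules, networks, home_ssids):
    """List away-from-home networks on which the tunnel would not come up."""
    return [
        (iface, ssid) for iface, ssid in networks
        if not (iface == "WiFi" and ssid in home_ssids)
        and evaluate(rules, iface, ssid) != "Connect"
    ]

def to_plist(rules):
    """Serialize the rules as an OnDemandRules fragment of a VPN payload."""
    return plistlib.dumps({"OnDemandEnabled": 1, "OnDemandRules": rules})

# Constructed test matrix: home WiFi, two foreign WiFi networks, and cellular.
NETWORKS = [("WiFi", "KidsHomeWiFi"), ("WiFi", "FriendHouse"),
            ("WiFi", "CafeGuest"), ("Cellular", None)]

if __name__ == "__main__":
    full = build_rules(HOME_SSIDS)
    wifi_only = build_rules(HOME_SSIDS, cover_cellular=False)
    for iface, ssid in NETWORKS:
        print(f"{iface:8} {ssid or '-':14} -> {evaluate(full, iface, ssid)}")
    print("gaps (cellular + WiFi):", uncovered(full, NETWORKS, HOME_SSIDS))
    print("gaps (WiFi only):      ", uncovered(wifi_only, NETWORKS, HOME_SSIDS))
```

With cellular left out of the activation settings, the model reports cellular as an uncovered network, which is the case the comment guards against by enabling On Demand for both cellular and non-home WiFi.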
  • Firewalla

    Thank you for the post, this is very helpful 

  • Alex M

    Excellent stuff.

    Is there something similar for Android?

  • Shaun Williams

    I’m not sure about Android. We are an Apple household. Given that iOS and Android compete with each other I would assume they have something similar but maybe called something different than VPN on Demand.

