Setup VPN on kids phones while out
-
I realize the OP is two years old so I'm not sure if the approach I am using today was possible back then but I believe I am accomplishing this without MDM profiles.
To be clear, my kid devices are iOS. I am making use of the VPN on Demand feature to make this happen (not sure if Android has this). VPN on Demand basically auto-connects to your desired VPN when the WiFi SSID is not your home SSID(s) and/or you are on the cellular network.
To make this work, configure WireGuard on the Firewalla then install the WireGuard app on the iOS device. Use the app to configure a tunnel. When you configure the tunnel in the iOS app be sure to scroll to the bottom and enable the On Demand activation. In my case, I have it activated for cellular AND for all WiFi not equal to the SSID used by the kids. At the top of this screen be sure On Demand is enabled. Then head over to the iOS settings app and select VPN. Next, tap the info icon next to the VPN tunnel you configured in the WireGuard app and enable "Connect On Demand". That's it!
I've been testing this for the past few days on both my device and the kid device. It works flawlessly and you wouldn't even know you were on VPN unless you catch the split-second display of the VPN icon where the normal WiFi or carrier speed icon would be as it connects to WireGuard. When we leave the house (or if kid tries to drop off WiFi and go cellular), it very quickly and automatically connects to the VPN. You can then see the traffic from the device on the WireGuard network segment in Firewalla.
The most important thing to note is that a device connected via WireGuard appears to Firewalla as a different device than it does when connected via the on-premise network. This means you'll want to copy any special rules or filtering from the on-premise kid device to the kid device in the WireGuard network segment.
In my tests, with the configuration mentioned above, if I (or kid) try to turn off VPN in the iOS Settings, it immediately reconnects to VPN, essentially preventing the kids from disabling the VPN. Now, if they get curious enough to poke around in the WireGuard app I might have an issue; however, the settings are sufficiently technical enough that I believe my daughter wouldn't mess with these settings. If it gets to that point, I believe I could use something like OurPact (which DOES use MDM profiles) to hide the WireGuard app icon from her view on the device... but I'm not there yet. For now, it's all working exactly as I expected and it's very seamless.
-
It looks like Android DOES have VPN on Demand. https://docs.pulsesecure.net/WebHelp/PulseWorkspaceAppliance/2.0.1903/pws_1903_admin/Responsive%20HTML5/pws_1903_admin/Workspace_Management/Configuring_VPN_On_Demand_on_Android_Devices.htm