VPN Server and time restrictions on internet use

Comments

17 comments

  • Firewalla

    If you use WireGuard you should be able to identify the user + add policies per profile. If you can use EMM/MDM to force VPN on devices, then it should work nicely. 

     

    0
  • Cliff Stevens

    Thanks, actually it seems I can use the WireGuard VPN server in Firewalla regardless of whether I use router mode or transparent bridge mode (it's only the VPN client feature that doesn't work in bridge mode). Is that right?

    0
  • Firewalla

    VPN Server part will work regardless of router or bridge mode.

    If you ever make EMM/MDM work, let me know what solutions you pick. These things are too complex to play with, and we are interested if there are any simpler solutions.

    0
  • Cliff Stevens

    Well, I was going to use Apple Configurator and the instructions here -

    https://www.howtogeek.com/218851/how-to-enable-always-on-vpn-on-an-iphone-or-ipad/

    However, it looks like you need to use an IKEv2 VPN, which I don't think WireGuard is.

    0
  • Firewalla

    Thank you @cliff, will get someone to look at this for sure.

    0
  • okwon

    @Firewalla I am thinking about what @cliff is doing as well to manage my kid's devices. Being able to use Apple Configurator to apply always-on VPN so that their home policy can also apply to their cellular data. I think you guys mentioned that you could add IKEv2 as an OOTB feature if enough people are interested. I would be interested in IKEv2 VPN and think it would be a killer feature.

    In theory, this should work and it would be a compelling feature for folks looking for a complete parental control feature at home and away.

    Apple Configurator + Firewalla + IKEv2 VPN

    1. Assuming that the kid's phone can still make phone calls or SMS texts for emergencies.

    2. Assuming that I am able to associate the device so that the parental control policy can apply both to my home network and when the kid is using LTE data.

    3. I am OK with the kid's device not being able to connect to the internet if the VPN server is down for whatever reason.

    4. Add Apple Screen Time as needed for finer iOS control.

    Assuming that this is true, I am sure other parents would want this feature if you can make this straightforward within firewalla.

    Just a thought I have been thinking about and I am glad I found this post and firewalla.

     

     

    1
  • Cliff Stevens

    That would be awesome if Firewalla added IKEv2 VPN. @okwon, another option I plan to try is to just set up a strongSwan VPN server and use that instead of the Firewalla VPN server options. But I'd prefer not to have to deal with that, as would most Firewalla users, I imagine.

    0
  • okwon

    Most definitely. While everything is possible with enough time and Google, I would rather not be spending time worrying about whether I did it correctly. This was a reason why I almost considered something like pcWRT that has it (IKEv2 VPN) built in, but it lacked many of the Firewalla features that I am looking for.

    I know that the @firewalla team needs to prioritize feature requests, and I don't think I have read anywhere that presented this configuration for this use case in simple words other parents can understand. I get that Apple Configurator might be a bit much for most parents, but there are many how-tos online that make it not so scary. We own our kid's devices, so adding an always-on VPN policy is not an issue.

    If someone from @firewalla can take a look at this request and vet out the technical soundness of this approach.  If it all checks out then I think you can then look at how you can market it as a complete home and away parental control solution.  I have yet to see something for consumers that is marketed this way that didn't include some kind of subscription and app that you need to install on iOS.  iOS makes it hard, but if you control the network you can accomplish what most parents really want.  While screen time kind of works, I am just frustrated with its UI and how it sometimes just stops working until I reboot the iOS.

    Another wish list on turning on / off the internet is to be able to provide data for core iOS features.  Example, disable the internet but not the following services:

    • iMessage
    • FaceTime
    • Apple or Google Maps

    This way they can still have their phone without internet but have the other features for navigation and basic communication on their iPhone.

    I feel like all the pieces are here, we just need to make it simple.  @firewalla If you build it, he will come :)

    0
  • Firewalla

    Let me escalate the IKEv2 VPN that works with mobile devices, and see if we can do anything. This will be a server-only feature, if we do anything. I have kids too, they are getting smarter.

    0
  • Firewalla

    BTW, IKEv2 will be a server-only function; there is no client, if we decide to build it.

    2
  • GP

    Count me in for this request. The ability to enable an always-on VPN for mobile devices using Apple Configurator would be a very valuable feature for parents.

    1
  • Firewalla

    I am curious if any of you have used the Apple Configurator and can share some experience on the usability part.

    0
  • okwon

    Here is a step-by-step article for anyone interested.  

    https://www.perfect-privacy.com/en/manuals/ios_ipsec_alwayson_supervised

    It's pretty straightforward, well-documented, and supported by Apple. While it's not as easy as the current FW Server VPN options, it is something that folks will do if they know the level of control that is possible with this approach.

    @Firewalla, all you need to do is add an IKEv2 VPN Server and a quick how-to that references the above article. I am sure your marketing team can come up with some end-to-end parental control material that will resonate with parents that are only buying FW for parental control.

    0
  • okwon

    Please upvote this thread at the very top if you are interested. The more upvotes this thread gets, the more it will help Firewalla prioritize this feature request. Thank you in advance for upvoting!

    1
  • Shaun Williams

    I don't think Apple Configurator and IKEv2 are required to support this use case. Please see my post today in the "Setup VPN on kids phones while out" thread. It's working for me (forcing kid's iOS device to connect to VPN and preventing child from disabling VPN) without any of that stuff mentioned above.

    0
  • okwon

    @shaunwilliams thank you for providing an alternative approach. However, your comment, "if they get curious enough to poke around in the WireGuard app I might have an issue; however, the settings are sufficiently technical enough that I believe my daughter wouldn't mess with these settings" is a cat and mouse game, my friend :). I still want to see IKEv2 as an out-of-the-box feature and I really don't think it will be hard for Firewalla to do. It will benefit this use case and other folks that are looking for more VPN options.

    Personally, I would use the WireGuard VPN for my use without any parental control at the network level. I would then only use the IKEv2 VPN network with parental control.

    0
  • Shaun Williams

    @okwon - I agree with you on the cat and mouse game for most kids; however, unfortunately, my daughter isn't known for trying to find solutions to problems, especially technical ones. She gives up real easy. I would love for this to change and for me to need to up my game with her in this regard. In fact, I welcome the challenge :) But at this point she still doesn't even have any idea that she is connecting back to the home network when she is not on the kids' WiFi network. It's that seamless.

    If necessary, I can disable the WireGuard app icon from her view of available apps with OurPact if I need to do so. But for now I have a working solution without waiting on Firewalla to release something new. 

    I haven't done any research on IKEv2 (which I need to do now that it has been mentioned here), and I have been an iOS developer and all-around Apple fanboy since about 2008ish, but I haven't used Apple Configurator either.

    If Firewalla releases support for this it's definitely something I will look into since it has been brought to my attention.

     

    0