VPN Server and time restrictions on internet use
Hi, I just bought a Firewalla purple and am starting to think about how I will set it up, whether in transparent bridge mode or as my router. Currently I use Omada SDN including the Omada router, switches, and wireless access points.
So my first question is: if I use the Firewalla in router mode and can thus use its VPN server, when users are logged in, are all the Firewalla device-based restrictions applied? In other words, say I have my kids' iPhones restricted on the network (e.g., no internet after 2 am) using Firewalla. If the kids turn off Wi-Fi and go to cellular data, but I have forced them to use the Firewalla VPN on the iPhones, will their traffic be routed back through my Firewalla-restricted home network with all of the time restrictions? I realize Firewalla can't force an iPhone to use a VPN, but I believe Apple's own enterprise management software will let me do that.
Same question if I use the transparent bridge mode for Firewalla: then I can still use the VPN server on my Omada router, and if I force all the kids' phone internet traffic into my home network that way, will all of the Firewalla time restrictions work?
-
Well, I was going to use Apple Configurator and the instructions here:
https://www.howtogeek.com/218851/how-to-enable-always-on-vpn-on-an-iphone-or-ipad/
However, it looks like you need to use an IKEv2 VPN, which I don't think WireGuard is.
-
@Firewalla I am thinking about what @cliff is doing as well to manage my kids' devices: being able to use Apple Configurator to apply an always-on VPN so that their home policy can also apply to their cellular data. I think you guys mentioned that you could add IKEv2 as an OOTB feature if enough people are interested. I would be interested in an IKEv2 VPN and think it would be a killer feature.
In theory, this should work and it would be a compelling feature for folks looking for a complete parental control feature at home and away.
Apple Configurator + Firewalla + IKEv2 VPN
1. Assuming that the kid's phone can still make phone calls or SMS texts for emergencies.
2. Assuming that I am able to associate the device so that the parental control policy can apply both to my home network and when the kid is using LTE data.
3. I am OK with the kid's device not being able to connect to the internet if the VPN server is down for whatever reason.
4. Add Apple Screen Time as needed for finer iOS control.
Assuming that this is true, I am sure other parents would want this feature if you can make this straightforward within Firewalla.
Just a thought I have been thinking about, and I am glad I found this post and Firewalla.
-
Most definitely. While everything is possible with enough time and Google, I would rather not be spending time worrying about whether I did it correctly. This was a reason why I almost considered something like pcWRT, which has it (IKEv2 VPN) built in, but it lacked many of the Firewalla features that I am looking for.
I know that the @firewalla team needs to prioritize feature requests, and I don't think I have read anywhere that presented this configuration for this use case in simple words other parents can understand. I get that Apple Configurator might be a bit much for most parents, but there are many how-tos online that make it not so scary. We own our kids' devices, so adding an always-on VPN policy is not an issue.
It would be great if someone from @firewalla could take a look at this request and vet the technical soundness of this approach. If it all checks out, then I think you can look at how you can market it as a complete home-and-away parental control solution. I have yet to see something for consumers that is marketed this way that didn't include some kind of subscription and an app that you need to install on iOS. iOS makes it hard, but if you control the network you can accomplish what most parents really want. While Screen Time kind of works, I am just frustrated with its UI and how it sometimes just stops working until I reboot iOS.
Another wish-list item for turning the internet on/off is to be able to provide data for core iOS features. For example, disable the internet but not the following services:
- iMessage
- Facetime
- Apple or Google Maps
This way they can still have their phone without internet but keep the other features for navigation and basic communication on their iPhone.
I feel like all the pieces are here; we just need to make it simple. @firewalla If you build it, he will come :)
-
Here is a step-by-step article for anyone interested.
https://www.perfect-privacy.com/en/manuals/ios_ipsec_alwayson_supervised
It's pretty straightforward, well documented, and supported by Apple. While it's not as easy as the current FW Server VPN options, it is something that folks will do if they know the level of control that is possible with this approach.
@Firewalla, all you need to do is add an IKEv2 VPN server and a quick how-to that references the above article. I am sure your marketing team can come up with some end-to-end parental control material that will resonate with parents who are only buying FW for parental control.
-
I don't think Apple Configurator and IKEv2 are required to support this use case. Please see my post today in the "Setup VPN on kids phones while out" thread. It's working for me (forcing my kids' iOS devices to connect to the VPN and preventing the child from disabling the VPN) without any of that stuff mentioned above.
-
@shaunwilliams thank you for providing an alternative approach. However, your comment, "if they get curious enough to poke around in the WireGuard app I might have an issue; however, the settings are sufficiently technical enough that I believe my daughter wouldn't mess with these settings," is a cat-and-mouse game, my friend :). I still want to see IKEv2 as an out-of-the-box feature, and I really don't think it will be hard for Firewalla to do. It will benefit this use case and other folks who are looking for more VPN options.
Personally, I would use the WireGuard VPN for my own use without any parental control at the network level. I would then only use the IKEv2 VPN network with parental control.
-
@okwon - I agree with you on the cat-and-mouse game for most kids; however, unfortunately, my daughter isn't known for trying to find solutions to problems, especially technical ones. She gives up really easily. I would love for this to change and for me to need to up my game with her in this regard. In fact, I welcome the challenge :) But at this point she still doesn't even have any idea that she is connecting back to the home network when she is not on the kids' Wi-Fi network. It's that seamless.
If necessary, I can hide the WireGuard app icon from her view of available apps with OurPact if I need to do so. But for now I have a working solution without waiting on Firewalla to release something new.
I haven't done any research on IKEv2 (which I need to do now that it has been mentioned here), and I have been an iOS developer and all-around Apple fanboy since about 2008ish, but I haven't used Apple Configurator either.
If Firewalla releases support for this, it's definitely something I will look into now that it has been brought to my attention.