I have a hardware firewall Protectli vault running pfSense which is enforcing an always-on ProtonVPN connection and NextDNS to filter websites. My youngest child is not the admin of his machine and appears to be protected. My older kids are admins of their machines and have just installed free VPNs which seem to magically undo all my hard work. Enabling “block bypass methods” in NextDNS doesn’t work. I’m able to just turn on a local VPN on my machine and access all blocked websites.
My philosophy is that it’s my network including ISP service that I pay for, and it’s their machine. So they can do what they want outside my network, but on my network there are some things I want to make sure are blocked. So philosophically, I’m willing to do whatever I need to on the network to block certain sites without touching their machines. Thirty minutes of searching seems to suggest I’m powerless. Is it really true that with my setup there’s nothing I can do to block specific websites for VPN users on my own network? Can this be right? What options do I have?
I’m going to be mean here: you’re looking for a technical solution to a parenting problem.
Kids are like prisoners. They have ALL DAY to try and figure out a way to ‘escape’. No matter how much time you put into devising a technical solution, they will find a way around it. The harder you make it, the harder it’ll be to detect what they’re doing.
This is a parenting situation. You need to have some honest talks with your kids, tell them what the boundaries are, why they are important, and what the consequences of breaching those boundaries are.
Kids are sponges for information. They are probably curious about various things: sexuality, their bodies, relationships, etc. Give them that information. Much better coming from you than from some random source on the net.
Avoid ‘forbidden fruit’, especially with information. As an example, alcohol was never a forbidden fruit in my house growing up. If I wanted a taste of wine or beer, my parents would let me. The liquor cabinet was never locked. The boundaries were clear. When I hit college I didn’t go on a binge like so many of my classmates did. Beer wasn’t this thing I was curious about for years but was never allowed to touch. Obviously not everyone would react as I did, and alcoholism is a real thing, but the approach is often sound.
Is it really true that with my setup there’s nothing I can do to block specific websites for VPN users on my own network? Can this be right? What options do I have?
Your only real option is to not “parent by technology”. As you have found, trying to lock everything down will result in them finding ways around all of your blocks and not having open and honest discussions with you as they try to hide things.
Sure, you can block VPNs in various ways, but then they can SSH tunnel to a free VPS and get around your blocking. So you block SSH outbound, but they then SSH tunnel over 443 and you can’t stop that unless you get a far more capable firewall and do layer 7 filtering. How do I know? Because this is how I got around blocks at school over 20 years ago.
So they can do what they want outside my network, but on my network there are some things I want to make sure are blocked. So philosophically, I’m willing to do whatever I need to on the network to block certain sites without touching their machines.
Then don’t give them access to your network. You essentially have “untrusted” endpoints on your network so you can’t stop them running stuff that will get around your controls. Even restricting outbound access to very few permitted ports won’t stop them getting around stuff.
enforcing an always-on ProtonVPN connection
I’m curious what benefit you think forcing all of your home traffic through a VPN gives you, other than increased latency and decreased throughput.
You mention your philosophy and a lack of power. Have you considered reading Michel Foucault?
Some others have given you direction on the whack-a-mole. Others have talked about approaching this as more of a social/parenting problem. Both have merit, but I think you need to come to terms with the limits of control.
In a work scenario, I prefer not to block VPNs, but detect them. Action it as an HR issue. But that’s work, and people putting VPNs on the network is a risk to company, and in some cases, national security assets. It’s not because I’m blocking porn, because I tend to try to talk people out of that idiocy too; if it’s really an issue, logging it and dealing with it at the human resources level is far more constructive. Anyone that’s watching porn instead of working will presumably do something else instead of working as well. And if someone is getting their work done while listening to porn in the background? Weird, but what the fuck do I care?
Free VPN software is all it takes to destroy my firewall rules?
Consider: why is the Chinese government frowning upon the use of VPNs? :)
My philosophy is that it’s my network including ISP service that I pay for, and it’s their machine. So they can do what they want outside my network, but on my network there are some things I want to make sure are blocked.
There’s really no such thing as a “network” (it’s just a convenience term). Rather, there’s connectivity (physical wires or airwaves that connect devices) and addressing (DNS, DHCP, and whatnot). And they are very much separable. You can overlay a whole new addressing system (more than one, if you must) on top of a physical network (that’s what virtual networking is all about). So your kids are using your connectivity with their own addressing.
What options do I have?
You have the option of facing the root cause of the problem: something is broken in your relationship with your children. So consider therapy… Whether it has to be therapy for you, the kids, or the whole family, I don’t know (that’s where professionals come in)… What worries me in your telling of the situation is the incessant use of proprietor’s language: “service that I pay for”, “my network”, “things I want to make sure are blocked”. This is indicative of authoritarian tendencies. And in the long-run, those tend to resolve in one of two ways, (1) the parent abandons or relaxes authoritarian attitudes, or (2) children, once they reach adulthood, abandon the parent. There’s also a third, more extreme: children act out by running away or attempting self-harm…
which is enforcing an always-on ProtonVPN connection
Why do you have all your traffic going over a VPN? What benefits are you realizing? Privacy aside, not all traffic really needs to go through a VPN.
Have you considered the added latency which could be affecting game play?
Instead of parenting by technology, why not reward their resourcefulness? What about actually parenting and talking to them, you know, that thing our parents had to do?
You are going about this the wrong way. This is the perfect chance to teach them, challenge them, reward them. Not trying to use technology as a replacement.
You give admin access to your children’s laptops? First move that’s a problem then. Secondly, why not just turn off their access to the internet completely at specific times? Then, I assume you give them phones with phone contracts, they’ll have parental controls too.
Even then they’ll find a way, so, it’s what it is.
That is how VPNs work. Tunnels all traffic through your gateway to a remote machine that connects to the internet. As others have suggested you would have to block use of VPNs.
What you are fighting against really was always the beauty of VPNs. Without touching their machine, you can’t even do deep packet inspection well. You can try blocking known VPN IPs, but there might be thousands, and there will always exist a way around it if they are motivated.
They could even start using Tor with bridges for entry nodes, and then you’re really SOL.
So, yeah, you lost.
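The two replies above converge on the same practical point: port- and IP-based blocking is a losing game, but detecting probable VPN or tunnel use on your own network (and then having the conversation) is feasible. As an added illustration, not code from anyone in this thread, the script below runs three detection heuristics over constructed per-connection flow summaries: a hit on a well-known VPN protocol port (OpenVPN 1194, WireGuard 51820, IKEv2/IPsec 500 and 4500), a destination inside a placeholder list standing in for a provider’s published server ranges, and a single long-lived, high-volume flow to one external host, which is what a whole machine’s traffic looks like once it is funnelled through a tunnel over 443. The flow records, the address ranges and the thresholds are all constructed for the example; pfSense does not emit this format, so a real deployment would first summarise its firewall or NetFlow data into these fields.

```python
"""Flag LAN hosts whose outbound flows look like VPN or tunnel traffic.

Added example: heuristics over constructed flow summaries, not pfSense output.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Flow(NamedTuple):
    src: str      # LAN host
    dst: str      # external destination
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    seconds: int  # connection duration
    nbytes: int   # bytes transferred in both directions


# Constructed sample flows (labelled as constructed; addresses are documentation ranges).
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "203.0.113.10", "udp", 51820, 3600, 850_000_000),   # WireGuard-like
    Flow("192.168.1.21", "198.51.100.5", "udp", 1194, 1800, 120_000_000),    # OpenVPN default port
    Flow("192.168.1.22", "203.0.113.99", "tcp", 443, 7200, 2_000_000_000),   # one heavy TLS flow for hours
    Flow("192.168.1.22", "93.184.216.34", "tcp", 443, 12, 80_000),           # ordinary web fetch
    Flow("192.168.1.23", "198.51.100.77", "udp", 3478, 900, 50_000_000),     # STUN/VoIP-like, should not flag
]

# Placeholder for a provider's published VPN server ranges (constructed, not a real list).
KNOWN_VPN_RANGES = [ip_network("203.0.113.0/24")]

# Default ports of common VPN protocols: OpenVPN, WireGuard, IKEv2/IPsec and NAT-T.
VPN_PORTS = {("udp", 1194), ("tcp", 1194), ("udp", 51820), ("udp", 500), ("udp", 4500)}

# A tunnel carrying all of a host's traffic shows up as one flow that is both
# long-lived and heavy; requiring both keeps short streams and big downloads out.
LONG_FLOW_SECONDS = 3600
HEAVY_FLOW_BYTES = 1_000_000_000


def in_known_ranges(dst: str) -> bool:
    """True if the destination falls inside any configured VPN range."""
    addr = ip_address(dst)
    return any(addr in net for net in KNOWN_VPN_RANGES)


def classify_flow(flow: Flow) -> list[str]:
    """Return the sorted list of detection reasons that apply to one flow."""
    reasons = set()
    if (flow.proto, flow.dport) in VPN_PORTS:
        reasons.add("vpn_port")
    if in_known_ranges(flow.dst):
        reasons.add("known_vpn_range")
    if flow.seconds >= LONG_FLOW_SECONDS and flow.nbytes >= HEAVY_FLOW_BYTES:
        reasons.add("long_heavy_single_flow")
    return sorted(reasons)


def find_vpn_suspects(flows: list[Flow]) -> dict[str, list[str]]:
    """Map each LAN host to the union of reasons seen across its flows; clean hosts are omitted."""
    hits: dict[str, set[str]] = defaultdict(set)
    for flow in flows:
        reasons = classify_flow(flow)
        if reasons:
            hits[flow.src].update(reasons)
    return {src: sorted(reasons) for src, reasons in hits.items()}


if __name__ == "__main__":
    for host, reasons in find_vpn_suspects(SAMPLE_FLOWS).items():
        print(f"{host}: {', '.join(reasons)}")
```

Only the third heuristic catches the tunnel-over-443 case, and it would also flag a legitimate multi-hour video stream to a single CDN node, so treat the output as a prompt for a conversation rather than a verdict; that is exactly the “detect, then deal with it at the human level” approach the work-scenario reply describes.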
How old are we talking about? What’s going to stop them from tethering to their phone? Have you not sat down and had a talk about this? If your kids are in their 20s or 30s well, that’s a whole different thing that you face.
If they’re younger, by blocking stuff you will actually get them interested in technology, though. This was how I first got into “hacking” and proxies. I had to figure out how to get around the blocks lol
Listen, you’ve protected them well from what they can access until now. However, such measures should only be used to buy time to teach them good judgement and the understanding that they can access unlawful things if they try. By the age they install VPNs they should be well aware that they should not access such things regardless of capability. This remains in place even after considering the “complete anonymity” and “total security” promises from VPN companies. Also, I’m not proposing an alternative to teaching this or delaying it now; I reckon you and many people answering here had to learn good judgment with online activities.
As others have clearly stated, this isn’t a technology problem. You can’t replace good parenting with barriers.
I don’t know why anyone would spend so much time and effort trying to keep their kids in a jail when they could easily track what they’re doing and have honest conversations with them about it.
They can just unplug your firewall and plug the modem directly into your router, and if they don’t have access they can just factory default the router. I worked for Netgear for 10-plus years, and a common complaint we got from parents who tried this was that eventually their kids would just reset the router to factory settings and set it up again, bypassing everything they had. If you are looking to block access on mobile devices you would need an MDM solution, then restrict the apps they can install and download. The MDM would be effective even if they use other networks. Use your MDM configuration to block VPNs and such things from being installed.
I recently had a case where a boss had a similar situation and he was looking for the cheapest solution. I told him to ask the employee to come to the office and sit next to him; that’s your best solution. Any other option, they will find a way around it.
Install monitors, monitor their online activity, have a talk with them about what’s acceptable and what isn’t, and outline punishment for violations of the agreement. If you wanna prepare them for the real world, make them sign an acceptable usage policy.