Make them go touch grass?
This is why you block all the ports you don’t need. Generally, people are more worried about ingress than egress.
you can use DPI to check out the packet headers and filter based on that. Some of the more clandestine VPN connections won’t be caught with this method, but it should filter out most of the big ones and from there just add the pfblocker rules as an extra layer of protection.
Use something like DNSFilter.com on your networks and use it to block things like VPN services. But if your older kids are intelligent enough, and they probably are, eventually they’ll figure a way around it. There’s nothing you can do that won’t be able to be gotten around one way or another. You can block common VPN ports like 500, but they can just use a VPN that supports VPN over 443, which is what she needs to have open for secure websites.
I used the Circle with Disney Parental Controls and Filters device. I used it with pfSense but I wasn’t using a VPN so I can’t speak to how well it would block traffic over a VPN. I know it works by using ARP Poisoning.
There is an additional service for phones available by subscription.
You have a misunderstanding of how a VPN works, and it is WHY your firewall rules are *broken*, but not really.
A VPN establishes a connection between the device and the server. You have a connection between your firewall and Proton. This bypasses everything between those 2 devices.
You also have individual devices that have established their own connections between the device and the server hosting the VPN connection. How your firewall traffic bypasses the general internet is how the kids’ devices bypass your firewall and its rules.
Block the kids from creating their own VPN to utilize the firewall VPN. Or create a VPN tunnel to your firewall for the devices to use and base your rules on that interface.
Everyone’s also talking about addresses when you really should block ports. For example you could create a deny rule for port 51820 which is typically what NordVPN uses.
The nature of VPNs nowadays means that blocking by domain or IP is basically useless. You could use DPI for SSL which would block the certificates but that might not be needed.
My older children are 18+ and my philosophy at that point is to generally let them make their own decisions, but there are some things I’d like to block in my house and on my network for users of any age, including but not limited to my children. I realize this philosophy won’t be shared by everyone else and that’s ok. I wasn’t looking for parenting advice but for technical help. And it appears I have received an emphatic answer to my question. I had thought that because I pay the ISP bill and physically control the router and firewall that I would have more control over what happens on my network. I was apparently wrong. I’m dumbfounded that a free VPN can undo all the other work I’ve done, but am grateful for the education I received quickly here on reddit, even if it did come with a heaping helping of insults along the way.
Start with pfBlockerNG and block all known DNS over TLS services. Then find a VPN endpoint list and block them. Then block all the usual VPN ports.
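Added example, not from any commenter in this thread: a small Python model of the port-based egress deny list that this and earlier comments describe (IKE on 500, WireGuard on 51820, DNS over TLS on 853), run over constructed flow records, to show which flows such rules catch and why a tunnel riding TCP/443 passes untouched. The port-to-service mapping uses the protocols' well-known defaults; the flow record format and the sample addresses are assumptions.

```python
from dataclasses import dataclass

# Well-known defaults for the services the thread names (plus OpenVPN, IPsec
# NAT-T and PPTP defaults). Any client can be reconfigured to another port.
EGRESS_DENY = {
    ("udp", 500):   "IKE (IPsec)",
    ("udp", 4500):  "IPsec NAT-T",
    ("udp", 51820): "WireGuard default",
    ("udp", 1194):  "OpenVPN default",
    ("tcp", 1194):  "OpenVPN default",
    ("tcp", 1723):  "PPTP",
    ("tcp", 853):   "DNS over TLS",
}

@dataclass(frozen=True)
class Verdict:
    action: str  # "block" or "pass"
    reason: str

def evaluate(proto: str, dport: int) -> Verdict:
    """Apply the port deny list to one outbound flow; anything else passes."""
    key = (proto.lower(), dport)
    if key in EGRESS_DENY:
        return Verdict("block", EGRESS_DENY[key])
    if dport == 443:
        # The gap the thread points out: a tunnel over HTTPS looks like web
        # traffic to a port rule and needs DPI or an endpoint feed to catch.
        return Verdict("pass", "TCP/443 web traffic; tunnel not distinguishable by port")
    return Verdict("pass", "no matching deny rule")

# Constructed flow records in a hypothetical "<src> <dst> <proto> <dport>" format.
SAMPLE_FLOWS = """
192.168.1.20 203.0.113.5  udp 51820
192.168.1.21 203.0.113.9  udp 500
192.168.1.22 198.51.100.3 tcp 443
192.168.1.23 198.51.100.8 tcp 853
192.168.1.24 203.0.113.44 tcp 22
"""

def audit(text: str) -> dict:
    """Map each source host to the verdict its recorded flow receives."""
    results = {}
    for line in text.strip().splitlines():
        src, _dst, proto, dport = line.split()
        results[src] = evaluate(proto, int(dport))
    return results

def summarize(results: dict) -> tuple:
    blocked = sum(1 for v in results.values() if v.action == "block")
    return blocked, len(results) - blocked  # (blocked, passed)
```

Running `audit(SAMPLE_FLOWS)` blocks three of the five constructed flows; the TCP/443 flow passes, which is exactly the case the thread says needs DPI or a curated endpoint list on top of port rules.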
My original intentions were misunderstood, and I accept responsibility for not communicating more clearly. I am interested in blocking some activities on the network I own, even if my older children choose to do those same things on other networks or on their phones, which they own.
I curse and drink like a sailor, guess what was 100% off limits in my house growing up…
Nope. I was asking for technical answers about what is possible with networking hardware and software. And I received that answer from others, not from you.
Reminds me of my days of bypassing N2H2/BESS in high school. It was a constant cat and mouse game of them blocking stuff and me figuring out ways around it. They blocked personal email, games, and anything else they deemed was a waste of time, which was absolutely maddening.
Methods used:
- Set up a web based SSL proxy at home, tunneled all traffic through it (both via standard and nonstandard ports)
- Would rotate my public IP with a simple DHCP release/renew whenever they blocked it
- Eventually got tired of limited SSL proxy, and switched to Remote Desktop
- Used built-in mstsc client in Windows until they blocked it
- Used ActiveX Remote Desktop hosted at home, until they blocked ActiveX
- Carried a floppy with mstsc on it, later a USB drive
- Eventually they started blocking port 3389/TCP on outbound, so I switched to a random port on my home machine, and rotated it when blocked
I would also teach the other nerdy kids how to do it themselves. Eventually, one of the computer teachers pulled me aside. They told me to keep it to myself, don’t do anything stupid using school computers, and that they don’t want to see it. I agreed and they agreed not to take the issue further.
The computer teacher was a good guy. Took a few computer classes with him as they were easy. Would occasionally correct his technical mistakes in front of class. Had no scruples back then…
Thank you for the honest help and technical explanation unlike the parenting lectures I’m receiving from others. I obviously had a naive understanding of networking that you and others have helped to correct.
That just moves the arms race on a step and doesn’t do anything to address the underlying “problem” of OP trying to parent by technology.
I don’t disagree with you at all.
But I just want to highlight the focus on porn - I use a VPN on all my devices at work - not because I have ever sat to consume porn but simply because I don’t want to be tracked. That, and I usually just dial in home - for file shares and what-not too.
I use the public network and don’t use their stuff. (And when I really need to, I dial into a work Remote Desktop)
Bottom line is they lock down their machine so much that for the last 6 years I’ve just used my own devices. I need to regularly update my software and install drivers, compile firmware, do a whole lot of embedded electronics stuff - and their draconian lock down on IT equipment would mean I’d practically need an IT guy sat by my side for most of the shift some days.
That, and they just don’t understand why I need it all sometimes. So, working on my personal device it is. And no, they don’t get to pry, because that’s my choice. And if they really don’t like it, I have the built in 4G modem.
So, it’s not all about porn - I’m just a privacy nut.
Except giving them space to figure out new and innovative methods to defeat your security rules.
Red Queen’s race and they have the motivation to win it.
Dad, are you going to lock down the BIOS as well?
Even without admin, circumventing blocks is relatively trivial.
Wow. That escalated quickly. Amazing how much insight you got into my worth as a human being from a simple question about pfSense.