I’m open to blocking the use of VPNs. Is there a relatively simple way to do this, or is it a whack-a-mole game of blocking ports, URLs, etc. and they only need to find one sleazy free VPN I didn’t think of and it’s game over?
And it would break so many other things making a modern machine almost useless online
And that wouldn’t work in this case, so there’s that…
Plus route traffic through a proxy, only allowing http/https after having been decrypted to pass through.
What are you going on about?
I’m sure I misunderstand, which is why I was asking for help.
“create a VPN tunnel to your firewall for the devices to use and base your rules on that interface.” I’m afraid I don’t understand this either. If you’re willing to explain, I’d be grateful.
And then the kids move onto SSH tunnelling over port 443.
This is just prolonging the arms race and making the kids even more likely to hide things from op and increase their distrust/disdain for them.
Interesting, thanks! I tried using pfblockerng to block specific websites (instead of NextDNS) and it was also undone by VPNs (which is apparently a surprise to no one but me). I will look into what you’re suggesting. If you have any recommended how-to’s for what you’re describing, I’d be grateful for any pointers.
I love anecdotes like this - got one too:
A hostess who was 15 at the restaurant I worked at once told me her parents tracked her on her phone 24/7. I remember being baffled and letting her know.
She would later go off to college and get fucking pregnant IN THE FIRST SEMESTER… all I could do was shake my head at that one. It was in the cards.
On the plus side, she’s now a teacher, finished her degree and is married to her baby daddy, but not all stories have happy endings like that.
DON’T HELICOPTER PARENT your kids.
It’s a shame you didn’t accept the message, hopefully you find a solution
Eventually, one of the computer teachers pulled me aside. They told me to keep it to myself, don’t do anything stupid using school computers, and that they don’t want to see it. I agreed and they agreed not to take the issue further.
Sort of how it went with me during 6th form, though I told the IT guys what I was doing and they took the stance of “we know you, we don’t care, don’t do anything stupid, don’t tell anyone else” and it was all good.
The only reason I was doing it was to have access to my files and music stored at home on my personal laptop over the WiFi they gave us in the 6th form block XD
Secondary school never really worked out who was getting around their blocks, or how I ended up setting the homepage of all of the computer room PCs to Astalavista…
You are most welcome, but really this does come down to the fact that you are currently trying to parent by technology because of that naive understanding. You really would be far better served by having open and honest conversations with them, enhancing understanding & respect and then the tech can be far lighter touch.
A potentially better approach would be having comprehensive monitoring so you can see if they have been excessively doing what you don’t want them to do.
I’m still coming back to the question of why are you forcing all of your traffic through a VPN?
Personally, I intend to do exactly this.
And every time my kiddo manages to get by it, they’ll get rewarded.
Bonus award if a month goes by and they tell me.
And if you were working in the industries I’m thinking of, loading your work files onto a personal device may be a criminal offense in and of itself. No, you do not have the right to load F22 blueprints to whatever device you feel most comfortable working on.
And yes, my answer is to relax the strings on the device and focus on detecting true problem behavior, rather than trying to nanny-PC the shit out of the workers.
Edit: even without the sort of “defense contractor, your preference may be minor treason”, using your own device and bypassing security may be a problem. Another good example? The big stock brokerages absolutely will try to have you prosecuted for that shit. But it’s generally not your call where your company’s data is safe, unless you’ve been told as much. There are companies out there that have combined the locked-down nanny-pc with a wild west BYOD. They tend to be the ones shouting from the rooftops that BYOD is “just better”. And yeah, if you have a 5-10 year lifecycle for PCs, and insist on running a suite of agents, and software that measures productivity, and go with the lowest bid PC you can get that will supposedly run your software, the actual user productivity will be in the toilet. My personal favorite are a couple companies that perennially get it in their head to more closely monitor their CSRs. These are relatively small, busy support departments, and every fucking time their call throughput (measured through the existing PBX and CSR software) drops by more than 10%. Pull the owner aside and say “look, if there’s one department you have that doesn’t need the nannying, it’s the goddamn CSRs”; for some reason, they’re never trying to nanny the sales or art department, which are heavily populated with family members.
I have no desire to engage in a Red Queen’s Race or game of whack-a-mole. I assumed that wouldn’t apply in a situation where I pay the ISP bill and physically control the router and hardware firewall. And apparently I was wrong.
No kidding
I dual-booted our family PC when I was in high school
My parents had no idea that I wasn’t even using the software that they set up
I actually think your worth as a human being is immense and worth protecting, including the use of self-reflection and therapy when needed. So is the worth of your children. With that in mind, I would like to encourage you to self-reflect.
As to the purported insight, I have none. I only observed what was there to observe, which wasn’t much.
Imagine you have a nosebleed. Maybe it’s nothing (you were trimming your nose hair and scratched the inside of your nose). Maybe you slipped and fell face forward. Maybe you have a cold sore up your nose. Maybe you have a life-threatening tumor developing in your nasal cavity. I have no idea; all I can see is a nosebleed. So all I have to say is, you ought to have it looked at…
The Chinese firewall hasn’t accomplished it for decades now, sorry, you have no hope
Pretty much the latter. There are common ports and protocols you can block, which will stop most VPNs - but you’re basically trying to play the role of “totalitarian state” while they play “dissident seeking information online”, without you having the ability to disappear them into a gulag (hopefully).
Once you give up control of the endpoint device, you’ve lost control; as soon as they can get to more than an AOL-style “walled garden” subset of the Internet, they can get to the rest of it one way or another.