Mobile VPNs for kids' iPhones

I’d like to put a managed VPN on my kids’ iPhones. The idea is to have their internet access pipe back through the house so they are hardcoded to use an AdGuard server I have just for them. I already tried WireGuard, but that was a PIA and not as reliable. Tailscale doesn’t seem to give me the option to specify a DNS server. What else has anyone used? I like the idea of forcing the phones to NOT use the VPN when connected to a specific SSID, since DHCP hands out the DNS server already.

You probably want a proper MDM so you can set the relevant policies and enforce the VPN.

If it’s just for ads you could just stick ProtonVPN on there; it has servers which block ads too.

I learned a long time ago that kids are canny. They will invest a lot of time and effort into bypassing whatever you put in their way.
Far better to try to educate and have some honest conversations about what’s out there.

Kids don’t need an iPhone; buy them an old Nokia. And don’t let them use TikTok or Instagram if you love your kids.

Check out Desktop Central from ManageEngine. It’s free for up to 25 devices and includes an MDM, so you can force a VPN connection via the MDM in the interface. It also does location tracking and tons of other policies for mobile devices.

Edit: I forgot they changed the name to Endpoint Central.

OpenVPN is a lot easier to set up and manage than WireGuard.

A few years ago you used to need a VPN running the IKEv2 protocol to be able to have always-on VPN.

This was super easy to set up following directions.

Circle content filtering is the way.

Tailscale would be easier for the kids, but they’ll probably hate you for it because a VPN can be flaky when the signal is mediocre.

Why was WG a PIA, and in what way was it not reliable? I have WG running on my phone and a couple of other phones 24/7 (unless connected to home WiFi) and have never had any problems with it. I have AdGuard running at home and it works fine blocking ads on my mobile devices when out and about.

Tie the iPhone MACs to a VLAN. Specify your own DNS for that specific VLAN. This takes care of on-LAN traffic. WG is notorious for killing batteries on phones. But you could use DynDNS to tie back a site-to-site tunnel and still route/monitor traffic, but then again you will be rate-limited by your home upload speed. Similar setup with a travel router. Not the snappiest performance, but workable.

In this case, you don’t need a VPN. Use an AdGuard Home server and install a DoH profile on the iPhone, or DoT on Android.

Tailscale absolutely allows you to change DNS. Go to https://login.tailscale.com/admin/machines, select DNS, add a Global Nameserver and enable Override Local DNS.
As for the “connect to VPN under specific conditions”, enable the VPN On Demand feature inside the app on iOS.
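The two posts above (a DoH profile pointed at AdGuard Home, and falling back to the home resolver on a specific SSID) can be combined in a single iOS configuration profile without a VPN, using Apple's encrypted-DNS payload (`com.apple.dnsSettings.managed`) with on-demand rules. The script below is an added example, not code from anyone in this thread; the DoH URL, IP address, SSID and identifiers are placeholders you would replace with your own.

```python
"""Build a .mobileconfig that pins an iPhone to a home AdGuard Home DoH resolver
everywhere except on the home SSID. Added example; all names are placeholders."""
import plistlib
import uuid


def build_dns_profile(doh_url: str, server_ip: str, home_ssid: str,
                      supervised: bool = True) -> dict:
    """Return the profile as a dict using Apple's DNSSettings payload keys."""
    dns_payload = {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kids.dns",      # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kids DoH (AdGuard Home)",
        "DNSSettings": {
            "DNSProtocol": "HTTPS",
            "ServerURL": doh_url,
            # Bootstrap IP so the phone never asks the carrier resolver for the hostname
            "ServerAddresses": [server_ip],
        },
        # Use the DHCP-assigned resolver only on the home network; on cellular
        # and any other Wi-Fi the DoH resolver applies. Rules are evaluated in order.
        "OnDemandRules": [
            {"Action": "Disconnect", "SSIDMatch": [home_ssid]},
            {"Action": "Connect"},
        ],
    }
    if supervised:
        # Honoured only on supervised (MDM-enrolled) devices; on an unsupervised
        # phone the user can still switch the resolver off in Settings.
        dns_payload["ProhibitDisablement"] = True
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kids.profile",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kids DNS",
        "PayloadContent": [dns_payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise the profile as XML plist, the format Settings expects for import."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    prof = build_dns_profile("https://dns.example.com/dns-query", "203.0.113.10", "HomeWiFi")
    with open("kids-dns.mobileconfig", "wb") as fh:   # sign before deploying via MDM
        fh.write(to_mobileconfig(prof))
```

Without supervision the profile installs fine but the child can disable it, which is the same enforcement gap the MDM replies point out.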

I use an IPsec VPN server on pfSense because both macOS and iOS have native clients. No third-party clients are needed.

However, this likely is not the best solution for you. I don’t know how you could…

  1. make the VPN client connect automatically when the phone is powered on,
  2. keep the VPN from connecting when on specified SSIDs, or
  3. keep the kids from simply disconnecting.

You should be looking at parental control software, or as u/TheDiaryofaSoyBean suggests, an MDM solution.

WireGuard is extremely reliable, so something was likely configured wrong. I have many devices that have been running WG for well over a year through OS updates etc., and they stay persistently connected. I do exactly what you are wanting for my setup, and it works quite well: I have WG set up as a persistent VPN and just tunnel 100% of my traffic back home for pfBlocker etc.

Jamf now gives you the first 3 devices for free. I’m not sure what its limitations are, as the last time I used Jamf it was an enterprise plan.

Might be worth a test if you only have a few iPhones to manage!

Another vote for MDM if you really want to have control of the device.

I used OpenVPN in the end as I needed tcp/443 to drill through my daughter’s college Wi-Fi firewall; WireGuard does work that way. But enforcement of the VPN is an MDM problem. IIRC ManageEngine may do a free one for home use??

Another subscription? Pass.

Huh? The AdGuard Home server is in my lab at home.