This discussion has been inactive for longer than 30 days, and is thus closed.
    • sirwnstn
    • Aug 29th 2012
    After a long bout with messing around with squid proxy server settings, iPhone configuration profiles, APN settings, and whatnot, I've got an iPhone 4S whose 3G network is secured. For all you parents out there who want to lock down your kid's iPhone, it can be done!

    What did I use?

    - hosted Linux server (yes, I know, it's not free)
    - squid proxy configured to use FamilyShield DNS servers
    - iPhone profile configured with AT&T's regular APN settings but also with settings for my proxy
    - locked the iPhone profile with a password so it can't be removed

    Now the Safari web browser is protected by FamilyShield! I need to do more testing, but SpeedTest app seemed to show no significant slowdown. Google maps still works. Email works. Facebook app doesn't seem to work though, and I don't know why. I'll fill you all in with more details after a week or more of usage. Wifi is still not locked down, but you can do that on your own router at home. Now at the library or at Starbucks? No joy there yet. I'm waiting for iOS 6 and the "global http proxy" feature. We'll see if that allows for locking wifi down. Let me know what you guys think.
    • rotblitz
    • Aug 29th 2012
    "Now the Safari web browser is protected by FamilyShield!"

    Not sure why a web browser would need to be protected... :wink:

    1. "iPhone profile configured with AT&T's regular APN settings but also with settings for my proxy"
    2. "Now at the library or at Starbucks?"

    Hmm, why would you expect the library or coffee shop network to be able to deal with "AT&T's regular APN settings but also with settings for my proxy"? At least they don't care a bit about your settings...
    I wouldn't either in my networks...
    Would you?
    Thankful People: sirwnstn
    • jedisct1 (Administrator)
    • Aug 29th 2012 (edited)
    On a jailbroken device, you don't even need to change your APN, you can just install GuizmoDNS in order to change the DNS settings on 3G.

    The only problem with your setup is that you are probably running an open proxy. Spammers are quickly going to use your Linux server for spamming the world.

    I'm using a similar setup (custom APN + proxy: https://00f.net/2012/06/02/mod-pagespeed-as-a-proxy-for-your-phone/ ), but with a dedicated iPhone app in order to avoid opening the proxy to the world ( https://github.com/jedisct1/knockknock ).

    The APN settings are constantly used on 3G.
    But when using a Wifi hotspot, the proxy has to be manually entered. Or, if you want to use FamilyShield and not a proxy when on Wifi, you need to manually change the DNS settings. Every time you use a new hotspot. This is quickly getting painful.

    So, yes, it works. But it has some serious caveats. Including not being very secure and not being very easy to set up.
    That said, there are no real alternatives for parental controls on a non-jailbroken iPhone and this is a serious problem.
    Thankful People: sirwnstn
    • sirwnstn
    • Aug 29th 2012 (edited)
    @rotblitz
    I guess in my sleepless excitement I wasn't too clear. You're right. 3G APN settings have nothing to do with wifi settings. I was addressing a parent's possible concern for having no control over what the wifi networks at a library or Starbucks allow.

    @jedisct1
    I unfortunately want to avoid any sort of jailbreaking, so the awesome app you mentioned won't work for me. But you're absolutely right about the open proxy. This setup is certainly insecure at the moment and a work in progress. I just wanted to prove to myself it was possible. I'm hoping that I can add ncsa_auth to the mix and close the hole. As for wifi you are also correct. There is indeed no solution at this point. (I even played with PPTP VPN but that can be disabled.) I'm hoping the new feature coming in iOS 6 - "global http proxy", listed in the 2nd to last paragraph here: http://www.macworld.com/article/1167240/ios_6_features_you_might_have_missed.html - will address this.

    Testing updates:
    Pandora, App store and iTunes seem to be working. Facebook seems to be very slow and times out. Could be an issue with the squid settings or the location of my proxy server.
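
The open-proxy problem raised in this exchange, and the ncsa_auth fix mentioned in the post above, can be checked against a Squid configuration before the server is exposed. The following is an added example, not code from the thread: the squid.conf fragments are constructed, the helper and password-file paths are assumptions, and the hypothetical `open_to_strangers` function models only `src` and `proxy_auth` ACLs.

```python
import ipaddress

# Constructed squid.conf fragments; helper and password-file paths are assumptions.
OPEN_CONF = """
http_port 3128
http_access allow all
"""
AUTH_CONF = """
http_port 3128
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
acl family proxy_auth REQUIRED
http_access deny !family
http_access allow all
"""
DENY_ONLY_CONF = """
acl badnet src 192.0.2.0/24
http_access deny badnet
"""

def open_to_strangers(conf, probe_ip="203.0.113.50"):
    """True if http_access would let an unauthenticated client at probe_ip through."""
    probe = ipaddress.ip_address(probe_ip)
    acls = {"all": ("src", ["0.0.0.0/0"])}  # 'all' is predefined in Squid 3.x
    rules = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))

    def matches(name):
        kind, values = acls[name.lstrip("!")]
        if kind == "src":
            hit = any(probe in ipaddress.ip_network(v, strict=False) for v in values)
        elif kind == "proxy_auth":
            hit = False  # the probe presents no credentials
        else:
            raise ValueError(f"ACL type {kind!r} is not modelled here")
        return hit != name.startswith("!")

    for action, names in rules:
        if all(matches(n) for n in names):  # every ACL on the line must match
            return action == "allow"
    # Nothing matched: Squid applies the opposite of the last rule (deny if none).
    return bool(rules) and rules[-1][0] == "deny"
```

`DENY_ONLY_CONF` is the easy-to-miss case: a configuration whose only rule is a deny still proxies for everyone else, because an unmatched request gets the opposite of the last rule.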
    • jedisct1 (Administrator)
    • Aug 29th 2012
    KnockKnock doesn't require jailbreaking your phone. Not a perfect solution but it makes your open proxy a bit less open.
    • sirwnstn
    • Aug 29th 2012
    I'm having lunch and I'm reading about mod_pagespeed and knockknock. Awesome stuff. Thanks for the pointers! I'm rethinking my solution already.
    • sirwnstn
    • Sep 9th 2012
    I've been looking over your code. Any thoughts about using a port knocking solution? When things quiet down at work, I'll look at augmenting your code to use port knocking for authentication.
    • jedisct1 (Administrator)
    • Sep 9th 2012
    Port knocking doesn't really bring much security and has two major drawbacks:
    - It can take quite a lot of work to make it work on most operating systems
    - It doesn't cope well with carriers that are blocking everything except ports 80 and 443. Oh sure, you can do port knocking even with a single port, but then comes another issue: the number of packets this requires, combined with the latency of 3G (or worse) networks.
    • sirwnstn
    • Sep 10th 2012
    Got it. I shouldn't waste time with port knocking on 3G networks. Did you think about any other security measures other than the "super dumb token based on the current time and a shared secret key" that you've implemented in your app? Honestly, to me that doesn't sound that "super dumb" but what do I know. What about OTP? Any thoughts? My initial findings aren't too promising.
    • rotblitz
    • Sep 10th 2012
    Just reading belatedly:

    "I was addressing a parent's possible concern for having no control over what the wifi networks at a library or Starbucks allows."

    Yes, good concerns. They do not have control over anything not owned by them (which is a good thing in a good democracy). And library and Starbucks networks are not owned by them. You wouldn't want *these* parents to control all library and Starbucks networks worldwide (or country wide), would you? :shocked:

    Therefore again: OpenDNS is for *your* networks, not for your devices in other networks.
    • jedisct1 (Administrator)
    • Sep 11th 2012 (edited)
    The authentication protocol is super basic, but fine in this context. The real problem is that people sharing your IP can use the proxy, too. But there's not much we can do considering iOS limitations.

    rotblitz: when using a non-transparent proxy, DNS queries are sent by the proxy (which is usually much much much faster than over 3G). So the IP address remains the same no matter where the device is.
    Thankful People: rotblitz
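
The idea discussed in the last two posts (a token derived from the current time and a shared secret, and the caveat that people sharing your IP can use the proxy too) can be sketched as follows. This is an added example, not KnockKnock's code or protocol: the HMAC construction, the 30-second step, the one-hour grant, and the `ProxyGate` class are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: key shared by phone app and server
STEP = 30                            # assumption: token changes every 30 seconds
GRANT_TTL = 3600                     # assumption: a valid knock opens the proxy for 1 hour


def make_token(secret, now):
    """Client side: HMAC-SHA256 over the index of the current time step."""
    counter = int(now // STEP).to_bytes(8, "big")
    return hmac.new(secret, counter, hashlib.sha256).hexdigest()


def token_valid(secret, token, now, skew_steps=1):
    """Server side: accept the current step +/- skew, compared in constant time."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = make_token(secret, now + delta * STEP)
        if hmac.compare_digest(expected.encode(), token.encode()):
            return True
    return False


class ProxyGate:
    """Hypothetical gate in front of the proxy: a valid knock allowlists the source IP."""

    def __init__(self, secret):
        self.secret = secret
        self.grants = {}  # source IP -> expiry timestamp

    def knock(self, src_ip, token, now):
        if not token_valid(self.secret, token, now):
            return False
        self.grants[src_ip] = now + GRANT_TTL
        return True

    def may_proxy(self, src_ip, now):
        # The decision is keyed on the address alone, so every client behind
        # the same carrier NAT address inherits the grant until it expires.
        return self.grants.get(src_ip, 0) > now
```

A captured token stops working once the clock moves past the skew window, but `may_proxy` never sees who is behind the address, which is the limitation described in the post above.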
    • rotblitz
    • Sep 11th 2012
    Ah yes, it was not clear to me how this proxy is implemented and what its exact role is in this context, and still is.
    • jedisct1 (Administrator)
    • Sep 20th 2012
    iOS 6 brings support for a "global proxy", and a username and password can be specified: https://developer.apple.com/library/ios/#featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-DontLinkElementID_1

    Much better, but still no support for HTTPS or SPDY, and this requires creating an MDM profile.
    • coveyduck
    • Oct 19th 2012
    Assuming I can figure out how to create an MDM profile, a Configuration profile, and successfully point my kids' mobile devices to a proxy server... what proxy server would I use?
    • jedisct1 (Administrator)
    • Oct 19th 2012
    You need to set up a proxy yourself.

    By the way, Google have made some improvements to mod_pagespeed to better fit this scenario, and mod_pagespeed has hit version 1.0.
    • sirwnstn
    • Oct 23rd 2012
    Now that global http proxy is out for iOS6, I'm going to see what I can do to create my own mod_pagespeed proxy (and ditch squid) with TurnKey Linux and Amazon EC2 in the next two weeks. I'll let you all know what results I get.

    jedisct1, have you tried the new global http proxy out with username and password on your setup?
    • jedisct1 (Administrator)
    • Oct 25th 2012
    Nope, I'm quietly waiting for Chrome for iOS to support SPDY proxies.
    Thankful People: sirwnstn
    • sirwnstn
    • Oct 25th 2012
    jedisct1, you never cease to surprise me with your knowledge on this subject. Well, I can't be Sun Tzu and wait forever, so I'll try my hand at global http proxy, and when SPDY proxies and all the fixin's arrive at a broader level for iOS, I'll certainly welcome them.
