As the father of two boys both now in high school, and having been in the Security and Bandwidth Management space for quite some time, my home WiFi network is pretty buttoned up. Between Parental Controls on the multiple routers, end point content filtering, and exhaustive time of day policies tied to layer 7 signatures on my home Exinda, (not a big fan of Tumblr during homework time) no one who lives here argues that I alone hold the keys to a good home WiFi experience. WiFi access is giveth and WiFi access is taketh away regularly based upon a variety of normal parental expectations.

You Might Also Like: [Video] Is Your E-Rate Funding at Risk?

I noticed recently that they are able to access Facebook, and more to my disdain, access my Netflix account during school hours. I naturally found this surprising as I typically hear that those services are managed by the school firewall. Here’s what I was told –“oh, they block that, we use Open VPN to proxy our connection to bypass the firewall.” I’d be lying if I didn’t say a small part of me was very proud of these guys.

During that time, I happened to be working with a school district in Texas, so as it was fresh in my mind, I asked how they manage Open VPN traffic within the high school, as they have been an Exinda customer for a few years now. I was curious if they had a policy on the Exinda to do that. They replied they were not able to block it with their firewall, but had been meaning to ask if and how they could leverage the Exinda policies to control Open VPN only to the student networks, and only during school hours.

Controlling Open VPN

We first used the real time monitor to check if we were even seeing Open VPN traffic.



Sure enough, there it was. So we created a schedule based upon active school hours.


We then created a policy using several attributes to be very specific as to what we wanted to do – namely, limit Open VPN access for the student Wi-Fi networks, during school hours.

Here’s what the Exinda policy looks like:


And here’s what it did:



The lesson to be learned here is that in order to prevent students from bypassing your firewall, you first need visibility into how they are using your bandwidth. Once you’ve identified the users, applications and devices on your network, you can set policies to block Open VPN traffic or any other recreational traffic that may be disrupting your network. Rest easy knowing that you too can taketh away access, at least during school hours.

Join Our Next Live Webcast

Having trouble with network compliance in your school? Join our next K12 live webcast and learn how to enforce appropriate use of the network.