I tamed Roblox with a Raspberry-Pi proxy that let my kids “top-up” Internet minutes with printable vouchers. It worked… until every new app decided to skip the proxy altogether. 🙄

Version 2 flips the script: the Pi is now a full-tunnel WireGuard VPN. If the tunnel isn’t up—or if the timer hits 00:00—packets simply never leave the house. Period.

What changed

Proxy Model (v1)

  • Only HTTP/HTTPS + ports I remembered to block
  • Squid ACL starts/stops traffic
  • Apps could ignore proxy
  • Hassle-free (no profiles)

VPN Model (v2)

  • All TCP / UDP / QUIC, IPv4 & v6
  • Node API adds/removes WireGuard peers
  • Device can’t reach the WAN without the tunnel
  • Requires WireGuard app + QR code (10 sec)

🚀 Why it’s better

  1. Zero escape hatches – Roblox launcher, DoH, QUIC, Fortnite … everything is in the tunnel.
  2. One timer to rule them all – my Node API flips a single wg set wg0 peer … remove when balance = 0.
  3. Battery-friendly – WireGuard idles at 0 % CPU; handshake every 25 s.
  4. Automatic reconnection – On-Demand in iOS ↔ tunnel re-establishes after sleep.
  5. Clean firewall – MASQUERADE + two FORWARD rules; no more spaghetti NAT for port 443.
Kid Device ── WireGuard ➜ Pi (wg0 10.9.0.0/24)
                          │
              Node API ⟷ SQLite  ←▶  Voucher UI
                          │
          wg set peer enable/disable
                          │
                      MASQUERADE ➜ Internet

🏖️ Early wins

  • 100 % Roblox success-rate (blocked!)
  • My 9-year-old now checks her timer before opening Youtube.
  • Quiet evenings—no “But the proxy isn’t blocking the app!” debates.

#ParentingTech #WireGuard #RaspberryPi #HomeLab #ScreenTime #SummerBreak