This was a fun project: bypassing the school filters to use what I wanted instead. This way I can block social media and other content kids don't need at a young age.

You will need the following to make this work:

  • Control of a DNS server to create a static entry (your firewall with VPN preferred)
  • A web server to host the cgi file

I use a firewall called Untangle. With this firewall you can create a full VPN tunnel for ChromeOS and push the DNS server to the ChromeOS.

First you will need to go to the network settings in ChromeOS.

Scroll to the bottom and expand Proxy, and you can then see where the school proxy configuration is coming from. I have changed the domain name in this example:

https://mobile-filter.example.net/cgi-bin/pac/pac.cgi

This means I need to host the file pac.cgi on my web server, following the same path structure as above.

On the web server, create a folder called cgi-bin and, inside it, a folder called pac.

Copy the pac.cgi file into the pac folder. Here is the code from the school's pac.cgi file, as I edited it:

function FindProxyForURL(url, host) {
  // If Chromebook or Google system domains, go Direct. Else go through proxy.
  if (shExpMatch(host, "accounts.google.com") || shExpMatch(host, "accounts.gstatic.com") || shExpMatch(host, "accounts.youtube.com") ||
      shExpMatch(host, "clients1.google.com") || shExpMatch(host, "clients2.google.com") || shExpMatch(host, "clients3.google.com") ||
      shExpMatch(host, "clients4.google.com") || shExpMatch(host, "cros-omahaproxy.appspot.com") || shExpMatch(host, "dl.google.com") ||
      shExpMatch(host, "dl-ssl.google.com") || shExpMatch(host, "www.googleapis.com") || shExpMatch(host, "m.google.com") ||
      shExpMatch(host, "omahaproxy.appspot.com") || shExpMatch(host, "safebrowsing-cache.google.com") || shExpMatch(host, "safebrowsing.google.com") ||
      shExpMatch(host, "ssl.gstatic.com") || shExpMatch(host, "tools.google.com") || shExpMatch(host, "pack.google.com") ||
      shExpMatch(host, "www.gstatic.com") || shExpMatch(host, "gweb-gettingstartedguide.appspot.com") || shExpMatch(host, "storage.googleapis.com") ||
      shExpMatch(host, "commondatastorage.googleapis.com") || shExpMatch(host, "www.iplocation.net") || shExpMatch(host, "*.wcr7.org*") ||
      shExpMatch(host, "www.ipchicken.com") || shExpMatch(url, "*.mathxlforschool.com*") || shExpMatch(url, "*.interactmath.com*") ||
      shExpMatch(url, "*.virtualnerd.com*") || shExpMatch(url, "*.pearsoncmg.com*") || shExpMatch(url, "*.pearsoned.com*") ||
      shExpMatch(host, "*.pearsonhighered.com*") || shExpMatch(url, "*.superlibrary.com*") || shExpMatch(url, "*.pearson.com*") ||
      shExpMatch(url, "*.istheinternetdown.com*") || shExpMatch(host, "*.googleusercontent.com") || shExpMatch(host, "*.apple.com") ||
      shExpMatch(host, "*.icloud.com") || shExpMatch(host, "*.example.org") ||
      isInNet(dnsResolve("selfservice.example.net"), "10.100.0.68", "255.255.255.255")) {
    return "DIRECT";
  }

  // Original school line, commented out:
  //return "PROXY mobile-filter.example.net:8080";
  // Edited: everything not matched above also goes direct.
  return "DIRECT";
}

So the first part of the code bypasses the proxy for those domains.

I commented out the return "PROXY ..." line and put return "DIRECT" in its place, meaning all traffic goes directly to the internet instead of through a proxy. Direct traffic then goes through my firewall, and I can manage my kids' content from there.
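To see which decision a given PAC file makes for a URL, its logic can be replayed offline. The following is an added example, not part of the original post or the school's file: the helper functions are simplified stand-ins for the browser's PAC built-ins, the PAC text is a shortened copy of the one above, and the DNS table and the www.example.com probe are constructed.

```javascript
// Constructed offline harness: replays a PAC file's decisions without a browser.
const toInt = (ip) => ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);

// Simplified stand-ins for the PAC helpers the file calls. `dns` is a
// constructed name -> IP table used instead of real lookups.
function helpers(dns) {
  return {
    shExpMatch(str, pat) {
      const re = pat.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
      return new RegExp("^" + re + "$").test(str);
    },
    dnsResolve: (host) => dns[host] || null,
    isInNet(ip, net, mask) {
      if (!ip) return false;
      const m = toInt(mask);
      return (toInt(ip) & m) === (toInt(net) & m);
    },
  };
}

// Shortened copy of the PAC above; `last` is the final return value.
const pac = (last) => `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "accounts.google.com") ||
      shExpMatch(url, "*.pearson.com*") ||
      isInNet(dnsResolve("selfservice.example.net"), "10.100.0.68", "255.255.255.255"))
  { return "DIRECT"; }
  return "${last}";
}`;

// Evaluate PAC text (only text you trust: it is executed) against probe URLs.
function evaluatePac(pacText, dns, urls) {
  const h = helpers(dns);
  const find = new Function("shExpMatch", "dnsResolve", "isInNet",
    pacText + "\nreturn FindProxyForURL;")(h.shExpMatch, h.dnsResolve, h.isInNet);
  return urls.map((u) => find(u, new URL(u).hostname));
}

// www.example.com is a constructed probe that is on no exemption list.
const PROBES = ["https://accounts.google.com/", "https://www.pearson.com/x",
                "https://www.example.com/"];
const SCHOOL = pac("PROXY mobile-filter.example.net:8080");
const EDITED = pac("DIRECT");
const ON_NET = { "selfservice.example.net": "10.100.0.68" };

console.log("school PAC:          ", evaluatePac(SCHOOL, {}, PROBES));
console.log("edited PAC:          ", evaluatePac(EDITED, {}, PROBES));
console.log("school PAC, isInNet: ", evaluatePac(SCHOOL, ON_NET, PROBES));
```

A probe outside the exemption list that comes back DIRECT means the PAC being served no longer sends that traffic to the proxy; the third run shows the isInNet clause has the same effect for every URL whenever selfservice.example.net resolves to 10.100.0.68.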

On your firewall you will have to set a static DNS entry for mobile-filter.example.net to point to the web server hosting /cgi-bin/pac/pac.cgi.

When the device is at home, the static DNS entry redirects the request for that domain to your web server, and the code there bypasses the proxy so traffic flows through your firewall instead.

When the device is away, it will use the school proxy at first, but once the VPN connects and you have full tunnel enabled, it will route all traffic through the firewall instead.

Reference:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file