Is there a way to guarantee a mobile device or tablet can only access my own services and block all other traffic?
Is there a way to guarantee a mobile device or tablet can only access my own services and block all other traffic?
Is this possible on any modern day phone or tablet? Selfhosting as made me very privacy-consciouss and am concerned about my iphone.
On all networks, or just when on your home network?
Guarantee? You'd have to open it up and disable the cellular radio. The OS can override any settings you make.
More than just the cellular radio.
https://www.theregister.com/2023/04/27/qualcomm_covert_operating_system_claim/
I think this was built into the SOC itself, or the GPS module, but it runs 100% independently of your OS, even on custom firmware.
Remove the SIM card to ensure it doesn’t communicate with a cellular carrier. Then go into the settings for your specific WiFi network, configure IP address manually, and remove the entry for “Router” to prevent it from talking to the Internet
The answer is mTLS.
But you will run into the key distribution problem. But if your number of devices is manageable, it could be the solution
Could you expand a little please? I read this https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/
It seems this is mainly for reaching the server securely not blocking others, right?
You create a (self-signed) CA certificate, put its certificate as the client ca in your web server.
Then you can create certificates using this CA that you distribute to your devices, only devices that have a certificate signed by your CA are allowed to connect.
One thing I want to bring up just so you’re conscious of it is WiFi calling.
I currently use Tailscale and a sophisticated setup to route traffic via commercial VPNs. I also do a ton of DNS ad/tracking blocking which Tailscale wasn’t really designed for (and requires a rat’s nest of routing,
iptablesand the like).I’ve noticed I never receive incoming calls now even while attempting to send traffic to my carrier’s WiFi calling server (it’s just another traditional VPN server at a technical level) through the nearest Tailscale exit node.
All this is to say, if you want WiFi calling to work you should consider this. I believe it’s the same for Android and iPhone.
As for the traditional VPN bit I kind of discovered this a few years ago when using one of those mobile cellular gateways you can plug into your LAN (I lived in a dead zone). When looking up my current carrier’s WiFi calling server (a different carrier) I realized the port matches the same VPN thing they were doing on the cellular gateway, so I think it’s fairly common for wireless carriers to just use a VPN to get you into their backend.
On iPhones and iPads there are several technologies available for monitoring and filtering network traffic. Filter network traffic from the Apple Deployment Guide has an overview of the technologies and their trade-offs.
I have an iPhone and a gl.inet gl-e750 portable cell router, and my SIM card stays in the router. I don’t actually restrict my phone the way you’re talking about, but this gives me vpn to my home network without needing the vpn running on each client device. And if I wanted to block connections to big tech company services, I could do that.
Can never guarantee anything but you got some options for decent security. I've used Tailscale and also Cloudflare with blocking all ips except for my known devices.