1) VPN server: the implementation has to be natively supported by iOS and Android devices, for example IKEv2.
2) Multiple VPN users: each user has its own login and password. Users' logins and passwords are stored in a DB (for example MySQL). Only authorized users can establish a VPN session.
3) Users are added, altered and removed at run-time. The DB might hold a few thousand users or more.
4) Each user's network traffic is monitored; this includes HTTP and HTTPS. The requirements for the filtering module:
a) has a static database of blacklisted URLs, over 1M records; the URLs are grouped into a few categories, and each category can be enabled/disabled for each user
b) has a static database of white-listed URLs; the URLs are grouped into a few categories, and each category can be enabled/disabled for each user. URLs from the white-list are not blocked and are not altered, and SSL filtering is bypassed for them
c) contains a list of keywords/phrases which are prohibited in the content of a request or response, enabled/disabled for each user
d) might alter URLs, for example to force safe search on [login to view URL], enabled/disabled for each user
e) if a URL should be blocked, the content of the web page will be replaced by a custom message. The displayed message is configurable for each user.
f) time schedule, configurable for each user.
g) in addition to the static URL database lists, there are also short dynamic URL lists, configurable for each user. Each list might be marked as a blacklist or a white-list.
The history of visited web pages is stored in the DB. History is stored per user; in other words, we know the network activity of each user. Only metadata is stored: URL, timestamp, user name/ID, allowed/blocked, reason for blocking, referrer URL.
The history of visited URLs should be preprocessed: for example, if a user visits [login to view URL], then the history of visited URLs contains only [login to view URL], without all the URLs of images, scripts, etc.
5) The system can limit access to some URLs, IP addresses, ports and protocols (TCP/UDP). Each user has its own rules. Rules for blocking traffic are modified at run-time.
6) The VPN module should be based on an Open Source project, the filtering module can be based on Squid Proxy.
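
One way the per-user decision in requirement 4 could be ordered, as an added sketch that is not part of the original specification. It matches on host names only rather than full URLs, and the names UserPolicy, decide and host_and_parents, the sample domains and the precedence order are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import time
from urllib.parse import urlsplit

# Constructed sample data (host -> category); a real system would query the DB.
STATIC_BLACKLIST = {"casino.example": "gambling", "tracker.example": "ads"}
STATIC_WHITELIST = {"bank.example": "finance"}

@dataclass
class UserPolicy:  # hypothetical per-user settings record
    black_categories: set = field(default_factory=set)  # enabled categories, 4a
    white_categories: set = field(default_factory=set)  # enabled categories, 4b
    dynamic_black: set = field(default_factory=set)     # short per-user lists, 4g
    dynamic_white: set = field(default_factory=set)
    allowed_hours: tuple = (time(0, 0), time(23, 59, 59))  # schedule, 4f
    block_message: str = "This page is blocked."           # custom message, 4e

def host_and_parents(url):
    """Return the host and its parent domains: a.b.example -> [a.b.example, b.example]."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    parts = host.split(".")
    return [".".join(parts[i:]) for i in range(max(len(parts) - 1, 1))]

def decide(url, policy, now):
    """Return (action, reason, ssl_bypass); the reason feeds the history record.

    Assumed precedence: whitelists, then schedule, then blacklists, default allow.
    """
    names = host_and_parents(url)
    if any(n in policy.dynamic_white for n in names):
        return ("allow", "dynamic-whitelist", True)  # bypass assumed to apply here too
    if any(STATIC_WHITELIST.get(n) in policy.white_categories for n in names):
        return ("allow", "static-whitelist", True)   # 4b: no SSL filtering
    start, end = policy.allowed_hours
    if not (start <= now <= end):
        return ("block", "outside-schedule", False)
    if any(n in policy.dynamic_black for n in names):
        return ("block", "dynamic-blacklist", False)
    for n in names:
        category = STATIC_BLACKLIST.get(n)
        if category in policy.black_categories:
            return ("block", "category:" + category, False)
    return ("allow", "no-match", False)
```

Because the white-list branches return before any inspection step, a white-listed host never has its TLS intercepted, while every other outcome carries a reason string suitable for the history table.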