So currently they have no blocking or filtering?
That would give you control on the router and allow for exceptions for teacher machines. (You would have to whitelist the teacher PCs and force any new devices to use the most restrictive profile, aka kid safe search etc.) It can also block services like TikTok etc.
You would also have to enforce DNS redirection to AGH and also block/deny any other encrypted DNS from passing to the internet (requires firewall rules).
That would reduce things down and make it harder, but it is not a filtering firewall solution that would block IP address bypasses. Ideally for a situation like this you want a proxy cache with proper filtering with a restricted/filtered DNS. That would reduce the load on the VDSL and provide a much better filtering solution.
That being said, I will repeat what others have said. This is a legal minefield and I'd be insisting on written authorisation and a clear definition of roles/responsibilities.
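The firewall rules mentioned in the post above, sketched as an nftables ruleset; this is an added example, not part of the original post. It assumes the LAN bridge is named `br-lan` and that AGH listens on the router itself on port 53, and the DoH resolver addresses are placeholders from documentation ranges.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumptions: LAN interface "br-lan", AGH bound to port 53
# on this router. Adjust both to the actual setup before loading.

table inet dns_enforce {
    # Destination addresses of public DoH resolvers to deny.
    # Placeholder values (RFC 5737 documentation ranges); fill from a
    # maintained resolver list. IPv6 would need a second set of type ipv6_addr.
    set doh_v4 {
        type ipv4_addr
        elements = { 192.0.2.53, 198.51.100.53 }
    }

    chain dns_redirect {
        type nat hook prerouting priority dstnat; policy accept;
        # Plain DNS from any LAN client is answered by the local AGH,
        # regardless of which resolver the client was configured to use.
        iifname "br-lan" udp dport 53 redirect to :53
        iifname "br-lan" tcp dport 53 redirect to :53
    }

    chain dns_block {
        type filter hook forward priority filter; policy accept;
        # DNS-over-TLS (tcp/853) and DNS-over-QUIC (udp/853) have a
        # dedicated port, so they can be refused outright.
        iifname "br-lan" tcp dport 853 reject with tcp reset
        iifname "br-lan" udp dport 853 reject
        # DNS-over-HTTPS shares port 443 with ordinary web traffic, so it
        # can only be refused per destination address.
        iifname "br-lan" ip daddr @doh_v4 tcp dport 443 reject with tcp reset
        iifname "br-lan" ip daddr @doh_v4 udp dport 443 reject
    }
}
```

Because DoH is matched only by address, a resolver missing from the set still passes, which is the gap the proxy with filtering is meant to close.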