
Always connect except on "home" network

Posted: Thu Aug 29, 2019 8:30 pm
by jeff3820
brianjmurrell posted this message in the Openvpn Connect (android) forum. I am also interested in exactly the same solution...how can I pause openvpn connect when the WiFi is connected to the "home" network(s)? The 1.1.1.1 app which is a "VPN" for DNS only does this exactly...it allows specific SSIDs to be entered and if connected to those SSIDs then the VPN connection is paused. When moving to cellular or other WiFi SSIDs then the VPN resumes. Seems this would be a very valuable addition to OpenVPN Connect for iOS.

Here is the post from the android forum: <<How can I make OpenVPN automatically connect when I am on any network (mobile or WiFi) that is not the network that the OpenVPN server is gatewaying to (i.e. the network that is "behind" the OpenVPN gateway)?

So to be clear, I want to automatically always connect to my OpenVPN server except when I am on the network that is behind the OpenVPN server since that doesn't work and seems pointless anyway. I trust my local network.>>

Any solutions or workarounds would be great.

Re: Always connect except on "home" network

Posted: Thu Aug 29, 2019 9:49 pm
by TinCanTech
You can either try to convince the developer of the software you are using that this is a good idea to implement in their software, or you can invest in better network equipment and configure your network to do what you want.

Re: Always connect except on "home" network

Posted: Thu Aug 29, 2019 10:02 pm
by jeff3820
The router software on the "home" internal network is Pfsense and sure, I can configure a hairpin but that is just absurd...no need for a VPN when you are already on the network the VPN connects to. It is OpenVPN Connect that needs to implement the change to disable the VPN when it senses a WiFi connection to the "home" internal network. Only seems logical...

Re: Always connect except on "home" network

Posted: Thu Aug 29, 2019 10:43 pm
by TinCanTech
jeff3820 wrote (Thu Aug 29, 2019 10:02 pm): <<I can configure a hairpin but that is just absurd>>

the exact opposite of the truth ..

Re: Always connect except on "home" network

Posted: Wed Nov 13, 2019 11:58 pm
by SaturnusDJ
Kicking this topic.

@TinCanTech
What do you mean with your reply? Are you suggesting to deliberately *not* use a hairpin so that OpenVPN will fail to connect when being home? That would be a solution I guess, but not something that should work for the external IP always. Better would be to filter out only the VPN connection attempt, maybe by port. Hope this is possible on OpenWRT (iptables).

Re: Always connect except on "home" network

Posted: Thu Nov 14, 2019 1:04 am
by TinCanTech
You answered your own question ..

Re: Always connect except on "home" network

Posted: Sun Nov 17, 2019 12:57 am
by jeff3820
The way Cloudflare does this on their 1.1.1.1 client app is the correct solution. If the 1.1.1.1 app sees connection on a specific SSID/WiFi network (they call this a trusted connection) then 1.1.1.1 client disables itself so the connection doesn't happen. They allow multiple SSIDs to be entered. When internet connection is via a different SSID/WiFi that is not identified as a trusted WiFi connection or a cellular connection then the 1.1.1.1 client establishes a connection.

I can make a clumsy solution on the server side but it shouldn't be necessary. OpenVPN connect should implement this feature in a future release. It would simplify my network connections and I'm sure others as well. Simple is better and more reliable.

Re: Always connect except on "home" network

Posted: Fri Nov 29, 2019 6:51 pm
by SaturnusDJ
I just made an OpenWRT firewall (iptables) rule to reject traffic on the OpenVPN port received from within the LAN towards the OpenVPN server LAN IP address. This last part sounds a bit weird, but specifying the external IP as destination did not result in a reject/block. I think the firewall rule is applied after OpenWRT translated the external IP to the internal IP.
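
The kind of rule described in the post above, as an added example that is not SaturnusDJ's actual configuration: a script that validates its inputs and prints (without applying) an iptables command rejecting OpenVPN connection attempts that arrive on the LAN interface. It assumes the OpenVPN server is a separate LAN host reached through a port forward; the interface name `br-lan`, the address `192.168.1.10` and port 1194/udp are constructed sample values. In netfilter, DNAT in the nat PREROUTING chain runs before the filter table, which is why the rule matches the internal address.

```shell
#!/bin/sh
# Added example: print (do not apply) the LAN-side reject rule for OpenVPN.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_reject_rule LAN_IF PROTO SERVER_LAN_IP PORT
# Prints one iptables command for the filter FORWARD chain.
build_reject_rule() {
    lan_if=$1 proto=$2 server_ip=$3 port=$4
    case "$lan_if" in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    valid_ipv4 "$server_ip" || { echo "bad address" >&2; return 1; }
    case "$port" in ''|*[!0-9]*|??????*) echo "bad port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    # REJECT as in the post; the reject type depends on the transport protocol.
    case "$proto" in
        udp) reject=icmp-port-unreachable ;;
        tcp) reject=tcp-reset ;;
        *) echo "bad protocol" >&2; return 1 ;;
    esac
    # Destination is the server's LAN address: nat PREROUTING (DNAT) runs
    # before the filter table, so the external IP is already rewritten here.
    echo "iptables -I FORWARD -i $lan_if -p $proto -d $server_ip" \
         "--dport $port -j REJECT --reject-with $reject"
}

# Constructed sample values: br-lan, 192.168.1.10 and 1194/udp are assumptions.
build_reject_rule br-lan udp 192.168.1.10 1194
```

A rule inserted this way does not survive a firewall restart; it has to be placed in the router's persistent firewall configuration to last.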

Re: Always connect except on "home" network

Posted: Sat Nov 30, 2019 8:37 pm
by jeff3820
This isn't the issue I'm referring to. When using OpenVPN Connect on iOS I use the Seamless Tunnel setting to block internet while the VPN is reconnecting...this is just more secure. However, when inside the LAN, the external IP address is not reachable so OpenVPN Connect fails and prevents the mobile device from having any internet connectivity. I can't do anything on the router to fix this as the problem is on the mobile device. The best solution is to have OpenVPN Connect recognize that the connected WiFi is a secure/identified SSID and then disconnect the VPN. Cloudflare does this on their 1.1.1.1 app. Even if I turn off Seamless Tunnel, then after 30 seconds (default) the connection attempt to OpenVPN fails and will time out. I will have internet connectivity but OpenVPN Connect will not automatically reconnect when leaving the trusted WiFi SSID. Again, Cloudflare's 1.1.1.1 app shows this is possible and would be a terrific addition to OpenVPN Connect.