Always connect except on "home" network

jeff3820
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 29, 2019 1:55 am

Always connect except on "home" network

Post by jeff3820 » Thu Aug 29, 2019 8:30 pm

brianjmurrell posted this message in the OpenVPN Connect (Android) forum. I am also interested in exactly the same solution... how can I pause OpenVPN Connect when the WiFi is connected to the "home" network(s)? The 1.1.1.1 app, which is a "VPN" for DNS only, does this exactly... it allows specific SSIDs to be entered and if connected to those SSIDs then the VPN connection is paused. When moving to cellular or other WiFi SSIDs then the VPN resumes. Seems this would be a very valuable addition to OpenVPN Connect for iOS.

Here is the post from the Android forum: <<How can I make OpenVPN automatically connect when I am on any network (mobile or WiFi) that is not the network that the OpenVPN server is gatewaying to (i.e. the network that is "behind" the OpenVPN gateway)?

So to be clear, I want to automatically always connect to my OpenVPN server except when I am on the network that is behind the OpenVPN server since that doesn't work and seems pointless anyway. I trust my local network.>>

Any solutions or workarounds would be great.

TinCanTech
OpenVPN Protagonist
Posts: 6248
Joined: Fri Jun 03, 2016 1:17 pm

Re: Always connect except on "home" network

Post by TinCanTech » Thu Aug 29, 2019 9:49 pm

You can either try to convince the developer of the software you are using that this is a good idea to implement in their software, or you can invest in better network equipment and configure your network to do what you want.

jeff3820
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 29, 2019 1:55 am

Re: Always connect except on "home" network

Post by jeff3820 » Thu Aug 29, 2019 10:02 pm

The router software on the "home" internal network is pfSense and sure, I can configure a hairpin but that is just absurd... no need for a VPN when you are already on the network the VPN connects to. It is OpenVPN Connect that needs to implement the change to disable the VPN when it senses a WiFi connection to the "home" internal network. Only seems logical...

TinCanTech
OpenVPN Protagonist
Posts: 6248
Joined: Fri Jun 03, 2016 1:17 pm

Re: Always connect except on "home" network

Post by TinCanTech » Thu Aug 29, 2019 10:43 pm

jeff3820 wrote (Thu Aug 29, 2019 10:02 pm):
"I can configure a hairpin but that is just absurd"

the exact opposite of the truth ..

SaturnusDJ
OpenVPN User
Posts: 30
Joined: Thu Nov 24, 2011 11:17 pm
Location: Netherlands

Re: Always connect except on "home" network

Post by SaturnusDJ » Wed Nov 13, 2019 11:58 pm

Kicking this topic.

@TinCanTech
What do you mean by your reply? Are you suggesting to deliberately *not* use a hairpin so that OpenVPN will fail to connect when at home? That would be a solution I guess, but not something that should work for the external IP always. Better would be to filter out only the VPN connection attempt, maybe by port. Hope this is possible on OpenWRT (iptables).

TinCanTech
OpenVPN Protagonist
Posts: 6248
Joined: Fri Jun 03, 2016 1:17 pm

Re: Always connect except on "home" network

Post by TinCanTech » Thu Nov 14, 2019 1:04 am

You answered your own question ..

jeff3820
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 29, 2019 1:55 am

Re: Always connect except on "home" network

Post by jeff3820 » Sun Nov 17, 2019 12:57 am

The way Cloudflare does this on their 1.1.1.1 client app is the correct solution. If the 1.1.1.1 app sees connection on a specific SSID/WiFi network (they call this a trusted connection) then 1.1.1.1 client disables itself so the connection doesn't happen. They allow multiple SSIDs to be entered. When internet connection is via a different SSID/WiFi that is not identified as a trusted WiFi connection or a cellular connection then the 1.1.1.1 client establishes a connection.

I can make a clumsy solution on the server side but it shouldn't be necessary. OpenVPN Connect should implement this feature in a future release. It would simplify my network connections and I'm sure others as well. Simple is better and more reliable.

SaturnusDJ
OpenVPN User
Posts: 30
Joined: Thu Nov 24, 2011 11:17 pm
Location: Netherlands

Re: Always connect except on "home" network

Post by SaturnusDJ » Fri Nov 29, 2019 6:51 pm

I just made an OpenWRT firewall (iptables) rule to reject traffic on the OpenVPN port received from within the LAN towards the OpenVPN server LAN IP address. This last part sounds a bit weird, but specifying the external IP as destination did not result in a reject/block. I think the firewall rule is applied after OpenWRT translated the external IP to the internal IP.
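
Added example, not part of the post above and not OpenWRT's own tooling: one way to write the rule the post describes as plain iptables commands, matching the server's LAN address because the port-forward DNAT has already rewritten the destination by the time the filter table runs. The subnet, server address, port and the helper name `ovpn_reject_rule` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the iptables command for the
# "reject OpenVPN from inside the LAN" rule. All addresses are constructed.
#
# Netfilter order for a LAN client dialling the WAN address:
#   nat/PREROUTING (port-forward DNAT rewrites dst) -> filter/FORWARD or INPUT
# so the filter rule must match the post-DNAT (LAN) destination; a rule
# matching the external IP never sees that address.

# ovpn_reject_rule LAN_CIDR SERVER_LAN_IP PORT PROTO WHERE
#   WHERE=host   : server is another LAN machine  -> FORWARD chain
#   WHERE=router : server runs on the router      -> INPUT chain
ovpn_reject_rule() {
    lan_cidr=$1 server_ip=$2 port=$3 proto=$4 where=$5

    case $proto in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    case $where in
        host)   chain=FORWARD ;;
        router) chain=INPUT ;;
        *) echo "where must be host or router" >&2; return 1 ;;
    esac

    match="-s $lan_cidr -d $server_ip -p $proto --dport $port -j REJECT"
    # -C tests whether the rule already exists, so re-running adds no duplicate.
    echo "iptables -C $chain $match 2>/dev/null || iptables -I $chain 1 $match"
}

# Dry run: print the command; pipe to sh on the router to apply it.
ovpn_reject_rule 192.168.1.0/24 192.168.1.10 1194 udp host
```

REJECT (rather than DROP) returns an ICMP error to the client, so the connection attempt fails immediately instead of waiting for a timeout.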

jeff3820
OpenVpn Newbie
Posts: 5
Joined: Thu Aug 29, 2019 1:55 am

Re: Always connect except on "home" network

Post by jeff3820 » Sat Nov 30, 2019 8:37 pm

This isn't the issue I'm referring to. When using OpenVPN Connect on iOS I use the Seamless Tunnel setting to block internet while the VPN is reconnecting... this is just more secure. However, when inside the LAN, the external IP address is not reachable so OpenVPN Connect fails and prevents the mobile device from having any internet connectivity. I can't do anything on the router to fix this as the problem is on the mobile device. The best solution is to have OpenVPN Connect recognize that the connected WiFi is a secure/identified SSID and then disconnect the VPN. Cloudflare does this on their 1.1.1.1 app. Even if I turn off Seamless Tunnel, then after 30 seconds (default) the connection attempt to OpenVPN fails and will time out. I will have internet connectivity but OpenVPN Connect will not automatically reconnect when leaving the trusted WiFi SSID. Again, Cloudflare's 1.1.1.1 app shows this is possible and would be a terrific addition to OpenVPN Connect.
