WiFi connection management #370

Open
schwabe opened this issue Jul 2, 2015 · 33 comments

@schwabe
Owner

schwabe commented Jul 2, 2015

Main window gets a new tab that does connection management.

List of conditions/actions. First action that matches will be taken.

Conditions should include Mobile network/specific WiFis or the category unencrypted WiFis.

Action should include Connect VPN x, Disconnect VPN (and disconnect/connect only if not a specific WiFi is used).

DeviceListener is already triggered on network reconnect.
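
The first-match rule list proposed in the opening comment, sketched as an added example that is not part of the thread or of OpenVPN for Android's code. The class, the `Network` model, the action strings, the SSID `HomeNet`, the profile name and the `NO_CHANGE` fallback are all assumptions made for illustration.

```java
import java.util.List;
import java.util.function.Predicate;

public class ConnectionPolicy {
    // Constructed model of the current network; not an Android or ics-openvpn type.
    enum Transport { MOBILE, WIFI }
    static final class Network {
        final Transport transport; final String ssid; final boolean encrypted;
        Network(Transport transport, String ssid, boolean encrypted) {
            this.transport = transport; this.ssid = ssid; this.encrypted = encrypted;
        }
    }
    static final class Rule {
        final Predicate<Network> condition; final String action;
        Rule(Predicate<Network> condition, String action) {
            this.condition = condition; this.action = action;
        }
    }

    // The three condition kinds named in the proposal.
    static Predicate<Network> mobile() { return n -> n.transport == Transport.MOBILE; }
    static Predicate<Network> unencryptedWifi() {
        return n -> n.transport == Transport.WIFI && !n.encrypted;
    }
    static Predicate<Network> wifi(String ssid) {
        return n -> n.transport == Transport.WIFI && ssid.equals(n.ssid);
    }

    // The first rule whose condition matches decides; later rules are not consulted.
    static String decide(List<Rule> rules, Network current, String fallback) {
        for (Rule r : rules) if (r.condition.test(current)) return r.action;
        return fallback; // assumption: the proposal does not define the no-match case
    }

    public static void main(String[] args) {
        // Order matters: the unencrypted category comes before the trusted SSID, so an
        // open network that merely carries the trusted name still gets the VPN.
        List<Rule> rules = List.of(
            new Rule(unencryptedWifi(), "CONNECT travel-profile"),
            new Rule(wifi("HomeNet"), "DISCONNECT"),
            new Rule(mobile(), "CONNECT travel-profile"));
        Network[] samples = { // constructed sample states
            new Network(Transport.WIFI, "HomeNet", true),
            new Network(Transport.WIFI, "HomeNet", false),
            new Network(Transport.MOBILE, null, true),
            new Network(Transport.WIFI, "Office", true) };
        for (Network n : samples)
            System.out.println(n.transport + " " + n.ssid + " -> " + decide(rules, n, "NO_CHANGE"));
    }
}
```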

@AlmogBaku

How do you suggest to manage the policy enforcement?

  1. To create an overlay management that decides whether to connect/disconnect you by your policy?
  2. To maintain the socket connection for a few seconds after the connection change, but to detach it from the Android VPN immediately? (Is that even possible?)

I'd love to hear more ideas about the techy part, and not the UI part.
I have developed for my own use an "overlay" management such as in (1), but it is still not stable enough.

@craftyguy

This would be an excellent feature! There are certain networks I connect to that I trust, and having to manually disconnect openVPN when connecting to the network and then (try to remember to) connect to openvpn when leaving the network is quite cumbersome..

Alternatively, adding support for other apps such as Tasker or Automagic Premium to initiate connections/disconnections using this app would establish the same thing, since users could create rules in those apps to detect when the network changes.

@mesterj

mesterj commented Oct 25, 2015

Hello. I can't find the new tab: Connection management. Is this available only in beta?

@AlmogBaku

@mesterj not yet.

I've built this feature internally, but I need to find the time to contribute the code into a PR.

@OlafTitz

OlafTitz commented Feb 7, 2016

I'm trying to do this with Tasker. Connecting is already possible by sending an intent.
Disconnecting or pausing is not possible this way.
AIUI, sending an intent from Tasker is the same as what happens when clicking a shortcut, so another way to formulate this requirement would be: Add launcher shortcuts for pause/resume/disconnect, then automation with Tasker becomes possible.

@schwabe
Owner Author

schwabe commented Feb 7, 2016

There is a 3rd party plugin for Tasker that allows full control of OpenVPN for Android. I do not want to allow general disconnect/pause etc. intents since otherwise arbitrary apps could control connections.

@wifiuk

wifiuk commented Feb 12, 2016

I would love to have an option when I connect to WiFi network A or B then fire up VPN.
Or any open WiFi then fire up VPN. And disconnect when no longer on that network

@smiley

smiley commented Mar 3, 2016

I was just about to create a new issue to suggest this. This would be great, possibly with a switch to deny any communication on unsecured Wi-Fi networks until a connection is established. (Minus the app/service in charge of connectivity checks, to allow the user to click through captive logins)

@craftyguy

You could allow disconnecting by intent, and make it an option that is disabled by default. This would allow folks that want to use this to have it as long as they understand the risk.

@AlmogBaku any chance you've had time to get your changes organized? :)

@tonsimple

tonsimple commented Jun 27, 2016

@schwabe
@craftyguy
@smiley

Hey, perhaps a dumb idea from a non-programmer but... hear me out :-)

In android, it's possible to have activities that are non exported (android:exported="false")

In this case, other "vanilla" applications will not be able to start this activity

HOWEVER
automagic4android and/or tasker will be able to launch this activity on a rooted device (something like su -c am start -n de.blinkt.openvpn/stuff.stuff.stuff) and get the desired behavior (disable VPN on specific connections, ensure that a specific VPN profile is launched for specific connections, etc etc)

It doesn't make the security more broken than just having rooted device does ;-)

@OlafTitz

Requiring root for anything as simple as this, where a non root solution already is possible, would be a real security disaster.

On 27.06.2016 12:20, "Simply Sarah" [email protected] wrote:

> @schwabe https://github.com/schwabe
> @craftyguy https://github.com/craftyguy
> @smiley https://github.com/smiley
>
> Hey, perhaps a dumb idea from a non-programmer but... hear me out :-)
>
> In android, it's possible to have activities that are non exported (android:exported="false")
>
> In this case, other "vanilla" applications will not be able to start this activity
>
> HOWEVER
> automagic4android and/or tasker will be able to launch this activity on a rooted device (something like su -c am start -n de.blinkt.openvpn/stuff.stuff.stuff/) and get the desired behavior (disable VPN on specific connections, ensure that a specific VPN profile is launched for specific connections, etc etc)
>
> It doesn't make the security much more broken than just having rooted device does ;-)


@schwabe
Owner Author

schwabe commented Jun 27, 2016

I don't like the Intent without restriction as it would allow arbitrary apps to break the connection. Disconnecting via is already possible but apps using that api need to prompt for permissions from OpenVPN for Android.

@craftyguy

craftyguy commented Sep 9, 2016

Allow the use of intent to be configurable, and disable it by default. I don't care, as long as the functionality exists then those of us who trust the apps on our devices and understand the risk can use it and everyone else can leave it off.

This app seems to arbitrarily disconnect itself or fail to reconnect on multiple network changes, so having it be controllable by intent might actually help us to recover from an errant disconnect by using something like Tasker

@craftyguy

Since #103 was closed as a duplicate of this issue, are there any plans to implement a network blacklist such that openvpn won't try to connect when the device is connected to one of the networks in the blacklist? That request seems a bit unrelated to this intent discussion (triggering a disconnect vs not connecting in the first place [ie #103])

@priceaj

priceaj commented Jan 2, 2017

The OpenVPN Tasker plugin does not work with OpenVPN for Android at present, and has not been working since version 0.6.60. Based on the Google Play comments, it looks like there have been a number of times in the past where this has broken, but the plugin has not been updated since 2014.

Since I'd imagine the thing most people are trying to do with Tasker is to configure the VPN to connect on any WiFi networks that are not their home network, this feature would be very useful. Certainly better than relying on a 3rd party plugin app which contains ads and in-app purchases.

@schwabe
Owner Author

schwabe commented Jan 2, 2017

Yes, but I have not had the time and motivation to implement this yet. Keep in mind that OpenVPN for Android is a spare time project for me.

@craftyguy

Is there anything we could do to motivate you to work on this? It's literally the only thing keeping this app from being usable for me, since it essentially breaks every time I wander to my local network (where my VPN server is located). I could configure my router to loopback, but having to VPN from within the network where my server is located to the same network is silly.

@GregoryGoodnight

I use the CyberGhost VPN Android app and really like how it handles the network settings. E.g., it is possible to exclude my two trusted home WLANs (SSIDs House LANister + It Hurts When IP) and automatically start the VPN on other networks. If interested, you can download the app and test it for a week.

@craftyguy

@GregoryGoodnight I don't think a proprietary application is an appropriate replacement for this one..

@GregoryGoodnight

Sorry for the confusion @craftyguy, I did NOT mean to replace this app with another one. I just like the way that the Cyberghost VPN Android app handles the WiFi connection management and that we could take it as an inspiration.

@daltonch

Bummer, I really thought this would be a basic function, REALLY like the app include/exclude list, that ROCKS! But I really need a way to...when on home WiFi connect to Work VPN, when on work WiFi connect to Home VPN, seems like a logical thing people do...

@uniquesuresh

I am having the same issue. I want to disable the VPN on home and work networks for various reasons. So I tried using the E-Robot app to control the connections, but the expressions and conditions make it more complicated, triggering multiple events to enable or disable the VPN connection.
It would be a very valuable feature enhancement if we can add WiFi connection management to this app to enable/disable or pause/resume functionality.

@bjo81

bjo81 commented Mar 6, 2018

Did someone get such a behaviour with Autoset? So far, it can start OpenVPN when I leave my home WiFi, but I did not figure out how it could stop the VPN connection when I arrive at home.

@neoatomic

Would also like to request this feature.
The setup I want to use is "always on VPN" for all my WiFi/4G connections, with the exception of my home network.

@mvastola

FYI, intents were enabled per f014940, bb3c4ae, and 3eca5f7.

The workaround that was implemented seems to be an approval mechanism to allow the app sending the intents to do so.

@TheCherry

TheCherry commented Aug 5, 2020

Is there a way that we get that feature soon?
I think a simple line in the client config can help here.

Something like:
disable if gateway 192.168.1.1
or better:
disable remote route 192.169.1.0 255.255.255.0 if gateway 192.168.1.1

There is a solution at the moment that works (only tested on Linux, Ubuntu).
Add this to your client config:
route 192.169.1.0 255.255.255.0 192.168.1.1
If the client is in the local network, this rule will apply and the server can't push the route anymore.

If the client is not in the local network, the rule gives an error and you can connect through the VPN to your local network:

/sbin/ip route add 192.169.83.0/24 via 192.168.50.1
Error: Nexthop has invalid gateway.
ERROR: Linux route add command failed: external program exited with error status: 2

But that seems only to apply on the initial connection, and it's not tested with Windows / Mac / Android / etc.

@schwabe
Owner Author

schwabe commented Aug 8, 2020

Not likely. It has been on my TODO list since 2015 and there has never been enough motivation to implement it.

@Meetsch

Meetsch commented Nov 5, 2020

The motivational use-case is very well explained in OpenVPN's support forum:
https://forums.openvpn.net/viewtopic.php?f=36&t=28794

Hope you reconsider the motivation!

@schwabe
Owner Author

schwabe commented Nov 5, 2020

@Meetsch I see the use case. It is just not something that I personally use or am really interested in. It is also not something that is very easy to implement or simple.

@gitlot6

gitlot6 commented Jun 8, 2021

This is getting more and more important and has to be implemented in the app without funny Tasker.
In the FAQ https://ics-openvpn.blinkt.de/FAQ.html you advise how to block non-VPN connections.
Consider that this makes VPN useless for many when we need to connect the phone to Android Auto or a Garmin dash cam or a drone WiFi spot and so on; there are more and more devices accessible only with local WiFi hotspots.
The excluding routes option does not work.
If you do not add such an option you will leave no choice for us but negative feedback for your app.
Other app had at least an option to use VPN either over mobile data or WiFi, but beginning with Android 8 even that was removed.
P.S.
Lack of such an option is a privacy violation.
What is so difficult about checking a list of whitelisted WiFis and connecting or allowing pass-thru?

@schwabe
Owner Author

schwabe commented Jun 8, 2021

@gitlot6 if you go by the privacy argumentation then this feature would not be for you either. There is simply no way to implement this without leaking data as the app can only react AFTER the WiFi has connected but at that time, you will already have data flowing.

So again, a half-baked implementation is also nothing that I am happy with, and the current APIs just don't allow any "Use VPN always on certain WiFis but not on others" in any proper way that doesn't leak traffic.

Also trying to pressure me into developing something with the threat of negative feedback is not helping.

@datdamnmachine

I saw this article while searching for this feature as well as another article here:

https://directaccess.richardhicks.com/2020/03/24/always-on-vpn-trusted-network-detection/

The implementation, in this case, is by reading the domain suffix of an adapter and connecting/disconnecting/reconnecting based on that. Perhaps this method would be something easier to implement than SSID or Cellular detection as it would be connection agnostic.

No ideas on the data leak aspect other than some hook where all is halted by the VPN (perhaps with a blackhole route) until this detection is performed. That would mean having the client not disconnect but "paused"...

@schwabe
Owner Author

schwabe commented Sep 18, 2022

That is Windows. If there was a viable way on Android I would have implemented it. Unless Google gives me something that allows me to implement it, I will not implement the feature since I don't want a half-broken feature that cannot be fixed.
