GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

Enable VPN automatically only on blacklisted SSID and Disable VPN automatically on whitelisted SSID #352

Closed githupper closed 6 months ago

githupper commented 4 years ago

Duplicate a feature on iOS where the user is able to define whitelisted / blacklisted SSIDs to ensure the VPN runs accordingly. My particular use case is that I self-host a WireGuard server with self-hosted Unbound and Pi-hole. I use this method extensively to block ads system-wide and to prevent DNS leakage to my ISP.

On iOS, I do not need to manually switch my WireGuard on/off, as I have defined the SSIDs accordingly and it automatically activates as needed.

On Android, as WireGuard connects to my home network, I have to manually disable WireGuard when on WiFi and manually enable it when I am outside.

Besides my use case, it can be useful when a user is using public WiFi in a coffee shop or other public area and needs to connect to their personal VPN.

Not sure if this can be done within GrapheneOS rather than using a third-party app like Tasker, for example, which also works, as I have tested in other ROMs before.

If there is a security concern on this function, please do advise.

Thank you

thestinger commented 4 years ago

It might be possible for a VPN app to implement this already. I'm not sure if they can obtain the necessary information. VPN apps are allowed substantially more access to network information if the user has accepted them being a VPN.

githupper commented 4 years ago

It would be ideal if it is implemented system wide since that would mean all VPNs can support it without being explicitly coded for such function.

Of course a VPN doesn't make one's connectivity more secure, since it just means passing on the trust from the telco/network provider to the VPN provider, but for a scenario such as mine, it means that my phone's DNS is properly secured, with system-wide adblocking enabled and with access to stuff hosted on the home network.

Assuming my suggestion is implementable, thank you for considering this enhancement.

ypid commented 3 years ago

@githupper For a long time I wanted to have the same thing as you. But as I am currently switching to WireGuard, I can redesign my VPN setup from scratch.

Why not have WireGuard always on? When you are home, it terminates on your home server so not much latency is added. And when you are away, it also works. Plus you don’t have to put trust into SSIDs.

thestinger commented 3 years ago

If you're using your own VPN server, you can be tracked across networks based on that.

ypid commented 3 years ago

I fully agree with you and that is also not acceptable to me. So I guess it is worth talking about this. And here I am documenting yet another part of my OpSec in the public Internet, yeah.

On Android, common VPN apps like WireGuard and OpenVPN cannot set up nested VPN connections, which would prevent this information leak. Also, a nested VPN would have the issue that when you are at home with always-on, you would also need one round trip to a public VPN service to access your home network. Not ideal.

To solve this, have your phone connect via a port forward that some public VPN services provide back into your home network running a WireGuard server. This way, you can have the best of both worlds. Well, not the best, because you would still connect to a unique socket (IP + port) and not a generic VPN endpoint from a network perspective. So I would prefer the nested VPN setup. But this port forwarding approach allows you to intercept those connection attempts in your home network and redirect them without the Internet round trip to your VPN server.

phone ---(public Internet)-> public VPN service port forwarding --(VPN tunnel)-> Home network -> Private VPN server

Edit: I even thought about how to mitigate the unique socket. You could use TOTP or similar to automatically switch the socket for each connection. But this would require support on both sides (phone and VPN service). I would prefer the nested VPN. (At this point, just do it properly: nested VPN.)

And concluding, with the nested VPN it would be helpful to only enable the (outer) VPN when you are not in your home network, which brings us back to this issue :)
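The policy the original request and the comment above both describe (tunnel off on a whitelisted home SSID, on everywhere else) is small enough to model end to end. The following is an added illustration written for this thread; it is not GrapheneOS code and not part of any VPN app, and the class and function names (`SsidPolicy`, `NetworkEvent`, `VpnAction`) are hypothetical. It defaults to fail-closed for unknown networks and lets the blacklist win when an SSID appears in both lists, since an SSID is an unauthenticated string that any access point can broadcast, which is the reason given above for not wanting to trust SSIDs at all.

```python
"""SSID-based VPN policy (hypothetical names; added example, not GrapheneOS code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class VpnAction(Enum):
    ENABLE = "enable"
    DISABLE = "disable"


@dataclass(frozen=True)
class NetworkEvent:
    """A connectivity change as a VPN app would observe it.

    ssid is None when the phone is not on Wi-Fi (mobile data or offline).
    """
    ssid: Optional[str]
    online: bool = True


@dataclass(frozen=True)
class SsidPolicy:
    trusted: frozenset = frozenset()    # whitelist: the tunnel may be down here
    untrusted: frozenset = frozenset()  # blacklist: the tunnel must be up here
    fail_closed: bool = True            # unknown SSID -> tunnel up, not the benefit of the doubt

    def decide(self, event: NetworkEvent) -> VpnAction:
        if not event.online:
            # Nothing to protect while offline; the decision is re-evaluated
            # on the next connectivity event.
            return VpnAction.DISABLE
        if event.ssid is None:
            # Mobile data is never the home network, so the tunnel goes up.
            return VpnAction.ENABLE
        if event.ssid in self.untrusted:
            # Blacklist beats whitelist: an SSID is just a broadcast string,
            # so an explicit "do not trust" must not be overridden.
            return VpnAction.ENABLE
        if event.ssid in self.trusted:
            return VpnAction.DISABLE
        return VpnAction.ENABLE if self.fail_closed else VpnAction.DISABLE

    def run(self, events: Iterable[NetworkEvent]) -> list:
        """Return only the state transitions, i.e. the commands an app would issue."""
        actions = []
        state = None
        for event in events:
            action = self.decide(event)
            if action != state:
                actions.append(action)
                state = action
        return actions


# Constructed sample: a day moving between home Wi-Fi, a coffee shop,
# mobile data and back home. SSIDs are made up for the example.
HOME_POLICY = SsidPolicy(
    trusted=frozenset({"home-wifi"}),
    untrusted=frozenset({"coffee-shop"}),
)
SAMPLE_DAY = [
    NetworkEvent("home-wifi"),
    NetworkEvent("coffee-shop"),
    NetworkEvent(None),
    NetworkEvent("home-wifi"),
]

if __name__ == "__main__":
    for action in HOME_POLICY.run(SAMPLE_DAY):
        print(action.value)
```

Running it prints `disable`, `enable`, `disable`: the switch from the coffee shop to mobile data is not reported because the tunnel is already up. Setting `fail_closed=False` reproduces the weaker "only the blacklist triggers the VPN" behaviour, which leaves every unlisted network unprotected.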

thestinger commented 3 years ago

> On Android, common VPN apps like WireGuard and OpenVPN cannot setup nested VPN connections which would prevent this information leak

They choose not to implement it. Nothing prevents VPN service apps from supporting forwarding their traffic.

thestinger commented 6 months ago

This belongs in the VPN app and we don't develop one.