netbirdio / netbird

Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

VPN on-demand activation for mobile clients #1781

Open pax0707 opened 3 months ago

pax0707 commented 3 months ago

Is your feature request related to a problem? Please describe.
Prevent activation of VPN while connected to the local environment.

Describe the solution you'd like
Implement on-demand VPN activation with the option to exclude WiFi networks at locations that NetBird clients already cover to prevent unnecessary network overhead.

Describe alternatives you've considered
Manually enabling/disabling the VPN is tiresome, especially for other, less technically inclined users.

Additional context
WireGuard client (and some other WireGuard-based solutions) already support this option.

braginini commented 3 months ago

Hi @pax0707, what kind of network overhead are you experiencing? Do you use the network routes feature?

aho-amiblu commented 2 months ago

Hi, if I may add a comment here: In our corporate network we have a ton of subnets that are routed quite efficiently via the local "default gateway". If we deploy routes via the "network routes" feature, they will always be preferred, so all the traffic is running via that routing peer, instead of the (more efficient) direct way. So it would be nice if those network routes are only active if they cannot be reached directly.

braginini commented 2 months ago

> Hi, if I may add a comment here: In our corporate network we have a ton of subnets that are routed quite efficiently via the local "default gateway". If we deploy routes via the "network routes" feature, they will always be preferred, so all the traffic is running via that routing peer, instead of the (more efficient) direct way. So it would be nice if those network routes are only active if they cannot be reached directly.

Thank you for sharing your case @aho-amiblu. You might be able to achieve the suggested behaviour by using posture checks. You can create one that blocks access when the peer is connected to a specific network (peer network range check) and add it to a policy that allows access to your routing peers. Once the client is in the network with more efficient routes, the posture check will remove access to that routing peer and therefore the NetBird route.
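
The behaviour described in the comment above, modelled as an added example (not NetBird's code and not part of the thread): a deny-type peer network range check gates the policy to the routing peer, so the route is usable only while the peer is outside the listed ranges. The type and function names and the `10.20.0.0/16` office range are hypothetical, constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// RangeCheck is a hypothetical model of a "peer network range" posture check
// with a deny action: the check fails while the peer sits in one of Ranges.
type RangeCheck struct {
	Ranges []netip.Prefix
}

// DenyIn builds a deny-type check from CIDR strings (constructed sample input).
func DenyIn(cidrs ...string) RangeCheck {
	c := RangeCheck{}
	for _, s := range cidrs {
		c.Ranges = append(c.Ranges, netip.MustParsePrefix(s))
	}
	return c
}

// RouteActive reports whether the policy to the routing peer still applies,
// given the peer's local interface addresses. One address inside a denied
// range is enough to fail the check, which matters for multi-homed peers.
func RouteActive(c RangeCheck, localAddrs ...string) bool {
	for _, s := range localAddrs {
		addr := netip.MustParseAddr(s)
		for _, r := range c.Ranges {
			if r.Contains(addr) {
				return false // check fails, access to the routing peer is removed
			}
		}
	}
	return true // peer is outside every denied range, route stays usable
}

func main() {
	office := DenyIn("10.20.0.0/16")
	fmt.Println(RouteActive(office, "10.20.4.17"))               // false: on the office LAN
	fmt.Println(RouteActive(office, "192.168.1.50"))             // true: remote network
	fmt.Println(RouteActive(office, "172.16.9.3", "10.20.4.17")) // false: multi-homed, one leg in office
	// A denied range that is also common elsewhere fails closed off-site too.
	fmt.Println(RouteActive(DenyIn("192.168.1.0/24"), "192.168.1.50")) // false
}
```

The last case shows why the denied range should be specific to the corporate network: a widely reused private range would also disable the route on unrelated networks that happen to use it.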