Auto-disconnect OpenVPN when a physical connection to the corporate network is established

[Pleusch]

Dear maintainers,

I am currently experiencing an issue where I need to manually disconnect from OpenVPN every time I physically plug into my office's corporate network. This manual step is necessary to avoid redundant connections and access the office network resources.

Here's what typically happens:
When I connect directly to my corporate network, I need to manually disable OpenVPN once, and then re-enable it immediately. Thankfully, OpenVPN does not establish a connection as long as I'm physically connected to the corporate network, which is good.

However, it would be an improvement if OpenVPN could automatically detect when I'm physically connected to the corporate network and disconnect on its own. Additionally, once it detects that the physical connection is no longer present, it should attempt to reconnect automatically.

This auto-detect and disconnect/connect feature would enhance usability significantly, as it would remove the need for manual intervention every time I transition between network environments.

I look forward to your thoughts on this.

Thanks for your time and consideration.

Pleusch

[selvanair]

I had thought of implementing such a feature but I haven't found a reliable method to detect "trusted networks". Any form of auto-disable comes with a risk. The easiest may be to specify a list of DNS suffixes but that's not really fool-proof. You may end up having your VPN disabled in an insecure network.

[Pleusch]

I had thought of implementing such a feature but I haven't found a reliable method to detect "trusted networks". Any form of auto-disable comes with a risk. The easiest may be to specify a list of DNS suffixes but that's not really fool-proof. You may end up having your VPN disabled in an insecure network.

The Solution is very Simple.

You just need to determine in which cases your connection should established

1. Your physical or WiFi connection in the Office.
2. WWAN Cellular Connection to the Internet.
3. Your Home Network in your Home Office.

I wrote this script that will run every minute with the Windows scheduler:

$vpnService = 'OpenVPNService'
$homeNetworkMac = "HomeNetworkRouterMac"
$officeNetworkMac = "officeNetworkRouterMac"
$cellularConnection = Get-NetAdapter | Where-Object { $_.Name -like "Cellular" -and $_.Status -eq 'Up' }

# Check if the computer is connected to the home network.
$arpTable = arp -a
$connectedToHomeNetwork = $arpTable -match $homeNetworkMac

# Check if the computer is connected to the office network.
$connectedToOfficeNetwork = $arpTable -match $officeNetworkMac

if ($connectedToHomeNetwork) {
    Start-Service -Name $vpnService
}
elseif ($cellularConnection -and !$connectedToOfficeNetwork) {
    Start-Service -Name $vpnService
}
elseif ($connectedToOfficeNetwork -and $cellularConnection) {
    Stop-Service -Name $vpnService
}
elseif ($connectedToOfficeNetwork) {
    Stop-Service -Name $vpnService
}
else {
    Stop-Service -Name $vpnService
}

Would be easier if someone would integrate it into the code from openvpn-gui!

Thanks

[selvanair]

As I mentioned, the issue is not "ease of implementation" but lack of a secure method of detecting networks. If that script works for you continue using it. I cannot integrate such a solution as its not safe enough in my opinion. Its easy to spoof MAC address.

[lraikhman]

@selvanair this would be an incredible feature to have. Worth pointing ou that Microsoft's Always-On solution detects networks by simple DNS suffixes. This is fine in 99% of cases.

What about something more complex? I could envisage OpenVPN having a client option such as multiple statements of "trusted network". Each would have hash of {gateway MAC, a custom string delivered via DHCP Option 200}.

Since it's encrypted client side, it cannot be ripped out of the config file. Only people who know the unencrytped value can create the network required.

This would be a fantastic addition to the product.

[EbroRuano]

This would be a fantastic addition to the product.

I agree. Even for service mode, without gui.

TLS verification of OpenVPN server in a local IP address would be another option, but would not be bullet proof (a malicious computer on a foreign network could tunnelize that traffic to the public interface of the home network).

A more robust method to check if we are connected to the home network could be as follows.

1- Connect to the VPN.
2- Send a packet, through the VPN, to the local (not VPN) IP address. (Execute this step only if local IP is in predefined home network ip subnet range, otherwise it makes no sense, we are not in home network).
2- If that packet is received through the local network interface then we are in the same network that the VPN server, so disconnect the VPN.

This would only work to check for the home network, not for other secure networks.

Caveats:
Home network must be a secure network, otherwise two malicious computers, one on each end, could allow validation on a foreign network. The fact that the home network is a secure network means that there can not be malicious computers on it. This makes sense so that the VPN is not necessary on the home network.

Would this solution be good enough?