Specific VPN usage (macOS, iOS)

Ryan Sebo
How to make a mac/iOS device connect to a VPN (ExpressVPN) only when not connected to a specific wifi network (our company network)?
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
This is a highly specialized case, best handled manually.

1) Contact ExpressVPN and ask for instructions on how to leave your VPN installed but completely disable VPN packet flow.

2) When you'd like to connect at a faster speed (the usual reason for doing this), run a script which runs the disable command (which can usually be committed to a command-line script).

3) If ExpressVPN doesn't provide this feature, you'll likely have to change VPNs.

Note: Most VPNs provide a simple way to do this.
Distinguished Expert 2017

Commented:
As David covered.

Usually, you do not want remote VPNs to auto-connect to work networks.

Other VPN clients, when they see a request to an IP range defined in the VPN client policy, trigger the initiation of the connection, commonly prompting the user for credentials.

I'll rely on David's knowledge regarding the mentioned VPN client.
Ryan Sebo, System Administrator

Author

Commented:
Do you know of any VPN services that allow you to set connection rules?
Distinguished Expert 2017

Commented:
VPN connection is up to the user. With a remote VPN, this is commonly from anywhere, but you can restrict on your resource/firewall where a remote VPN connection can be made from, though in this situation you would have to continually update this when a user's WAN IP is randomly changed by their provider.

Much depends on the options on the device you manage.
Ryan Sebo, System Administrator

Author

Commented:
I'm looking for a way to have the company laptops connect to a VPN service whenever they are not connected to the company access point and disconnect from the VPN service whenever they are connected to the company access point.

The purpose is security, they do not need to remotely connect to the company network.
Distinguished Expert 2017

Commented:
Usually, you would not want to have laptops have automatic credentials to access the corporate VPN.
Usually, you would want the user to authenticate as a second step.

This depends on the firewall and VPN client in use. A Cisco client includes a policy that defines what traffic should flow over the VPN; when that traffic is seen on the system, it triggers the application, which prompts the user for credentials.
I do know that Cisco AnyConnect will automatically disconnect when you're on the internal corporate network, as does GlobalConnect for PAN networks. That's because DNS is set to not resolve the external VPN link and the IP is also blocked from internal connections.

You could set the DNS for ExpressVPN to resolve to nothing or to a dummy link. That way, you force the connection to drop. You could also set a firewall block on ExpressVPN hosts, although there may be too many to easily list. This would be a workaround since you're not using a PAN, Cisco ASA, Fortigate, or other local firewall/gateway/VPN device that you have more direct control over. You basically have to block ExpressVPN's entire network address ranges.
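As an added example (not from anyone in this thread, and not ExpressVPN's own tooling): David's step 2 and the author's clarified requirement (VPN up whenever the laptop is not on the company access point, down whenever it is) can be scripted on macOS with stock tools. The script below reads the current SSID with `networksetup -getairportnetwork` and drives a VPN service with `scutil --nc`, which only works if the VPN is configured as a native macOS VPN service (for example an IKEv2 profile), not through a vendor app. The service name `ExpressVPN`, the SSID `Corp-WiFi` and the interface `en0` are placeholders; the sample command outputs in the comments are constructed. The decision logic is kept in a pure function so it can be checked without touching the network.

```shell
#!/bin/sh
# Added example: keep a native macOS VPN service up except on the company Wi-Fi.
# Placeholders (assumptions): service name, SSID, Wi-Fi interface.
COMPANY_SSID="${COMPANY_SSID:-Corp-WiFi}"
VPN_SERVICE="${VPN_SERVICE:-ExpressVPN}"
WIFI_IF="${WIFI_IF:-en0}"

# Pure decision function, testable offline.
#   $1 company SSID, $2 current SSID ("" when not associated), $3 VPN state
#   prints one of: start | stop | none
decide_action() {
  company="$1"; current="$2"; state="$3"
  if [ -n "$current" ] && [ "$current" = "$company" ]; then
    # On the corporate access point: the VPN must be down.
    if [ "$state" = "Connected" ] || [ "$state" = "Connecting" ]; then
      echo stop
    else
      echo none
    fi
  else
    # Any other Wi-Fi, wired, or no network at all: the VPN must be up.
    case "$state" in
      Connected|Connecting) echo none ;;
      *) echo start ;;
    esac
  fi
}

# Parse the output of: networksetup -getairportnetwork en0
# Constructed sample lines:
#   "Current Wi-Fi Network: Corp-WiFi"
#   "You are not associated with an AirPort network."
parse_ssid() {
  case "$1" in
    "Current Wi-Fi Network: "*) printf '%s\n' "${1#Current Wi-Fi Network: }" ;;
    *) printf '\n' ;;
  esac
}

# Parse the output of: scutil --nc status "<service>"
# The first line is the state (Connected / Disconnected / Connecting ...).
parse_vpn_state() {
  printf '%s\n' "$1" | head -n 1
}

# Apply the decision to the live system (macOS only).
apply() {
  ssid=$(parse_ssid "$(networksetup -getairportnetwork "$WIFI_IF" 2>/dev/null)")
  state=$(parse_vpn_state "$(scutil --nc status "$VPN_SERVICE" 2>/dev/null)")
  case "$(decide_action "$COMPANY_SSID" "$ssid" "$state")" in
    start) scutil --nc start "$VPN_SERVICE" ;;
    stop)  scutil --nc stop  "$VPN_SERVICE" ;;
    none)  : ;;
  esac
}

# Only touch the live system when explicitly asked, e.g. from a launchd job.
if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

Run it as `sh vpn-toggle.sh --apply` from a launchd agent that watches `/Library/Preferences/SystemConfiguration` so it fires on every network change. Two caveats a practitioner should weigh: an SSID is trivially spoofable, so a rogue access point broadcasting the company SSID would make the laptop drop its VPN; if that matters, add a second check (for example reachability of an internal-only host) before choosing `stop`. And this only drives a VPN the OS itself manages; if the ExpressVPN app owns the tunnel, there is nothing here for `scutil` to control, which is why the thread ends with the manual approach.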
System Administrator
Commented:
VPN must be manually turned on and off
