Allow for Connect on Demand on iOS app

Open andrewtlove opened this issue 5 years ago • 40 comments

Is your feature request related to a problem? Please describe.
I'm frustrated when I've joined my iOS device to a ZeroTier network, connected it, and then find that it has disconnected after some time of inactivity or link drop.

Describe the solution you'd like
I'd like to be able to configure ZeroTier networks as Always On, or Connect on Demand on my iOS device so that every request is made through my chosen ZeroTier network.

Describe alternatives you've considered
Building my own app is an option, but seems like an unnecessary duplication of effort.

Additional context
n/a

andrewtlove avatar Sep 18 '18 19:09 andrewtlove

If connect on demand is supported by iOS/Apple it's possible. We can take a look.

adamierymenko avatar Sep 25 '18 18:09 adamierymenko

It looks like at least as of 11.4.1 iOS supports a VPN mode that appears to connect on demand.

Set Settings -> VPN

I tested with only ZT installed and one network. When attempting to access something on my network it started ZT and connected to my network automatically. I then tried with two networks and set the default network to the second network. When trying to access the same resource it started ZT again and connected to the second network. I haven't yet tested if this affects the longevity of the connection.

It would be nice to have some finer grained control but maybe this will work for you? @andrewtlove

joseph-henry avatar Oct 10 '18 22:10 joseph-henry

Unfortunately I don't see an option for Connect on Demand for ZT.

Attached are two screenshots:

  • ZeroTier entry in VPN detail view, no Connect on Demand option available
  • Algo VPN entry installed using .mobileconfig file, including Connect on Demand

andrewtlove avatar Oct 11 '18 16:10 andrewtlove

I see. Maybe the behavior I see only works if you have (one) VPN installed. Otherwise it doesn't know which one to start. We'll look into this.

joseph-henry avatar Oct 11 '18 19:10 joseph-henry

Hello, just checking back on this issue and (hopefully) providing some useful information: https://developer.apple.com/documentation/networkextension/nevpnmanager#topics

Is there any other way I can help get this prioritized for the next iOS release?

andrewtlove avatar Dec 18 '18 04:12 andrewtlove

@joseph-henry Is this a possibility for an upcoming iOS release? Some more documentation about VPN on demand is at: https://developer.apple.com/documentation/networkextension/personal_vpn/vpn_on_demand_rules

The code for WireGuard for iOS may be of help: https://github.com/WireGuard/wireguard-apple/search?q=isOnDemandEnabled

Intensity avatar Sep 01 '19 00:09 Intensity

I'm also curious if any progress has been made on this. There are several dev servers I keep running behind a firewall that I'd like to access from my phone and would love if always-on was available.

jameslovallo avatar Sep 13 '19 16:09 jameslovallo

Add this or I'll cry

eskimo avatar Jan 03 '20 02:01 eskimo

Which ConnectionRule could be used for a zerotier network? I don't see how it'd work.

laduke avatar Jan 03 '20 17:01 laduke

I'm not sure how the on demand VPN thing is implemented. I just know that nearly every other VPN app implements it. The idea is that you enable it, and it'll always connect before doing any network calls, this way you don't have to keep manually toggling the VPN on, and it can disconnect if it's not doing anything.

eskimo avatar Jan 03 '20 18:01 eskimo

@laduke Could you clarify your question further?

Intensity avatar Jan 06 '20 05:01 Intensity

Please add Connect on Demand.

Or at the very least, please add Shortcuts support and/or URI scheme so I can automate a VPN connection in my workflow.

...but Connect on Demand would be better.

suderman avatar Jan 15 '20 17:01 suderman

> Which ConnectionRule could be used for a zerotier network? I don't see how it'd work.

@laduke :

Would an answer to the above be "class NEOnDemandRuleConnect"?

For your second comment, I'm not sure of its nature or scope. Are you suggesting that something about ZeroTier would make connect on demand inherently difficult? Or that it's unclear how to provide certain parameters to iOS that it is expecting?

I believe ZeroTier automatic connection could work in a way nearly identical to other VPN applications on iOS. The trigger for connection I believe is any network activity, so that could be the same in ZeroTier as it is in other applications. Whether there is a default route named for a ZeroTier network that device has joined or if the ZeroTier configuration only provides access to internal networks, it would be valuable to not have to open the application or manually reconnect. That manual step takes extra work, and having ZeroTier drop at unexpected times when the destination for default traffic is meant to be redirected to an exit gateway would cause an information leak, thus making it difficult to rely upon ZeroTier (also) as a traditional VPN.

Since the co-existence of ZeroTier and a traditional VPN is either not possible or complicated, I'd prefer to see if it's possible for the ZeroTier user experience to be on par with that of other VPN iOS applications, especially if the overhead to implement that is small. I don't know for sure all the steps that are involved, but the WireGuard reference may be of help in assessing the scope. Then ZeroTier can function also as a traditional VPN with little to no risk of information leakage. It may be a matter of naming the preferred reconnection strategy to the iOS interfaces.

Intensity avatar Jan 15 '20 19:01 Intensity

OK, I guess "Any time there is any network traffic" would be possible.

"Any time I try to access something via a zerotier network" seems less possible.

laduke avatar Jan 15 '20 20:01 laduke

On-demand support would be awesome. Is someone already working on creating a Pull Request for this? :D

ayr-ton avatar Jan 31 '20 17:01 ayr-ton

Maybe the Passepartout code can be used as reference. It has worked very well for me and having something like that (options for "always stay connected" and "disconnect on sleep") for ZeroTier would be awesome.

stefandesu avatar Feb 12 '20 09:02 stefandesu

In the latest Tailscale release they closed a memory leak that was responsible for their VPN connection getting shut down when inactive. Now they say it should remain active indefinitely once you’re connected. I wonder if there’s a similar fix to do the same here. https://tailscale.com/blog/2020-06-newsletter/

joshourisman avatar Jun 27 '20 14:06 joshourisman

Hello, is there any progress on it? How can I help to implement it?

paul-nameless avatar Sep 23 '20 16:09 paul-nameless

Same here. Willing to help, this feature is a must!

szethh avatar Sep 23 '20 16:09 szethh

Keep hope alive!

andrewtlove avatar Sep 23 '20 16:09 andrewtlove

Is the iOS app open source so I can add this feature myself and do a pull request?

miwagner1 avatar Oct 16 '20 19:10 miwagner1

I can't find it as well( anybody know where it can be found?

paul-nameless avatar Oct 17 '20 12:10 paul-nameless

IMO, this is almost a use-case breaking omission on iOS. Please implement this.

seanhelling avatar Oct 28 '20 20:10 seanhelling

Waiting for this too. Without this feature zerotier networking with iPhones is useless :( It will be awesome if you can add this to the app ❤️

kwladyka avatar Jan 29 '21 19:01 kwladyka

Yes please add this! Have a lot of issues with iOS clients disconnecting😞

fillwe avatar Aug 02 '21 09:08 fillwe

Just another request for this feature - it's something that other protocols including WireGuard support, and without it I can't use it to replace my existing WireGuard system at home. Thanks!

craSH avatar Sep 12 '21 18:09 craSH

I would also like to add a +1 for this feature--I can't use WireGuard for my use case and I need my non-tech wife to be able to connect on demand with her iPhone.

cjones26 avatar Sep 24 '21 15:09 cjones26

Hi all, our team has built a working beta of Connect On Demand and we'd like to invite those interested to help us test it.

If you're interested in testing this feature, please fill out this form and apply to join our iOS test flight team.

thefactremains avatar Oct 18 '21 20:10 thefactremains

> Hi all, our team has built a working beta of Connect On Demand and we'd like to invite those interested to help us test it.

Thank you for the invitation. I've installed the beta via TestFlight. However, I can set "On Demand" for all networks, but I'm unable to configure the rule(s) for whether ZeroTier should connect to VPN or not. The system settings refer to the ZeroTier app and the app itself only has a switch for enabling the feature. Unfortunately there is also no test information / notices in TestFlight for the ZeroTier beta. Can you describe how to configure the app to only connect to VPN when, e.g., mobile data is in use?

linuxrecon avatar Oct 22 '21 18:10 linuxrecon
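
The two on-demand behaviours raised in this thread ("any time there is any network traffic", and the question above about connecting only on mobile data) can be expressed with Apple's NetworkExtension on-demand rule classes, as in this added example. It is not ZeroTier's code and not from any participant; `OnDemandPolicy`, `makeOnDemandRules` and `enableOnDemand` are hypothetical names, and it assumes the app has already saved one tunnel configuration.

```swift
import NetworkExtension

// Hypothetical policy names for this example; not ZeroTier settings.
enum OnDemandPolicy {
    case anyNetwork    // start the tunnel whenever any interface is in use
    case cellularOnly  // start it on mobile data, stop it on Wi-Fi
}

// On-demand rules are evaluated in order; the first matching rule's action applies.
func makeOnDemandRules(for policy: OnDemandPolicy) -> [NEOnDemandRule] {
    switch policy {
    case .anyNetwork:
        let connect = NEOnDemandRuleConnect()
        connect.interfaceTypeMatch = .any
        return [connect]
    case .cellularOnly:
        let connect = NEOnDemandRuleConnect()
        connect.interfaceTypeMatch = .cellular   // iOS-only interface type
        let disconnect = NEOnDemandRuleDisconnect()
        disconnect.interfaceTypeMatch = .wiFi
        return [connect, disconnect]
    }
}

// Attach the rules to the app's saved tunnel configuration and enable on-demand.
func enableOnDemand(policy: OnDemandPolicy,
                    completion: @escaping (Error?) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, error in
        if let error = error { completion(error); return }
        // Assumption: exactly one tunnel configuration was saved earlier.
        guard let manager = managers?.first else {
            completion(NEVPNError(.configurationInvalid)); return
        }
        manager.onDemandRules = makeOnDemandRules(for: policy)
        manager.isOnDemandEnabled = true
        manager.saveToPreferences(completionHandler: completion)
    }
}
```

These rule classes match on interface type, SSID, DNS settings or a probe URL, so the rules describe the state of the device's network rather than which ZeroTier-managed address a request is headed for.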

Finally, I can dump WireGuard as soon as I’m in the beta

miwagner1 avatar Oct 22 '21 19:10 miwagner1