How to Exclude Certain WiFi Networks from OnDemand VPN on Apple Devices (IKEv2 or Other VPN Types)

When using IKEv2 or any other VPN on Apple devices (iPhone, iPad, macOS) with the OnDemand feature, the VPN will automatically connect under specified conditions, such as when your device connects to WiFi or cellular networks. However, there are certain situations where you might not want the VPN to connect automatically—for example, if you’re connected to the same local network as your VPN server.

I spent HOURS trying to find a way to do this dynamically. The goal was to have the device check whether it could reach the server on the local network and connect to the VPN only if it couldn’t. The problem was that the check ran before the VPN connected and again after, so the result was never accurate. In the end I found that the best option was to base it on the SSID. The good news is that you can easily do this by adding a few lines to your MobileConfig file, specifically in the OnDemandRules section.

Step-by-Step: Exclude Specific SSID(s) in MobileConfig

To exclude certain WiFi networks from automatically triggering the VPN, you’ll need to modify your MobileConfig file by adding a rule that tells your VPN client to ignore those networks.

Here’s what you need to do:

  1. Open your VPN configuration (.mobileconfig) file.
  2. Locate the OnDemandRules section.
  3. Add a rule to ignore certain WiFi networks based on their SSID (the WiFi network name).

Here’s an example of what this rule would look like:

<!-- Rule 1: Disconnect VPN connection on specific WiFi networks -->
<dict>
    <key>InterfaceTypeMatch</key>
    <string>WiFi</string>
    <key>SSIDMatch</key>
    <array>
        <string>WiFiNetwork1</string> <!-- Replace with actual SSID -->
        <string>WiFiNetwork2</string> <!-- Add more SSIDs as needed -->
    </array>
    <key>Action</key>
    <string>Disconnect</string>
</dict>

Explanation of the Rule:

InterfaceTypeMatch: This key tells the VPN client to apply this rule when the device is connected via WiFi.

SSIDMatch: The SSIDMatch key lists the names of the WiFi networks (SSIDs) on which you don’t want the VPN to connect automatically. Replace WiFiNetwork1 and WiFiNetwork2 with the actual network names you want to exclude. Note that the match is on the network name alone, so any network broadcasting one of these SSIDs matches this rule, not only your own.

Action: This is the action to take, in this case “Disconnect”, which means that while you are connected to one of these networks the VPN disconnects and will not automatically connect.

Use in context

Below is an example of how this would look in the context of your other OnDemandRules within your .mobileconfig file. Rules are evaluated in order and the first match wins, so the SSID rule goes first.

<key>OnDemandRules</key>
<array>
    <!-- Rule 1: Ignore VPN connection on specific WiFi networks -->
    <dict>
        <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
        <key>SSIDMatch</key>
        <array>
            <string>WiFiNetwork1</string> <!-- Replace with actual SSID -->
            <string>WiFiNetwork2</string> <!-- Add more SSIDs as needed -->
        </array>
        <key>Action</key>
        <string>Disconnect</string>
    </dict>

    <!-- Rule 2: On WiFi, connect only once the captive-portal probe succeeds (no WiFi login page pending) -->
    <dict>
        <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
        <key>URLStringProbe</key>
        <string>http://captive.apple.com/hotspot-detect.html</string>
        <key>Action</key>
        <string>Connect</string>
    </dict>

    <!-- Rule 3: Disconnect VPN when using Cellular -->
    <dict>
        <key>InterfaceTypeMatch</key>
        <string>Cellular</string>
        <key>Action</key>
        <string>Disconnect</string>
    </dict>

    <!-- Rule 4: Do nothing if no other rules apply -->
    <dict>
        <key>Action</key>
        <string>Ignore</string>
    </dict>
</array>
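As an added example (not code from the article or from Apple), here is a Python script using the standard-library plistlib that inserts this SSID rule ahead of the existing rules in a .mobileconfig, round-trips the result through plist XML, and simulates which Action the ordered rule list yields for a given interface and SSID. The sample profile and the SSID names are constructed for the demonstration.

```python
import copy
import plistlib

# Constructed sample profile carrying Rules 2-4 from the article, i.e. the
# state before the SSID exclusion is added (keys are Apple's OnDemand keys).
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "OnDemandEnabled": 1,
        "OnDemandRules": [
            {"InterfaceTypeMatch": "WiFi",
             "URLStringProbe": "http://captive.apple.com/hotspot-detect.html",
             "Action": "Connect"},
            {"InterfaceTypeMatch": "Cellular", "Action": "Disconnect"},
            {"Action": "Ignore"},
        ],
    }],
}

def add_ssid_exclusion(profile, ssids):
    """Insert the article's SSID rule at the front of OnDemandRules in every VPN
    payload. Rules are evaluated top to bottom and the first match wins, so a
    rule placed after the WiFi Connect rule would never fire."""
    rule = {"InterfaceTypeMatch": "WiFi", "SSIDMatch": list(ssids),
            "Action": "Disconnect"}
    changed = 0
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.vpn.managed":
            payload.setdefault("OnDemandRules", []).insert(0, copy.deepcopy(rule))
            changed += 1
    return changed

def patched_rules(ssids, profile=SAMPLE_PROFILE):
    """Patch a copy, round-trip it through plist XML (the .mobileconfig
    encoding) and return the resulting OnDemandRules list."""
    prof = copy.deepcopy(profile)
    add_ssid_exclusion(prof, ssids)
    return plistlib.loads(plistlib.dumps(prof))["PayloadContent"][0]["OnDemandRules"]

def first_matching_action(rules, interface, ssid=None):
    """Action the device would take, modelling only InterfaceTypeMatch and
    SSIDMatch (probe and DNS matchers are treated as satisfied)."""
    for rule in rules:
        if rule.get("InterfaceTypeMatch", interface) != interface:
            continue
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue
        return rule["Action"]
    return None
```

Running `first_matching_action` over the original three rules with your home SSID returns "Connect", which is exactly the behaviour the exclusion rule is meant to override.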

Setting up your own VPN:

If you are looking to set up your own private VPN, Lin Song has put together an incredible set of scripts that do all the legwork for you. You can check it out here: https://github.com/hwdsl2/setup-ipsec-vpn/
