Client Network List (CNL)

The VPN SDK allows you to configure client network lists (CNLs) to control when the VPN enables or disables based on the device's current network connection. This article explains how to set up client networks and utilize the CNL feature in your VPN app.

What are Client Network Lists?

A client network list defines rules for enabling or disabling the VPN connection depending on the type of network the device is currently connected to. The supported network types are:

  • Wi-Fi

  • Wireless WAN (WWAN)

  • Local Area Network (LAN)

For each network type, you can specify an action to either enable or disable the VPN when the device connects to a network matching that type.

Setting Up Client Networks

To configure client networks:

  1. Sign in at pango-cloud.com.

  2. Navigate to Settings -> VPN -> Client Networks, click on the Add button.

  3. Edit the settings for the client network rule: - Select the network Type (Wi-Fi, WWAN, or LAN) - Choose the Action (enable or disable the VPN)

Practical Use Cases and Configuration Examples

Common CNL Configuration Scenarios

Here are some practical examples of how to configure CNL rules for common use cases:

1. Enable VPN on All Open/Public WiFi Networks

To automatically enable VPN when connecting to any open (unencrypted) WiFi network:

  • Type: WiFi

  • SSID: (leave empty)

  • BSSID: (leave empty)

  • Authorized: False

  • Action: Enable

This configuration will activate the VPN whenever your device connects to an unsecured WiFi network, providing protection on public hotspots.

2. Disable VPN on Cellular/Mobile Data

To conserve mobile data and battery by disabling VPN when on cellular:

  • Type: WWAN

  • Action: Disable

This is useful when you trust your mobile carrier's network and want to avoid the additional data overhead of VPN tunneling.

3. Disable VPN on Trusted Home/Office Networks

To disable VPN on specific trusted networks:

  • Type: WiFi

  • SSID: "MyHomeNetwork"

  • BSSID: "AA:BB:CC:DD:EE:FF" (optional, for extra security)

  • Action: Disable

Adding the BSSID ensures the rule only applies to your specific router, preventing spoofed SSIDs from bypassing VPN protection.

4. Always Enable VPN on Specific Public Networks

For known public networks where you always want protection:

  • Type: WiFi

  • SSID: "Starbucks WiFi"

  • Action: Enable

5. Corporate Network Configuration

For enterprise deployments where VPN should be disabled on corporate LAN:

  • Type: LAN

  • Action: Disable

Best Practices

  1. Security First: When in doubt, default to enabling VPN. It's better to have unnecessary protection than to expose sensitive data.

  2. Use BSSID for Critical Networks: For networks where you absolutely want to disable VPN (like home networks), include the BSSID to prevent SSID spoofing attacks.

  3. Test Your Rules: Always test CNL configurations in different network scenarios to ensure they behave as expected.

  4. Consider Battery and Data: Balance security needs with practical considerations like battery life and data usage, especially for mobile users.

Configuration Priority

When multiple rules might apply, the SDK evaluates them in the following order:

  1. Most specific rules (with both SSID and BSSID) take precedence

  2. Rules with only SSID come next

  3. Generic rules (no SSID/BSSID) are applied last

  4. If no rules match, the VPN state remains unchanged

Enabling Client Network Lists

To utilize client network lists in your app, first enable the feature by setting isClientListEnabled to true in your ModulesConfiguration:

let modulesConfiguration = ModulesConfiguration(
    isClientListEnabled: true, 
    // other configuration...
)

Retrieving CNL Rules

The SDK will automatically fetch the configured CNL rules before enabling the VPN. You can access the retrieved rules through the `clientNetworkList` property on the `HydraSDK` instance:

let clientNetworkList = hydraSDK.clientNetworkList

The clientNetworkList will contain an array of ClientNetworkRule objects representing the matched rules for the current network.

VPN Disabled

When a matching CNL rule with the action: .disable is found for the current network's SSID and BSSID, the VPN SDK will enter disable mode. In disable mode, the SDK automatically stops the VPN if it's running or prevents it from being enabled. Network traffic will go directly through the device's network connection without passing through the VPN.

This allows you to selectively disable the VPN on trusted networks.

VPN Enabled

The SDK provides a VPN Enabled feature that allows for seamless VPN connectivity. When this feature is active, the SDK will automatically handle connecting or reconnecting to a VPN service using either the default or last used VPN profile or configuration.

Code Samples

Configure using HydraSDK:

import VPNApplicationSDK
// ...

let groupData = VPNGroupData(groupID: "group.com.yourcompany.vpnsdk-demo", usesSystemExtension: false)

let hydraConfiguration = HydraConfiguration(
    carrierID: "YOUR_CARRIER_ID",
    extensionBundleID: "com.yourcompany.vpnsdk-demo.neprovider",
    groupData: groupData,
    fireshieldConfig: FireshieldConfig(mode: .disabled, groupData: groupData),
    modulesConfiguration: ModulesConfiguration(isClientListEnabled: true)
)

let hydraSDK = HydraSDK(configuration: hydraConfiguration)

hydraSDK.start(location: VirtualLocation.optimal(), proxy: nil, completion: { error, credential in
    if let error = error {
        print("Failed \(error)")
    } else {
        print("Success")
        let clientNetworkList = hydraSDK.clientNetworkList
        // Now we have access to the clientNetworkList, which contains data about available networks
    }
})

Last updated

Was this helpful?