Zerotierone: Allow for Connect on Demand on iOS app

If connect on demand is supported by iOS/Apple it's possible. We can take a look.

It looks like at least as of 11.4.1 iOS supports a VPN mode that appears to connect on demand.

Set Settings -> VPN

I tested with only ZT installed and one network. When attempting to access something on my network it started ZT and connected to my network automatically. I then tried with two networks and set the default network to the second network. When trying to access the same resource it started ZT again and connected to the second network. I haven't yet tested if this affects the longevity of the connection.

It would be nice to have some finer grained control but maybe this will work for you? @andrewtlove

Unfortunately I don't see an option for Connect on Demand for ZT.

Attached are two screenshots:

• Zerotier Entry in VPN deatail view, no Connect on Demand option available
• Algo VPN entry installed using .mobileconfig file, including Connect on Demand

I see. Maybe behavior I see only works if you have (one) VPN installed. Otherwise it doesn't know which to one to start. We'll look into this.

Hello, just checking back on this issue and (hopefully) providing some useful information: https://developer.apple.com/documentation/networkextension/nevpnmanager#topics

Is there any other way I can help get this prioritized for the next iOS release?

@joseph-henry Is this a possibility for an upcoming iOS release? Some more documentation about VPN on demand is at: https://developer.apple.com/documentation/networkextension/personal_vpn/vpn_on_demand_rules

The code for Wireguard for iOS may be of help: https://github.com/WireGuard/wireguard-apple/search?q=isOnDemandEnabled

I'm also curious if any progress has been made on this. There are several dev servers I keep running behind a firewall that I'd like to access from my phone and would love if always-on was available.

Add this or I'll cry

Which ConnectionRule could be used for a zerotier network? I don't see how it'd work.

I'm not sure how the on demand VPN thing is implemented. I just know that nearly every other VPN app implements it. The idea is that you enable it, and it'll always connect before doing any network calls, this way you don't have to keep manually toggling the VPN on, and it can disconnect if it's not doing anything.

@laduke Could you clarify your question further?

Please add Connect on Demand.

Or at the very least, please add Shortcuts support and/or URI scheme so I can automate a VPN connection in my workflow.

...but Connect on Demand would be better.

Which ConnectionRule could be used for a zerotier network? I don't see how it'd work.

@laduke :

Would an answer to the above be "class NEOnDemandRuleConnect"?

For your second comment, I'm not sure of its nature or scope. Are you suggesting that something about ZeroTier would make connect on demand inherently difficult? Or that it's unclear how to provide certain parameters to iOS that it is expecting?

I believe ZeroTier automatic connection could work in a way nearly identical to other VPN applications on iOS. The trigger for connection I believe is any network activity, so that could be the same in ZeroTier as it is in other applications. Whether there is a default route named for a ZeroTier network that device has joined or if the ZeroTier configuration only provides access to internal networks, it would be valuable to not have to open the application or manually reconnect. That manual step takes extra work, and having ZeroTier drop at unexpected times when the destination for default traffic is meant to be redirected to an exit gateway would cause an information leak, thus making it difficult to rely upon ZeroTier (also) as a traditional VPN.

Since the co-existence of ZeroTier and a traditional VPN is either not possible or complicated, I'd prefer to see if it's possible for the ZeroTier user experience be on par with that of other VPN iOS applications, especially if the overhead to implement that is small. I don't know for sure all the steps that are involved, but the WIreGuard reference may be of help in assessing the scope. Then ZeroTier can function also as a traditional VPN with little to no risk of information leakage. It may be a matter of naming the preferred reconnection strategy to the iOS interfaces.

OK, I guess "Any time there is any network traffic" would be possible.

"Any time I try to access something via a zerotier network" seems less possible.

On-demand support would be awesome.
Is someone already working on creating a Pull Request for this? :D

Maybe the Passepartout code can be used as reference. It has worked very well for me and having something like that (options for "always stay connected" and "disconnect on sleep") for ZeroTier would be awesome.

In the latest Tailscale release they closed a memory leak that was responsible for their vpn connection getting shut down when inactive. Now they say it should remain active indefinitely, I once you’re connected. I wonder if there’s a similar fix to do the same here. https://tailscale.com/blog/2020-06-newsletter/

Hello, is there any progress on it?
How can I help to implement it?

Same here. Willing to help, this feature is a must!

Keep hope alive!

Is the IOS app open source so I can add this feature myself and do a pull request?

I can't find it as well( anybody know where it can be found?

IMO, this is almost a use-case breaking omission on iOS. Please implement this.

Waiting for this too. Without this feature zerotier networking with iPhones is useless :( It will be awesome if you can add this to the app ❤️