Juido wrote: i did and i found something that appears to be a bug.
Condition 1 has trouble with the ssid = Jui@2,4ghz , especially with the comma, because ssid Jui@24ghz or Jui@2.4ghz work fine.
same false result with ssid = test,test
since my phone displays the ssid correctly and is able to connect, i suppose the bug is on automagic's side in handling ssids that contain a comma
I answer the comma problem first, since it is shorter. Yes, that is a semi bug (probably we can call it that), since the Automagic SSID list uses a comma to separate SSIDs. So if the SSID contains a comma, it will be treated as two SSIDs. So "Jui@2,4ghz" will be parsed by the condition as a check whether "Jui@2" or "4ghz" exists.
The ugly workaround is to change the wifi name to have no comma, which is impossible to do with public wifi. The correct solution is to double quote the variable {ssid}. So you have to put it in as
This way, the {ssid} will be evaluated once only, not treated as 2 separate SSIDs. Try it out. I didn't know about this semi bug until you encountered it. There are still other triggers/actions/conditions which utilize a similar method to separate a list of choices; most of them need to be done this way too (if there is a comma). I don't think this will be fixed, since it is the way Automagic handles the SSID variable. But maybe an extra note needs to be put in the help to double quote an SSID with a comma.
that's not what i meant..
i only connect to Y, but Z has the stronger signal
and the help text for "Wifi available" says that the variables of the scan depend on the strongest signal available.
so i hope that won't be the case since we use the {ssid}
Do Y and Z have the same SSID? If yes, then you will have a problem. If no, then it is working fine. The help text for "highest signal strength" applies only to APs (BSSID) with the same wifi name (SSID) we have defined in the option. As long as we are using the {ssid} variable as the scan option, it will always pick up the currently connected one.
This is my test. I have 3 wifi APs here; AP 1 and AP 2 have the same SSID, but of course different BSSIDs. AP 3 is a wifi hotspot from my other phone, set to Open security. The SSID names and BSSIDs are just examples.
AP 1 = SSID : ABC, BSSID : 00:00:00:AA:BB:01, signal : -55 dBm (3 bar)
AP 2 = SSID : ABC, BSSID : 00:00:00:AA:BB:02, signal : -70 dBm (2 bar)
AP 3 = SSID : XYZ, BSSID : 00:00:00:DD:EE:03, signal : -15 dBm (4 bar)
I am now connected to AP 1. I then manually switch to AP 3 (XYZ); the wifi available dialog will show me the info from AP 3, BSSID : 00:00:00:DD:EE:03, signal -15 dBm, which is correct, since it has a different SSID, and you may say it is the strongest currently (my phone literally kisses the tether phone).
So to test the "highest signal strength" statement, whether it is still searching for the strongest available even though we have put {ssid} in the option, I now switch from AP 3 to AP 1 again. If the "highest signal strength" statement always searched for the strongest regardless of the {ssid} we put in, then I should still get the info from AP 3. But when I switch to AP 1, it shows me all the info from AP 1, BSSID : 00:00:00:AA:BB:01, signal : -55 dBm, even though the signal from AP 3 is still -15 dBm. So, if we use it in this case (by retrieving {ssid} from the trigger), the "highest signal strength" statement refers to the strongest from the same SSID that I use to connect.
But if I fill in the SSIDs manually as ABC, XYZ (both SSIDs), not using {ssid}, and execute the flow manually; yes, it will always show the strongest, which is AP 3 XYZ, -15 dBm, even though I am currently connected to AP 1 ABC.
So to get info only from the currently connected one, we must use the {ssid} from the trigger. Or if we need to use it inside a flow with another trigger, we can get the {ssid} from Condition : Wifi connected. That gives the same result; the only difference is between event (trigger) and state (condition). The trigger only happens once (when connected); the condition can be checked for a period of time (while connected).
Same SSID
The problem arises when we have the same SSID from different BSSIDs. When I roam around from AP 1 to AP 2, sometimes it changes the info perfectly, directly showing info from AP 2. But it often shows 2 disconnects/reconnects (the debug dialog appears twice) before showing the correct info from AP 2. I confirm the connected AP using wifi 360 overview. I don't know how Android handles the same SSID, but it seems my phone reports randomly when the signal from AP 1 is too low and switches to AP 2. I can't see any pattern, but mostly it switches when the signal is below 2 bars. That's the problem I still don't know how to solve.
Since you only need different SSID separation to activate VPN, this should not give you a problem (ideally). With the same SSID, if one of them is protected, the other should have been configured as protected as well, to ensure roaming. The wifi capabilities should have "WPA" in all BSSIDs. Only when you change SSID will the capabilities change, and it works properly with this flow (as long as you use the {ssid}).
Security Issue
However, in the real world, there are other problems as well. If I know the public wifi password, which is usually easy to get from the receptionist or waiter/waitress, I can just set up my portable wifi hotspot in the middle of the crowd, with the same SSID and same password. Because I made it the same, all devices that used to connect to that secured wifi can connect to mine as well. Other clients will never know that they have connected to my rogue wifi hotspot, since the SSID and password match. I can run wireshark/wi.cap and log all unencrypted traffic (non-https) from all connected clients. They won't know I am logging the data; no certificate error warning is shown. Everyone can set this up, but only someone who understands networking can read the log.
A good setup of multiple wifi usually includes rogue wifi detection as well. But this can easily be avoided by changing the MAC to that of one of the APs.
The other way around, I can simply connect to the same wifi and perform MITM on a neighboring client. But usually on public wifi this has been mitigated by AP isolation. And MITM will generate a certificate error warning on https sites, so it is less practical. Creating a rogue wifi hotspot is easier.
TLDR version :
Treat all wifi as hostile, except the one we manage (because we mostly don't tell our password everywhere)
Well, it is not happening every day. Most of the time, a WPA secured wifi is generally far more secure than open wifi. But if you are concerned enough to want to use a VPN, I believe you are also concerned about these possible security holes. That way we don't fall into a false sense of security (believing all WPA secured wifi is safe), which is far more dangerous than not setting up any protection at all (because then we can be more careful). It means all other wifi outside of our own managed one should be treated as not secure. You should activate VPN even if they are WPA secured.
Simplified flow
If that is the case, then the flow will be simplified a lot. Just need to check if we are connected to our own wifi (or list of whitelisted wifi). If not (false), then activate VPN. No need to check the capabilities anymore.
Additional check
If you want more security, you can add an additional check on the BSSID, to make sure it is the correct AP station, not the rogue one (less likely since we don't give our password freely). Another additional setup would be to use an Https request to check for a certificate error. You can still add..... Well, this can go even further. I don't know why I can't stop typing
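The comma problem and the simplified flow with the BSSID check, modelled as an added Python example (not part of the original post and not Automagic's own code). The CSV-style quoting, the function names and the `TRUSTED` table are assumptions; the AP values reuse the post's example data.

```python
import csv

def naive_split(text):
    # Models the behaviour described in the post: every comma separates SSIDs.
    return [part.strip() for part in text.split(",")]

def parse_ssid_list(text):
    # Quote-aware split (assumed CSV-style quoting): a double-quoted entry
    # keeps its commas, so "Jui@2,4ghz" stays one SSID.
    row = next(csv.reader([text], skipinitialspace=True), [])
    return [entry for entry in row if entry]

def needs_vpn(ssid, bssid, trusted):
    """Decide whether the VPN should be activated for the current connection.

    trusted maps each SSID we manage to the set of BSSIDs we expect for it.
    Anything not listed is treated as hostile, whether open or WPA secured.
    """
    pinned = trusted.get(ssid)
    if pinned is None:
        return True  # not one of our own networks
    # Same SSID but an unknown access point: possibly a rogue hotspot.
    # As the post notes, a BSSID can be changed to match a real AP, so this
    # is only an additional check, not proof that the AP is genuine.
    return bssid.lower() not in pinned

# Constructed whitelist: AP 1 and AP 2 from the post are "ours", AP 3 is not.
TRUSTED = {"ABC": {"00:00:00:aa:bb:01", "00:00:00:aa:bb:02"}}

if __name__ == "__main__":
    print(naive_split("Jui@2,4ghz"))           # the SSID is split in two
    print(parse_ssid_list('"Jui@2,4ghz"'))     # the SSID stays whole
    for ssid, bssid in [("ABC", "00:00:00:AA:BB:01"),
                        ("ABC", "00:00:00:DD:EE:03"),
                        ("XYZ", "00:00:00:DD:EE:03")]:
        print(ssid, bssid, "VPN on" if needs_vpn(ssid, bssid, TRUSTED) else "VPN off")
```
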