Tunnel Settings

Control when Tunna connects and what traffic enters the system VPN tunnel.

Tunnel settings control the Apple VPN tunnel lifecycle. They are separate from Routing. Tunnel settings decide what enters the VPN tunnel; Routing decides whether matching traffic uses Proxy, Freedom, or Blackhole after it is inside Tunna. On-Demand and sleep behavior are where Tunna's automation and battery-aware design meet Apple's Network Extension system.

Tunnel and Routing are two different decisions

  1. System traffic enters the tunnel

    The Apple Network Extension decides what traffic Tunna receives.



  2. Some traffic can stay outside

    Private subnets, push notification service traffic, cellular services, or device communications can stay outside the tunnel unless you turn their controls on.



  3. Routing chooses the outcome

    Inside Tunna, rules choose Proxy, Freedom, or Blackhole.

Power also creates the system VPN entry

If Tunna has no Apple Network Extension entry yet, tapping Power saves one first. This is normal first-run behavior. Approve the VPN permission prompt, then start the tunnel again if the system did not connect immediately.

Controls on the Tunnel screen

Connection Lifecycle

These segmented pickers decide automatic start and sleep-stop behavior. Never is the disabled-looking default segment because it means no automation for that side.

Connect

Choose Never, Always On, or On-Demand. Use Never while proving a node; use automation only after manual start is reliable.

Disconnect

Choose Never or On Sleep. On Sleep asks the system to stop the VPN tunnel when the device sleeps.

Trusted Networks

Opens a child sheet on iPhone and iPad. Save commits trusted Wi-Fi or cellular entries; Cancel leaves the list unchanged.

Network Routing

These toggles decide which Apple traffic categories enter the VPN tunnel. Entering the tunnel does not automatically mean the traffic is proxied.

Private Subnets

Controls local subnet traffic such as routers, printers, NAS, and home services.

Platform-gated toggles

Push Notification Service, Cellular Services, and Device Communications appear only on supported iOS versions.

Enable IPv6

Controls IPv6 traffic through the VPN tunnel. Leave it off until the network, provider, and rules support the IPv6 path you expect.

Connection lifecycle choices

Never

Tunna connects only when you start it manually.

Good fit: You are testing, diagnosing, or only use the tunnel sometimes.

Not ideal: You expect Tunna to reconnect automatically after network changes.

Always On

Tunna tries to keep the tunnel connected.

Good fit: You want the tunnel to return after wake or interruption.

Not ideal: You are still proving a node works.

On-Demand

The system can start the tunnel when Apple evaluates a matched domain from eligible routing material. Tunna refreshes these Apple On-Demand rules when routing changes. On mobile devices, Apple's On-Demand behavior can also cause tunnel failures and restarts; if that happens, return to manual start, prove the node, then re-enable On-Demand only for a stable domain-triggered plan.

Good fit: Your unpaused Proxy rules include ordinary host, base, or full domain entries, or non-RegEx GeoSite records that Tunna can give to the system.

Not ideal: Your plan relies on Default Route, RegEx patterns, short keywords, IP ranges, ports, TCP or UDP rules, application-protocol rules, direct rules, or drop rules; those are not reliable wake triggers.

Disconnect choices

The Disconnect control decides whether the Apple VPN tunnel should stop when the device sleeps. Use it as part of battery-aware operation, not as a fix for a bad node.

Never

Tunna does not ask the system to stop the tunnel on sleep.

On Sleep

Tunna asks Apple's Network Extension to disconnect when the device sleeps. Use it when you do not want the tunnel kept ready across sleep and wake.

Network Routing controls

Turn a control on when you want that traffic category to enter the VPN tunnel. Leave it off when that traffic should stay outside Tunna and go direct.

Private Subnets

Available in this section by default. Turn on when local routers, printers, NAS, or home services should enter the tunnel. Leave off for normal direct local access.

Push Notification Service

Shown on iOS 16.4 and later when Apple exposes the control. Turn on only when Apple push notification traffic should enter the tunnel. Leave off for the quieter reliability default.

Cellular Services

Shown on iOS 16.4 and later when Apple exposes the control. Turn on only when carrier service traffic should enter the tunnel. Leave off when mobile behavior is sensitive.

Device Communications

Shown on iOS 17.4 and later when Apple exposes the control. Turn on only when Apple device-to-device communication should enter the tunnel. Leave off for normal nearby-device behavior.

Use Trusted Networks when a place should stay direct

Trusted Networks appears inside Tunnel settings on iPhone and iPad. The Settings row summary is reserved for non-default Connect and Disconnect choices, so open Tunnel to review trusted places.

  1. Open Tunnel settings

    Use the Tunnel page when you want a known Wi-Fi or cellular network to pause automatic startup.

  2. Choose Trusted Networks

    The sheet shows saved trusted entries and the current available network. Add the available Wi-Fi or cellular entry only when this place should stay direct.

  3. Save the list

    Save commits the sheet changes. Cancel leaves the trusted list unchanged. Delete entries you no longer trust before saving.

  4. Let it pause auto-connect

    Trusted networks are checked before automatic startup. When you return to one, Tunna disconnects and ignores Always On or On-Demand until the network changes.

Practical On-Demand uses

Wake for known work domains

Use On-Demand when specific unpaused Proxy domain rules should let the system start Tunna automatically.

Good fit: The route plan contains ordinary host, base, full-domain, or non-RegEx GeoSite domain material for the traffic you want to wake the tunnel.

Not ideal: The plan depends on Default Route, RegEx, keywords, ports, IP ranges, direct rules, or block rules.

Avoid loops during diagnosis

Set Connect back to Never when On-Demand restarts the tunnel while you are testing.

Good fit: The tunnel fails and starts again on mobile networks.

Not ideal: Manual start with one known node has not been tested yet.

Pause automation at trusted places

Trusted Networks are checked before automatic startup, so a trusted place can keep Always On or On-Demand quiet until the network changes.

Good fit: Home, office, or cellular service should stay direct.

Not ideal: You need the tunnel active on that network.

Enable IPv6 only when the route plan is ready

If sites behave inconsistently after enabling IPv6, test again with IPv6 disabled. Your network, provider, and rules all need to support the path you expect.

Reset the Network Extension only when the system entry is stuck

If Power stays in connecting or disconnecting and the visible control accepts a long-press, the long-press reinitializes the Apple Network Extension. If Power is off, failed, quiet, or cannot be long-pressed, use Reset Network Extension from the Reset settings page.

Tunnel saves when you leave

Connect, Disconnect, Network Routing, and IPv6 choices save when you leave Tunnel settings. Trusted Networks is a child sheet with its own Save and Cancel before the parent page saves the final tunnel settings.
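
For readers who want to see what these controls look like at the Apple Network Extension layer, the following added example (not Tunna's own code) sketches one plausible mapping of the Network Routing toggles, On Sleep, Trusted Networks, and On-Demand onto Apple's `NETunnelProviderManager` API. The `TunnelSettings` struct, its field names, the bundle identifier, and the idea that trusted networks become an On-Demand disconnect rule are all assumptions made for illustration.

```swift
import NetworkExtension

// Hypothetical model of the Tunnel screen; every field name is an assumption.
struct TunnelSettings {
    var privateSubnets = false, pushService = false
    var cellularServices = false, deviceComms = false
    var stopOnSleep = false
    var trustedSSIDs: [String] = []   // constructed sample: ["HomeWiFi"]
    var wakeDomains: [String] = []    // domains from eligible Proxy rules only
}

func apply(_ s: TunnelSettings, to manager: NETunnelProviderManager) {
    let proto = NETunnelProviderProtocol()
    proto.providerBundleIdentifier = "com.example.vpn.tunnel" // placeholder
    proto.serverAddress = "example"                           // placeholder
    // Assumption: full-tunnel mode. Apple documents the exclude* flags
    // below as exceptions to includeAllNetworks.
    proto.includeAllNetworks = true
    // A toggle that is ON means "enter the tunnel", so each flag is inverted.
    proto.excludeLocalNetworks = !s.privateSubnets
    if #available(iOS 16.4, *) {
        proto.excludeAPNs = !s.pushService
        proto.excludeCellularServices = !s.cellularServices
    }
    if #available(iOS 17.4, *) {
        proto.excludeDeviceCommunication = !s.deviceComms
    }
    proto.disconnectOnSleep = s.stopOnSleep
    // On-Demand rules are evaluated in order and the first match wins,
    // so the trusted-network rule has to precede the wake rule.
    var rules: [NEOnDemandRule] = []
    if !s.trustedSSIDs.isEmpty {
        let trusted = NEOnDemandRuleDisconnect()
        trusted.interfaceTypeMatch = .wiFi
        trusted.ssidMatch = s.trustedSSIDs
        rules.append(trusted)
    }
    if !s.wakeDomains.isEmpty {
        let wake = NEOnDemandRuleEvaluateConnection()
        wake.connectionRules = [NEEvaluateConnectionRule(
            matchDomains: s.wakeDomains, andAction: .connectIfNeeded)]
        rules.append(wake)
    }
    manager.protocolConfiguration = proto
    manager.onDemandRules = rules
    // Without domain material the system has nothing to match against.
    manager.isOnDemandEnabled = !s.wakeDomains.isEmpty
    manager.isEnabled = true
    manager.saveToPreferences { if let e = $0 { print("save failed: \($0 as Any) \(e)") } }
}
```

Because `NEEvaluateConnectionRule` matches on domain names only, a plan made of Default Route, IP range, or port rules leaves `wakeDomains` empty, which is why those rule types cannot act as wake triggers.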