Get Tunna

Tunnel Lifecycle

Choose how Tunna starts and stops, including manual Power, Always On, On-Demand, sleep disconnect, and first-run VPN approval.

326 words 2 min
Settings Tunnel, Lifecycle, Sleep

Use this page when Power works manually and you are deciding how much automatic connection behavior Tunna should ask Apple to maintain.

Disconnect choices

The Disconnect control decides whether the Apple VPN tunnel should stop when the device sleeps. Use it as part of battery-aware operation, not as a fix for a bad node.

Use these cards as a map of the visible labels in this view. Each card names one field, control, or status item and explains what it is for before you change it or rely on it.

Visible choices

These are controls, states, or measurements in the view. Read them as reference, not as feature claims.

Never

Tunna does not ask the system to stop the tunnel on sleep.

On Sleep

Tunna asks Apple's Network Extension to disconnect when the device sleeps. Use it when you do not want the tunnel kept ready across sleep and wake.

Connection lifecycle choices

Never

Tunna connects only when you start it manually.

Good fit You are testing, diagnosing, or only use the tunnel sometimes.

Not ideal You expect Tunna to reconnect automatically after network changes.

Always On

Tunna tries to keep the tunnel connected.

Good fit You want the tunnel to return after wake or interruption.

Not ideal You are still proving a node works.

On-Demand

The system can start the tunnel when Apple evaluates a matched domain from eligible routing material. Tunna refreshes these Apple On-Demand rules when routing changes. On mobile devices, Apple's On-Demand behavior can also cause tunnel failures and restarts; if that happens, return to manual start, prove the node, then re-enable On-Demand only for a stable domain-triggered plan.

Good fit Your unpaused Proxy rules include ordinary host, base, or full domain entries, or non-RegEx GeoSite records that Tunna can give to the system.

Not ideal Your plan relies on Default Route, RegEx patterns, short keywords, IP ranges, ports, TCP or UDP rules, application-protocol rules, direct rules, or drop rules; those are not reliable wake triggers.