Get Tunna

Tunnel Settings

Control when Tunna connects and what traffic enters the system VPN tunnel.

463 words 3 min
Settings Tunnel, On-Demand, Network Extension, IPv6 en

Tunnel settings control the Apple VPN tunnel lifecycle. They are separate from Routing. Tunnel settings decide what enters the VPN tunnel; Routing decides whether matching traffic uses Proxy, Freedom, or Blackhole after it is inside Tunna. On-Demand and sleep behavior are where Tunna's automation and battery-aware design meet Apple's Network Extension system.

Network Extension is the system tunnel entry

Apple shows Tunna as a VPN because the app uses Network Extension to receive traffic. That system entry only decides whether traffic can enter Tunna; your Routing rules still decide whether the traffic is proxied, sent direct, or blocked.

Tunnel and Routing are two different decisions

  1. System traffic enters the tunnel

    The Apple Network Extension decides what traffic Tunna receives.

  2. Some traffic can stay outside

    Private subnets, push notification service traffic, cellular services, or device communications can stay outside the tunnel unless you turn their controls on.

  3. Routing chooses the outcome

    Inside Tunna, rules choose Proxy, Freedom, or Blackhole.

Power also creates the system VPN entry

If Tunna has no Apple Network Extension entry yet, tapping Power saves one first. This is normal first-run behavior. Approve the VPN permission prompt, then start the tunnel again if the system did not connect immediately.

Controls on the Tunnel screen

Use these cards as a map of the visible labels in this view. Each card names one field, control, or status item and explains what it is for before you change it or rely on it.

Connection Lifecycle

These segmented pickers decide automatic start and sleep-stop behavior. Never is the disabled-looking default segment because it means no automation for that side.

Connect

Choose Never, Always On, or On-Demand. Use Never while proving a node; use automation only after manual start is reliable.

Disconnect

Choose Never or On Sleep. On Sleep asks the system to stop the VPN tunnel when the device sleeps.

Trusted Networks

Opens a child sheet on iPhone and iPad. Save commits trusted Wi-Fi or cellular entries; Cancel leaves the list unchanged.

Network Routing

These toggles decide which Apple traffic categories enter the VPN tunnel. Entering the tunnel does not automatically mean the traffic is proxied.

Private Subnets

Controls local subnet traffic such as routers, printers, NAS, and home services.

Platform-gated toggles

Push Notification Service, Cellular Services, and Device Communications appear only on supported iOS versions.

Enable IPv6

Controls IPv6 traffic through the VPN tunnel. Leave it off until the network, provider, and rules support the IPv6 path you expect.

Tunnel saves when you leave

Connect, Disconnect, Network Routing, and IPv6 choices save when you leave Tunnel settings. Trusted Networks is a child sheet with its own Save and Cancel before the parent page saves the final tunnel settings.