Working From Home, the final chapter?

Up until 5 months ago, I worked from home for 17 years. For a number of reasons, I took a job working in an office and tried to make the best of it. Going into an office every day was quite tough for me; even though the commute was an easy 30 minute drive each way, that was still an hour out of my day. In order to avoid traffic, I had to wake up at 6 am and got to the office no later than 7:30. I hadn't used an alarm clock regularly in years, so waking up with an alarm was not pleasant. I've written about working from home before, and 8 years ago I wrote that I couldn't work in an office full time!

Some may think that working from home is a luxury or that they couldn’t do it because of all the distractions. For me, it isn’t a luxury, but the only way I can work. I’m more focused at home and more relaxed. There is a sense of freedom for me not being confined to an office. I’m sure working from home causes me to work more, but I’ll take that in exchange for flexibility.

Article after article I read, including this one, talks about letting people work from wherever they work best. Unfortunately not all companies are on board with this. I'm now back in a position that affords me this opportunity, and with all the collaboration tools available today such as Slack and Google Hangouts, I can still feel like part of a team.

Blocking IP Cameras from Talking to the Internet

The recent distributed denial of service attack is said to have been caused by the Mirai botnet, which basically turns IoT devices into attackers. One of the devices that is vulnerable is an IP camera that has a default username and password. While I don't have that brand of camera, my cameras have accounts that I can't remove and apparently one ONVIF account with a username/password that can't be changed. I'm pretty good at securing my network from people coming in, but what about things going out? A lot of these IoT devices talk to a server for firmware updates or whatever. Since my IP cameras only need to talk to my server that is recording video, there is absolutely no need for them to connect to the Internet. I decided to see what I could do to isolate the traffic; this is something I've wanted to do for 3.5 years, ever since I got a Cisco router that did VLANs, but I couldn't figure out a reason and didn't have the knowledge to do it. However, times have changed.

In my case, I now have managed switches (a UniFi Switch 8 and the 16 port version) as well as an EdgeRouter Lite. Using this equipment, I was easily able to separate out the camera traffic onto a VLAN that has no access to the Internet. Here's what I did:

  1. On the EdgeRouter Lite, set up a new VLAN. From the Dashboard, click Add Interface and then Add VLAN.
  2. Enter the VLAN ID (I used 1002), select the interface for your LAN port, and enter the router's IP address on the new subnet.
  3. Click Save.
  4. Switch to the Firewall/NAT tab and select Firewall Policies.
  5. Click Add Ruleset.
  6. Name it CAMERAS_IN and set the default action to drop. Repeat for CAMERAS_OUT and CAMERAS_LOCAL. (IN is for data coming from the camera subnet, OUT is for data going to the camera subnet, and LOCAL is for data to and from the router itself.)
  7. After the rulesets are saved, select Actions to the right of the IN ruleset and choose Interfaces.
  8. Select the VLAN (Ethernet port + VLAN ID) and the direction (in). Click Save Ruleset, then close the dialog.
  9. Repeat the above steps for the OUT and LOCAL rulesets, with the matching direction.
  10. IN and OUT are now complete; with no accept rules and a default action of drop, nothing from this VLAN can be routed to the Internet (or to the rest of the LAN), and nothing from the Internet can be routed into it.
  11. To the right of the LOCAL ruleset, click Actions and select Edit Ruleset. The next rules open the router itself to the cameras for the three services they still need.
  12. Click Add New Rule.
  13. Enter NTP for the description, select Accept for the action and UDP for the protocol.
  14. Click Destination and enter 123 for the port.
  15. Click Save.
  16. Create a new rule for DNS using UDP port 53. (Only needed if the cameras resolve hostnames; the router's forwarder will relay those lookups upstream on their behalf.)
  17. Create a new rule for DHCP using UDP port 67.
  18. Click Services at the top of the EdgeRouter interface.
  19. Click Add DHCP Server.
  20. Give it a name, enter the camera subnet and the range of addresses to hand out, and use the router's VLAN address as the default router and DNS server.
  21. After setting up the DHCP server, you may want to use Configure Static Map to assign a fixed IP address to each camera's MAC address.
  22. Before leaving this area, click DNS, add the VLAN as a Listen Interface, and click Save.
  23. Now move over to the UniFi Controller.
  24. Go to Settings and choose Networks.
  25. Click Create New Network. Give it a name (Cameras), set the purpose to VLAN Only (the EdgeRouter, not the controller, does the routing) and enter the same VLAN ID you used on the router.
  26. Click Save.
  27. Go to Devices and select the UniFi Switch. Click Ports, locate a port with a camera, and click the pencil icon.
  28. Change the port's VLAN to the Cameras network. Click Save.
  29. Power cycle that port and the camera will come up on the new VLAN.
  30. On my Mac (the machine recording video), go into Network settings, click the gear and select Manage Virtual Interfaces. (This only works because the switch port the Mac is on passes the camera VLAN tagged, which the default UniFi port profile does.)
  31. Click the + button and select New VLAN.
  32. Enter the VLAN ID for the Tag and give it a name.
  33. Click Create and then click Done.
  34. Select the new interface and configure IPv4 manually with an address on the camera subnet. Alternatively you can use DHCP.
  35. Reconfigure your security software (in my case SecuritySpy) with the cameras' new IP addresses.
  36. I also changed the NTP server address in the cameras to point at the router, since the router will now block all traffic trying to go outside. The EdgeRouter Lite happens to be running an NTP server, which is quite convenient.
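As an added check that is not part of the original post: the procedure above is easy to get subtly wrong (a ruleset created but never attached to the VLAN in one of the three directions, or a default action left at accept). The EdgeRouter can dump its running configuration as `set` commands with `show configuration commands`, and the Python below parses that form and audits the camera VLAN. The sample configuration embedded in it is constructed by hand to mirror the GUI steps in CLI form; eth1, VLAN 1002, the 192.168.2.0/24 subnet and the ruleset names are assumptions, so change them to match your own dump.

```python
"""Audit an EdgeOS configuration dump for camera-VLAN isolation.

Added example, not from the original post. It reads the `set ...` form
that `show configuration commands` prints on EdgeOS/Vyatta and checks
that the camera VLAN has in, out and local firewalls attached, that
each defaults to drop, that nothing is accepted in or out, and lists
what the local ruleset still lets through to the router. Interface,
VLAN ID, subnet and ruleset names below are assumptions.
"""
import shlex
import sys
from collections import defaultdict

# Constructed sample: the GUI steps above, as the router would dump them.
SAMPLE_CONFIG = """\
set interfaces ethernet eth1 vif 1002 address 192.168.2.1/24
set interfaces ethernet eth1 vif 1002 description 'Cameras'
set interfaces ethernet eth1 vif 1002 firewall in name CAMERAS_IN
set interfaces ethernet eth1 vif 1002 firewall out name CAMERAS_OUT
set interfaces ethernet eth1 vif 1002 firewall local name CAMERAS_LOCAL
set firewall name CAMERAS_IN default-action drop
set firewall name CAMERAS_OUT default-action drop
set firewall name CAMERAS_LOCAL default-action drop
set firewall name CAMERAS_LOCAL rule 10 action accept
set firewall name CAMERAS_LOCAL rule 10 description 'NTP'
set firewall name CAMERAS_LOCAL rule 10 destination port 123
set firewall name CAMERAS_LOCAL rule 10 protocol udp
set firewall name CAMERAS_LOCAL rule 20 action accept
set firewall name CAMERAS_LOCAL rule 20 description 'DNS'
set firewall name CAMERAS_LOCAL rule 20 destination port 53
set firewall name CAMERAS_LOCAL rule 20 protocol udp
set firewall name CAMERAS_LOCAL rule 30 action accept
set firewall name CAMERAS_LOCAL rule 30 description 'DHCP'
set firewall name CAMERAS_LOCAL rule 30 destination port 67
set firewall name CAMERAS_LOCAL rule 30 protocol udp
set service dhcp-server shared-network-name Cameras subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name Cameras subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name Cameras subnet 192.168.2.0/24 start 192.168.2.100 stop 192.168.2.199
set service dns forwarding listen-on eth1.1002
"""

# Same thing with two mistakes: OUT never attached, IN left at accept.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "set interfaces ethernet eth1 vif 1002 firewall out name CAMERAS_OUT\n", ""
).replace("CAMERAS_IN default-action drop", "CAMERAS_IN default-action accept")


def parse_set_commands(text):
    """Map each `set <path...> <value>` line to {path_tuple: value}.

    shlex keeps quoted descriptions together; lines that are not `set`
    commands (comments, blanks) are skipped.
    """
    config = {}
    for line in text.splitlines():
        words = shlex.split(line)
        if len(words) < 3 or words[0] != "set":
            continue
        config[tuple(words[1:-1])] = words[-1]
    return config


def firewall_rules(config, ruleset):
    """Rules of one ruleset as {rule_no: {"action": ..., "protocol": ..., ...}}."""
    rules = defaultdict(dict)
    prefix = ("firewall", "name", ruleset, "rule")
    for path, value in config.items():
        if path[:4] == prefix and len(path) > 4:
            rules[int(path[4])][" ".join(path[5:])] = value
    return dict(rules)


def audit_vlan_isolation(config, interface, vlan_id):
    """Return (findings, accepted_local).

    findings is empty when the VLAN is isolated; accepted_local lists
    the holes the local ruleset opens towards the router, which should
    be only what the cameras genuinely need (NTP, DNS, DHCP here).
    """
    findings, accepted_local = [], []
    base = ("interfaces", "ethernet", interface, "vif", str(vlan_id), "firewall")
    for direction in ("in", "out", "local"):
        ruleset = config.get(base + (direction, "name"))
        if ruleset is None:
            findings.append(f"no {direction} firewall attached to {interface}.{vlan_id}")
            continue
        default = config.get(("firewall", "name", ruleset, "default-action"))
        if default != "drop":
            findings.append(f"{ruleset} default-action is {default!r}, expected 'drop'")
        for rule_no, attrs in sorted(firewall_rules(config, ruleset).items()):
            if attrs.get("action") != "accept":
                continue
            hole = f"{ruleset} rule {rule_no}: {attrs.get('protocol', 'any')}/{attrs.get('destination port', 'any')}"
            if direction == "local":
                accepted_local.append(hole)
            else:
                # Any accept in IN or OUT is a route off the camera VLAN.
                findings.append(f"accept rule in {direction} ruleset ({hole})")
    return findings, accepted_local


if __name__ == "__main__":
    # Usage: python3 audit_vlan.py [dump.txt]  (defaults to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    problems, holes = audit_vlan_isolation(parse_set_commands(text), "eth1", 1002)
    print("findings:", problems or "none")
    print("accepted to router:", holes)
```

Against the sample it reports no findings and three accepted services (udp/123, udp/53, udp/67); against the deliberately broken variant it reports the missing OUT attachment and the IN ruleset's accept default. Run it on a real dump after every change to the rulesets, since an accept rule added to IN "just to test something" is exactly the kind of hole that quietly undoes the isolation.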

Yes, there are a lot of steps here, but this makes me feel a bit safer. Keep in mind that this is isolation at the router only: cameras on the VLAN can still reach each other and the recording Mac, which sits on the same VLAN, and the DNS exception means the router will still forward their name lookups upstream. Without a managed switch and a router that can handle VLANs, this would be difficult, if not impossible. Unfortunately most people won't be able to do this and their IoT devices will be targets. I have no idea how we're going to solve the problem of IoT devices getting hacked, being used to launch attacks, or generally causing havoc on the Internet.

Please let me know if I missed anything or there are any mistakes.

Native vs Web App for IoT Devices

Recently I was chatting with a friend about a new WiFi router. I hadn’t heard of it and he sent me a link to it. The first thing I noticed about it was that the configuration was done via an iOS or Android app. As an iOS developer, I know that a native app is going to generally provide a better user experience than a web app. However, as a consumer, I shy away from devices that only have a native app interface. If the app stops working, isn’t updated quickly when an OS gets updated, or the company stops supporting the app, I’d be out of luck. In addition, I like being able to configure devices using my desktop machine and most devices don’t have a Mac app for configuration.

The native apps are great, but they have to be secondary to a web interface for any IoT device. I mentioned this to my friend and he understood my point right away. I look at the serial to Ethernet gateway I have, which I bought used 3.5 years ago and is likely not made any more, and am glad that it has a web interface. Granted, it is a very specialized device on my network, but the web interface is the only reason that I'm still able to use it. If it were a device that I wanted to look at more often, like a router where I needed to control various aspects of it, the lack of a web interface makes the device a no-go in my opinion.

I wish that more companies would implement web interfaces first for their IoT devices and have native apps as secondary interfaces. I’m not saying that all apps should be web apps; in fact, I believe that native apps provide a better user experience. I am saying that web apps should always be a backup option in case the native app isn’t available or doesn’t work.

Keeping Network Devices Updated

Some time ago, IPv6 disappeared from my home network. After a bit of research, I found out that Time Warner Cable had a problem with my cable modem (Motorola SB 6183) and IPv6 so they pushed out a firmware that disabled IPv6. Recently I read in the Time Warner forums that a firmware update would be out soon that has this fixed.

This got me thinking about IPv6 on my home network. While I'm not sure exactly why I need it, I'm curious about it. Do all my devices support IPv6? Should I move everything to IPv6? Neither of these questions is my focus right now, as my IPv4 network is fine and I don't want to wrap my head around it. What this did bring up, however, is the availability of updates for devices on my network; not just IPv6 support, but security and stability fixes.

My network has a large number of devices from a number of manufacturers. I have 7 video cameras, 7 Squeezebox devices, 3 Macs, 3 iPhones, 5 iPads, a sprinkler controller, Apple TV, Fire TV, Amazon Echo, serial to Ethernet adapter, 3 WiFi access points, 2 managed switches, printer, a Vera, and a partridge in a pear tree. These devices range from being a few months old to some being many years old. How do they get updates? Are they still made? As a tech person, I try to keep on top of all the updates and keep my network secure.

One of the problems with keeping all these devices updated is that some of the manufacturers are no longer around or the devices are no longer supported. Does this pose a security risk? Devices that update their firmware automatically like the Amazon Echo make this whole upgrade issue moot (until the company goes out of business or moves on). What does the average person do with all these devices? The simplest solution for devices that don’t update their own firmware, unfortunately, is to replace them every few years. This is a complete waste, but potentially the only solution. The problem is going to get worse as more and more devices are put on the network.

What do other people do to keep devices updated? Maybe I need a quarterly update day to check all my devices.

Review: Plantronics BackBeat Fit Headphones

It seems that every year I look for better headphones for running. For the last 4 or 5 years, all the headphones that I've used have been wireless, but something either happens to the headphones or there is something that I don't like about them. This summer was no different from past summers in that I wasn't satisfied with the headphones I had. My previous pair were the Plantronics BackBeat Go. They performed adequately, but I was never able to keep them in my ears and spent time on my runs adjusting them. Sometimes they stayed in and required little adjustment, but most of the time, they just kept falling out. I initially liked them and was able to have them properly positioned, but that might have just been a fluke. I had bought them at Costco so that I could try them out and, if I didn't like them, they'd go back. However, they worked OK and I ended up keeping them for about a year.

Flipping through the Costco magazine recently, I saw that they were selling the Plantronics BackBeat Fit with a $20 discount. Like last year, I decided to give them a try. With Costco’s generous return policy, I had nothing to lose. (I used to hate going to Costco, but now I go on an almost weekly basis.)

Like most Bluetooth headphones these days, pairing was pretty easy; granted, not as easy as pairing Apple's AirPods, but easy enough. I paired the headphones and the sound is decent. I'm not an audiophile, and when I'm running it almost doesn't matter as long as they play. The controls on the side are fairly easy to work, but the volume up/down button (it is 1 button) is a little small. Skipping tracks requires a double tap of the button on the left ear. I would rather that button just required a push and hold, as I skip tracks fairly often when there is music I don't want to hear.

One of the things I've noticed about the headphones is that there has been a firmware update for them; this is a first for me on running headphones. The one feature I noticed with the update is that when I go to the next track by double tapping the button, a voice says "next track". Also, when I power them on, a voice gives the estimated play time, which is great instead of just high, medium, or low battery charge.

The headphones fit well over my ears and don’t move when I run. They left small marks on my ears where they rested, but I barely noticed them. They were comfortable and I didn’t feel like I spent time futzing with them while running.


Pros:

  • Comfortable.
  • Don't move when running.
  • Voice prompt for battery usage is useful.
  • Decent play time.
  • Can be paired to multiple devices.

Cons:

  • Volume button is a little small.
  • Advancing tracks requires 2 taps, which is sometimes hard to do while running.


Many times when I get something new like this, I write the review during the “honeymoon phase” and have very little critical to say about it. While that is true here as well, the design of these headphones is what will keep me using them. They are similar to a pair of Motorola headphones that I had a few years ago, but those had a stiff piece of plastic connecting the sides which dug into my head. I liked the design on those as they stayed in my ears. I’m quite hopeful that these live up to the hype.

At the discounted price I got at Costco (they were on sale), buying them was a no-brainer. At regular price, I can say without a doubt that they are better than the JayBirds I had before that I couldn’t get to stay in my ears. I wouldn’t hesitate to recommend these for anyone that wants wireless headphones for use when running or working out.

Review: Feit 48ft. LED Outdoor String Lights

Recently my neighbor has been redoing his backyard, and I saw that he put in low voltage lights around the perimeter of it. This made me a little jealous, as I only put in low voltage lighting under parts of our deck and not around the perimeter. While I do have floodlights in the backyard, they are for security lighting and not really for lighting the backyard when we use it. So, my choices for adding lights were quite limited.

I remembered that Costco had some string lights, so I looked online and found some Feit LED string lights. I ordered 2 sets of these and they arrived last week. I chose these over the cheaper incandescent ones because of the lower power consumption, plastic bulb covers, and ability to dim them. After getting the lights, I strung them up without reading the instructions (what could they say besides plug them in?). They looked nice, but there was a lot of tension in the wire and the connection between the 2 sets had a lot of stress that didn’t make it secure.

So, I decided to glance at the directions and it said that for spans over 24 feet, that the lights should be secured to a cable or wire. That made a lot of sense. This past Saturday, I prepared my parts list, went to Home Depot, and went about securing the wire rope to a pole, my house, and our deck. It was a clean install, just a bit time consuming. I then used small black zip ties to attach the string lights to the rope. One huge advantage of using the wire over just supporting the lights from the ends was that they didn’t sag.

When it finally started getting dark, I turned on the lights and lit up the backyard. Even though the lights are about 15W each strip, they put out a significant amount of light. My wife loved them and I was pretty pleased with my work. The next evening we had friends over and we got positive comments about the lights which made me feel like putting up the lights was another good decision.

The lights appear well constructed and are UL listed (the transformer/rectifier is UL listed as rainproof, but I have it in an indoor box with a cover).


Pros:

  • Put out a lot of light.
  • Dimmable.
  • Can choose from a few colors. (Not sure that is a pro.)
  • Wireless remote to turn the lights on or off.
  • UL listed.
  • Low power consumption.

Cons:

  • For longer spans, an extra wire/cable is needed, which adds to the expense and makes installation harder.
  • Wireless remote seems a bit flaky.
  • Colors other than the white are pretty useless.


If you're looking for a way to light up a backyard (or even a front yard), these lights should do the trick. I noticed yesterday that Costco sells them in the warehouse, which would have saved me $10 shipping. Of course, with anything plugged in outside, make sure it is UL listed. This set of lights meets that requirement for me. I'm quite pleased with the results and am not sure why I didn't think of it sooner. Buying them from Costco made the purchase a no-brainer because of Costco's generous return policy; there is nothing to lose by trying them.

Final Result

Setting up an EdgeRouter Lite for an On Demand iOS VPN

Ever since I started my career, I've used Virtual Private Networks (VPNs) to connect to a company network. My first experience was with AppleTalk Remote Access, and I thought it was neat to be able to have my home computer on the work network. Over my career, I've used VPNs mostly as a user, as I had no use for one as a home user.

When I set up cameras at my house over 3 years ago, I wanted to remotely connect to the cameras. Since I put together my own system, there wasn't an out-of-the-box way to view the cameras (it does have a web interface, but I didn't want to directly expose that to the world). This gave me my first experience in setting up a VPN. I turned on Mac OS X Server's VPN, configured my iOS devices for the VPN and was easily able to connect.

Recently I've been working with mobile device management (MDM), and one of the features that I've been reading about is on-demand VPN. I became curious about it and wanted to see if I could set it up, more as an exercise than anything else, but it would also be useful to hop on any WiFi network and automatically connect to my home network. The iOS on-demand VPN requires that the VPN use certificate authentication instead of just a username and password. Unfortunately, OS X Server's L2TP/IPsec VPN doesn't support certificates, so I had to look at other options. Luckily, my EdgeRouter Lite can be configured as an OpenVPN server with certificate authentication. Given that, the only obstacle to setting this up was time and some futzing to get things right. I scoured the web and managed to find the pieces to get things working.

The rest of this entry will document how to setup the server as well as the iOS client side. For the server setup, I followed this article, but had to make a few changes to get things to work the way I wanted. I then used another article to setup the iOS side.

This is a really long setup, but it is straightforward. If you’re intimidated by command lines and editing text files, this process is not for you!

Certificate Setup

  1. SSH into the EdgeRouter Lite.
  2. Set up a new certificate authority that will be used to sign the server and client certificates for the VPN. Issue the following commands, one per line, and follow the prompts.
    sudo su
    cd /usr/lib/ssl/misc/
    ./ -newca
  3. Create a new server certificate request and sign it with the CA. Follow the prompts; you'll need to enter a password for the new key. We'll remove it in another step.
    ./ -newreq
    ./ -sign
  4. Copy the certificate authority key and certificate to an area of the router that will survive a firmware upgrade.
    cp demoCA/cacert.pem demoCA/private/cakey.pem /config/auth/
  5. Also move the server certificate to the same place.
    mv newcert.pem /config/auth/server.pem
  6. Display the certificate authority certificate using cat /config/auth/cacert.pem, copy it into BBEdit or another text editor on your local computer, and save it to your hard drive.
  7. Remove the password from the server's private key so that the VPN server can start without someone typing it in. Without -topk8, openssl pkcs8 reads the encrypted PKCS#8 key and writes it back out as an unencrypted traditional PEM key, so you'll be asked for the password one more time. The unencrypted key is now readable by anyone with root on the router, which is why it lives only in /config/auth.
    openssl pkcs8 -in newkey.pem -out /config/auth/server-pem.key
  8. Generate the Diffie-Hellman parameters; this takes a long time on the EdgeRouter's CPU. 1024-bit parameters are below the 2048-bit minimum generally recommended today; a larger size works the same way but takes correspondingly longer. The -out option already writes the file to /config/auth, so nothing needs to be copied afterwards.
    openssl dhparam -out /config/auth/dhp.pem -2 1024
  9. The next part is generating the client certificates. The recommendation is to have 1 client certificate per client. However, this would require me to have 1 for my iPad and 1 for my iPhone, complicating setup. While having 1 certificate for both may not be recommended, it is the route I chose. The trade-off is that a shared certificate cannot be revoked for one device without replacing it on all of them. When prompted, enter a password for the new key; the last line will remove it. Don't enter a challenge password.
    ./ -newreq
    ./ -sign
    mv newcert.pem client-cert.pem
    openssl pkcs8 -in newkey.pem -out client-key.pem
  10. Display the certificate using cat client-cert.pem, paste it into BBEdit and save it.
  11. Do the same thing with the key using cat client-key.pem and save it to your Mac.
  12. On your Mac, do the following in Terminal (make sure you're in the same directory as where you saved the certificate and key). When exporting, set a password that you'll use later; this password ends up in clear text in the .mobileconfig file, so don't reuse one from anywhere else.
    openssl pkcs12 -export -out client1.p12 -inkey client-key.pem -in client-cert.pem

OpenVPN Server Setup

  1. SSH into the EdgeRouter Lite if you haven't already.
  2. Exit out of sudo mode using exit if you're still using the same session as before.
  3. Enter configuration mode:
    configure
  4. Start editing the VPN tunnel (I didn't know that by entering a full path to an object, you didn't have to enter a full command for subsequent items):
    edit interfaces openvpn vtun0
  5. Set up the server.
    set mode server
    set local-port 1194
  6. Select a subnet for the VPN clients. Choose a subnet that doesn't overlap with other subnets on your LAN. Notes have also indicated that you should pick an IP range that isn't used on other networks as you could have routing problems, but I'm not completely positive that is true. If you're routing everything over the VPN, the device should use that route first.
    set server subnet <VPN client subnet/prefix>
  7. Configure the TLS parameters, pointing at the files created during the certificate setup.
    set tls ca-cert-file /config/auth/cacert.pem
    set tls cert-file /config/auth/server.pem
    set tls key-file /config/auth/server-pem.key
    set tls dh-file /config/auth/dhp.pem
  8. The notes indicate that for EdgeMax 1.8 firmware and higher, you can turn on IPv6 support. I'm not running that yet, so I didn't do this.
    set protocol udp6
  9. For my purposes, I want all the traffic to go over the VPN. I'm not sure if the second line is strictly needed.
    set openvpn-option "--push redirect-gateway"
    set server push-route <LAN subnet/prefix>
  10. Since I run Pi-hole for blacklisting advertising, I want to continue to do that even when connected to my VPN. (Yes, I know websites make money off the ads, but the ads really need to get better and more relevant before I'll turn this off.) I set my DNS to the same entries that I set on the EdgeRouter's DHCP server.
    set openvpn-option "--push dhcp-option DNS <first DNS server IP>"
    set openvpn-option "--push dhcp-option DNS <second DNS server IP>"
  11. Now a few extra OpenVPN options. I allow the same certificate to be used by multiple clients (see the certificate setup), so I have that option as well as one to enable compression.
    set openvpn-option --comp-lzo
    set openvpn-option --duplicate-cn
  12. Next up are the firewall rules to allow clients to connect from the outside to the EdgeRouter Lite. Since edit is relative to where you are in the configuration tree, go back to the top first. The rule number (4 here) just needs to be one that is unused in your WAN_LOCAL ruleset.
    top
    edit firewall name WAN_LOCAL
    set rule 4 action accept
    set rule 4 description "OpenVPN"
    set rule 4 destination port 1194
    set rule 4 protocol tcp_udp
    set rule 4 log disable
  13. If you have an IPv6 firewall, you might add something like this (IPv6 rulesets are defined under firewall ipv6-name rather than firewall name).
    top
    edit firewall ipv6-name WANv6_LOCAL
    set rule 4 action accept
    set rule 4 description "OpenVPN"
    set rule 4 destination port 1194
    set rule 4 protocol tcp_udp
    set rule 4 log disable
  14. That's it for the server setup! Finally, commit the changes, save them so they survive a reboot, and leave configuration mode:
    commit
    save
    exit
  15. Check that the OpenVPN server is running using:
    ps -ef | grep openvpn
    show openvpn server status

The last line can be used when clients are connected to monitor it.

Good work if you’ve followed along this far! Next up is the client setup which has a bunch of steps as well.

iOS Client Setup

  1. Locate the p12 file that you created on your Mac.
  2. Download Apple Configurator from the Mac App Store.
  3. Select New Profile from the File menu.

    New Profile

  4. Fill out the General information for the profile. You can leave the Identifier as is.

  5. Click on Certificates and then press Configure. Select the .p12 file you created way back in the first part of the instructions.
    Select Certificate
  6. Give the certificate a name and enter the password you used when exporting the p12 file.
    Certificate Selected
  7. Select the VPN section and click Configure.
    Configure VPN

  8. Enter a name for the connection.

  9. Select Custom SSL for the Connection Type.
  10. Enter net.openvpn.OpenVPN-Connect.vpnplugin for Identifier.
  11. Enter the hostname for the Server. I recommend your Dynamic DNS hostname here. I wouldn’t recommend a CNAME as I’ll explain later.
  12. Enter some username for the account; it won’t be used.
  13. Enter a placeholder key/value pair. You’ll edit this by hand later.
  14. Select Certificate for User Authentication and then pick the certificate you added earlier.
  15. Enable VPN On Demand. You’ll hand edit this later as well.
  16. Select a Disconnect on Idle value; I selected Never.
  17. Save the profile to your Desktop (or somewhere else). Don’t sign it as signing it will prevent you from editing it by hand which is needed to properly setup the VPN On Demand. Configurator doesn’t handle all the options present in current iOS versions.
    VPN Setup
  18. Open the .mobileconfig file in BBEdit. BTW, if you haven’t bought BBEdit, you should definitely buy it. While the current version offers basic functionality for free, this is a tool that should always remain in your tool belt.
  19. Look at the section called VPN. Mine contains the trusted SSIDs ("My Network 5 GHz" and "My Network") in the OnDemandRules, a remote entry of the form "hostname 1194" in the VendorConfig, and the CA certificate as one long string starting with -----BEGIN CERTIFICATE-----\n and ending with \n-----END CERTIFICATE-----\n. You'll need to change a few entries.
  20. Change the PayloadCertificateUUID to whatever is already in your config file.

  21. Change the references to your VPN address.
  22. For the section that starts with BEGIN CERTIFICATE, find the cacert.pem that you saved to your hard drive. Open it in BBEdit and replace every line break with the two characters \n (backslash, n), so that the header line, each base64 line and the footer line are separated by \n and the footer line is followed by a final \n. You should end up with one big long line!
  23. The OnDemandRules are described in Apple’s documentation. My setup basically says that if I’m on a trusted network, disconnect the VPN. When on cellular, also disconnect the VPN (I trust the cellular network for now). If I’m on any other network, connect the VPN. The last item just falls through, but I suspect it will never get there. In my example, change the names of the trusted SSIDs.
  24. The VendorConfig section are the OpenVPN options that should match the server.
  25. Save the file.
  26. Transfer the .mobileconfig file to your iOS device. I drop the file on AirDrop to my devices. If the formatting of the file is correct, the iOS device will ask you to install the file.
  27. In the VPN section of iOS Settings, tap Connect and cross your fingers. That's it! Now when you wander onto an unknown WiFi network, the VPN should automatically connect. It may take a few seconds for the connection to come up.
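To make the hand edits concrete, here is an added example (not the original post's profile, and not code from Apple or OpenVPN) that builds the VPN payload with Python's plistlib: the On Demand rules in the order described in step 23, and the CA certificate flattened with literal \n separators as in step 22. The hostname, SSIDs, UUIDs, identifiers and the VendorConfig keys used for OpenVPN Connect are assumptions, and the certificate is a constructed placeholder rather than a real CA.

```python
"""Build the VPN payload of an on-demand OpenVPN .mobileconfig.

Added example, not from the original post, Apple or OpenVPN. Hostname,
SSIDs, UUIDs, identifiers and the VendorConfig keys are assumptions;
the certificate below is a constructed placeholder, not a real CA.
"""
import plistlib
import uuid

# Constructed placeholder standing in for the saved cacert.pem.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDexampleLineOne
MIIDexampleLineTwo
-----END CERTIFICATE-----
"""


def flatten_pem(pem):
    """Put the PEM on one line with a literal backslash-n between lines
    and after the footer, which is what the hand edit in step 22 does."""
    lines = [line for line in pem.strip().splitlines() if line.strip()]
    return "\\n".join(lines) + "\\n"


def on_demand_rules(trusted_ssids):
    """Rules are evaluated top to bottom and the first match wins, so the
    trusted-network exceptions must come before the catch-all Connect."""
    return [
        # On a trusted home SSID, tear the VPN down.
        {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi",
         "SSIDMatch": list(trusted_ssids)},
        # On cellular, stay off the VPN (the post trusts cellular for now).
        {"Action": "Disconnect", "InterfaceTypeMatch": "Cellular"},
        # Anything else (an unknown WiFi network) brings the tunnel up.
        {"Action": "Connect"},
    ]


def vpn_payload(server_host, port, ca_pem, trusted_ssids, cert_uuid,
                payload_uuid=None):
    """The com.apple.vpn.managed payload for an OpenVPN Connect 'Custom SSL'
    VPN that authenticates with the certificate payload identified by
    cert_uuid. VendorConfig mirrors the server options (UDP, comp-lzo);
    its key names are assumed to be what OpenVPN Connect reads."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ondemand",  # assumed
        "PayloadUUID": payload_uuid or str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Home VPN",
        "UserDefinedName": "Home VPN",
        "VPNType": "VPN",
        "VPNSubType": "net.openvpn.OpenVPN-Connect.vpnplugin",
        "VPN": {
            "RemoteAddress": f"{server_host}:{port}",
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_uuid,
            "OnDemandEnabled": 1,
            "OnDemandRules": on_demand_rules(trusted_ssids),
            "DisconnectOnIdle": 0,
        },
        "VendorConfig": {
            "remote": f"{server_host} {port}",
            "proto": "udp",
            "dev": "tun",
            "comp-lzo": "yes",
            "ca": flatten_pem(ca_pem),
        },
    }


def build_profile(payload, profile_uuid=None):
    """Wrap the payload in a top-level profile and serialise it to XML
    plist bytes, i.e. the contents of an unsigned .mobileconfig."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.homevpn",  # assumed
        "PayloadUUID": profile_uuid or str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Home VPN (on demand)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def load_profile(data):
    """Parse profile bytes back into a dict, handy for checking edits."""
    return plistlib.loads(data)


if __name__ == "__main__":
    payload = vpn_payload("vpn.example.net", 1194, SAMPLE_CA_PEM,
                          ["My Network", "My Network 5 GHz"],
                          str(uuid.uuid4()).upper())
    print(build_profile(payload).decode())
```

In practice you would keep the certificate payload that Apple Configurator generated (the .p12 with its PayloadUUID) and pass that UUID in as cert_uuid, since the VPN payload's PayloadCertificateUUID must match it exactly; the same rule ordering applies whether you generate the plist this way or edit it by hand.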

If you’ve made it this far, congratulations! I spent a few days working on this and hopefully I captured all the steps. Please send me corrections or feedback.


  1. I mentioned earlier that a CNAME entry for my VPN server caused a problem, and that is because if I'm connecting from inside my firewall (yes, I know it isn't needed), the client tries to go to the external IP address. By using an A record and doing the following on the EdgeRouter Lite:
    set system static-host-mapping host-name <VPN hostname> inet <router's internal IP>

    you can have your client connect to the VPN from inside the firewall. This is useful if iOS gets confused and wants to connect to the VPN when it shouldn't.

  2. I’ve noticed that sometimes iOS connects to my VPN even when it is on my network. The On Demand connection is evaluated when the network changes and I suspect iOS gets confused and starts evaluating the On Demand rules prior to getting an SSID. This isn’t a big deal as my clients can connect to the VPN even on my own network.

  3. The default certificates are good for 1 year, so you'll need to renew them after a year. I'll cross that bridge when I come to it.
  4. If the certificate is compromised, I don’t know how to do certificate revocations.
  5. Treat the certificate and keys just as if they were passwords. This goes for the .mobileconfig file as well. The mobileconfig file has the password to the p12 file in clear text and anyone with that file can connect to your VPN and access your network.
  6. The OnDemand rules are evaluated when the device changes networks and may take a few seconds to bring up the VPN. I always wait for the VPN icon to come up before doing anything on my device.
  7. OpenVPN runs on UDP port 1194 by default. You can configure it for TCP 443, but I won’t go into that because it seems like a pain and requires more changes.