I’m currently on holiday with this Debian laptop, a GL.iNet Puli XE300 and a villa full of random network SSIDs. The Puli establishes a WireGuard VPN connection back home using whatever network connection it can. This laptop also has its own WireGuard config for tunnelling back home.

What I didn’t want to happen was for the VPN to run on this laptop if I was connected to the Puli, as I’d then be tunneling within a tunnel. However, I didn’t want to accidentally go naked if I wasn’t connected to the Puli.

After a little bit of hackery and conversations with Gemini, I came up with this script to drop into /etc/NetworkManager/dispatcher.d:

#!/bin/bash

if [[ "$2" != "up" ]]; then
	echo "Not UP, exiting"
	exit 0
fi
if [[ "$1" == "wg0" ]]; then
	echo "Don't mess with wg0"
	exit 0
fi

# Define the SSIDs where WireGuard should NOT be run
EXCLUDED_SSIDS=("Home" "HomeFromHome" "Home-ios" "Home-guest" "Home-work")

# Get the current SSID
CURRENT_SSID=$(iwgetid -r)

# Check if the current SSID is in the excluded list
for EXCLUDED_SSID in "${EXCLUDED_SSIDS[@]}"; do
  if [[ "$CURRENT_SSID" == "$EXCLUDED_SSID" ]]; then
    # If on an excluded SSID, stop WireGuard (dispatcher scripts already run as root, so no sudo)
    if wg show wg0 >/dev/null 2>&1; then
      wg-quick down wg0
      echo "WireGuard VPN disconnected on $CURRENT_SSID"
    fi
    exit 0  # Exit the script
  fi
done

# If not on an excluded SSID, start WireGuard (interface details from wg show are discarded, not logged)
if ! wg show wg0 >/dev/null 2>&1; then
  wg-quick up wg0
  echo "WireGuard VPN connected on $CURRENT_SSID"
fi

Basically I have a whitelist of ‘safe’ SSIDs where I don’t want to run WireGuard and if I’m ‘up’ on one of those WireGuard gets shut down. Everywhere else, WireGuard is set up.
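An SSID is only a name, so an open network that happens to be called "Home" would match the list and take the tunnel down. The following is an added example, not part of the original script: it puts the same policy in a testable function and additionally requires the trusted network to be WPA-protected. The function names and the extra security argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's script. Function names are hypothetical.

# vpn_action ACTION IFACE SSID SECURITY  ->  prints up | down | skip
# SECURITY is the nmcli SECURITY column for the active AP (e.g. "WPA2");
# it is empty or "--" on an open network. Checking it is this example's
# assumption, not something the original script does.
vpn_action() {
    action=$1
    iface=$2
    ssid=$3
    security=$4

    # Only react to "up" events, and never to the tunnel interface itself
    [ "$action" = "up" ] || { echo skip; return 0; }
    [ "$iface" != "wg0" ] || { echo skip; return 0; }

    case "$ssid" in
        Home|HomeFromHome|Home-ios|Home-guest|Home-work)
            # A trusted name alone is only a label; also require encryption
            case "$security" in
                *WPA*) echo down ;;
                *)     echo up ;;
            esac
            ;;
        *)
            # Unknown SSID, or none at all (wired link): keep the tunnel up
            echo up
            ;;
    esac
}

# Turn the decision into wg-quick calls (dispatcher scripts run as root)
apply_action() {
    case "$1" in
        up)   wg show wg0 >/dev/null 2>&1 || wg-quick up wg0 ;;
        down) if wg show wg0 >/dev/null 2>&1; then wg-quick down wg0; fi ;;
    esac
}

# Constructed sample events: action, interface, SSID, security
for event in "up wlan0 Home WPA2" "up wlan0 Home --" "up wlan0 VillaGuest WPA2" \
             "up eth0 - -" "down wlan0 Home WPA2" "up wg0 - -"; do
    set -- $event
    printf '%-28s -> %s\n' "$event" "$(vpn_action "$1" "$2" "$3" "$4")"
done
```

In a real dispatcher script the SSID and security values can be taken from the line starting with `yes:` in the output of `nmcli -t -f ACTIVE,SSID,SECURITY device wifi`.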

Handy if you need it.