
@tdeebswihart
Last active October 15, 2018 20:49
Private Internet Access network whitelisting for MacOS

Usage:

  1. Save the attached .plist file to ~/Library/LaunchAgents/local.YOUR_USER.pia.plist
  2. Change all of the YOUR_USER markers to your computer's username
  3. Save pia-control.sh to ~/.local/bin/pia-control.sh — that is the path the LaunchAgent's ProgramArguments points at. If you save it somewhere else, update the LaunchAgent to match.
  4. Create the file ~/.pia_trusted_ssids with the SSIDs (wireless network names) of each of the networks you'd like to trust, one per line. Note that an SSID is just a broadcast name and is never authenticated: anyone can stand up an access point with one of your trusted names, and the script will then stop the VPN. Treat this as a convenience for networks you recognise, not as a defence against a spoofed one.
  5. Create ~/Library/Logs/Local (both the LaunchAgent and the script write their logs there), then run launchctl load ~/Library/LaunchAgents/local.YOUR_USER.pia.plist; launchctl start local.YOUR_USER.pia
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Per-user LaunchAgent that runs pia-control.sh whenever one of the WatchPaths
     below changes, which is how it notices a network change.
     Replace every YOUR_USER with your macOS username before loading it. -->
<plist version="1.0">
<dict>
<!-- Job name used with `launchctl start`; by convention it matches the file name. -->
<key>Label</key>
<string>local.YOUR_USER.pia</string>
<key>LowPriorityIO</key>
<true/>
<!-- The script is run through /bin/bash, so it does not need to be executable. -->
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>/Users/YOUR_USER/.local/bin/pia-control.sh</string>
</array>
<!-- launchd starts the job when any of these files is modified. The script
     relies on at least one of them changing whenever the network changes. -->
<key>WatchPaths</key>
<array>
<string>/var/run/resolv.conf</string>
<string>/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist</string>
<string>/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist</string>
</array>
<!-- Also run once when the agent is loaded (e.g. at login), so the VPN state is
     correct without waiting for a network change. -->
<key>RunAtLoad</key>
<true/>
<!-- Make sure ~/Library/Logs/Local exists before loading the agent; nothing here
     creates it, and the script writes its own log to the same directory. -->
<key>StandardOutPath</key>
<string>/Users/YOUR_USER/Library/Logs/Local/pia-control.stdout.log</string>
<key>StandardErrorPath</key>
<string>/Users/YOUR_USER/Library/Logs/Local/pia-control.stderr.log</string>
</dict>
</plist>
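#!/bin/bash
# Run by the LaunchAgent whenever one of its WatchPaths changes (at least one of
# those files changes when the network changes). Starts PIA when the current Wi-Fi
# SSID is not listed in ~/.pia_trusted_ssids, and stops it again -- only if this
# script started it -- when the SSID is listed.
# Note: this does not support whitelisting wired networks.
readonly RESOLV=/var/run/resolv.conf
# Apple's private Wi-Fi CLI, used only to read the current SSID.
# NOTE(review): Apple has deprecated this tool in newer macOS releases; confirm it
# still exists on the target machine.
readonly AIRPORT="/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport"
# One trusted SSID per line.
readonly TRUSTED_SSID_FILE="$HOME/.pia_trusted_ssids"
# Process name matched with pgrep, and the client binary that gets launched.
readonly PIA_PROCNAME="Private Internet Access"
readonly PIA="/Applications/Private Internet Access.app/Contents/MacOS/Private Internet Access"
# Marker file recording that this script (not the user) started PIA. Kept under
# $HOME rather than in the shared, world-writable /tmp so that another local user
# cannot pre-create or clobber a predictably named file and thereby change whether
# this script stops the VPN.
readonly PIDFILE="$HOME/.pia-control.pia.pid"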
## Logging helpers
# Every line is stamped with the current date. The level is a fixed prefix so the
# launchd log files can be grepped by severity.
log () {
  printf '[%s] %s\n' "$(date)" "$*"
}
# Informational message.
log_info () {
  log "INFO - $*"
}
# Error message (goes to the same stream as everything else).
log_err () {
  log "ERRO - $*"
}
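# Print the SSID of the Wi-Fi network we are joined to, or nothing when there is none.
# `airport -I` prints one "   key: value" line per field; the anchored regex keeps
# the "SSID:" line and skips "BSSID:". Everything after the colon is taken as the
# name, so SSIDs containing ':' are not truncated, and no xargs/echo step is
# involved, so quotes, backslashes and glob characters in the name are not mangled.
current_ssid () {
  "$AIRPORT" -I \
    | awk '/^[[:space:]]*SSID:/ { sub(/^[[:space:]]*SSID:[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }'
}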
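# Return 0 when the current SSID appears in TRUSTED_SSID_FILE, 1 otherwise.
# The match is an exact string comparison of the broadcast name; an SSID is not
# authenticated, so this only recognises a network, it does not verify it.
connected_to_trusted_network () {
  local ssid trusted_ssid
  ssid=$(current_ssid)
  # No SSID means no Wi-Fi (or airport failed). Never treat that as trusted, or a
  # blank line in the list would match and the VPN would be stopped on any wired link.
  [[ -n "$ssid" ]] || return 1
  [[ -r "$TRUSTED_SSID_FILE" ]] || return 1
  # read -r with the default IFS trims surrounding whitespace from each line; the
  # `|| -n` clause still processes a last line that has no trailing newline.
  while read -r trusted_ssid || [[ -n "$trusted_ssid" ]]; do
    [[ -z "$trusted_ssid" ]] && continue
    if [[ "$ssid" == "$trusted_ssid" ]]; then
      return 0
    fi
  done < "$TRUSTED_SSID_FILE"
  return 1
}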
# Return 0 when a process whose name matches PIA_PROCNAME exists, 1 otherwise.
vpn_running () {
  # pgrep exits 0 only when at least one process name matches the pattern;
  # any other outcome (no match, error) is reported as "not running".
  pgrep "${PIA_PROCNAME}" > /dev/null 2>&1 && return 0
  return 1
}
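## Main
# Without the PIA client there is nothing to manage. Exit 0 so launchd does not
# record the run as a failure (it will run again on the next WatchPaths change).
if [[ ! -f "$PIA" ]]; then
  log_err "Private Internet Access is not installed, so we've nothing to do!"
  exit 0
fi
# /var/run/resolv.conf is only present while a network is configured. With no
# network there is nothing to protect, so PIA is left in whatever state it is in.
if [[ -f "${RESOLV}" ]]; then
  log_info "We're connected; checking if we're on a trusted wireless network"
  if connected_to_trusted_network; then
    log_info "We're connected to trusted network '$(current_ssid)'"
    # Only stop PIA when the pidfile shows that this script started it; a client
    # the user launched by hand is left alone.
    if [[ -f "${PIDFILE}" ]]; then
      log_info "Killing current PIA process"
      recorded_pid=$(<"${PIDFILE}")
      # Trust the recorded PID only if it is numeric and currently belongs to a
      # PIA process. This guards against PID reuse and against a pidfile that was
      # written by something other than this script.
      if [[ "${recorded_pid}" =~ ^[0-9]+$ ]] && pgrep "${PIA_PROCNAME}" | grep -qx "${recorded_pid}"; then
        kill "${recorded_pid}"
      else
        # Fall back to matching by name. pgrep prints one PID per line, so the
        # list is deliberately left unquoted to pass each PID as its own argument
        # instead of one newline-joined string that kill would reject.
        pia_pids=$(pgrep "${PIA_PROCNAME}")
        if [[ -n "${pia_pids}" ]]; then
          # shellcheck disable=SC2086
          kill ${pia_pids}
        fi
      fi
      rm -f -- "${PIDFILE}"
    elif vpn_running; then
      log_info "PIA was enabled manually, so we'll leave it alone"
    fi
  else
    # Untrusted network: make sure the VPN is up, but never start a second client.
    if ! vpn_running; then
      log_info "Starting PIA VPN client!"
      # Neither launchd nor the shell creates the log directory for us.
      mkdir -p -- "${HOME}/Library/Logs/Local"
      nohup "$PIA" > "${HOME}/Library/Logs/Local/private-internet-access.log" 2>&1 &
      # $! is the PID of the job just placed in the background ($? here would only
      # be the status of the '&' launch itself, which is always 0).
      echo "$!" > "${PIDFILE}"
    fi
  fi
fi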