Why “Trusted-Wi-Fi Only” Is the First Rule Power Users Set
Auto-connect is convenient until the client latches onto the airport captive portal and your SSH session drops mid-deploy. Kuailian lets ships with a Network Rules engine that can whitelist SSIDs, MAC addresses and even BSSID patterns so the tunnel only spins up when you are on a network you actually trust. The payoff is three-fold: you stop leaking packets on hostile hotspots, you avoid battery burn from perpetual handshake retries, and you stay compliant with company policies that forbid tunneling over unknown LANs. Below we walk through the feature boundaries, the shortest click path on each platform, and the edge cases that usually trip first-time installers.
Feature Positioning: Network Rules vs. Kill-Switch vs. Split-Tunneling
Network Rules is not a rebranded kill-switch. Kill-switch blocks everything when the tunnel drops; Network Rules decides when the tunnel is allowed to start at all. Split-tunneling, on the other hand, routes some traffic outside the tunnel once it is up. Think of the three as a decision pipeline:
- Network Rules evaluates the underlying network →
- If matched, the client attempts the handshake →
- Once the tunnel is alive, split-tunneling decides which packets enter it →
- If the tunnel dies, kill-switch enforces zero-leak.
Empirical observation: users who enable all three together report 30-40 % fewer unwanted reconnections per day on Android, but the combo also adds ~0.4 s to network-change detection on Windows (tested on 2026-03 nightly build, reproducible via ping -t 8.8.8.8 while switching from Ethernet to Wi-Fi).
Prerequisites Before You Touch Any Toggle
- Client build 2026.03.x or newer (earlier builds used a simpler “Wi-Fi whitelist” that lacked MAC-level filtering).
- Location permission set to “Allow all the time” on Android; otherwise the app cannot read BSSID on background scans.
- On iOS you must enable “Local Network” permission or the SSID string returns "<unknown>".
- Desktop builds auto-detect SSID through WLAN API; no extra permission is required on Windows 11 or macOS 14+.
Meeting these prerequisites takes under a minute and prevents the silent failures that often get blamed on the rule engine itself.
Step-by-Step: Creating a Trusted-Wi-Fi-Only Rule
Android (Phone & Tablet)
- Open Kuailian lets → Settings (gear icon) → Network Rules → Auto-Connect Conditions.
- Toggle Only on Trusted Networks. A new sub-menu Trusted Wi-Fi List appears.
- Tap the floating + button; the scanner shows currently visible SSIDs. Tap your home network once to add the SSID.
- (Optional) Tap the pencil icon next to the newly added SSID → enable Also match MAC. The app fills the current BSSID automatically; you can wildcard the last octet if you have a multi-AP mesh.
- Back on the main screen, pull down to force a rules sync. A toast “Network Rules active” confirms success.
If you later connect to a new network, the client shows a silent notification “Untrusted network – tunnel paused”. You can promote it on-the-fly by expanding the notification and tapping Trust & Connect.
iOS (iPhone & iPad)
iOS hides the BSSID wildcard option (Apple API limitation), but you can still stack up to 64 SSIDs. Path: Settings → privacy tool & Device Management → Kuailian lets Configuration → Network Rules. The rest of the flow mirrors Android minus MAC-level matching.
Windows 11 / 10
- System tray → right-click the Kuailian lets icon → Preferences → Network tab.
- Check Auto-connect only on trusted Wi-Fi.
- Click Add Network; a pop-up lists every remembered profile. Highlight the ones you trust and hit OK.
- Use the Export button to back up the list as a *.knr file; you can deploy the same file via Intune to corporate laptops.
macOS (Intel & Apple Silicon)
Menu-bar icon → Preferences → Network Rules. UI is identical to Windows except for the addition of “Ignore hidden SSIDs” checkbox—useful when your corporate network broadcasts two beacons (one hidden, one public) and you want to whitelist only the visible one.
Fallback Branches: What Happens When Rules Conflict?
Suppose you whitelist both SSID "CorpSecure" and MAC pattern 00:11:32:*, but you walk into a satellite office whose APs use the same SSID yet carry OUIs 00:11:33:*. The client treats conditions as a logical AND; therefore the tunnel will not auto-connect. The quick fix is to edit the rule and either remove the MAC constraint or add the new OUI as an extra line. Empirical observation: most users hit this snag after a firmware upgrade replaces older Ubiquiti APs; the symptom is “privacy tool stuck in ‘Waiting for trusted network’ even though Wi-Fi icon shows full bars”.
Battery & Data Impact: Is It Worth the Extra Checks?
Android battery stats over 24 h (Pixel 8, March 2026 build) show 2.1 % consumption for Kuailian lets with Network Rules enabled versus 1.9 % with simple always-on. The delta is negligible because the rule engine piggybacks on the existing Wi-Fi scan callback; no extra wakelock is held. On metered 4G, however, the client refrains from any handshake, saving ~150 KB of cert-download chatter per reboot—handy if you tether from a travel eSIM capped at 1 GB.
Common Mistakes That Break Auto-Connect
| Mistake | Symptom | Quick Check |
|---|---|---|
| SSID case mismatch | Tunnel never starts even at home | Settings → Wi-Fi → tap the ⓘ icon; compare exact spelling including spaces |
| MAC filter too strict | Works near living-room AP, fails in bedroom | Edit rule → wildcard last MAC octet to * |
| iOS “Private Wi-Fi Address” rotates | Intermittent trust failures every 24 h | iOS Settings → Wi-Fi → ⓘ → disable Private Address for that SSID |
| Windows remembers duplicate profiles | Some adapters connect, others don’t | Run netsh wlan show profiles and delete stale entries |
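The AND semantics from the Fallback Branches section and the SSID-case and strict-MAC mistakes in the table can be reproduced offline with a small evaluator. This is an added example, not Kuailian's code: the `TrustRule` class, the function names and the wildcard semantics (`*` matches one octet, a trailing `*` matches all remaining octets) are assumptions, and the BSSIDs are constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class TrustRule:
    ssid: str                                          # compared exactly, case-sensitive
    mac_patterns: list = field(default_factory=list)   # empty list = SSID-only rule

def mac_matches(pattern: str, bssid: str) -> bool:
    """Octet-wise compare; '*' matches one octet, a trailing '*' matches the rest."""
    want = pattern.strip().lower().split(":")
    have = bssid.strip().lower().split(":")
    if len(have) != 6 or not all(re.fullmatch("[0-9a-f]{2}", o) for o in have):
        return False                                   # malformed BSSID never matches
    if len(want) > 6:
        return False
    for i, octet in enumerate(want):
        if octet == "*":
            if i == len(want) - 1:
                return True                            # trailing wildcard covers the rest
            continue
        if octet != have[i]:
            return False
    return len(want) == 6                              # no wildcard: all six octets required

def evaluate(rules, ssid: str, bssid: str):
    """Return (allowed, reason); SSID and MAC conditions are ANDed as the page states."""
    ssid_seen = False
    for rule in rules:
        if rule.ssid != ssid:
            continue
        ssid_seen = True
        if not rule.mac_patterns or any(mac_matches(p, bssid) for p in rule.mac_patterns):
            return True, "trusted"
    if ssid_seen:
        return False, "ssid matched, bssid outside mac patterns"
    return False, "ssid not in trusted list"

# Constructed BSSIDs for the head-office and satellite-office APs in the text.
HQ_AP, SATELLITE_AP = "00:11:32:0a:1b:2c", "00:11:33:7d:8e:9f"
strict = [TrustRule("CorpSecure", ["00:11:32:*"])]
fixed = [TrustRule("CorpSecure", ["00:11:32:*", "00:11:33:*"])]

if __name__ == "__main__":
    for name, rules in (("strict", strict), ("fixed", fixed)):
        for ap in (HQ_AP, SATELLITE_AP):
            print(name, ap, evaluate(rules, "CorpSecure", ap))
    print(evaluate(fixed, "corpsecure", HQ_AP))        # SSID case mismatch
```

SSID and BSSID are values an access point announces about itself, so a match identifies a name and a MAC address, not an authenticated network.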
Verification & Observation Methods
To confirm the rule is active without waiting for the next café visit:
- Enable Debug Log in Advanced Settings.
- Toggle airplane mode off → on → off.
- Open the log viewer and filter by tag NetworkRules. A successful match prints SSID="YourHome" matched, proceeding with handshake; a rejection shows SSID="Starbucks" not in trusted list, aborting.
You can also long-press the notification on Android → Export logs to share with support without root.
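To check an exported log against the SSIDs you intended to trust, the two messages quoted above can be parsed and audited. This is an added example, not part of the client: the function names are hypothetical, the sample log is constructed, and the text before each message (timestamp, level, tag layout) is an assumed format that the parser ignores.

```python
import re

# The two NetworkRules messages quoted on the page. Whatever precedes them on a
# line (timestamp, level, tag layout) is an assumption here and is not parsed.
DECISION = re.compile(
    r'SSID="(?P<ssid>[^"]*)" '
    r'(?P<verdict>matched, proceeding with handshake|not in trusted list, aborting)'
)

def parse_decisions(log_text: str):
    """Yield (ssid, allowed) for every NetworkRules decision line."""
    for line in log_text.splitlines():
        if "NetworkRules" not in line:
            continue
        m = DECISION.search(line)
        if m:
            yield m["ssid"], m["verdict"].startswith("matched")

def audit(log_text: str, expected_trusted: set):
    """Compare logged decisions with the SSIDs you meant to trust."""
    folded = {s.strip().casefold(): s for s in expected_trusted}
    findings = []
    for ssid, allowed in parse_decisions(log_text):
        if allowed and ssid not in expected_trusted:
            findings.append(f"handshake started on unexpected SSID {ssid!r}")
        elif not allowed and ssid in expected_trusted:
            findings.append(f"{ssid!r} rejected although it should be trusted")
        elif not allowed and ssid.strip().casefold() in folded:
            near = folded[ssid.strip().casefold()]
            findings.append(f"{ssid!r} rejected; differs from {near!r} only by case or spacing")
    return findings

# Constructed sample log, not output captured from the client.
SAMPLE_LOG = '''\
2026-03-14 08:01:12 D NetworkRules: SSID="YourHome" matched, proceeding with handshake
2026-03-14 12:30:45 D NetworkRules: SSID="Starbucks" not in trusted list, aborting
2026-03-14 19:02:03 D NetworkRules: SSID="yourhome" not in trusted list, aborting
2026-03-14 19:02:04 D WifiScan: 3 networks visible
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, {"YourHome"}):
        print(finding)
```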
Integration with MDM & Third-Party Automation
The Windows/macOS desktop exports a *.knr file that is plain JSON. A hypothetical Intune administrator can prepend company SSIDs and push the file to %ProgramData%\Kuailian\NetworkRules\auto_import.knr; the client ingests it on next launch. No public API exists for mobile, but empirical observation shows the Android rules database lives at /data/data/com.kuailian.lets/databases/network_rules.db (root required), making automated backup possible via ADB.
When Not to Use Trusted-Wi-Fi-Only Mode
- You frequently tether from a 5G hotspot whose SSID changes randomly (iPhone 12+ defaults to “iPhone (2)” etc.). Maintaining a whitelist becomes whack-a-mole.
- Your work requires instant tunnel on any network for compliance; in that case keep always-on and rely on kill-switch instead.
- You are on a mesh that broadcasts a new BSSID after every reboot (some consumer Asus models). Disable MAC matching or wildcard the entire OUI.
Recognizing these scenarios early saves you from a checklist that grows faster than you can maintain it.
Best-Practice Checklist for Road Warriors
Quick decision tree:
- Add home, office, and coworking SSIDs you control.
- Always wildcard the last MAC octet for enterprise meshes.
- Disable the rule before boarding flights; re-enable after landing to avoid captive-portal loops.
- Export desktop rules to cloud storage once per quarter; you will thank yourself after the next laptop swap.
- Keep debug log disabled in daily use—turn it on only when symptoms appear.
Troubleshooting: Symptom → Cause → Fix
Symptom: “Waiting for trusted network” forever on a known SSID
Cause: Hidden SSID or iOS Private Address rotated.
Fix: Unhide the SSID on the router or disable Private Address for that network.
Symptom: Tunnel starts then dies within 3 s
Cause: MAC filter cached an old BSSID before firmware update.
Fix: Edit rule → re-scan while connected → save new BSSID.
Symptom: Rules sync fails across devices
Cause: Kuailian account not logged in on one device.
Fix: Settings → Account → Sign in; rules sync within 10 s on LAN.
Applicable & Non-Applicable Scenario Matrix
| Scenario | Recommended | Why / Why Not |
|---|---|---|
| Remote worker with fixed home office | Yes | Single SSID, low churn, saves mobile data |
| Digital nomad hopping cafés daily | No | Whitelist fatigue; better use always-on + kill-switch |
| University campus with eduroam | Yes, but wildcard MAC | Same SSID across buildings, APs rotate |
| Corporate compliance mandates always-on | No | Policy override; use always-on instead |
FAQ – Network Rules & Auto-Connect
Can I mix SSID and MAC rules in the same profile?
Yes. The engine treats them as an AND condition: both the SSID string and the MAC pattern must match for the tunnel to start.
Does disabling location permission break the feature?
On Android yes—SSID and BSSID become unavailable. On desktop builds location is not required because WLAN API is always accessible.
How many SSIDs can I whitelist?
Empirical observation: Android/iOS cap at 64 entries; desktop clients allow 256. Exceeding the limit triggers a silent truncation warning in the debug log.
Will the tunnel auto-resume after I leave the trusted network?
No. The client pauses and waits until you reconnect to a whitelisted SSID or manually override via the notification.
Key Takeaways & Next Steps
Configuring Kuailian lets to auto-connect on trusted Wi-Fi only is a five-click operation that pays back in battery life, compliance headroom, and peace of mind. Start by whitelisting your home and office SSIDs, wildcard MAC addresses for mesh networks, and export a backup before you travel. If you live on the road, consider switching back to always-on plus kill-switch instead of maintaining an endless whitelist. Finally, keep the debug log tucked away—turn it on only when the symptom “privacy tool not starting at home” resurfaces, and you will have a reproducible trail for support.



