So I can then trigger actions based on VPN connection or not.
If you create the rule while the VPN is connected is tun0 then available? That interface is dynamically created as is the list that CP has available during rule create.
No. I got on VPN (tun0 now exists), and checked and it only showed en0 still. I then restarted the app and checked again, but no tun0.
tun0 doesn't exist unless the VPN is up though. Not sure if that matters.
Yes, tun0 needs to visible on the system before CP can see it.
It's only visible when it is active. I restarted CP while it was active and CP didn't see it then either though.
Create a small script and use this as evidence source. It works fine for me using Cisco Anyconnect VPN client.
If utun0 is UP the script evidence is true
ifconfig utun0 inet|grep UP 2>/dev/null >/dev/null