Comments on Tech Biter: How to do VPN on Demand for iOS at zero cost despite Apple's best efforts to prevent this
Blog author: John Lockwood
Feed last updated: 2023-07-23T15:35:04.984+00:00
26 comments in total; listed newest first.


Anonymous, 2018-07-30T06:47:57.226+00:00:

Please let me know how to connect to a VPN server from our iOS app using Swift.


Max Devaine, 2018-01-09T15:05:10.859+00:00:

Hi,
I have the same problem.
I use StrongSwan + IKEv2.
Notifications from Exchange 2013 on iOS do not work if I'm connected via VPN.
On an Android device it works great.
Android and iOS have the same settings on the server side.

I have not found a solution for this :-/.
Max


Anonymous, 2017-06-01T07:47:39.191+00:00:

This comment has been removed by a blog administrator.


Anonymous, 2017-05-30T08:37:16.297+00:00:

good


Stephanie Goodrich, 2017-05-02T10:27:07.938+00:00:

This comment has been removed by a blog administrator.


John Lockwood, 2017-02-15T12:49:17.068+00:00:

There are two different password uses you could be referring to. Firstly, the .p12 file itself should normally be password protected; this is OK, as when you add the .p12 to the mobileconfig file you can specify the password in the mobileconfig file to unlock the .p12 file.

The other possible password use is for allowing the user of the iPhone or iPad to 'login' to the VPN server. Now here is where it gets tricky: normally you cannot add a user password like this to the mobileconfig file. Certainly iPhone Configuration Utility, Apple Configurator and Profile Manager do not allow this. This is why I chose to use Xauth-noauth on the StrongSwan server; this is a special dummy Xauth module which does not ask the device for a user name and password. However, if you hand edit the XML in the mobileconfig file you can add a user password to it as follows.

(I had to insert spaces into the XML below to get it to be accepted in this reply.)

  <key>XAuthPassword</key>
  <string>myVPNuserPassword</string>

This would follow the standard

  <key>XAuthEnabled</key>
  <integer>1</integer>
  <key>XAuthName</key>
  <string>VPN</string>

Obviously you would put your own values in.

Either using Xauth-noauth or hand editing the mobileconfig file will solve the problem of the iOS device otherwise having to repeatedly ask you for the password. However, each has its own disadvantages. Using Xauth-noauth means it is slightly less secure, since you are turning off one type of security; hand editing the mobileconfig file means the password has to be stored as plain text in that file, and if the password is changed by the user you have to generate a new mobileconfig file with the new password.


Timothy Noel, 2017-02-15T12:33:43.405+00:00:

Hi John, thanks for all the insights. However, when I embedded the p12 into the mobileconfig, my iPhone prompts me for a password. This is on iOS 7. Did you face such an issue? I added a dummy password into the XML, but it does not work.


John Lockwood, 2016-08-04T13:19:43.244+00:00:

If you're using the built-in mail client on the iPad, all you see is the unread message count increase and either a beep or a vibrate. We use Exchange ActiveSync for mail on iPhones/iPads and I know that works fine via the VPN, and EAS is a push system, although it uses its own push system rather than Apple's.

In fact, now that I think about it, Gmail would not use Apple Push Notifications either, unless that is a feature of a Gmail-specific client rather than the built-in client.

LinkedIn is a good app to test Apple push notifications with. It will show messages on screen, in the notification centre, and as a number (badge) on the icon.


Anonymous, 2016-08-04T11:05:35.068+00:00:

Thanks. I'm testing push notifications to my iPad by sending email to my Gmail account, which is set up on the iPad. Normally an alert is shown for new emails; however, when connected via VPN I consistently get no email alerts.

We want to use our VPN as an Internet gateway; it does not allow access to an office network. I tried that tool: push notifications to our Mac were successful outside the VPN, and were also successful when connected via the VPN. So it does seem to be an iOS-specific problem.

If you are able to verify that push notifications are received by iOS devices connected to your VPN server, that would be really helpful to me. I'm still hopeful that there is some "magic" StrongSwan configuration option that I can enable that will make this work for me.


John Lockwood, 2016-08-04T08:53:47.979+00:00:

Interesting question. I have not seen any issue myself or had this reported by my users. What makes you think push notifications are not working?

As far as I can see, the following should happen.

If not connected to the VPN, then push notifications should go from Apple directly to the phone; this would then, I suspect, trigger Internet activity by the phone, which in turn would trigger 'VPN on Demand' to connect to the VPN.

If already connected to the VPN, the way I have mine configured is to route all traffic via the VPN connection; this means the 'public' IP address of the phone becomes the public IP of the office network. As long as the office network allows push notification traffic this should then still work, but like all the other Internet traffic it would flow via the office and the VPN connection.

It might be worth doing a test using a Mac on the office network to confirm push notifications work there; this would not involve the VPN. See this free tool for a way to test push notifications: http://twocanoes.com/products/mac/push-diagnostics


Anonymous, 2016-08-04T08:31:53.575+00:00:

I also need VPN on Demand; I have been going through a similar exercise to you (great job, by the way). I have tried StrongSwan using IKEv2, and I have been able to connect from my iPad successfully using either PSK or certificate authentication. I am now having trouble where Apple push notifications do not reach my iPad whilst the VPN is active. Does this work for you with your setup? Did you have to configure anything particular for that? TIA


Anonymous, 2016-02-08T08:04:30.284+00:00:

This comment has been removed by a blog administrator.


John Lockwood, 2016-01-27T15:06:35.754+00:00:

Your comment appeared to be an advert for a commercial VPN service, and I have previously been pestered by a large number of such adverts masquerading as comments. The whole point of this article was not to create a standard VPN server for iOS users but to specifically create a VPN on Demand solution more appropriate for corporate environments, and this is something none of those typical paid-for VPN services offer.

I apologise if I have unfairly considered your post as such an 'advert'.


jameshouston135, 2016-01-27T15:00:25.997+00:00:

Why did you remove it?


jameshouston135, 2016-01-27T09:49:16.890+00:00:

This comment has been removed by a blog administrator.


John Lockwood, 2015-03-10T04:04:51.962+00:00:

As mentioned above, I used iPhone Configuration Utility to create a mobileconfig file. Like Apple Configurator, Profile Manager and, I believe, most/all MDM solutions, this only has very limited built-in VPN on Demand rules that you can define. I then hand-edited the mobileconfig file using TextWrangler. The mobileconfig file is just an XML file which can be edited. I was then able to replace the VPN on Demand rules section with a rule that better matched my requirements.

As per my article above again, the Apple documentation lists the different VPN on Demand rules you can define, including ones which, as mentioned, you cannot do via iPhone Configuration Utility itself.

Once the mobileconfig file was complete, I then told Meraki Systems Manager to create an MDM profile from the mobileconfig file, which I uploaded to Meraki Systems Manager. I then told Meraki Systems Manager to only push that profile to a single specific device, the one it is intended for, by setting which tags to match against. I add an extra tag for each device and use the device's serial number for the tag so as to ensure it is unique and simple to follow.

The mobileconfig file therefore contains the client device SSL certificate as a p12, which includes the client device's private key; the (in my case self-signed) root CA certificate as a pem; the VPN settings, i.e. address and type; and the hand-edited rule for VPN on Demand.


havikk, 2015-03-09T23:05:51.684+00:00:

You mentioned pushing this out via Meraki Systems Manager. What setting did you select? How did you push this URL out?


John Lockwood, 2014-11-20T20:36:39.180+00:00:

Once the VPN server is set up, which is perhaps the more difficult part, adding additional devices is merely a matter of generating a new client certificate, creating a mobileconfig file (I use iPhone Configuration Utility) and using an MDM to push it out to the iOS device.

I agree it is always nice to have a simpler solution, and I have found all the gotchas and listed solutions. Unfortunately, if one wants a free solution one often has to put more work in. There are plenty of existing commercial VPN solutions which will do more of the work for you and would be proven working solutions; they do, however, cost a considerable amount, e.g. Cisco, SonicWALL (aka Dell), Juniper and others.


Anonymous, 2014-11-20T17:52:42.260+00:00:

I would certainly pay for an iOS on demand VPN solution.


Anonymous, 2014-11-20T17:51:52.287+00:00:

Great work. However, this sounds very complicated even for a knowledgeable software engineer like myself. Is there any way this could be simplified? Perhaps you could even monetize this.


John Lockwood, 2014-11-12T17:35:21.882+00:00:

It's been a long while now since I originally did all this work, but I do seem to recall seeing that option back then. I vaguely recall trying it by itself, and because the VPN server was then still asking for XAuth it did not help. So it might be worth trying along with xauth-noauth, but probably not without. One needs to ensure the VPN server is not asking for Xauth as well as ensuring the client does not send it.

Have you added the fragmentation=yes entry to your ipsec.conf? I found after a while that the O2 mobile data network had a problem with the packet size needed to send SSL certificates, but EE and normal broadband did not; when changing network connections you may be changing to a network that hits this.

If you use the Contact form it may be easier to discuss this more directly.


Raoul Duke, 2014-11-12T15:30:13.988+00:00:

Great post. A couple of questions:

1] You mentioned using xauth-noauth. I've been using that for the same reason. However, today I just read that there is an XAuthEnabled=0 setting:

https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

Have you tried this? If so, could you share your experiences?

2] Since I started using xauth-noauth I've noticed that iOS clients can sometimes get into a wedged state when switching networks. This didn't seem to happen at all previously. Have you noticed anything like this?


John Lockwood, 2014-08-18T19:13:09.435+00:00:

The "Action, Connect, URLStringProbe" means that if the probe is successful it will initiate an attempted VPN connection and will keep trying to do so as long as the probe reports a success.

So if you set it to probe www.google.com, that is likely to always be online, and it will therefore always keep trying to initiate the VPN connection even if the VPN server is down.

You want instead to have it look for a URL on the VPN server; then if the VPN server is down the probe will fail and it will revert to using the public Internet.

A simple hello webpage is sufficient for this and can and should be run on the same Linux server. You can use Apache in Linux to do this. It does mean you need to open a port for the webserver through any firewall.


Anonymous, 2014-08-18T14:36:47.733+00:00:

Action Connect is working fine in iOS 7, but when the VPN server is down the device has to use the public Internet, so I changed it like this: Action Connect, URLStringProbe https://www.google.com. But it doesn't even establish a VPN connection. Any help is appreciated!


Mykola V., 2014-04-10T15:04:22.327+00:00:

Hi John!

This is an amazing job.

But I want to ask you one question.

You wrote: "I therefore used iPhone Configuration Utility to build a mobileconfig profile containing the client certificate and the VPN settings, I then exported it and edited this as per Apple's documentation above to use the URLStringProbe option to check for the ability to access a URL on my VPN server and if found to be true to trigger a VPN connection".

Is the following scenario possible: I build a mobileconfig profile and publish it at some URL; then when the app starts, it fetches this profile and applies it? The main goal is that everything should work in automated mode for the final user. He has no need to go to Settings and make some manipulations to activate the VPN. He simply runs the app and enjoys life with VPN :)

If it is possible, can you publish some link for learning about this question, because I don't know how to apply a mobileconfig profile (or maybe how to run it)?

Thank you for any help you can provide on this question.