I have been working on a Packet Tunnel Network Extension that establishes a VPN connection with a server. The main purpose is to block websites that the VPN server considers safe websites when resolving the DNS. If the website is considered safe it will resolve the website and allow traffic.
This solution is implemented by establishing a VPN tunnel using the OpenVPN protocol.
From reading the documentation I see there is a difference being made between always-on VPN and on-demand VPN. What I can see is that I can implement an on-demand VPN, for example by distributing my app in the App Store. What I can't do is implement an always-on VPN if it's not by managing devices. This couldn't be an option for us.
I would like to know if there are specifications or parts of the documentation that can answer some of these questions:
* Are the VPN connections shut down when the device goes to sleep? I can see this because my device does it but haven't seen this in the documentation.
* Can I establish an always-on VPN without having supervised devices? I can reset my VPN when my network interface changes and try to have my "always on" implementation.
* In some part of the documentation they mention that for iOS devices there are two virtual interfaces, one for Cellular and the other for Wi-Fi. My NEPacketTunnelProvider does not differentiate between two `tun` interfaces, so is this only for managed devices?
* Are the VPN tunnels time restricted? I don't know if I am having too many problems with this or this is something hard to work with but the tunnel seems to disconnect after a while when the device goes to sleep.
* If I cannot establish an always-on VPN and I cannot force my traffic to go out of my tun interface, would establishing an IPSec tunnel be another viable option? AFAIK an IPSec tunnel would not have to touch anything below the network layer, so we wouldn't have a problem when the traffic is not routed via the tunnel interface.
There are several apps in the App Store like Bear Tunnel and NordVPN that have/sell an always-on service. Is this some kind of special entitlement we have to get to have these capabilities?
Thank you.
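For reference, the non-MDM mechanism the question is circling around is an on-demand rule attached to the tunnel configuration: the system re-establishes the tunnel whenever a matching interface comes up, which is the closest an App Store app gets to "always on" without a supervised device (the user can still disable the configuration in Settings). The following is an added example, not code from the original post; the provider bundle identifier, server address and description string are placeholders.

```swift
import NetworkExtension

// Added example: save a Packet Tunnel configuration with an on-demand rule
// that connects on any interface (Wi-Fi or cellular), then start it.
// The two values below are hypothetical placeholders, not values from the post.
let providerBundleID = "com.example.app.PacketTunnel"
let vpnServerAddress = "vpn.example.com"

func installOnDemandTunnel(completion: @escaping (Error?) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, loadError in
        if let loadError = loadError { completion(loadError); return }
        // Reuse the existing configuration if one was saved earlier.
        let manager = managers?.first ?? NETunnelProviderManager()

        let proto = NETunnelProviderProtocol()
        proto.providerBundleIdentifier = providerBundleID
        proto.serverAddress = vpnServerAddress
        manager.protocolConfiguration = proto
        manager.localizedDescription = "DNS filtering tunnel" // placeholder

        // Connect whenever any network interface is available. This is the
        // App Store equivalent of "always on"; unlike the MDM always-on
        // payload it does not stop the user from switching the profile off.
        let connectRule = NEOnDemandRuleConnect()
        connectRule.interfaceTypeMatch = .any
        manager.onDemandRules = [connectRule]
        manager.isOnDemandEnabled = true
        manager.isEnabled = true

        manager.saveToPreferences { saveError in
            if let saveError = saveError { completion(saveError); return }
            // Reload so manager.connection reflects the saved configuration.
            manager.loadFromPreferences { reloadError in
                if let reloadError = reloadError { completion(reloadError); return }
                do {
                    try manager.connection.startVPNTunnel()
                    completion(nil)
                } catch {
                    completion(error)
                }
            }
        }
    }
}
```

Interface changes and sleep/wake are then handled by the system through the rule rather than by the app restarting the tunnel itself.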