Limits for always on/on demand VPN?

I have been working on a Packet Tunnel Network Extension that establishes a VPN connection with a server. The main purpose is to block websites that the VPN server considers safe websites when resolving the DNS. If the website is considered safe it will resolve the website and allow traffic.


This solution is implemented by establishing a VPN tunnel using the OpenVPN protocol.


From reading the documentation I see there is a difference being made between always-on VPN and on-demand VPN. What I can see is that I can implement an on-demand VPN, for example by distributing my app in the App Store. What I can't do is implement an always-on VPN other than by managing devices. This couldn't be an option for us.


I would like to know if there are specifications or part in the documentation that can answer some of these questions:


* Are the VPN connections shut down when the device goes to sleep? I can see this because my device does it but haven't seen this in the documentation.

* Can I establish an always on VPN without having supervised devices? I can reset my VPN when my network interface changes and try to have my "always on" implementation.

* In some part of the documentation they mention that for iOS devices there are two virtual interfaces, one for Cellular and the other for Wi-Fi. My NEPacketTunnelProvider does not differentiate between two `tun` interfaces, so is this only for managed devices?

* Are the VPN tunnels time restricted? I don't know if I am having too many problems with this or this is something hard to work with but the tunnel seems to disconnect after a while when the device goes to sleep.

* If I cannot establish an always-on VPN and I cannot force my traffic to go out of my tun interface, would establishing an IPsec tunnel be another viable option? AFAIK an IPsec tunnel would not have to touch anything below the network layer, so we wouldn't have a problem when the traffic is not routed via the tunnel interface.


There are several apps in the App Store like Bear Tunnel and NordVPN and they have/sell an always-on service. Is this some kind of special entitlement we have to get to have these capabilities?


Thank you.
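For the DNS-based filtering the original post describes, the tunnel side has to do two things: install a default route so the virtual interface sees all traffic, and claim every DNS query so the system resolver sends it to the filtering resolver inside the tunnel. The following is an added example, not the poster's code or Apple's; `FilteringServer` and the addresses in it are constructed stand-ins for whatever the OpenVPN handshake actually negotiates, and the OpenVPN packet forwarding itself is out of scope here.

```swift
import NetworkExtension

// Constructed stand-in for the parameters the OpenVPN session negotiates.
struct FilteringServer {
    let remoteAddress: String   // the VPN server the tunnel terminates on
    let clientAddress: String   // address assigned to this client inside the tunnel
    let subnetMask: String
    let dnsServers: [String]    // resolver(s) reachable only through the tunnel
}

final class FilteringTunnelProvider: NEPacketTunnelProvider {

    /// Builds the settings applied to the virtual interface. Kept separate from
    /// startTunnel so the routing/DNS policy can be inspected in a unit test.
    static func makeNetworkSettings(for server: FilteringServer) -> NEPacketTunnelNetworkSettings {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: server.remoteAddress)

        let ipv4 = NEIPv4Settings(addresses: [server.clientAddress],
                                  subnetMasks: [server.subnetMask])
        // Default route: every IPv4 packet is handed to this provider's packetFlow.
        // Without this, only traffic for the included routes reaches the tunnel.
        ipv4.includedRoutes = [NEIPv4Route.default()]
        settings.ipv4Settings = ipv4

        let dns = NEDNSSettings(servers: server.dnsServers)
        // A single empty-string match domain means "all domains": the system
        // resolver sends every query to these servers, which is where the
        // allow/deny decision is made. Leaving matchDomains nil would let queries
        // for most names bypass the filtering resolver.
        dns.matchDomains = [""]
        settings.dnsSettings = dns

        // Leave headroom for OpenVPN encapsulation on the physical interface.
        settings.mtu = 1400
        return settings
    }

    override func startTunnel(options: [String : NSObject]? = nil,
                              completionHandler: @escaping (Error?) -> Void) {
        // Constructed values; a real provider takes these from the OpenVPN session.
        let server = FilteringServer(remoteAddress: "203.0.113.10",
                                     clientAddress: "10.8.0.2",
                                     subnetMask: "255.255.255.0",
                                     dnsServers: ["10.8.0.1"])

        setTunnelNetworkSettings(Self.makeNetworkSettings(for: server)) { error in
            if let error = error {
                // Settings were rejected; report it so the system tears the tunnel down.
                completionHandler(error)
                return
            }
            // From here on, read from self.packetFlow and hand packets to the
            // OpenVPN transport (not shown).
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        // Close the OpenVPN transport here; the system removes the network
        // settings itself once the completion handler runs.
        completionHandler()
    }
}
```

The point a practitioner checks first is the `matchDomains = [""]` line: with it, a query the filtering resolver refuses to answer fails closed, because no other resolver is consulted; without it, the system can resolve the name over the physical interface and the filter is bypassed even though the tunnel is up.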

Accepted Reply

but for some cases, pe kids, it will block websites such as adult content or gambling. So the user wants the protection provided by the VPN.

Ah um, I guess that depends on your definition of user. In my experience a kid rarely installs a content filter [1]. It’s installed by an adult and applied to the kid, and thus the kid may well be actively subverting the filter.

Would I be able to establish an always on VPN without a Network Extension Tunnel Provider? Or is this only for managed devices?

Always-on VPN requires IKEv2 on a supervised device.

I cannot see the radar you mentioned

Indeed. As a rule, you can only see info about bugs you file. However, I still post bug numbers, just for the record (and for the benefit of other Apple folks reading this thread, including Future Quinn™).

Returning to the questions in your previous post:

Are the VPN connections shut down when the device goes to sleep?

See this post.

Can I establish an always on VPN without having supervised devices?

We’ve covered this in depth already.

In some part of the documentation they mention that for iOS devices there are two virtual interfaces, one for Cellular and the other for Wi-Fi. My NEPacketTunnelProvider does not differentiate between two `tun` interfaces, so is this only for managed devices?

Can you point me to the documentation in question? I’d like to read the comment in context before I offer an opinion.

Are the VPN tunnels time restricted?

No.

If I cannot establish an always on and I cannot force my traffic to go out of my tun interface, would establishing an IPSec tunnel another viable option?

iOS has no mechanism for third parties to configure IPsec in this way.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Although there are edge cases. I was once helping a developer whose content filter was targeted ******* who wanted to block triggers, and thus there was only an adult and they weren’t trying to subvert the filter.
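Quinn's answer above rules out Always-on VPN for an unsupervised device, and the original post mentions on-demand VPN as what an App Store app can do. The closest approximation to "always on" in that case is an on-demand configuration whose rule is simply "connect on any interface", so the system itself re-establishes the tunnel whenever the device regains connectivity, rather than the app restarting it on interface changes. The following is an added example, not code from this thread; the bundle identifier, server name and description are hypothetical.

```swift
import NetworkExtension

enum FilterVPNConfig {
    // Hypothetical identifiers; replace with the real extension and server.
    static let providerBundleID = "com.example.filtervpn.tunnel"
    static let serverAddress = "vpn.example.com"

    /// One rule: connect whenever any interface (Wi-Fi or cellular) is available.
    /// The system evaluates this on every network change, so there is no need
    /// for the app to watch for interface changes and restart the tunnel itself.
    static func onDemandRules() -> [NEOnDemandRule] {
        let connect = NEOnDemandRuleConnect()
        connect.interfaceTypeMatch = .any
        return [connect]
    }

    /// Applies the protocol and on-demand settings to a manager object.
    static func configure(_ manager: NETunnelProviderManager) {
        let proto = NETunnelProviderProtocol()
        proto.providerBundleIdentifier = providerBundleID
        proto.serverAddress = serverAddress
        if #available(iOS 14.0, *) {
            // Fail closed: while the tunnel is not up, traffic is dropped rather
            // than sent over the physical interface, which addresses the
            // "cannot force my traffic through the tun interface" concern.
            proto.includeAllNetworks = true
        }
        manager.protocolConfiguration = proto
        manager.localizedDescription = "Filtering VPN"   // shown in Settings
        manager.isEnabled = true
        manager.isOnDemandEnabled = true
        manager.onDemandRules = onDemandRules()
    }

    /// Loads the app's existing configuration (or creates one), configures it,
    /// and saves it. The first save prompts the user for consent; an unmanaged
    /// device cannot skip that prompt, and the user can still disable the VPN
    /// in Settings, which is exactly the gap Always-on VPN exists to close.
    static func install(completion: @escaping (Error?) -> Void) {
        NETunnelProviderManager.loadAllFromPreferences { managers, loadError in
            if let loadError = loadError {
                completion(loadError)
                return
            }
            let manager = managers?.first ?? NETunnelProviderManager()
            configure(manager)
            manager.saveToPreferences { saveError in
                completion(saveError)
            }
        }
    }
}
```

Two caveats worth keeping in mind when reading this: an on-demand rule keeps the tunnel coming back after sleep and network changes, but it does not survive the user turning the configuration off, and `includeAllNetworks` is only honoured on iOS 14 and later, so on earlier systems traffic can leave over the physical interface while the tunnel is reconnecting.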

Replies

First up, it’s not currently possible to implement Always-on VPN in a NetworkExtension tunnel provider (r. 21363342).

The main purpose is to block websites that the VPN server considers safe websites when resolving the DNS.

Is this actually a VPN? Or is it a content filter? The key difference is one of user intent. With a VPN, the user wants the protection provided by the VPN, and actively works to keep it running. In contrast, in a content filter, someone imposes the filter on the user and, at least in some cases, the user actively tries to subvert the VPN.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

It is a VPN service to tunnel the connections, but for some cases, pe kids, it will block websites such as adult content or gambling. So the user wants the protection provided by the VPN.


Would I be able to establish an always on VPN without a Network Extension Tunnel Provider? Or is this only for managed devices?


Is there any info relating referencing the questions about the interfaces above?


I cannot see the radar you mentioned (http://openradar.appspot.com/21363342)


Thank you for such a detailed answer, Quinn. It solved many of the questions I had!