VPN configuration

Is it possible to configure, by code or via Apple Configurator, a profile with a VPN payload which uses my custom VPN (my implementation of Packet Tunnel Provider), and will be on-demand or always-on, and will allow traffic from Captive Networking?

Accepted Reply

Earlier I wrote:

I don’t know if it’s possible to implement similar functionality using a Network Extension provider …

I spent some time looking into this and confirmed that it’s not currently possible for third-party VPN transports to connect up to the Always-On VPN infrastructure (r. 21363342). If you'd like to see that supported in the future, I encourage you to file an enhancement request describing your requirements. While we have seen similar requests before, a fresh bug report will allow you to express your needs in your own terms, and allow iOS engineering to gauge the level of demand.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Good to know, thanks again!

Here we go, enhancement request number 29899053 filed; it contains a reference to this post and the DTS request.

Actually, I just realised that support for Always-On is not just unavailable for custom VPN transports created via PacketTunnelProvider (which is what I originally got from Quinn's reference to third-party VPN transports in the reply to my DTS), but for any VPN set up programmatically via the API (including the supposedly supported IKEv2 setup via NEVPNManager). Unless I have missed something, the only way to set up an "enforced" VPN tunnel from an app seems to be to get the app to point to the URL where an IKEv2 VPN configuration profile is hosted, in order to install the VPN via a profile. The latter can be set to "Always-On", which in turn applies to supervised devices. This seems a much harsher limitation of the VPN API than I originally thought.

Is this analysis correct, or have I missed a potential combination of NEVPNManager and supervised device configuration that would allow us to enforce a tunnel created programmatically?
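An added Swift example, written for this thread and not code from the forum, from Apple or from the OpenVPN project, showing what the NetworkExtension API does expose for a custom Packet Tunnel Provider: a NETunnelProviderManager configuration with on-demand rules. The provider bundle identifier, server address and providerConfiguration keys are placeholders. It illustrates the point under discussion: the manager has an on-demand switch but no always-on property, so an enforced tunnel still has to come from a configuration profile on a supervised device.

```swift
import NetworkExtension

/// Loads (or creates) the app's tunnel configuration and marks it on-demand.
///
/// On-demand only re-dials the tunnel when a matching rule fires, and the
/// user can still switch the VPN off in Settings. There is no always-on
/// property on NETunnelProviderManager or NEVPNManager; enforcement requires
/// the Always-On payload of a configuration profile on a supervised device.
func installOnDemandTunnel(completion: @escaping (Error?) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }
        // Reuse the configuration if the app already installed one, so repeated
        // calls do not accumulate duplicate entries under Settings > VPN.
        let manager = managers?.first ?? NETunnelProviderManager()

        let proto = NETunnelProviderProtocol()
        // Placeholder: bundle identifier of the app's packet tunnel extension.
        proto.providerBundleIdentifier = "com.example.app.PacketTunnel"
        // Placeholder: displayed to the user in Settings; not used for routing.
        proto.serverAddress = "vpn.example.com"
        // Placeholder keys; they are handed to the provider's startTunnel(options:).
        proto.providerConfiguration = ["endpoint": "vpn.example.com:443"]

        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example Tunnel"

        // On-demand: bring the tunnel up whenever any interface comes online.
        // Narrower rules exist (ssidMatch on Wi-Fi, or NEOnDemandRuleEvaluateConnection
        // with domain matches), but "connect on any interface" is the closest the
        // API gets to a tunnel that is always up.
        let connectRule = NEOnDemandRuleConnect()
        connectRule.interfaceTypeMatch = .any
        manager.onDemandRules = [connectRule]
        manager.isOnDemandEnabled = true
        manager.isEnabled = true

        manager.saveToPreferences { saveError in
            completion(saveError)
        }
    }
}

/// Starts the tunnel explicitly; with on-demand enabled this is only needed
/// when no rule has fired yet. Reload first, because a manager saved in the
/// same process must be reloaded before its connection can be started.
func startTunnel(_ manager: NETunnelProviderManager, completion: @escaping (Error?) -> Void) {
    manager.loadFromPreferences { loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }
        do {
            try manager.connection.startVPNTunnel()
            completion(nil)
        } catch {
            completion(error)
        }
    }
}
```

The first saveToPreferences call prompts the user to allow the VPN configuration, and the user keeps the ability to disable it afterwards; that user-level control is exactly what the Always-On payload on a supervised device takes away, which is why the thread concludes that the profile route, not the API, is the only way to enforce a tunnel.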

Given that Always-On VPN requires a supervised device, there’s very little point in providing an API for enabling it because the user of the device is unlikely to have the privileges to enable it.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hey Quinn, I don't agree with the interpretation here.

In the same way as the "AlwaysOn" VPN tickbox on the configuration profile states "Supervised Devices Only", so it can be configured ahead of time but will only kick in when the profile is installed on supervised devices, exposing it via the API could follow the same behaviour and allow developers, in conjunction with the device "Supervisor" (usually the IT admins, who are our enterprise customers), to create an app that enforces a tunnel on the end user's device.

With the current limitation, the only solution for a developer is to create an app that downloads and installs a configuration profile, which is viable but fairly limiting in terms of dynamically changing the tunnel configuration... something better achieved with the API approach. This is the same problem described in the OpenVPN for iOS app, where the lack of AlwaysON support in NEVPNManager is identified by the developers as the root cause for the issue raised by the end user: https://forums.openvpn.net/viewtopic.php?t=20820.

I don't agree with the interpretation here.

Well, the good news here is that I’m not the one you have to convince (-:

If you want the VPN subsystem to support something that it currently doesn’t, you need to make that argument to VPN Engineering via an enhancement request.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Eheh, absolutely, the comment was more for the sake of the conversation than anything else 😉. I've already filed an enhancement request for PacketTunnelProvider following the DTS outcome you may remember; I will update that to address the issue as a generic VPN API limitation.

Any news on the feature? Is it implemented? Is it going to be implemented?

I have tried to find enhancement request 29899053 without success. Either it is hidden / not accessible to ordinary users, or I do not know where to search.