Algo: iOS Always-On

Created on 25 Mar 2017 · 5 Comments · Source: trailofbits/algo

From #270:

What you're doing is in fact "On Demand" rules, not Always-On. Always-On mode is different and will completely block the network traffic if there is no VPN (it also blocks the local network etc.).

That Always-On mode sounds awesome and exactly what I want and never managed to get on iOS...

@pwnsdx how would that work?

wontfix

All 5 comments

I would be interested in adding this feature. There are some docs here:
https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW613

In the meantime, you should be able to create an AlwaysOn mobileconfig with Apple Configurator or by hand-editing the ones generated from Algo.

I'll change the wording on the install script so it's more accurate given the differences between On Demand and Always On.

Hello @FiloSottile, glad you're asking. I attached the file, just replace the information with yours.

Server.mobileconfig.zip

Always-On has many benefits, like:

  • The ability to completely block the outgoing traffic to the local network (say goodbye to your Philips Hue bulbs or the like if you have any; Bluetooth obviously still works on the other hand)
  • And the incoming one as well (this will also block the iTunes Wi-Fi Sync port 62078, which is a great thing; however, the VPN server will still be able to access it as usual, except when using it over cellular)
  • It will create 2 VPN connections if you are connected to a cellular network and a Wi-Fi network; iOS prefers cellular connections for push notifications as, according to Apple, "they are more reliable", unlike On-Demand which can only handle one connection at a time.
  • It will connect as soon as a network is up
  • It can block AirPrint and VoiceMail (they are in the config file, you can re-enable them if you want)

However, I noticed some issues while using it that Apple never fixed. I don't know if the problem is a misunderstanding between strongSwan and iOS, but after 5 minutes in sleep the VPN will disconnect and you will not receive notifications anymore (by default On-Demand VPN will bypass the VPN for the push notifications, making your real IP address available all the time to Apple). There is supposed to be a NAT Keepalive interval but it does not seem to work at all. However, if you have a music player running in the background or your phone is plugged into a power supply, then it will keep the VPN connection alive. Also, you _need_ to have your device supervised using Apple Configurator, so you may have to erase your iPhone before being able to use Always-On VPN.

Regards,
Sabri

Also, you need to have your device supervised using Apple Configurator, so you may have to erase your iPhone before being able to use Always-On VPN.

Now I remember why we didn't use this feature :-/

You can generate both files and tell the user how to do it, but he will need Apple Configurator, so macOS (might work in a VM).

@pwnsdx Thanks so much for the attached Always On mobileconfig template! I tried to modify the mobileconfig that AlgoVPN spit out in both Apple Configurator 2 as well as in a text editor and I was never able to get it working. Your file worked like a charm!

I would suggest someone add this to the documentation or the build options as it is a use case some people are looking for.

Just as a reference, attached is your template file modified to be a template for AlgoVPN using DigitalOcean. Some of the encryption values are different, etc. I also enforce not being able to remove the profile.

AlwaysOnVPNTemplate_AlgoVPN.mobileconfig.zip
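As an added illustration (not code from this thread or from the Algo project) of the hand edit discussed in Sabri's comment and in the modified template above: a Python script that turns an Algo-style IKEv2 On Demand payload into an Always-On payload, drops VoiceMail and AirPrint, and marks the profile non-removable. The `AlwaysOn`, `TunnelConfigurations`, `ServiceExceptions`, `UIToggleEnabled` and `PayloadRemovalDisallowed` keys follow Apple's Configuration Profile Reference linked earlier; `SAMPLE_PROFILE` is a constructed stand-in and the function names are my own.

```python
import copy
import plistlib

# Constructed stand-in for an Algo IKEv2 mobileconfig (the real file has more keys,
# which the conversion carries over untouched).
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.algo.vpn",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "PayloadIdentifier": "example.algo.vpn.ikev2",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "VPNType": "IKEv2",
        "OnDemandEnabled": 1,
        "OnDemandRules": [{"Action": "Connect"}],
        "IKEv2": {
            "RemoteAddress": "vpn.example.invalid",
            "RemoteIdentifier": "vpn.example.invalid",
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000003",
        },
    }],
}

def to_always_on(profile, blocked=("VoiceMail", "AirPrint")):
    """Return a copy of `profile` with each IKEv2 VPN payload turned Always-On."""
    out = copy.deepcopy(profile)
    out["PayloadRemovalDisallowed"] = True      # the user cannot remove the profile
    for payload in out["PayloadContent"]:
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        ike = payload.pop("IKEv2")              # tunnel settings move under AlwaysOn
        payload.pop("OnDemandEnabled", None)    # Always-On replaces On Demand rules
        payload.pop("OnDemandRules", None)
        payload["VPNType"] = "AlwaysOn"
        payload["AlwaysOn"] = {
            "UIToggleEnabled": 0,               # no VPN on/off switch in Settings
            "TunnelConfigurations": [dict(ike, ProtocolType="IKEv2",
                                          Interfaces=["Cellular", "WiFi"])],
            "ServiceExceptions": [{"ServiceName": s, "Action": "Drop"} for s in blocked],
        }
    return out

def to_mobileconfig(profile):
    return plistlib.dumps(to_always_on(profile))   # XML plist for Apple Configurator

def always_on_payload(mobileconfig_bytes):
    content = plistlib.loads(mobileconfig_bytes)["PayloadContent"]   # parse back
    return next((p for p in content if p.get("VPNType") == "AlwaysOn"), None)
```

The device still has to be supervised for iOS to accept the resulting profile, as the thread notes.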
