From #270:
> What you're doing is in fact "On Demand" rules, not Always-On. Always-On mode is different and will completely block the network traffic if there is no VPN (it also blocks the local network etc).
That Always-On mode sounds awesome and exactly what I want and never managed to get on iOS...
@pwnsdx how would that work?
I would be interested in adding this feature. There are some docs here:
https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW613
In the meantime, you should be able to create an AlwaysOn mobileconfig with Apple Configurator or by hand-editing the ones generated from Algo.
I'll change the wording on the install script so it's more accurate given the differences between On Demand and Always On.
Hello @FiloSottile, glad you're asking. I attached the file, just replace the information with yours.
Always-On has many benefits like:
However I noticed some issues while using it that Apple never fixed. I don't know if the problem is a misunderstanding between Strongswan and iOS but after 5 minutes in sleep the VPN will disconnect and you will not receive notifications anymore (by default On-Demand VPN will bypass the VPN for the push notifications, making your real IP address available all the time to Apple). There is supposed to be a NAT Keepalive interval but it does not seem to work at all. However, if you have a music player running in the background or your phone is plugged into a power supply then it will keep the VPN connection alive. Also, you _need_ to have your device supervised by using Apple Configurator so you may have to erase your iPhone before being able to use Always-On VPN.
Regards,
Sabri
> Also, you need to have your device supervised by using Apple Configurator so you may have to erase your iPhone before being able to use Always-On VPN.
Now I remember why we didn't use this feature :-/
> Now I remember why we didn't use this feature :-/
You can generate both files and tell the user how to do it but he will need Apple Configurator so macOS (might work in a VM).
@pwnsdx Thanks so much for the attached Always On mobileconfig template! I tried to modify the mobileconfig that AlgoVPN spit out in both Apple Configurator 2 as well as in a text editor and I was never able to get it working. Your file worked like a charm!
I would suggest someone add this to the documentation or the build options as it is a use case some people are looking for.
Just as a reference, attached is your template file modified to be a template for AlgoVPN using Digital Ocean. Some of the encryption values are different etc. I also enforce not being able to remove the profile.
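For anyone hand-editing profiles as discussed in this thread, here is an added example (not code from the Algo project or from any commenter) that reads an unsigned .mobileconfig and reports whether its VPN payload is On Demand or Always On, along with the NAT keepalive and removal-lock settings mentioned above. The two sample profiles and the hostname are constructed for illustration; the key names are those in Apple's Configuration Profile Reference.

```python
import plistlib

# Constructed sample profiles (NOT the attachments from this thread).
ON_DEMAND = {
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "VPNType": "IKEv2",
        "IKEv2": {"RemoteAddress": "vpn.example.com", "OnDemandEnabled": 1,
                  "OnDemandRules": [{"Action": "Connect"}]},
    }],
}
ALWAYS_ON = {
    "PayloadType": "Configuration",
    "PayloadRemovalDisallowed": True,  # supervised devices only
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "VPNType": "AlwaysOn",
        "AlwaysOn": {"TunnelConfigurations": [
            {"ProtocolType": "IKEv2", "Interfaces": ["Cellular", "WiFi"],
             "RemoteAddress": "vpn.example.com", "NATKeepAliveInterval": 20}]},
    }],
}

def classify(profile_bytes):
    """Return one summary dict per VPN payload in an unsigned .mobileconfig."""
    profile = plistlib.loads(profile_bytes)  # signed (CMS) profiles will not parse
    results = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        if payload.get("VPNType") == "AlwaysOn":
            tunnels = payload.get("AlwaysOn", {}).get("TunnelConfigurations", [])
            mode = "always-on"
        else:  # only the IKEv2 layout is inspected here
            tunnels = [payload.get("IKEv2", {})]
            enabled = tunnels[0].get("OnDemandEnabled") == 1
            mode = "on-demand" if enabled else "manual"
        results.append({
            "mode": mode,
            "requires_supervision": mode == "always-on",
            "nat_keepalive": [t.get("NATKeepAliveInterval") for t in tunnels],
            "removal_locked": bool(profile.get("PayloadRemovalDisallowed", False)),
        })
    return results

if __name__ == "__main__":
    for sample in (ON_DEMAND, ALWAYS_ON):
        print(classify(plistlib.dumps(sample)))
```

A `nat_keepalive` entry of `None` means the tunnel does not set `NATKeepAliveInterval` and the device default applies.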