
I'm creating a VPN profile through my app and I have the following rules and set up:

    // Requires `import NetworkExtension` at file scope; `manager` is the app's NEVPNManager.

    // IPSec tunnel authenticated with a pre-shared key plus username/password
    // (XAuth); the password and PSK are keychain persistent references.
    let newIPSec = NEVPNProtocolIPSec()

    newIPSec.serverAddress = AppConfiguration.getVPNEndPoint()
    newIPSec.authenticationMethod = NEVPNIKEAuthenticationMethod.sharedSecret
    newIPSec.username = VPNCredentialsModel.instance.vpnUserName()
    newIPSec.passwordReference = VPNCredentialsModel.instance.vpnPasswordReference() as Data?
    newIPSec.sharedSecretReference = VPNCredentialsModel.instance.vpnPresharedKeyReference() as Data?
    newIPSec.useExtendedAuthentication = true
    newIPSec.disconnectOnSleep = false
    self.manager.protocolConfiguration = newIPSec

    // On-demand rules are evaluated in array order; the first matching rule wins.
    let connectRule = NEOnDemandRuleConnect()
    connectRule.interfaceTypeMatch = .any

    // An ignore rule with a probeURL only matches when the probe returns 200 OK;
    // any other response makes evaluation fall through to connectRule.
    let ignoreRule = NEOnDemandRuleIgnore()
    ignoreRule.interfaceTypeMatch = .any
    ignoreRule.probeURL = URL(string: probeURL)

    self.manager.onDemandRules = [ignoreRule, connectRule]
    self.manager.isOnDemandEnabled = true
    self.manager.isEnabled = true

Update
My probeURL is a REST API call which updates the backend and returns 200 or 500 based on the user status. There is some latency since some SQL querying is being carried out. The probeURL expects a 200 OK, else it invalidates the ignore rule. The ignore rule becomes invalid and it tries to connect to the VPN, but the user can't connect anymore since the VPN blocked the user. The iOS device keeps trying in an infinite loop and blocks the internet access of other applications, pushing the device to a brick state. Is there a better way to handle this case?

Suggestion
I can update the DB with a file endpoint that points to the user status like a flag (each user has a file endpoint). If the file is available it returns a 200 OK, and if it's removed it returns 404. This way the probe URL can receive a 200 OK with no latency when needed. However, this might be an extra layer of implementation and file management. What's your view on this? Can someone recommend a better way to handle this test case?

Testing
I was testing a successful scenario with the following probe URL: httpstat.us/200 for ignoreRule to be valid and not connect.

httpstat.us/500 for ignoreRule to be invalid and continue connecting to the VPN.

Siddharthan Asokan
  • Trying to replicate this. Is your server utilizing a self-signed root CA? I can't seem to get the probeURL working even though the cert is installed and trusted. It works if I use https://www.google.com though. – DCToDaylight Dec 10 '16 at 01:32
  • The endpoint is an AWS ELB that has a SSL cert associated using the AWS Cert Manager – Siddharthan Asokan Dec 10 '16 at 08:48
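As an added example (not code from the question or the app it describes), the following Python model walks an onDemandRules list the way the device does: a rule carrying a probeURL matches only when the probe answers 200, otherwise evaluation falls through to the next rule. It also models the flag-file probe sketched in the Suggestion; the probe host probe.example, the user names and the temporary flag directory are constructed for the demo.

```python
import os
import tempfile

PROBE_OK = 200  # a probe must answer exactly 200 for its rule to match


def evaluate_on_demand(rules, probe):
    """Return the action of the first matching rule, walking rules in order.

    rules: list of (action, probe_url) in the order set on onDemandRules,
           probe_url being None when the rule has no probeURL.
    probe: callable(url) -> HTTP status the device would receive.
    """
    for action, probe_url in rules:
        if probe_url is not None and probe(probe_url) != PROBE_OK:
            continue  # probe did not return 200: rule does not match, fall through
        return action
    return None  # no rule matched: no on-demand action is taken


def rules_for(probe_url):
    """The question's list: ignore-with-probe first, then connect on any interface."""
    return [("ignore", probe_url), ("connect", None)]


def httpstat_probe(url):
    """Stand-in for the httpstat.us/<code> endpoints used in the Testing section."""
    return int(url.rstrip("/").rsplit("/", 1)[-1])


def flag_file_probe(flag_dir):
    """Probe from the Suggestion: 200 while the user's flag file exists, 404 once removed."""
    def probe(url):
        user = url.rsplit("/", 1)[-1]
        return 200 if os.path.isfile(os.path.join(flag_dir, user)) else 404
    return probe


def action_for_user(flag_dir, user):
    """On-demand action for one user under the flag-file scheme (hypothetical probe host)."""
    url = f"https://probe.example/status/{user}"
    return evaluate_on_demand(rules_for(url), flag_file_probe(flag_dir))


def demo_flag_scheme():
    """Constructed data: alice still has her flag file, bob's has been removed."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "alice"), "w").close()
        return {user: action_for_user(d, user) for user in ("alice", "bob")}
```

Running demo_flag_scheme() returns "ignore" for alice and "connect" for bob: in both the REST and the flag-file scheme, any non-200 probe result makes the connect rule fire, which is the connection attempt the Update describes.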

0 Answers