
I have been investigating whether it's possible to achieve the following. I have both an IKEv2 VPN server and a Swift iOS client. On the client side I have enabled isOnDemandEnabled on the NEVPNManager and have set the rules to match anything.

import NetworkExtension

// Shared system VPN manager (load preferences before changing it, save afterwards)
let vpnManager = NEVPNManager.shared()
let ikev2 = NEVPNProtocolIKEv2()
ikev2.useExtendedAuthentication = true
...
// Protocol-level settings; keep the tunnel up while the device sleeps
let vpnProtocol: NEVPNProtocol = ikev2
vpnProtocol.disconnectOnSleep = false
vpnManager.protocolConfiguration = vpnProtocol
// On Demand: a single Connect rule that matches every interface type
let connectRule = NEOnDemandRuleConnect()
connectRule.interfaceTypeMatch = .any
vpnManager.onDemandRules = [connectRule]
vpnManager.isOnDemandEnabled = true

This should mean that any attempt to access the internet should match this rule and should only go over the VPN. (This is my understanding of it, I hope that's right).

The kill switch in VPN terminology is a feature that stops all internet traffic going to and from the device as soon as the VPN becomes unavailable. This is to prevent any leakage in case the VPN tunnel becomes inaccessible. This could be as simple as monitoring whether the current IP address fluctuates and using that as a trigger.

What I couldn't find out is whether iOS 10.3+ already does this in the background as long as the On Demand feature is enabled.

Or is it just a way to reconnect to the VPN as soon as the VPN drops, but the traffic could still leak to the existing 4G without the VPN present?

I couldn't find any information regarding this yet. Any advice?

jscs
Houman
  • It's worth noting that the 'Connect On Demand' toggle can still be disabled via Settings -> General -> VPN -> 'Your VPN'. If the user toggles this, then the VPN will be disabled. – Jordan Johnson Feb 19 '19 at 23:43
  • 1
    Yes, but that would be his responsibility. My concern is the chance of an IP address leak if the VPN server was unresponsive. A killswitch would prevent that. But according to my research Connect On Demand is not foolproof when it comes to IP leakage in case of an outage. – Houman Feb 20 '19 at 07:41
  • I share your concern with this approach. I would test against an invalid VPN server and see what happens when the VPN connection cannot be established. As Roee84 said, rvictl with Wireshark will also be very helpful. Note that the newest generation of iPhones (XS / XS Max / XR) aren't compatible with the current rvictl, but there is a fix in Xcode 10.2 beta 2. – Jordan Johnson Feb 21 '19 at 22:06

2 Answers


Yes, once the VPN is set with the above rules (and no split tunnel, for example), all traffic would go via the VPN. If the VPN is disconnected, any traffic would try to initiate it, and won't go via the device. If the VPN can't connect, the traffic won't pass.

Try it yourself - connect the VPN, then cause it to disconnect somehow (prevent network access for example), and then allow it to connect again - check that at this short time of re-connection, no traffic would pass via the device.

Witterquick
  • That's very reassuring, thank you for your response. Is there a tool I would utilise to check the incoming & outgoing traffic on an iOS device? This is so that I can emulate your suggestion in the second paragraph. Thanks – Houman Feb 10 '19 at 11:48
  • Yes, connect your iOS device to your Mac, and capture the packets via the remote virtual interface - see https://developer.apple.com/documentation/network/recording_a_packet_trace – Witterquick Feb 10 '19 at 12:51

Yes, but only if you enable includeAllNetworks, which became available in iOS 14. https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks

Without that, there are no guarantees that all traffic will go through the tunnel. There are some situations where some type of traffic could go outside the VPN, even with the VPN turned ON, leading to IP leaks.

Pahnev
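Putting the question's On Demand configuration and this answer's includeAllNetworks setting together, here is an added example (not code from the question, the answers, or Apple) of a complete IKEv2 profile setup. The helper names configureAlwaysOnIKEv2 and observeTunnelStatus are hypothetical, and the server address, username and keychain password reference are placeholders the caller supplies. The behaviour it relies on is what Apple documents: On Demand rules only trigger a (re)connect, while includeAllNetworks (iOS 14+) is the property that refuses to route traffic outside the tunnel, including while it is down.

```swift
import NetworkExtension

/// Configures the system IKEv2 VPN profile so that the tunnel comes up on
/// demand and, on iOS 14+, no traffic is routed outside it while it is down.
/// Hypothetical helper; serverAddress, username and passwordReference are
/// placeholders the caller provides (passwordReference is a keychain
/// persistent reference, as NEVPNProtocol expects).
func configureAlwaysOnIKEv2(serverAddress: String,
                            username: String,
                            passwordReference: Data,
                            completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()

    // 1. Preferences must be loaded before they are modified and saved.
    manager.loadFromPreferences { loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }

        // 2. IKEv2 protocol settings (EAP user auth, server cert validated).
        let ikev2 = NEVPNProtocolIKEv2()
        ikev2.serverAddress = serverAddress
        ikev2.remoteIdentifier = serverAddress
        ikev2.username = username
        ikev2.passwordReference = passwordReference
        ikev2.authenticationMethod = .none
        ikev2.useExtendedAuthentication = true
        ikev2.disconnectOnSleep = false

        // 3. iOS 14+: the actual kill switch. With this set, the system drops
        //    traffic rather than sending it over Wi-Fi/cellular while the
        //    tunnel is disconnected or reconnecting. On older systems the
        //    property does not exist and On Demand alone gives no such guarantee.
        if #available(iOS 14.0, *) {
            ikev2.includeAllNetworks = true
        }

        manager.protocolConfiguration = ikev2

        // 4. On Demand: bring the tunnel up for any interface type. This only
        //    triggers the connection attempt; it does not block traffic by itself.
        let connectRule = NEOnDemandRuleConnect()
        connectRule.interfaceTypeMatch = .any
        manager.onDemandRules = [connectRule]
        manager.isOnDemandEnabled = true
        manager.localizedDescription = "Example always-on VPN"
        manager.isEnabled = true

        // 5. Persist the profile (the user is prompted for consent once).
        manager.saveToPreferences { saveError in
            completion(saveError)
        }
    }
}

/// Observes tunnel status changes so the app can show a "tunnel down" state
/// instead of silently continuing. Returns the observer token so the caller
/// can remove it with NotificationCenter.default.removeObserver(_:).
func observeTunnelStatus(onChange: @escaping (NEVPNStatus) -> Void) -> NSObjectProtocol {
    return NotificationCenter.default.addObserver(
        forName: .NEVPNStatusDidChange,
        object: nil,
        queue: .main
    ) { _ in
        // .disconnected / .reasserting are the states where, without
        // includeAllNetworks, traffic would fall back to the underlying network.
        onChange(NEVPNManager.shared().connection.status)
    }
}
```

To verify the behaviour rather than trust it, run this on an iOS 14+ device with the server unreachable and capture on the remote virtual interface as the first answer suggests: with includeAllNetworks set you should see no application traffic leaving on the underlying interface while the status stays at .disconnected or .reasserting, whereas with only the On Demand rule some traffic can still appear there.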