.mobileconfig files for VPN On Demand on both iOS and macOS.
For more information, please see: https://nerd.one/vpn-on-demand-configuration-profiles-for-ios-and-macos-explained/
----
VPN ON DEMAND CONFIGURATION PROFILES FOR IOS AND MACOS
In modern times, private companies and intelligence agencies collect more and more data on our daily lives and on how we use our smartphones: they want to know where we are, what we eat, what we buy, how we spend our free time, and much more. Those companies use this data for all kinds of marketing, such as personalised advertising and even individual pricing. Yes, you probably pay more for the exact same product than your neighbour does. Because of all this, the number of people using VPN services to improve their online privacy and security is growing.
In this blog post, I will guide you through the basic steps, and some more complex on demand rules, for setting up VPN On Demand using a .mobileconfig configuration profile for iPhone and Mac.
THE BASIC STRUCTURE
First of all, the configuration file for VPN On Demand is a plain text document with XML markup (an Apple property list). To create one, just open up your favourite text editor and save a new file with the extension .mobileconfig. See also the official configuration profile reference.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            ...
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>VPN OnDemand</string>
    <key>PayloadIdentifier</key>
    <string>one.nerd.vpn.a4303bdf-0857-4f61-8eac-76d6e8a81fbf</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>7e674e2c-baa6-40b9-9874-712c9be856fe</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Some information is already filled in. Do you see those Payload* keys? They are mandatory so that the system (iOS/macOS) can correctly identify the configuration profile's contents once it is imported. Feel free to change PayloadDisplayName, PayloadIdentifier and PayloadUUID, but keep in mind to use different UUIDs for different configuration profiles. Read more about UUIDs on Wikipedia.
ADDING VPN CONFIGURATION
Using the above structure, the actual VPN configuration (VPN type, server settings, and login credentials) needs to be added. This example configuration profile uses IPsec for an average level of security and speed (IPsec needs to be supported by your VPN provider, and some values may vary). Now back to your configuration profile:
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPSec</key>
            <dict>
                <key>AuthenticationMethod</key>
                <string>SharedSecret</string>
                <key>LocalIdentifierType</key>
                <string>KeyID</string>
                <key>RemoteAddress</key>
                <string>remote.example.com</string>
                <key>SharedSecret</key>
                <data>SW5zZXJ0IGJhc2U2NCBlbmNvZGVkIFNoYXJlZCBTZWNyZXQgSGVyZQ==</data>
                <key>XAuthEnabled</key>
                <integer>1</integer>
                <key>XAuthName</key>
                <string>Insert Username Here</string>
                <key>XAuthPassword</key>
                <string>Insert Password Here</string>
                <key>OnDemandEnabled</key>
                <integer>1</integer>
                <key>OnDemandRules</key>
                <array>
                    ...
                </array>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>1</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>VPN OnDemand Settings</string>
            <key>PayloadDisplayName</key>
            <string>VPN</string>
            <key>PayloadIdentifier</key>
            <string>one.nerd.vpn.8494947c-7611-498f-9cbe-631bd9be35f6</string>
            <key>PayloadType</key>
            <string>one.nerd.vpn</string>
            <key>PayloadUUID</key>
            <string>761ec841-faae-473f-b2af-55cd6bd8374c</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Proxies</key>
            <dict>
                <key>HTTPEnable</key>
                <integer>0</integer>
                <key>HTTPSEnable</key>
                <integer>0</integer>
            </dict>
            <key>UserDefinedName</key>
            <string>VPN OnDemand</string>
            <key>VPNType</key>
            <string>IPSec</string>
        </dict>
    </array>
This information needs to be changed:
- RemoteAddress should match your VPN provider's server hostname
- SharedSecret is a base64 encoded string (ask your provider for that string); use DuckDuckGo to encode YourSharedSecret
- XAuthName is your username
- XAuthPassword is your password
If you prefer not to store the login credentials inside the configuration file (it is plain text, so anyone who gets hold of the file can read them), you can simply remove those lines. When importing the profile on your iPhone or Mac, you will be asked to provide them once.
ON DEMAND RULES
The on demand rules are an array of rule dictionaries. Each rule is checked against the current network configuration, and the first rule that matches is used. Based on the action of the matching rule (Action value in brackets), a VPN connection is either established (Connect), disconnected (Disconnect), evaluated for each connection attempt (EvaluateConnection), or left as it is (Ignore). This is the structure of an on demand rule:
<dict>
    <key>Action</key>
    <string>Connect</string>
</dict>
This simple rule, which always matches, consists only of a key (Action) and a value (Connect). To add more spice we can use InterfaceTypeMatch (allowed values are Cellular, Ethernet, and WiFi).
SOME BASIC ON DEMAND RULES FOR DIFFERENT NETWORK INTERFACES
Let's create rules to always connect on WiFi and cellular networks, but disconnect on Ethernet. Since we define explicit rules for cellular and WiFi, we can safely skip adding InterfaceTypeMatch to the third rule, which then catches everything else. The resulting code for this scenario is this:
<dict>
    <key>Action</key>
    <string>Connect</string>
    <key>InterfaceTypeMatch</key>
    <string>Cellular</string>
</dict>
<dict>
    <key>Action</key>
    <string>Connect</string>
    <key>InterfaceTypeMatch</key>
    <string>WiFi</string>
</dict>
<dict>
    <key>Action</key>
    <string>Disconnect</string>
</dict>
ONLY ESTABLISH A VPN CONNECTION WHEN CONNECTED TO CERTAIN NETWORKS
Let's say you want VPN On Demand for every new WiFi network you connect to, but don't want it established on the two WiFi networks you have at home and at work. This can be done using the key SSIDMatch. The rules will then look like this:
<dict>
    <key>Action</key>
    <string>Disconnect</string>
    <key>InterfaceTypeMatch</key>
    <string>WiFi</string>
    <key>SSIDMatch</key>
    <array>
        <string>My Private Home Network</string>
        <string>Company WiFi SSID</string>
    </array>
</dict>
<dict>
    <key>Action</key>
    <string>Connect</string>
    <key>InterfaceTypeMatch</key>
    <string>WiFi</string>
</dict>
Reminder: the first rule that matches will be used. Therefore it's important to keep the rules in the order shown above. If it were the other way round, the more specific rule to disconnect on certain WiFi networks would never be used, because the plain WiFi Connect rule matches first.
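To see how first-match ordering plays out, here is an added Python example (not code from the original post or the nerd.one repository) that parses a constructed OnDemandRules fragment with plistlib and evaluates it the way the text describes, first matching rule wins. The network state passed in (interface type, SSID) and the rule_matches logic, which only handles InterfaceTypeMatch and SSIDMatch, are my own assumptions.

```python
import plistlib

# Constructed sample: the two WiFi rules from the text, as a plist fragment.
RULES_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Action</key><string>Disconnect</string>
    <key>InterfaceTypeMatch</key><string>WiFi</string>
    <key>SSIDMatch</key>
    <array><string>My Private Home Network</string><string>Company WiFi SSID</string></array>
  </dict>
  <dict>
    <key>Action</key><string>Connect</string>
    <key>InterfaceTypeMatch</key><string>WiFi</string>
  </dict>
</array>
</plist>
"""


def load_rules(data=RULES_PLIST):
    """Parse an OnDemandRules array from plist XML into a list of dicts."""
    return plistlib.loads(data)


def rule_matches(rule, interface, ssid=None):
    """A rule matches when every match key it carries is satisfied;
    a rule with no match keys (like a trailing catch-all) always matches."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != interface:
        return False
    if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
        return False
    return True


def evaluate(rules, interface, ssid=None):
    """First matching rule wins, as the OS does; None when nothing matches."""
    for rule in rules:
        if rule_matches(rule, interface, ssid):
            return rule["Action"]
    return None


if __name__ == "__main__":
    rules = load_rules()
    print(evaluate(rules, "WiFi", "Company WiFi SSID"))  # Disconnect
    print(evaluate(rules, "WiFi", "Coffee Shop"))        # Connect
    # Reversed order: the plain WiFi Connect rule shadows the Disconnect rule.
    print(evaluate(rules[::-1], "WiFi", "Company WiFi SSID"))  # Connect
```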
EVALUATE CONNECTION: VPN ON DEMAND FOR SPECIFIC DOMAINS ONLY
Maybe you want to establish a VPN connection for some domains only, or you want to make sure that accessing those domains will always trigger a VPN connection. The rule for this looks like this:
<dict>
    <key>Action</key>
    <string>EvaluateConnection</string>
    <key>ActionParameters</key>
    <array>
        <dict>
            <key>Domains</key>
            <array>
                <string>example.com</string>
            </array>
            <key>DomainAction</key>
            <string>ConnectIfNeeded</string>
        </dict>
    </array>
</dict>
Now, let me explain what all that means. EvaluateConnection tells the operating system to look at ActionParameters, a list (array) of dictionaries similar to the on demand rules. Allowed keys for these dictionaries are:
- Domains, required: an array of domains that trigger the evaluation
- DomainAction, required: ConnectIfNeeded or NeverConnect, which are self-explanatory
- RequiredDNSServers, optional: an array of IP addresses of DNS servers used to resolve the domains; this may be necessary for your company's internal hostnames
- RequiredURLStringProbe, optional: a URL to probe; if no HTTP response code is received, a VPN connection will be established
MORE COMPLEX RULES
If you want to, you can even combine EvaluateConnection with InterfaceTypeMatch and SSIDMatch:
<dict>
    <key>Action</key>
    <string>EvaluateConnection</string>
    <key>InterfaceTypeMatch</key>
    <string>WiFi</string>
    <key>SSIDMatch</key>
    <array>
        <string>Company WiFi SSID</string>
    </array>
    <key>ActionParameters</key>
    <array>
        <dict>
            <key>Domains</key>
            <array>
                <string>example.com</string>
            </array>
            <key>DomainAction</key>
            <string>ConnectIfNeeded</string>
            <key>RequiredURLStringProbe</key>
            <string>https://internal.yourawesomecompany.com</string>
        </dict>
    </array>
</dict>
Feel free to add as many dictionaries to your OnDemandRules array as you need, until all your wishes and needs are covered.
APPENDIX, OR: CONNECTIFNEEDED NOT WORKING
What I found out is that in some circumstances my device does not establish a VPN connection for a certain domain, even when I am sure the EvaluateConnection rule is being used. Therefore, I created a workaround (a nice little script on my server) to help me out.
That script is hosted on https://vpn.nerd.one and what it does is: it takes an input IP address or range of IP addresses, compares it to the connecting client's IP address and sends back a specific HTTP status code. If the client's IP address is equal to the input or lies within the range of IP addresses provided, that status code will be HTTP/1.1 200 OK. If the client's IP cannot be described by the input, status code HTTP/1.1 404 Not Found will be returned.
Using this, and knowing the possible IP addresses your VPN provider assigns, we can use the RequiredURLStringProbe key to make sure a VPN connection will always be established when connecting to a certain domain, even if resolving the domain name works. The code snippet will look like this:
<dict>
    <key>Domains</key>
    <array>
        <string>nerd.one</string>
    </array>
    <key>DomainAction</key>
    <string>ConnectIfNeeded</string>
    <key>RequiredURLStringProbe</key>
    <string>https://vpn.nerd.one/12.34.56.78-87</string>
</dict>
Assuming the possible IP addresses the VPN provider assigns are from 12.34.56.78 to 12.34.56.87, the string to use is https://vpn.nerd.one/12.34.56.78-87. If the range is bigger than that, the input can be changed accordingly. All of these would be valid input:
SINGLE IP ADDRESSES, I.E.:
- 95.143.172.196
- 95.143.172.240
A RANGE OR SUBNET OF IP ADDRESSES, I.E.:
- 95.143.172.140-250
- 95.143.172.0-255
- 95.143.171-172.0-255
- 95.143.0-255.50-100
Feel free to open that URL in your browser and try different input until you are happy with your IP address or range of IP addresses.
Note: only one input at a time is allowed. Don't try input like: https://vpn.nerd.one/12.34.56.78-87,95.143.172.0-255
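As an added example (my own Python, not the author's server script), this re-implements the matching described above: one spec, either a single IPv4 address or per-octet ranges such as 95.143.171-172.0-255, is compared against the client's address and answered with 200 or 404. The function names are assumptions; comma-separated multi-input is rejected, as the note says.

```python
def parse_spec(spec):
    """Parse one probe spec into four (low, high) octet ranges.

    Accepted forms are those listed above: a single address such as
    '95.143.172.196' or per-octet ranges such as '95.143.171-172.0-255'.
    Anything else, including comma-separated multi-input, raises ValueError.
    """
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError("expected exactly four dotted octet fields")
    ranges = []
    for field in fields:
        low_s, _, high_s = field.partition("-")
        low, high = int(low_s), int(high_s or low_s)  # '196' means 196-196
        if not 0 <= low <= high <= 255:
            raise ValueError(f"bad octet field {field!r}")
        ranges.append((low, high))
    return ranges


def is_valid_spec(spec):
    """True if the service would accept this input at all."""
    try:
        parse_spec(spec)
        return True
    except ValueError:
        return False


def client_in_spec(client_ip, spec):
    """True if every octet of client_ip lies inside the corresponding range."""
    octets = [int(x) for x in client_ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {client_ip!r}")
    return all(low <= o <= high for o, (low, high) in zip(octets, parse_spec(spec)))


def probe_status(client_ip, spec):
    """Status code the probe URL answers with: 200 when the client connects
    from inside the VPN range, 404 otherwise."""
    return 200 if client_in_spec(client_ip, spec) else 404


if __name__ == "__main__":
    # Constructed client addresses checked against the range from the text.
    print(probe_status("12.34.56.80", "12.34.56.78-87"))  # 200
    print(probe_status("203.0.113.5", "12.34.56.78-87"))  # 404
```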
A SAMPLE CONFIGURATION FILE
Over on GitHub, you can find the most recent version of a sample configuration file for VPN On Demand. Feel free to contribute. All this has been tested and confirmed to work with iOS 10 and macOS Sierra. Finally, here is a sample configuration file you can use as a starting point for your very own VPN On Demand configuration:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPSec</key>
            <dict>
                <key>AuthenticationMethod</key>
                <string>SharedSecret</string>
                <key>LocalIdentifierType</key>
                <string>KeyID</string>
                <key>RemoteAddress</key>
                <string>remote.example.com</string>
                <key>SharedSecret</key>
                <data>SW5zZXJ0IGJhc2U2NCBlbmNvZGVkIFNoYXJlZCBTZWNyZXQgSGVyZQ==</data>
                <key>XAuthEnabled</key>
                <integer>1</integer>
                <key>XAuthName</key>
                <string>Insert Username Here</string>
                <key>XAuthPassword</key>
                <string>Insert Password Here</string>
                <key>OnDemandEnabled</key>
                <integer>1</integer>
                <key>OnDemandRules</key>
                <array>
                    <dict>
                        <key>Action</key>
                        <string>Connect</string>
                        <key>InterfaceTypeMatch</key>
                        <string>WiFi</string>
                        <key>SSIDMatch</key>
                        <array>
                            <string>Name of WiFi Network Here</string>
                            <string>Another WiFi Network</string>
                        </array>
                    </dict>
                    <dict>
                        <key>Action</key>
                        <string>Disconnect</string>
                        <key>InterfaceTypeMatch</key>
                        <string>WiFi</string>
                        <key>SSIDMatch</key>
                        <array>
                            <string>My Private Home Network</string>
                            <string>Pretty WiFi for a white guy</string>
                        </array>
                    </dict>
                    <dict>
                        <key>Action</key>
                        <string>EvaluateConnection</string>
                        <key>InterfaceTypeMatch</key>
                        <string>WiFi</string>
                        <key>SSIDMatch</key>
                        <array>
                            <string>Name of WiFi Network Here</string>
                            <string>Another WiFi Network</string>
                        </array>
                        <key>ActionParameters</key>
                        <array>
                            <dict>
                                <key>Domains</key>
                                <array>
                                    <string>example.com</string>
                                </array>
                                <key>DomainAction</key>
                                <string>ConnectIfNeeded</string>
                                <key>RequiredURLStringProbe</key>
                                <string>https://vpn.nerd.one/12.34.56.78</string>
                            </dict>
                        </array>
                    </dict>
                    <dict>
                        <key>Action</key>
                        <string>Connect</string>
                        <key>InterfaceTypeMatch</key>
                        <string>Cellular</string>
                    </dict>
                    <dict>
                        <key>Action</key>
                        <string>Disconnect</string>
                        <key>InterfaceTypeMatch</key>
                        <string>Ethernet</string>
                    </dict>
                    <dict>
                        <key>Action</key>
                        <string>Connect</string>
                        <key>InterfaceTypeMatch</key>
                        <string>WiFi</string>
                    </dict>
                    <dict>
                        <key>Action</key>
                        <string>Ignore</string>
                    </dict>
                </array>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>1</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>VPN OnDemand Settings</string>
            <key>PayloadDisplayName</key>
            <string>VPN</string>
            <key>PayloadIdentifier</key>
            <string>one.nerd.vpn.8494947c-7611-498f-9cbe-631bd9be35f6</string>
            <key>PayloadType</key>
            <string>one.nerd.vpn</string>
            <key>PayloadUUID</key>
            <string>761ec841-faae-473f-b2af-55cd6bd8374c</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Proxies</key>
            <dict>
                <key>HTTPEnable</key>
                <integer>0</integer>
                <key>HTTPSEnable</key>
                <integer>0</integer>
            </dict>
            <key>UserDefinedName</key>
            <string>VPN OnDemand</string>
            <key>VPNType</key>
            <string>IPSec</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>VPN OnDemand</string>
    <key>PayloadIdentifier</key>
    <string>one.nerd.vpn.a4303bdf-0857-4f61-8eac-76d6e8a81fbf</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>7e674e2c-baa6-40b9-9874-712c9be856fe</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
 from https://nerd.one/vpn-on-demand-configuration-profiles-for-ios-and-macos-explained/ 