OpenVPN and Per-app VPN on iOS7

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post by dafa » Sun Mar 09, 2014 10:19 am

Hi everyone, I’m researching the per-app VPN and OnDemandMatchAppEnabled feature on OpenVPN and iOS7, but I couldn’t make it work.
My VPN profile installs on my iPhone fine and everything looks OK. I pushed my app to the iPhone by MDM, and I pushed the per-app VPN binding command to the iPhone by MDM too, but the VPN did not connect automatically when the managed app launched.
I have checked and tested everything by reading the latest iPhoneConfigurationProfileRef and OpenVPN Connect iOS FAQ, but still no success.
Could anyone please help me?


Work flow:
------------------------------------------------------------
1. Enroll my iPhone in the MDM
2. Push a managed app (com.xxx.MYAPP) to my iPhone
3. Write an OpenVPN VoD profile and install it on my iPhone, to confirm the VPN settings are OK
4. Edit the OpenVPN VoD profile, replacing the PayloadType com.apple.vpn.managed with com.apple.vpn.managed.applayer and some other info...
5. Install the new OpenVPN profile on my iPhone
6. Push a Setting command (containing the per-app VPN binding info) to my iPhone.
7. Launch the managed app and check the log info in IPCU.


Result:
------------------------------------------------------------
VPN did not connect automatically.
Log info in IPCU:
… ...
Mar 3 20:07:29 DafaPhone MYAPP[2347] <Notice>: App VPN rule com.xxx.MYAPP matched [signing ID = com.xxx.MYAPP] [domain = (null)]
… …


The Setting Command pushed to iPhone:
------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>4e4fca64-397f-4d70-9de5-afc12bcb41bf</string>
<key>Command</key>
<dict>
<key>Settings</key>
<array>
<dict>
<key>Identifier</key>
<string>com.xxx.MYAPP</string>
<key>Attributes</key>
<dict>
<key>VPNUUID</key>
<string>b78ee624-442d-4997-a77f-dc8245109716</string>
</dict>
<key>Item</key>
<string>ApplicationAttributes</string>
</dict>
</array>
<key>RequestType</key>
<string>Settings</string>
</dict>
</dict>
</plist>



The OpenVPN mobileconfig profile installed on iPhone:
------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>0</integer>
</dict>
<key>PayloadDescription</key>
<string>description...</string>
<key>PayloadDisplayName</key>
<string>VPN (openmyvpnconn)</string>
<key>PayloadIdentifier</key>
<string>com.xxx.openmyvpn.vpn</string>
<key>PayloadOrganization</key>
<string>xxx</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed.applayer</string>
<key>PayloadUUID</key>
<string>5E76E316-3DB8-4AFF-9899-329F48E47A7D</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>VPNUUID</key>
<string>b78ee624-442d-4997-a77f-dc8245109716</string>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandMatchAppEnabled</key>
<true/>
<key>PerAppVpn</key>
<integer>1</integer>
<key>SafariDomains</key>
<array>
<string>baidu.com</string>
</array>
<key>Proxies</key>
<dict/>
<key>UserDefinedName</key>
<string>openmyvpnconn</string>
<key>VPN</key>
<dict>
<key>AuthenticationMethod</key>
<string>Certificate</string>
<key>RemoteAddress</key>
<string>DEFAULT</string>
<key>PayloadCertificateUUID</key>
<string>23ACA320-985B-4E60-9DB5-E2985AB32CB6</string>
</dict>
<key>VPNSubType</key>
<string>net.openvpn.OpenVPN-Connect.vpnplugin</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig</key>
<dict>
<key>auth</key>
<string>SHA1</string>
<key>ca</key>
<string>-----BEGIN CERTIFICATE-----\nMIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT\nMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i\nYWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG\nEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg\nR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9\n9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq\nfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv\niS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU\n1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+\nbw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW\nMPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA\nephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l\nuMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn\nZ57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS\ntQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF\nPseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un\nhw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV\n5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==\n-----END CERTIFICATE-----</string>
<key>cert</key>
<string>-----BEGIN CERTIFICATE-----\nMIICxjCCAa4CAQAwDQYJKoZIhvcNAQEFBQAwKTEaMBgGA1UEAxMRVlBOR2F0ZUNs\naWVudENlcnQxCzAJBgNVBAYTAkpQMB4XDTEzMDIxMTAzNDk0OVoXDTM3MDExOTAz\nMTQwN1owKTEaMBgGA1UEAxMRVlBOR2F0ZUNsaWVudENlcnQxCzAJBgNVBAYTAkpQ\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5h2lgQQYUjwoKYJbzVZA\n5VcIGd5otPc/qZRMt0KItCFA0s9RwReNVa9fDRFLRBhcITOlv3FBcW3E8h1Us7RD\n4W8GmJe8zapJnLsD39OSMRCzZJnczW4OCH1PZRZWKqDtjlNca9AF8a65jTmlDxCQ\nCjntLIWk5OLLVkFt9/tScc1GDtci55ofhaNAYMPiH7V8+1g66pGHXAoWK6AQVH67\nXCKJnGB5nlQ+HsMYPV/O49Ld91ZN/2tHkcaLLyNtywxVPRSsRh480jju0fcCsv6h\np/0yXnTB//mWutBGpdUlIbwiITbAmrsbYnjigRvnPqX1RNJUbi9Fp6C2c/HIFJGD\nywIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQChO5hgcw/4oWfoEFLu9kBa1B//kxH8\nhQkChVNn8BRC7Y0URQitPl3DKEed9URBDdg2KOAz77bb6ENPiliD+a38UJHIRMqe\nUBHhllOHIzvDhHFbaovALBQceeBzdkQxsKQESKmQmR832950UCovoyRB61UyAV7h\n+mZhYPGRKXKSJI6s0Egg/Cri+Cwk4bjJfrb5hVse11yh4D9MHhwSfCOH+0z4hPUT\nFku7dGavURO5SVxMn/sL6En5D+oSeXkadHpDs+Airym2YHh15h0+jPSOoR6yiVp/\n6zZeZkrN43kuS73KpKDFjfFPh8t4r1gOIjttkNcQqBccusnplQ7HJpsk\n-----END CERTIFICATE-----</string>
<key>cipher</key>
<string>AES-128-CBC</string>
<key>dev</key>
<string>tun</string>
<key>key</key>
<string>-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA5h2lgQQYUjwoKYJbzVZA5VcIGd5otPc/qZRMt0KItCFA0s9R\nwReNVa9fDRFLRBhcITOlv3FBcW3E8h1Us7RD4W8GmJe8zapJnLsD39OSMRCzZJnc\nzW4OCH1PZRZWKqDtjlNca9AF8a65jTmlDxCQCjntLIWk5OLLVkFt9/tScc1GDtci\n55ofhaNAYMPiH7V8+1g66pGHXAoWK6AQVH67XCKJnGB5nlQ+HsMYPV/O49Ld91ZN\n/2tHkcaLLyNtywxVPRSsRh480jju0fcCsv6hp/0yXnTB//mWutBGpdUlIbwiITbA\nmrsbYnjigRvnPqX1RNJUbi9Fp6C2c/HIFJGDywIDAQABAoIBAERV7X5AvxA8uRiK\nk8SIpsD0dX1pJOMIwakUVyvc4EfN0DhKRNb4rYoSiEGTLyzLpyBc/A28Dlkm5eOY\nfjzXfYkGtYi/Ftxkg3O9vcrMQ4+6i+uGHaIL2rL+s4MrfO8v1xv6+Wky33EEGCou\nQiwVGRFQXnRoQ62NBCFbUNLhmXwdj1akZzLU4p5R4zA3QhdxwEIatVLt0+7owLQ3\nlP8sfXhppPOXjTqMD4QkYwzPAa8/zF7acn4kryrUP7Q6PAfd0zEVqNy9ZCZ9ffho\nzXedFj486IFoc5gnTp2N6jsnVj4LCGIhlVHlYGozKKFqJcQVGsHCqq1oz2zjW6LS\noRYIHgECgYEA8zZrkCwNYSXJuODJ3m/hOLVxcxgJuwXoiErWd0E42vPanjjVMhnt\nKY5l8qGMJ6FhK9LYx2qCrf/E0XtUAZ2wVq3ORTyGnsMWre9tLYs55X+ZN10Tc75z\n4hacbU0hqKN1HiDmsMRY3/2NaZHoy7MKnwJJBaG48l9CCTlVwMHocIECgYEA8jby\ndGjxTH+6XHWNizb5SRbZxAnyEeJeRwTMh0gGzwGPpH/sZYGzyu0SySXWCnZh3Rgq\n5uLlNxtrXrljZlyi2nQdQgsq2YrWUs0+zgU+22uQsZpSAftmhVrtvet6MjVjbByY\nDADciEVUdJYIXk+qnFUJyeroLIkTj7WYKZ6RjksCgYBoCFIwRDeg42oK89RFmnOr\nLymNAq4+2oMhsWlVb4ejWIWeAk9nc+GXUfrXszRhS01mUnU5r5ygUvRcarV/T3U7\nTnMZ+I7Y4DgWRIDd51znhxIBtYV5j/C/t85HjqOkH+8b6RTkbchaX3mau7fpUfds\nFq0nhIq42fhEO8srfYYwgQKBgQCyhi1N/8taRwpk+3/IDEzQwjbfdzUkWWSDk9Xs\nH/pkuRHWfTMP3flWqEYgW/LW40peW2HDq5imdV8+AgZxe/XMbaji9Lgwf1RY005n\nKxaZQz7yqHupWlLGF68DPHxkZVVSagDnV/sztWX6SFsCqFVnxIXifXGC4cW5Nm9g\nva8q4QKBgQCEhLVeUfdwKvkZ94g/GFz731Z2hrdVhgMZaU/u6t0V95+YezPNCQZB\nwmE9Mmlbq1emDeROivjCfoGhR3kZXW1pTKlLh6ZMUQUOpptdXva8XxfoqQwa3enA\nM7muBbF0XN7VO80iJPv+PmIZdEIAkpwKfi201YB+BafCIuGxIF50Vg==\n-----END RSA PRIVATE KEY-----</string>
<key>proto</key>
<string>udp</string>
<key>remote</key>
<string>67.174.240.91 1688</string>
<key>resolv-retry</key>
<string>infinite</string>
<key>verb</key>
<string>3</string>
<key>nobind</key>
<string>NOARGS</string>
<key>persist-key</key>
<string>NOARGS</string>
<key>persist-tun</key>
<string>NOARGS</string>
<key>client</key>
<string>NOARGS</string>
</dict>
</dict>
<dict>
<key>Password</key>
<string>123456</string>
<key>PayloadCertificateFileName</key>
<string>certwithpass.p12</string>
<key>PayloadContent</key>
<data>
</data>
<key>PayloadDescription</key>
<string>my certs</string>
<key>PayloadDisplayName</key>
<string>certwithpass.p12</string>
<key>PayloadIdentifier</key>
<string>com.xxx.openmyvpn.profile</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key>
<string>23ACA320-985B-4E60-9DB5-E2985AB32CB6</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>description...</string>
<key>PayloadDisplayName</key>
<string>openmyvpn</string>
<key>PayloadIdentifier</key>
<string>com.xxx.openmyvpn</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>250E8E5E-B163-4887-B0FD-95E866ED897D</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>


Any help please? Thanks a lot.


Re: OpenVPN and Per-app VPN on iOS7

Post by buscho » Thu Feb 09, 2017 11:37 am

Hi there!

This is quite an old thread, but 'cause I was faced with the same problem and finally got the solution, I'd like to post it here:

To make "Per-App VPN" work together with an OpenVPN Server, you have to add the following key-value pair to your .mobileconfig file inside the VPN dictionary:

<key>ProviderType</key>
<string>packet-tunnel</string>

The default value (if not explicitly set) of "ProviderType" is "app-proxy" which doesn't run. See also my answer in the following post:

viewtopic.php?f=36&t=19944&p=67864#p67864

Regards!

Buscho
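
A pre-deployment check for the points this thread turns on, added here as an example and not part of either post or of OpenVPN's tooling: it confirms that the app-layer VPN payload sets ProviderType to packet-tunnel (the fix reported in the answer above), that its PayloadCertificateUUID refers to a payload in the same profile, and that the VPNUUID in the MDM Settings command matches the profile. The function names `lint_per_app_vpn` and `sample` are hypothetical, and the sample plists are constructed, trimmed copies of the two posted in the question.

```python
import plistlib

APPLAYER = "com.apple.vpn.managed.applayer"

def lint_per_app_vpn(profile: bytes, settings_cmd: bytes) -> list:
    """Return findings for a per-app VPN profile and its MDM Settings command."""
    findings = []
    payloads = plistlib.loads(profile).get("PayloadContent", [])
    payload_uuids = {p.get("PayloadUUID") for p in payloads}
    vpns = [p for p in payloads if p.get("PayloadType") == APPLAYER]
    if not vpns:
        findings.append("no " + APPLAYER + " payload in profile")
    for p in vpns:
        vpn = p.get("VPN", {})
        # Fix reported in this thread: ProviderType inside the VPN dictionary.
        if vpn.get("ProviderType") != "packet-tunnel":
            findings.append("VPN.ProviderType is %r, expected 'packet-tunnel'"
                            % vpn.get("ProviderType"))
        cert = vpn.get("PayloadCertificateUUID")
        if cert is not None and cert not in payload_uuids:
            findings.append("PayloadCertificateUUID %s matches no payload" % cert)
    vpn_uuids = {p.get("VPNUUID") for p in vpns}
    command = plistlib.loads(settings_cmd).get("Command", {})
    for item in command.get("Settings", []):
        if item.get("Item") != "ApplicationAttributes":
            continue
        bound = item.get("Attributes", {}).get("VPNUUID")
        if bound not in vpn_uuids:
            findings.append("%s is bound to VPNUUID %s, not in profile"
                            % (item.get("Identifier"), bound))
    return findings

def sample(provider_type=None):
    """Constructed, trimmed copies of the two plists posted in the question."""
    vpn = {"AuthenticationMethod": "Certificate",
           "PayloadCertificateUUID": "23ACA320-985B-4E60-9DB5-E2985AB32CB6"}
    if provider_type:
        vpn["ProviderType"] = provider_type
    profile = {"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": APPLAYER, "VPN": vpn,
         "VPNUUID": "b78ee624-442d-4997-a77f-dc8245109716"},
        {"PayloadType": "com.apple.security.pkcs12",
         "PayloadUUID": "23ACA320-985B-4E60-9DB5-E2985AB32CB6"}]}
    command = {"Command": {"RequestType": "Settings", "Settings": [
        {"Item": "ApplicationAttributes", "Identifier": "com.xxx.MYAPP",
         "Attributes": {"VPNUUID": "b78ee624-442d-4997-a77f-dc8245109716"}}]}}
    return plistlib.dumps(profile), plistlib.dumps(command)

if __name__ == "__main__":
    print(lint_per_app_vpn(*sample()))                 # profile as posted
    print(lint_per_app_vpn(*sample("packet-tunnel")))  # with the fix applied
```

To check real files, pass the bytes of the .mobileconfig and of the Settings command plist instead of the constructed samples.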