OpenVPN Connect IOS 9.0.2 Per-App VPN

Post by martinandersson » Thu Oct 15, 2015 8:13 am

Hi guys!

OpenVPN Connect Version: 1.0.5 Build 1.77
OpenVPN Server: pfSense 2.24
iOS version: iOS 9.02 (running on iPhone 6 Plus)

Got a very frustrating problem that I can't seem to resolve.
I'm using an MDM solution to deploy OpenVPN configurations.

When I deploy the configurations to use OpenVPN as a regular VPN, "just On/Off functions", it works correctly: the tunnels come up and all the traffic is redirected via the tunnel correctly.
I run everything through a proxy as well, and the logs show the connections correctly.

But when I deploy the configuration profile to use Per-App VPN (in my case I tested Google Chrome + Opera Mini), it doesn't work.
The scenario is like this:
I deploy Google Chrome + Opera Mini with Per-App VPN settings (to use my correct OpenVPN on-demand profile) that works in "regular" mode.
I start Google Chrome/Opera Mini and the Per-App VPN connection starts (I can see the VPN logo up in the left corner). If I open the OpenVPN Connect app, I can see there too that the "profile" is connected.
If I check my server, I can see that my tunnel is up, with username/IP and such.
But when I try to access any site in Google Chrome/Opera Mini (which are on the Per-App VPN session), nothing works; I cannot access sites via DNS or without it.
Nothing seems to go through the tunnel.

If I check the OpenVPN Connect app and look at my session, I can see that the data sent/received is only about 5-6kb, so again, nothing seems to even go through the tunnel.

So my conclusion is that Per-App VPN is breaking the OpenVPN session, since the same profile works flawlessly with the "manual On/Off function".

I've googled like a maniac and tested multiple things on the OpenVPN server/client, but no change.

Hope someone has any advice/solution!

Re: OpenVPN Connect IOS 9.0.2 Per-App VPN

Post by buscho » Thu Feb 09, 2017 11:31 am

Hi there!

This seems to be an older thread, but because I was faced with the same problem ("how to use the Per-App VPN feature of iOS with an OpenVPN server") and I finally got the solution (after a looong research :geek: :P), I'd like to explain how I got this to work:

Per-App VPN offers two "modes" (according to: https://developer.apple.com/library/con ... 06-CH1-SW1) for a VPN tunnel (search the page for "VPN dictionary keys"):
  • ProviderType: packet-tunnel
  • ProviderType: app-proxy
Well, the second one is the default if you do not explicitly specify this optional key. And this default one DOES NOT WORK when you connect with "Per-App VPN" to an OpenVPN server. To make it work, you have to explicitly set the "ProviderType" to "packet-tunnel". You do this by editing the .mobileconfig file you deploy to the phones via your MDM solution. Add the following lines within the "VPN Dictionary" and deploy it to your phones again. Afterwards "Per-App VPN" works like a charm :)

<key>ProviderType</key>
	<string>packet-tunnel</string>

The whole "VPN Dictionary" within the .mobileconfig file may look something like this (among all the other stuff inside the file - I don't know how familiar you are with .mobileconfig files):

<key>VPN</key>
<dict>
	<key>AuthenticationMethod</key>
		<string>Certificate</string>
	<key>AuthName</key>
		<string>The user name</string>
	<key>RemoteAddress</key>
		<string>The remoteadress (IP or url)</string>
	<key>PayloadCertificateUUID</key>
		<string>UUID of a certificate</string>
	<key>OnDemandEnabled</key>
		<integer>1</integer>
	<key>ProviderType</key>
		<string>packet-tunnel</string>
</dict>

In my case (I use Sophos Mobile Control) the configuration GUI for "Per-App VPN" settings does not allow selecting between the two modes; it uses the default option ("app-proxy") and therefore the deployed configuration does not work. I always have to manually edit the configuration file and redeploy it to the phones. But I will raise this problem with Sophos and ask them to add the possibility to select between the two options within the GUI.

Hope I could help you with my answer

Cheers!

Buscho
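
The manual edit described in the reply above can be checked and applied before a profile is redeployed. The Python below is an added example, not code from the thread or from any MDM product; it assumes an unsigned XML .mobileconfig whose Per-App VPN payloads use the type com.apple.vpn.managed.applayer, and the sample profile and the function name audit_provider_type are constructed for illustration.

```python
import plistlib

PER_APP_VPN = "com.apple.vpn.managed.applayer"  # Per-App VPN payload type

# Constructed sample profile: one Per-App VPN payload without ProviderType.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadType</key><string>Configuration</string>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
			<key>UserDefinedName</key><string>Example per-app tunnel</string>
			<key>VPN</key>
			<dict>
				<key>AuthenticationMethod</key><string>Certificate</string>
				<key>RemoteAddress</key><string>vpn.example.invalid</string>
				<key>OnDemandEnabled</key><integer>1</integer>
			</dict>
		</dict>
	</array>
</dict>
</plist>
"""

def audit_provider_type(profile_bytes, fix=False):
    """Return (findings, profile_bytes) for the Per-App VPN payloads.

    A finding is (payload name, effective ProviderType) when that value is
    not packet-tunnel; a missing key counts as the default, app-proxy.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PER_APP_VPN:
            continue  # ordinary VPN and other payloads are left alone
        vpn = payload.setdefault("VPN", {})
        effective = vpn.get("ProviderType", "app-proxy")
        if effective != "packet-tunnel":
            findings.append((payload.get("UserDefinedName", "?"), effective))
            if fix:
                vpn["ProviderType"] = "packet-tunnel"
    # Re-serialize only when a fix was requested; otherwise return the input.
    return findings, (plistlib.dumps(profile) if fix else profile_bytes)

if __name__ == "__main__":
    found, fixed = audit_provider_type(SAMPLE_PROFILE, fix=True)
    print(found, audit_provider_type(fixed)[0])
```

A signed profile is a CMS envelope rather than a bare plist, so it has to be unwrapped before this check and re-signed after any change.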