Page 1 of 1

OpenVPN AS and iOS on demand

Posted: Tue May 28, 2019 7:40 pm
by jfrench1011
I'm wondering if someone can assist me. I have my OpenVPN Access Server up and running, working fine. I have auto connect profiles for connecting my iOS devices, which work as expected. I can open the OpenVPN client and connect to my VPN and everything runs as expected.

I'm now trying to set up the iOS VPN on demand to:

- connect when device is on unsecured wifi
- connect when device is on specified wifi networks
- disconnect when device is on specified wifi networks

I know this can be accomplished with on demand profiles (.mobileconfig) but I can't seem to find and easy to understand walk thru for setting this up. Is there anything that can assist taking my OpenVPN Access Server profile (.ovpn) and turning it into .mobileconfig to do the above settings?

Re: OpenVPN AS and iOS on demand

Posted: Tue May 28, 2019 8:18 pm
by mdibella
I got OpenVPN working using .mobileconfig as a pathway to per-app VPN and memorialized my notes in this post:


Re: OpenVPN AS and iOS on demand

Posted: Wed May 29, 2019 8:30 pm
by jfrench1011
say that, but it is still a bit greek to me. I'm running Access Server so I haven't played with the under pinnings and cert generation at all. Access server handles that and generates an ovpn to autoconnect. I am trouble having finding anything that makes sense taking that and converting to a .mobileconfig. I don't have a mac to use configurator either.

I'm sure everything I need is in the ovpn file but I can't figure our what needs to be copied in there to a mobileconfig to make that work.

Re: OpenVPN AS and iOS on demand

Posted: Wed May 29, 2019 9:38 pm
by mdibella
When I was researching this issue for my solution, I reviewed this blog for ideas: ... h-openvpn/

I also came across this tool:

But I decided to use Configurator to build the scaffolding instead of that tool, so I have no experience with it.

I do think if you are going to do any serious work with mobileconfig format you need to get a Mac to build the templates using Configurator. Apple uses non-standard XML to for its plist format, so you can't use a standards-based parser to generate the XML. Either you will have to find or write a cross-platform parser, or hand-code the files using an editor. Apple also requires GUIDs to identify the various payload sections of the mobileconfg. Configurator will generate these GUIDs for you.

Unfortunately, the current Configurator version does not support GUI for the InterfaceTypeMatch and SSIDMatch dictionaries for triggering VPN activation based on interface or AP change, so you will still have to generate these sections after creating the mobileconfig template using Configurator.