VPN On Demand Not Working After iOS 7 Update

redradioflyer
OpenVPN User
Posts: 25
Joined: Mon Jul 08, 2013 7:00 am

VPN On Demand Not Working After iOS 7 Update

Post by redradioflyer » Thu Sep 26, 2013 4:16 am

Hi Everyone,

I have an iPhone 5, and used the iPhone Configuration Utility to set up OpenVPN "On-Demand" when connecting to certain web domains. This worked in iOS 6 and allowed the iPhone to automatically initiate the VPN when it visited the target web domain.

However, after I updated to iOS 7 the VPN On-Demand stopped initiating the VPN when the iPhone tries to connect to the target web domain. The VPN configuration appears to be OK because when I go to Settings->VPN I can manually activate the VPN with no problems, and when I look at the configuration profile the "connect on demand" toggle is in the "on" position. It just doesn't seem to do anything...

My email server is only accessible through my VPN. So I need the ability to automatically initiate a VPN whenever the iPhone is checking for new emails or sending outgoing emails.

Is anyone else having this problem?
Any idea how to fix it?
Will the iPhone 5S OpenVPN app update address this issue?

Thanks for your help!

manchik
OpenVpn Newbie
Posts: 9
Joined: Wed Oct 02, 2013 5:22 pm

Re: VPN On Demand Not Working After iOS 7 Update

Post by manchik » Wed Oct 02, 2013 5:36 pm

OnDemandMatchDomainsAlways
In iOS 7 and later, if this key is present, the associated domain names are treated as though they were associated with the OnDemandMatchDomainsOnRetry key.

redradioflyer
OpenVPN User
Posts: 25
Joined: Mon Jul 08, 2013 7:00 am

Re: VPN On Demand Not Working After iOS 7 Update

Post by redradioflyer » Thu Oct 03, 2013 12:04 am

Hi manchik,

Thanks for the help. I have some additional questions. If you can help I'd really appreciate it.

I found the "OnDemandMatchDomainsAlways" key in my .mobileconfig XML file. It appears to have the correct array and domain strings associated with it. Are you saying the connect on demand "always" function in the iPCU has been changed to act like "establish as needed" instead?

Where did you find this information?

Is there any key/XML command that can be used to set the VPN function to be active by default for some domains?

Thanks again!

manchik
OpenVpn Newbie
Posts: 9
Joined: Wed Oct 02, 2013 5:22 pm

Re: VPN On Demand Not Working After iOS 7 Update

Post by manchik » Fri Oct 04, 2013 7:35 pm

redradioflyer wrote:

Hi manchik,

Thanks for the help. I have some additional questions. If you can help I'd really appreciate it.

I found the "OnDemandMatchDomainsAlways" key in my .mobileconfig XML file. It appears to have the correct array and domain strings associated with it. Are you saying the connect on demand "always" function in the iPCU has been changed to act like "establish as needed" instead?

Where did you find this information?

Is there any key/XML command that can be used to set the VPN function to be active by default for some domains?

Thanks again!

I've just updated my iPad to iOS 7 and my previous VoD configuration still works. I noticed some differences, though. One of the apps was not behaving correctly, giving up on DNS resolution. I was able to fix it by putting the real FQDN of the VPN server in the "Server" attribute on the VPN payload page (iPCU).

I think I know why your configuration doesn't work. Make sure your target domain doesn't exist in public DNS. Only then will VoD work. That's one of the differences between iOS 6 and iOS 7.

You may also look at the new attribute "OnDemandRules". You can specify pretty much everything there. Personally I didn't test it yet, but I found some info on this and somebody says it works.

Let me know if that works for you:

<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
	<dict>
		<key>Action</key>
		<string>Connect</string>
		<key>DNSDomainMatch</key>
		<array>
			<string>YOUR_TARGET_DOMAIN_GOES_HERE</string>
		</array>
	</dict>
</array>

Here is the official iOS API reference for developers. I found it pretty useful.

manchik
OpenVpn Newbie
Posts: 9
Joined: Wed Oct 02, 2013 5:22 pm

Re: VPN On Demand Not Working After iOS 7 Update

Post by manchik » Fri Oct 04, 2013 7:41 pm

Another good thing in iOS 7 is "Per-app VPN". That means you can specify which app needs VPN access. So in practice, whenever you tap on the app, the VPN entry associated with it brings up the tunnel.

Here is what MobileIron says about it
http://www.mobileiron.com/solutions/ios ... so-vpn#vpn

redradioflyer
OpenVPN User
Posts: 25
Joined: Mon Jul 08, 2013 7:00 am

Re: VPN On Demand Not Working After iOS 7 Update

Post by redradioflyer » Fri Oct 04, 2013 9:51 pm

Hi manchik,

I think you're absolutely right, and our domain does exist in the public DNS (not something I can really change at this point).

After my last post I started googling the info you quoted looking for hits from the apple site and also found the developer page you mentioned. I have been reading up (and dreading/procrastinating) trying to learn enough to manually write some XML code using the new OnDemandRules key into the iPCU file (because frankly I've never done it before).

Thanks for providing the sample code. I'll try it this weekend, and let you know how it works. You probably saved me a lot of trial and error effort and I really appreciate it.

Thanks Again!

MS_Tam
OpenVpn Newbie
Posts: 1
Joined: Tue Mar 11, 2014 1:05 am

Re: VPN On Demand Not Working After iOS 7 Update

Post by MS_Tam » Tue Mar 11, 2014 1:08 am

redradioflyer,
Did you figure out how to make VPN on Demand work on iOS 7?
I've tried the following block as suggested but it didn't work for me. Did it work for you?

<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
	<dict>
		<key>Action</key>
		<string>Connect</string>
		<key>DNSDomainMatch</key>
		<array>
			<string>YOUR_TARGET_DOMAIN_GOES_HERE</string>
		</array>
	</dict>
</array>


Can anyone show me how you can make it work for you?
Much appreciation for your help on this topic.
Thanks,
-Tam

aMakUzr
OpenVpn Newbie
Posts: 4
Joined: Wed Jan 22, 2014 9:59 am

Re: VPN On Demand Not Working After iOS 7 Update

Post by aMakUzr » Thu Mar 20, 2014 12:34 am


I've put up an article on this topic that I hope will help others:

see Setting Up an iOS 7 On-Demand VPN


redradioflyer
OpenVPN User
Posts: 25
Joined: Mon Jul 08, 2013 7:00 am

Re: VPN On Demand Not Working After iOS 7 Update

Post by redradioflyer » Tue Apr 22, 2014 10:47 pm

Hi Tam,
Sorry for the delay in responding!
The initial suggestion from manchik pretty much worked for me. I modified it just a little to allow for backward compatibility.
In case you haven't gotten a solution yet here's what I was able to make work.


<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandMatchDomainsAlways</key>
<array>
	<string>YOUR_TARGET_DOMAIN_GOES_HERE</string>
</array>
<key>OnDemandRules</key>
<array>
	<dict>
		<key>DNSDomainMatch</key>
		<array>
			<string>YOUR_TARGET_DOMAIN_GOES_HERE</string>
		</array>
		<key>Action</key>
		<string>Connect</string>
	</dict>
</array>

The biggest problem I continue to have (I don't know if it's related to this) is that I can't get the iOS devices to "float" or maintain their connection to the VPN server when moving from wifi to cellular data (or vice-versa). Both my server and iOS config contain "float" and "nobind", but the VPN still has to be completely re-established. This is becoming more and more of a problem as wifi hot spots have become increasingly popular (iPhones automatically connect to some of them without ever asking the user). The current version of the iOS OpenVPN app will automatically reconnect the VPN, but users are increasingly being dropped from live connections (i.e. audio/video conferences) every time they walk/drive past a Starbucks...
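
Added example, not part of any post in this thread: a Python check over a .mobileconfig that flags domains listed only under OnDemandMatchDomainsAlways, which iOS 7 and later handle as OnDemandMatchDomainsOnRetry according to the text manchik quoted. The sample profile, the `intranet.example` domain and the function names are constructed for illustration; counting a `Connect` rule with `DNSDomainMatch` as coverage follows the configuration posted above and is an assumption.

```python
import plistlib

# Constructed sample profile; "intranet.example" is a placeholder domain and the
# payload layout is an assumption, so the search below does not depend on it.
TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.vpn.managed</string>
<key>VPN</key><dict>
  <key>OnDemandEnabled</key><integer>1</integer>
  <key>OnDemandMatchDomainsAlways</key>
  <array><string>intranet.example</string></array>
  %s
</dict></dict></array></dict></plist>"""

RULES = b"""<key>OnDemandRules</key><array><dict>
  <key>Action</key><string>Connect</string>
  <key>DNSDomainMatch</key><array><string>intranet.example</string></array>
</dict></array>"""

LEGACY_ONLY = TEMPLATE % b""    # pre-iOS 7 style profile
WITH_RULES = TEMPLATE % RULES   # both keys, as in the last configuration above

def on_demand_dicts(node):
    """Yield every dict carrying on-demand keys, however deeply nested."""
    if isinstance(node, dict):
        if "OnDemandEnabled" in node:
            yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from on_demand_dicts(child)

def audit(profile_bytes):
    """Return (finding, domain) pairs for domains relying on pre-iOS 7 behaviour."""
    findings = []
    for cfg in on_demand_dicts(plistlib.loads(profile_bytes)):
        if not cfg.get("OnDemandEnabled"):
            findings.append(("on-demand-disabled", None))
            continue
        # Domains named by a Connect rule (assumed to count as coverage).
        covered = {d.lower() for rule in cfg.get("OnDemandRules", [])
                   if rule.get("Action") == "Connect"
                   for d in rule.get("DNSDomainMatch", [])}
        for domain in cfg.get("OnDemandMatchDomainsAlways", []):
            if domain.lower() not in covered:
                # iOS 7+ treats this key like OnDemandMatchDomainsOnRetry.
                findings.append(("legacy-always-only", domain))
    return findings
```

Calling `audit()` on the bytes of an exported profile returns an empty list when every legacy "always" domain also appears in a `Connect` rule.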
