Management Summary: Even though VPN-on-Demand is configured to always connect, there is a short period of time where iOS allows requests to go through the not-tunneled connection.
Steps to reproduce:
- Install the mobileconfig file on the device
- Toggle the "Connect" switch in the Settings.app to "On"
- Go into airplane mode => VPN connection terminates
- If you want, capture your iPhones network interface using the Remote Virtual Interface facility `rvictl` https://developer.apple.com/library/ios ... CH1-SECRVI
- Disable airplane-mode
- Quickly open a page in MobileSafari.app before the VPN-icon appears in the status bar
- The requests to the Apple-servers iOS makes to check whether it is behind a captive portal
- The request to the web-page you hit before the VPN-icon appeared.
I suppose if the user is able to run a request through the non-tunneled interface, other background tasks can, too. This is a serious threat to users of OpenVPN who rely on all traffic being routed through the secure VPN.
I suspect that the routes on the iOS device are being set after the tunnel is established but in the meantime, traffic is still routed through the default gateway.
What do you think? Do you have similar problems?
Cheers!
Configuration files
Server-Config:
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh easy-rsa/keys/dh2048.pem
server 172.16.23.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.2.3.4"
push "dhcp-option DNS 5.6.7.8"
keepalive 10 120
comp-lzo
# Specific to my setup:
ifconfig-noexec
route-noexec
Client-Config:
client
dev tun
proto udp
remote ovpnhost.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
redirect-gateway def1
# ca, cert and key are set through the mobileconfig-file
Mobileconfig-file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Configures VPN settings, including authentication.</string>
<key>PayloadDisplayName</key>
<string>VPN (ovpnhost.example.com/VoD)</string>
<key>PayloadIdentifier</key>
<string>com.example.ovpnhost.user_paranoid-iphone.vpnconfig</string>
<key>PayloadOrganization</key>
<string>ovpnhost.example.com</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>946532F7-193E-4CA4-97AD-2CFDBB1B7628</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserDefinedName</key>
<string>ovpnhost.example.com/VoD</string>
<key>VPN</key>
<dict>
<key>AuthenticationMethod</key>
<string>Certificate</string>
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
<dict>
<key>Action</key>
<string>Connect</string>
</dict>
</array>
<key>PayloadCertificateUUID</key>
<string>3260ABB0-FE37-45DA-BD06-20469B0F0629</string>
<key>RemoteAddress</key>
<string>DEFAULT</string>
</dict>
<key>VPNSubType</key>
<string>net.openvpn.OpenVPN-Connect.vpnplugin</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig</key>
<dict>
<key>ca</key>
<string># The CA as a oneline string, replacing newlines with actual string \n #</string>
<key>client</key>
<string>NOARGS</string>
<key>comp-lzo</key>
<string>NOARGS</string>
<key>dev</key>
<string>tun</string>
<key>remote</key>
<string>ovpnhost.example.com 1194 udp</string>
<key>remote-cert-tls</key>
<string>server</string>
<key>redirect-gateway</key>
<string>NOARGS</string>
</dict>
</dict>
<dict>
<key>Password</key>
<string></string>
<key>PayloadCertificateFileName</key>
<string>user_paranoid-iphone.p12</string>
<key>PayloadContent</key>
<data>
# pkcs12 file containing certificate and private key of the user #
</data>
<key>PayloadDescription</key>
<string>Provides device authentication (certificate or identity).</string>
<key>PayloadDisplayName</key>
<string>user_paranoid-iphone.p12</string>
<key>PayloadIdentifier</key>
<string>com.example.ovpnhost.user_paranoid-iphone.credential</string>
<key>PayloadOrganization</key>
<string>ovpnhost.example.com</string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key>
<string>3460D3B0-FE37-45CA-BC06-AB466B0F0629</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>OpenVPN Configuration Payload for user_paranoid-iphone@ovpnhost.example.com</string>
<key>PayloadDisplayName</key>
<string>ovpnhost.example.com OpenVPN user_paranoid@iphone</string>
<key>PayloadIdentifier</key>
<string>com.example.ovpnhost.user_paranoid-iphone</string>
<key>PayloadOrganization</key>
<string>ovpnhost.example.com</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>D4542D76-2306-403E-AB72-A8C201ED9930</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
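To make the capture step of the reproduction above easier to evaluate, here is an added example (not part of the original post) that classifies `tcpdump -n` lines taken on the rvi interface: packets to the OpenVPN server on udp/1194 are tunnel transport, packets sourced from the 172.16.23.0/24 tunnel subnet are treated as tunneled, and everything else is a leak, tagged with whether it occurred before or after the first handshake packet. The server address 203.0.113.10 stands in for ovpnhost.example.com, the sample lines are constructed, and the assumption that tunneled packets show the tun address as source is mine.

```python
"""Classify packets from a tcpdump capture of the iOS physical interface."""
import ipaddress
import re

# Placeholder for the resolved address of ovpnhost.example.com (assumption, not from the post).
VPN_SERVER = ipaddress.ip_address("203.0.113.10")
VPN_PORT = 1194                                      # 'port 1194' / 'proto udp' in the server config
TUNNEL_NET = ipaddress.ip_network("172.16.23.0/24")  # 'server 172.16.23.0 255.255.255.0'

# Constructed sample lines in the format of `tcpdump -n -i rvi0` (not a real capture).
SAMPLE_CAPTURE = """\
10:15:00.100000 IP 10.0.0.5.52001 > 17.253.144.10.80: Flags [S], seq 0, win 65535, length 0
10:15:00.250000 IP 10.0.0.5.52002 > 93.184.216.34.443: Flags [S], seq 0, win 65535, length 0
10:15:00.400000 IP 10.0.0.5.60000 > 203.0.113.10.1194: UDP, length 54
10:15:00.650000 IP 10.0.0.5.52003 > 93.184.216.34.443: Flags [S], seq 0, win 65535, length 0
10:15:00.900000 IP 10.0.0.5.60000 > 203.0.113.10.1194: UDP, length 210
10:15:01.300000 IP 172.16.23.6.52004 > 93.184.216.34.443: Flags [S], seq 0, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return (ts, src, dst, dport) for an IPv4 tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ts"], ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]))


def classify(src, dst, dport):
    """'control' = OpenVPN transport, 'tunneled' = sent from the tun address, else 'leak'."""
    if dst == VPN_SERVER and dport == VPN_PORT:
        return "control"
    if src in TUNNEL_NET:  # assumption: tunneled packets carry the tun address as source
        return "tunneled"
    return "leak"


def find_leaks(capture_text):
    """List (ts, dst, dport, phase) for each leaked packet; phase records whether the
    leak happened before any packet to the VPN server or once the handshake had begun."""
    leaks, handshake_seen = [], False
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        ts, src, dst, dport = pkt
        kind = classify(src, dst, dport)
        if kind == "control":
            handshake_seen = True
        elif kind == "leak":
            phase = "after-handshake-start" if handshake_seen else "before-handshake"
            leaks.append((ts, str(dst), dport, phase))
    return leaks
```

Leaks tagged "after-handshake-start" support the post's suspicion that the routes are only applied once the tunnel is up, since traffic is still leaving the physical interface while OpenVPN is already talking to the server.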