Auto-connect to a VPN with a configuration profile

This small post describes how to create an On-Demand VPN profile for iOS (and macOS, too).

Why you need VPN

Public wifi is a great thing, especially if you have limited mobile data caps or are on vacation in another country. But public wifi also poses a security risk: not only can a third party monitor the websites you visit, they could steal personal information or even infect you with malware. One way to help protect you is through VPN: this is a mechanism to route all your traffic securely through another party. While there are services that offer VPN for a few dollars a month (stay away from “free” VPNs!) I do not need them often enough to justify the expense.

Luckily, my router at home can be used as a VPN server. All I need to do is configure it, add the authentication details to all my devices, and toggle the VPN switch every time I connect to an unknown network. Sounds cumbersome? Because it is. Not only do I have to enter all the details many times for me and my girlfriend, I would also often forget to connect, especially when my iPhone reconnects to a known hotspot without me realising. Thankfully, one can configure iOS devices and Macs to automatically connect to a VPN whenever they are connected to a non-whitelisted network.

Setup an On-Demand VPN Server using configuration profiles

The solution to the problem is called Configuration Profiles. These are files you add to your Apple device that contain configuration details like wifi passwords, email accounts, SSL certificates or VPN credentials.

If you do not have access to a Mac or do not want to read my explanations you can download an example profile here that you can just edit in any text editor.

The easiest way to create a new profile is through Apple Configurator - a free Mac app by Apple. Download it from the Mac App Store, create a new profile and set up your VPN details like the server and the authentication name.

If you want to use your own router as a VPN server you need a way to reach it when on the road: you either need a dedicated, static IP address (most ISPs don't offer those to non-business customers) or use dynamic DNS.

Unfortunately, you cannot create an On-Demand-VPN through the GUI, but .mobileconfig files are just XML files you can open in your favourite text editor.

	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<dict>
		<key>PayloadContent</key>
		<array>
			<dict>
				<key>IPSec</key>
				<dict>
					<key>AuthenticationMethod</key>
					...

To add on-demand rules we need to add some parameters directly before the AuthenticationMethod key:

	<key>OnDemandEnabled</key>
	<integer>1</integer>

The first step is to enable on-demand VPN. Then we add our rules:

	<key>OnDemandRules</key>
	<array>
		<dict>
			<key>Action</key>
			<string>Disconnect</string>
			<key>InterfaceTypeMatch</key>
			<string>WiFi</string>
			<key>SSIDMatch</key>
			<array>
				<string>your-first-whitelisted-wifi-ssid</string>
				<string>your-second-whitelisted-wifi-ssid</string>
			</array>
		</dict>
		<dict>
			<key>Action</key>
			<string>Connect</string>
			<key>InterfaceTypeMatch</key>
			<string>WiFi</string>
		</dict>
		<dict>
			<key>Action</key>
			<string>Disconnect</string>
			<key>InterfaceTypeMatch</key>
			<string>Cellular</string>
		</dict>
		<dict>
			<key>Action</key>
			<string>Disconnect</string>
		</dict>
	</array>

The rules are an array of actions, evaluated top to bottom, and the first rule that matches wins, so the order of actions is important! The first action is our whitelist:
Disconnect from the VPN whenever the SSID of the currently connected wifi is either your-first-whitelisted-wifi-ssid or your-second-whitelisted-wifi-ssid. You can add as many names as you need there.

The second block means that the device should connect to the VPN whenever it is connected to wifi. Since the order is important, this rule is never reached for the whitelisted SSIDs. The third block is necessary because we do not want to connect to the VPN on mobile data. The last block just tells the system to disconnect from the VPN whenever no other condition is met.
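To see why the order matters, here is a small added script (not part of the original post or of any Apple tool) that parses a constructed .mobileconfig containing the rules above with Python's plistlib, replays the first-match evaluation for a given interface and SSID, and flags the two ordering mistakes discussed: a whitelist rule shadowed by an earlier Connect rule, and a missing unconditional Disconnect at the end. The SSID `home-wifi` and the `evaluate`/`lint` helpers are assumptions made for the example.

```python
import plistlib

# Constructed sample: the post's on-demand rules inside a stripped-down VPN
# payload (placeholder SSID, no credentials). Not a real profile.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>IPSec</key><dict>
<key>OnDemandEnabled</key><integer>1</integer>
<key>OnDemandRules</key><array>
<dict><key>Action</key><string>Disconnect</string>
      <key>InterfaceTypeMatch</key><string>WiFi</string>
      <key>SSIDMatch</key><array><string>home-wifi</string></array></dict>
<dict><key>Action</key><string>Connect</string>
      <key>InterfaceTypeMatch</key><string>WiFi</string></dict>
<dict><key>Action</key><string>Disconnect</string>
      <key>InterfaceTypeMatch</key><string>Cellular</string></dict>
<dict><key>Action</key><string>Disconnect</string></dict>
</array></dict></dict></array></dict></plist>"""

def load_rules(data):
    """Return the OnDemandRules array from the IPSec dict of the first VPN payload."""
    for payload in plistlib.loads(data)["PayloadContent"]:
        if "IPSec" in payload:
            return payload["IPSec"].get("OnDemandRules", [])
    return []

def evaluate(rules, interface, ssid=None):
    """First matching rule wins, as the post describes; None if nothing matches."""
    for rule in rules:
        if rule.get("InterfaceTypeMatch", interface) != interface:
            continue
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue
        return rule["Action"]
    return None

def lint(rules):
    """Flag the ordering mistakes that silently break the whitelist."""
    findings = []
    last = rules[-1] if rules else {}
    if last.get("Action") != "Disconnect" or "InterfaceTypeMatch" in last or "SSIDMatch" in last:
        findings.append("final rule is not an unconditional Disconnect")
    for i, rule in enumerate(rules):
        if "SSIDMatch" not in rule:
            continue
        for j, earlier in enumerate(rules[:i]):
            # an earlier rule with no SSID filter on the same interface swallows this whitelist
            same_iface = earlier.get("InterfaceTypeMatch", rule.get("InterfaceTypeMatch")) == rule.get("InterfaceTypeMatch")
            if "SSIDMatch" not in earlier and same_iface:
                findings.append(f"rule {i} (SSID whitelist) is shadowed by rule {j}")
    return findings
```

Swapping the first two rules makes `evaluate(rules, "WiFi", "home-wifi")` return `Connect` instead of `Disconnect`, which is exactly the mistake `lint` reports.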

Share the profile to all devices (iOS and macOS are supported) and stop worrying about public wifi.

On iOS only one VPN can be active at any time. Make sure your on-demand VPN is selected in the VPN settings of the device, otherwise the rules are ignored.

### Conclusion

When you are connected to public wifi you need a VPN. If you do not want to pay for a service and your router supports it, you can set up an on-demand VPN on your iOS or Mac devices that automatically connects whenever you are on an unknown wifi network.

Configuration profiles in general are pretty powerful. You could for example edit the on-demand rules to automatically connect only for special hostnames. Check out the documentation at developer.apple.com.