Can I Use iOS 6+ VPN-on-Demand With OpenVPN?
Yes. VPN-On-Demand (VoD) is a new technology introduced by Apple in iOS 6 that allows a VPN profile to specify the conditions under which it automatically connects. In addition, you can connect and disconnect a VoD profile on iOS 7 using the iOS Settings App under the VPN tab (although note that on iOS 8 and higher, ordinary OpenVPN profiles can be connected using the Settings App, as long as they don't require credential entry). OpenVPN on iOS fully supports VoD with the following features:
You can create an OpenVPN VoD profile with iPCU by entering OpenVPN configuration file parameters as key/value pairs.
OpenVPN Connect supports connect and disconnect actions triggered by the iOS VoD subsystem.
OpenVPN Connect recognizes VoD profiles, shows them in the UI, and allows them to be monitored and controlled like other OpenVPN profiles (with the exception that VoD profiles cannot be manually connected from the app UI, they can only be disconnected — this is because a VoD profile is designed to be connected automatically by iOS).
As noted, you can create OpenVPN VoD profiles using iPCU. Unfortunately, it’s not a simple process because you must manually enter the directives of the OpenVPN profile as key/value pairs into iPCU.
To create a VoD profile with iPCU:
Open iPCU (these directions were tested with version 3.5 on a Mac tethered to an iPad running iOS 6.0.1).
Tap the File menu.
Select New Configuration Profile.
Edit the newly created configuration profile:
Tap General in the left pane.
Fill out the fields such as Name, Identifier, Organization, etc.
Tap VPN in the left pane.
A "Configure VPN" dialog box should appear in the main window.
Tap Configure.
Fill out the VPN settings as described:

Setting | Value
--- | ---
Connection Name | Set this to a name that identifies the profile on the device.
Connection Type | Set to Custom SSL.
Identifier | Set to net.openvpn.connect.app. (On older versions, this used to be net.openvpn.OpenVPN-Connect.vpnplugin.)
Server | Set to a hostname, or to DEFAULT to use the hostname(s) from the OpenVPN configuration.
User Authentication | Set to Certificate, and attach the client certificate and key as a PKCS#12 file.
VPN On Demand | Set to enabled, then define for iOS the conditions under which the VPN profile should automatically connect.
In addition, you enter the OpenVPN directives as key/value pairs in the Custom Data section; these take the place of the parameters you would otherwise put in the OpenVPN client configuration file:
VoD requires an OpenVPN autologin profile, i.e., one that authenticates using only a client certificate and key, without requiring a connection password.
Define each OpenVPN directive as a key, with arguments specified as the value. As in the OpenVPN configuration file, arguments are space-delimited and may be quoted.
At a minimum, you must define key/value pairs for ca and remote. (Note that OpenVPN cannot get the CA list from the VoD profile; therefore, you must provide it using a ca key/value pair.)
If the server requires them, define key/value pairs for tls-auth, key-direction, comp-lzo, cipher, ns-cert-type, and remote-cert-tls.
Use "NOARGS" as the value for OpenVPN directives with no arguments.
If the same directive appears more than once (for example, several remote directives), number the keys in the order in which they should be given to OpenVPN by appending .n to the directive name, where n is an integer, such as remote.1 and remote.2.
For multi-line directives such as ca and tls-auth, where the argument is a multi-line file, we provide an escaping model to allow you to specify the file content as a single-line value. You must convert the multi-line data to a single line by replacing line breaks with "\n" (without the quotes). Note that because of this escaping model, you must use "\\" to pass the backslash itself.
For OpenVPN Access Server meta-directives such as "OVPN_ACCESS_SERVER_USERNAME", remove the OVPN_ACCESS_SERVER_ prefix, giving USERNAME as the directive.
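The key/value rules above (NOARGS for argument-less directives, .n numbering of repeated directives, the \n and \\ escaping of multi-line files, and removal of the OVPN_ACCESS_SERVER_ prefix) are mechanical enough to script. The converter below is an added example, not code from this page or from OpenVPN's own tooling: it turns a constructed autologin .ovpn profile with an inline <ca> block into the Custom Data pairs, provides the inverse of the escaping so a value can be checked for round-trip correctness, and flags profiles that miss the minimum (ca and remote present) or that would prompt for a password via auth-user-pass. The sample profile, the "# OVPN_ACCESS_SERVER_X=Y" comment form of the meta-directive, and all function names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample autologin profile (not from the page): an inline <ca> block,
# two remote directives, a directive with no arguments, and an Access Server
# meta-directive as a comment (that "# OVPN_ACCESS_SERVER_X=Y" form is an assumption).
SAMPLE_OVPN = """\
client
dev tun
remote vpn1.example.com 1194 udp
remote vpn2.example.com 443 tcp
comp-lzo
# OVPN_ACCESS_SERVER_USERNAME=alice
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedCAcertificateBody
-----END CERTIFICATE-----
</ca>
"""

META_RE = re.compile(r"^#\s*OVPN_ACCESS_SERVER_(\w+)=(.*)$")
BLOCK_OPEN_RE = re.compile(r"^<([\w-]+)>$")

def escape_value(text):
    # Single-line form of a multi-line file: backslash -> \\ and line break -> \n.
    # Backslashes are doubled first, otherwise the \n sequences would be doubled too.
    return text.replace("\\", "\\\\").replace("\n", "\\n")

def unescape_value(value):
    # Inverse of escape_value. A character scan keeps "\\" followed by "n" as a
    # literal backslash plus "n" rather than turning it into a line break.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "n\\":
            out.append("\n" if value[i + 1] == "n" else "\\")
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_ovpn(text):
    # Ordered (directive, value) pairs, before duplicate numbering is applied.
    pairs, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        meta = META_RE.match(line)
        if meta:  # strip the OVPN_ACCESS_SERVER_ prefix: key USERNAME, value alice
            pairs.append((meta.group(1), meta.group(2).strip()))
            continue
        if line[0] in "#;":  # ordinary comment
            continue
        block = BLOCK_OPEN_RE.match(line)
        if block:  # inline file block: collect lines up to the matching close tag
            name, body = block.group(1), []
            while i < len(lines) and lines[i].strip() != f"</{name}>":
                body.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated <{name}> block")
            i += 1
            pairs.append((name, escape_value("\n".join(body))))
            continue
        parts = line.split(None, 1)  # directive, then its space-delimited arguments
        pairs.append((parts[0], parts[1].strip() if len(parts) > 1 else "NOARGS"))
    return pairs

def to_vod_custom_data(text):
    # The iPCU Custom Data mapping: a directive that occurs more than once is
    # emitted as name.1, name.2, ... in the order OpenVPN should receive them.
    pairs = parse_ovpn(text)
    total, seen, custom = Counter(n for n, _ in pairs), Counter(), {}
    for name, value in pairs:
        if total[name] > 1:
            seen[name] += 1
            name = f"{name}.{seen[name]}"
        custom[name] = value
    return custom

def check_vod_requirements(custom):
    # Minimum the page requires: ca and remote present, and an autologin profile
    # (certificate/key only), so a password prompt via auth-user-pass is flagged.
    def has(d):
        return any(k == d or k.startswith(d + ".") for k in custom)
    problems = []
    if not has("ca"):
        problems.append("missing ca: the CA list must be given as a ca key/value pair")
    if not has("remote"):
        problems.append("missing remote")
    if has("auth-user-pass"):
        problems.append("auth-user-pass present: VoD needs an autologin profile")
    return problems

if __name__ == "__main__":
    custom = to_vod_custom_data(SAMPLE_OVPN)
    print(*(f"{k} = {v}" for k, v in custom.items()), sep="\n")
    print("problems:", check_vod_requirements(custom) or "none")
```

Each printed `key = value` line is one Custom Data entry to type into iPCU. The unescape routine exists only to verify a value before you paste it: a certificate that contains the two characters backslash and n must survive the round trip, which is why the scan handles `\\` before `\n` rather than doing two string replacements.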
Once you’ve defined the VoD profile, you have two options for exporting it to an iOS device:
If your device is currently tethered, click on your device name in the left pane. Then in the main window, click on the Configuration Profiles tab. You should see the name of your Configuration Profile and a button to install it on the device.
You can also save the Configuration Profile as a .mobileconfig file and make it available to iOS clients via email or the web. To do this, select your Configuration Profile, go to the File menu, and select "Export...". An Export Configuration Profile dialog box will appear. Select a Security option — "Sign configuration profile" is a reasonable choice. Press the Export button and save the profile.
When an iOS device receives a VoD profile (via Mail attachment, Safari download, or pushed by iPCU), it raises a dialog box to facilitate the profile import. After import, the profile is visible in the Settings App under General / Profiles. It is also visible as a profile in OpenVPN Connect. Note that the profile must be the currently enabled VPN profile for the VoD functionality to work.