pfSense IKEv2 for iOS/macOS - Part 4

in pfSense, Router, Networking, Firewall, Home Lab, IPSEC, IKEv2, iOS, macOS

Articles in This Series:
Part 1 - Certificate Configuration
Part 2 - VPN Configuration
Part 3 - Mobile Profile Configuration
Part 4 (Current Article)

Part 4 - On Demand VPN

So you want to get your hands dirty and force your VPN to connect based on network states? You've come to the right place! First and foremost, you'll need an editor that handles XML. I recommend Atom.

Inspired by a Reddit post1, I began to look into Apple's options for forcing VPN connections through the use of Mobile Configuration Profiles2. One resource I found that was helpful was this post from derman.com. So open up your Mobile Configuration file and let's get to work!

Here's the gist of it:
- You force connections through the use of conditions defined in the XML of the Mobile Configuration Profile.
- The matching criteria can include any of the following:
  - DNS Domain or DNS Server Settings (with Wildcard Matching)
  - SSID
  - Interface Type
  - Reachable Server Detection

The type of matching you want to do is really up to personal preference. Below is an example of the very simple rules I use and where you want to place your own rules:

    <key>IKEv2</key>
    <dict>
        ***IKEv2 Configuration Info***
        <key>OnDemandEnabled</key>
        <integer>1</integer>
        <key>OnDemandRules</key>
        <array>
            <dict>
                <key>Action</key>
                <string>Disconnect</string>
                <key>URLStringProbe</key>
                <string>https://vpncheckint.domain.com</string>
            </dict>
            <dict>
                <key>Action</key>
                <string>Connect</string>
            </dict>
        </array>
        ***Remainder of IKEv2 Config***
    </dict>

The most important part is the section that enables On Demand VPN:

    <key>OnDemandEnabled</key>
        <integer>1</integer>

The section that follows defines the rules you want to use. In my example, I only use two rules. Each <dict></dict> section defines one rule. Within each rule is an Action and at least one criterion. In my first rule, the action is to Disconnect when a URLStringProbe can contact a server of mine that is only accessible within my network. The final rule is the default action. This is very important. Per the Apple Developer Library, "Dictionaries are checked sequentially, beginning with the first dictionary in the array." The first rule whose criteria all match wins, so if none of your rules match, you need a default rule (one with only an Action and no criteria) to fall back on. In my case, if it can't reach my internal server (i.e., the device is not on my local network), then it should connect the VPN.
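To make the first-match semantics concrete, here is a small Python evaluator, added here as an illustration and not part of the original article or of Apple's implementation. It parses an OnDemandRules array with the standard plistlib module and returns the Action of the first rule whose criteria all hold for a given network state, exactly as the quoted Apple text describes. The embedded plist is a constructed wrapper around the three-rule Ethernet/cellular example that appears later in this article; the NetworkState class and its fields are assumptions made for the example, and the single-wildcard matching Apple allows for DNS entries is not modelled.

```python
import plistlib
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: the three-rule example from this article, wrapped in a
# minimal plist so plistlib can parse it. Only the OnDemandRules array matters.
RULES_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>OnDemandRules</key>
    <array>
        <dict>
            <key>Action</key>
            <string>Disconnect</string>
            <key>InterfaceTypeMatch</key>
            <string>Ethernet</string>
            <key>URLStringProbe</key>
            <string>https://vpncheck.domain.com</string>
        </dict>
        <dict>
            <key>Action</key>
            <string>Connect</string>
            <key>InterfaceTypeMatch</key>
            <string>Cellular</string>
        </dict>
        <dict>
            <key>Action</key>
            <string>Disconnect</string>
        </dict>
    </array>
</dict>
</plist>
"""


@dataclass
class NetworkState:
    """Hypothetical snapshot of the device's network, used to evaluate rules."""
    interface: str                                   # "WiFi", "Ethernet" or "Cellular"
    ssid: Optional[str] = None                       # current Wi-Fi SSID, if any
    dns_servers: List[str] = field(default_factory=list)
    reachable_urls: Set[str] = field(default_factory=set)  # probe URLs answering HTTP 200


def load_rules(plist_bytes: bytes) -> list:
    """Return the OnDemandRules array from a plist document."""
    return plistlib.loads(plist_bytes)["OnDemandRules"]


def rule_matches(rule: dict, state: NetworkState) -> bool:
    """Every criterion present in the rule must hold; a rule with no criteria always matches."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != state.interface:
        return False
    if "SSIDMatch" in rule and state.ssid not in rule["SSIDMatch"]:
        return False
    if "DNSServerAddressMatch" in rule and not any(
        s in state.dns_servers for s in rule["DNSServerAddressMatch"]
    ):
        return False
    if "URLStringProbe" in rule and rule["URLStringProbe"] not in state.reachable_urls:
        return False
    return True


def evaluate(rules: list, state: NetworkState) -> Optional[str]:
    """Walk the array in order and return the Action of the first match, or None."""
    for rule in rules:
        if rule_matches(rule, state):
            return rule["Action"]
    return None


def has_default_rule(rules: list) -> bool:
    """True when the last rule carries only an Action, so something always matches."""
    return bool(rules) and set(rules[-1]) == {"Action"}


if __name__ == "__main__":
    rules = load_rules(RULES_PLIST)
    office = NetworkState("Ethernet", reachable_urls={"https://vpncheck.domain.com"})
    print("office ethernet ->", evaluate(rules, office))          # Disconnect
    print("cellular        ->", evaluate(rules, NetworkState("Cellular")))  # Connect
    print("cafe wifi       ->", evaluate(rules, NetworkState("WiFi", ssid="cafe")))  # Disconnect (default)
    print("default present ->", has_default_rule(rules))
    print("without default ->", evaluate(rules[:-1], NetworkState("WiFi", ssid="cafe")))  # None
```

Dropping the last rule (`rules[:-1]`) is the failure mode the article warns about: on a network that matches neither specific rule the evaluator returns None, meaning no rule decided anything, which is why every rule set here ends with an unconditional default.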

Below are some more examples of rules to give you a better idea of how they're used:

Disconnect when I have a specific DNS server and am connected to one of two specific wireless networks, otherwise connect (default):

    <key>OnDemandRules</key>
        <array>
        <dict>
            <key>Action</key>
                <string>Disconnect</string>
            <key>DNSServerAddressMatch</key>
                <array>
                    <string>123.123.123.123</string>
                </array>
            <key>InterfaceTypeMatch</key>
                <string>WiFi</string>
            <key>SSIDMatch</key>
                <array>
                    <string>WiFi_SSID1</string>
                    <string>WiFi_SSID2</string>
                </array>
        </dict>
        <dict>
            <key>Action</key>
                <string>Connect</string>
        </dict>
        </array>

Disconnect when I have a specific DNS server and am connected to any Ethernet connection, otherwise connect (default):

    <key>OnDemandRules</key>
        <array>
        <dict>
            <key>Action</key>
                <string>Disconnect</string>
            <key>DNSServerAddressMatch</key>
                <array>
                    <string>10.10.10.18</string>
                </array>
            <key>InterfaceTypeMatch</key>
                <string>Ethernet</string>
        </dict>
        <dict>
            <key>Action</key>
                <string>Connect</string>
        </dict>
        </array>

Disconnect when I am connected to any cellular connection, otherwise connect (default):

    <key>OnDemandRules</key>
        <array>
        <dict>
            <key>Action</key>
                <string>Disconnect</string>
            <key>InterfaceTypeMatch</key>
                <string>Cellular</string>
        </dict>
        <dict>
            <key>Action</key>
                <string>Connect</string>
        </dict>
        </array>

Connect when I am connected to any cellular connection and I can reach Google.com, otherwise disconnect (default):

    <key>OnDemandRules</key>
        <array>
        <dict>
            <key>Action</key>
                <string>Connect</string>
            <key>InterfaceTypeMatch</key>
                <string>Cellular</string>
            <key>URLStringProbe</key>
                <string>https://google.com</string>
        </dict>
        <dict>
            <key>Action</key>
                <string>Disconnect</string>
        </dict>
        </array>

Disconnect when I am connected to Ethernet and I can reach an internal URL, connect if I am on cellular, otherwise disconnect (default):

    <key>OnDemandRules</key>
        <array>
        <dict>
            <key>Action</key>
                <string>Disconnect</string>
            <key>InterfaceTypeMatch</key>
                <string>Ethernet</string>
            <key>URLStringProbe</key>
                <string>https://vpncheck.domain.com</string>
        </dict>
        <dict>
            <key>Action</key>
                <string>Connect</string>
            <key>InterfaceTypeMatch</key>
                <string>Cellular</string>
        </dict>
        <dict>
            <key>Action</key>
                <string>Disconnect</string>
        </dict>
        </array>

This should give you a decent idea of what is possible with manual editing of the Mobile Configuration Profile. Once you've set the parameters you want, save the file and follow Step 4 or 5 in Part 3 - Mobile Profile Configuration to add the profile to your mobile device.
