
Add configuration option for "Always On VPN" mode without putting device into Supervised Mode #109

Closed
ndtob opened this Issue Oct 21, 2016 · 6 comments


ndtob commented Oct 21, 2016

Somewhere in the ALGO question and answer script (or as a configuration option in the configuration file) an option should exist to force "always on VPN" mode.

Normally this is only possible when the device is wiped and put into "supervised" mode.

However with the following configuration profile XML it is possible to force an Always on VPN mode.

Connect to VPN when connected to a network over Cellular or WiFi network interface:

<key>OnDemandEnabled</key>
  <integer>1</integer>
<key>OnDemandRules</key>
  <array>
    <dict>
      <key>Action</key>
        <string>Connect</string>
      <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
    </dict>
    <dict>
      <key>Action</key>
        <string>Connect</string>
      <key>InterfaceTypeMatch</key>
        <string>Cellular</string>
    </dict>
  </array>

Enable "on demand" option
If interface type = wifi or cellular
Action -> connect VPN.

Alternatively, the "cellular" section may be set to "Disconnect" to force the VPN only when connected to Wi-Fi; for instance, this would always ensure the user was connected through a VPN when on any Wi-Fi network (Starbucks, home Wi-Fi or unsecured public Wi-Fi). This is highly desirable because it would always ensure a secure connection when routing through any Wi-Fi connection.

Connect to VPN only when connected to a network over the WiFi interface:

<key>OnDemandEnabled</key>
  <integer>1</integer>
<key>OnDemandRules</key>
  <array>
    <dict>
      <key>Action</key>
        <string>Connect</string>
      <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
    </dict>
    <dict>
      <key>Action</key>
        <string>Disconnect</string>
      <key>InterfaceTypeMatch</key>
        <string>Cellular</string>
    </dict>
  </array>

Since a user is always connected to either Wi-Fi or cellular, the VPN will always be on.
If the user puts the device into airplane mode, neither interface will be enabled.

Caveat:
If the VPN cannot be reached the device will have no network connectivity.
The user will have to go into the VPN options on the device and manually turn off "connect on demand" in order to get normal connectivity back.

There may be a way to configure a ruleset that drops the VPN connection if the VPN cannot be reached, but this requires further research.

@ndtob ndtob changed the title Add configuration option for "Always On VPN" mode Add configuration option for "Always On VPN" mode without requiring putting device into Supervised Mode Oct 21, 2016

@ndtob ndtob changed the title Add configuration option for "Always On VPN" mode without requiring putting device into Supervised Mode Add configuration option for "Always On VPN" mode without putting device into Supervised Mode Oct 21, 2016


ndtob commented Oct 24, 2016

Example configuration that disables the VPN when a known Wi-Fi SSID (like your home Wi-Fi) is connected.

Auto-enable the VPN when connected to any other Wi-Fi SSID and, optionally, when connected to cellular.

<key>OnDemandEnabled</key>
  <integer>1</integer>
<key>OnDemandRules</key>
  <array>
    <dict>
      <key>Action</key>
        <string>Disconnect</string>
      <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
      <key>SSIDMatch</key>
        <array>
          <string><!-- home wifi network name --></string>
        </array>
    </dict>
    <dict>
      <key>Action</key>
        <string>Connect</string>
      <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
    </dict>
    <dict>
      <key>Action</key>
        <string>Connect</string>
      <key>InterfaceTypeMatch</key>
        <string>Cellular</string>
    </dict>
    <dict>
      <key>Action</key>
        <string>Ignore</string>
    </dict>
  </array>

NoahO commented Oct 29, 2016

This would be pretty life-changing if it works.

However I have one question: would this stop you authenticating to public wifi captive portals?


ndtob commented Oct 29, 2016

@NoahO it does work, I've been testing it without issue.

I have also recently tested it at Starbucks and at another captive portal. It prompts you through the captive portal first; after you connect, it then auto-connects to the VPN.

Of course, there may be some weird captive portal where this fails, but you can also disable the VPN to go through the captive portal first.

jackivanov added a commit that referenced this issue Nov 3, 2016

jackivanov (Collaborator) commented Nov 3, 2016

OK, gentlemen.
Implemented in the OnDemandRules_mobileconfig branch

There are 3 new options:

Do you want to enable VPN always when connected to Wi-Fi?
Do you want to exclude trusted Wi-Fi networks from VPN usage? (eg: Your home network. Comma-separated value, eg: HomeMeganet,OfficeSuperWifi,AlgoWiFi)
Do you want to enable VPN always when connected to the cellular network?
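The following is an added example, not code from the Algo project or from anyone in this thread. It is a small Python generator for the OnDemandRules fragment driven by the three prompts listed above, laid out the way ndtob's fragments earlier in the thread are: a per-interface Connect or Disconnect rule for Wi-Fi and cellular, a trusted-SSID Disconnect rule placed ahead of the generic Wi-Fi rule, and a trailing Ignore catch-all. It renders the keys with plistlib so the XML nesting is valid, and includes a simulator of iOS's top-to-bottom, first-match rule evaluation so you can check which action a given interface and SSID would hit before installing the profile. The function names, the comma splitting of the trusted-SSID answer and the default action when no rule matches are assumptions made here.

```python
"""Build and sanity-check the OnDemandRules block of an iOS VPN payload.

Added example for this thread, not Algo's own code. Function names, the
comma splitting of the trusted-SSID answer and the default action when no
rule matches are assumptions; the key names and values are the ones used
in the fragments posted in the thread.
"""
import plistlib
from typing import Dict, List, Optional

WIFI = "WiFi"          # InterfaceTypeMatch values as used in the payload
CELLULAR = "Cellular"


def parse_trusted_ssids(answer: str) -> List[str]:
    """Split the comma-separated answer to the 'trusted Wi-Fi networks' prompt."""
    return [s.strip() for s in answer.split(",") if s.strip()]


def build_on_demand_rules(vpn_on_wifi: bool,
                          trusted_ssids: List[str],
                          vpn_on_cellular: bool) -> List[Dict]:
    """Return the OnDemandRules array in evaluation order.

    iOS walks the array top to bottom and applies the first rule that
    matches, so the trusted-SSID Disconnect rule has to come before the
    generic Wi-Fi Connect rule or it would never be reached.
    """
    rules: List[Dict] = []
    if vpn_on_wifi and trusted_ssids:
        rules.append({"Action": "Disconnect",
                      "InterfaceTypeMatch": WIFI,
                      "SSIDMatch": list(trusted_ssids)})
    rules.append({"Action": "Connect" if vpn_on_wifi else "Disconnect",
                  "InterfaceTypeMatch": WIFI})
    rules.append({"Action": "Connect" if vpn_on_cellular else "Disconnect",
                  "InterfaceTypeMatch": CELLULAR})
    # Catch-all, as in the third fragment in the thread: any other
    # interface leaves the tunnel state alone.
    rules.append({"Action": "Ignore"})
    return rules


def build_payload_fragment(vpn_on_wifi: bool,
                           trusted_ssids: List[str],
                           vpn_on_cellular: bool) -> Dict:
    """Keys that belong inside the VPN payload dict of the .mobileconfig."""
    enabled = vpn_on_wifi or vpn_on_cellular
    fragment: Dict = {"OnDemandEnabled": 1 if enabled else 0}
    if enabled:
        fragment["OnDemandRules"] = build_on_demand_rules(
            vpn_on_wifi, trusted_ssids, vpn_on_cellular)
    return fragment


def render_xml(fragment: Dict) -> str:
    """Serialise with plistlib so the <key>/<string>/<array> nesting is valid."""
    return plistlib.dumps(fragment, fmt=plistlib.FMT_XML).decode()


def evaluate(rules: List[Dict], interface: str, ssid: Optional[str] = None) -> str:
    """Simulate first-match evaluation for one network state.

    A rule matches when every match key it carries is satisfied; a rule with
    no match keys (the trailing Ignore) matches everything.
    """
    for rule in rules:
        if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != interface:
            continue
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue
        return rule["Action"]
    return "Ignore"  # assumption: with no matching rule nothing happens


if __name__ == "__main__":
    # Constructed sample answers to the three prompts.
    trusted = parse_trusted_ssids("HomeMeganet,OfficeSuperWifi,AlgoWiFi")
    fragment = build_payload_fragment(True, trusted, True)
    print(render_xml(fragment))
    for iface, ssid in [(WIFI, "HomeMeganet"), (WIFI, "Starbucks"), (CELLULAR, None)]:
        action = evaluate(fragment["OnDemandRules"], iface, ssid)
        print(f"{iface:8s} {ssid or '-':14s} -> {action}")
```

plistlib wraps the output in a full `<plist><dict>` envelope; only the `OnDemandEnabled` and `OnDemandRules` keys inside it are pasted into the VPN payload dict of the .mobileconfig. The simulator is the useful part when editing rules by hand: swap the order of the SSIDMatch Disconnect rule and the generic Wi-Fi Connect rule and `evaluate` shows the home network would be tunnelled anyway, which is exactly the mistake first-match evaluation makes easy.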
jackivanov (Collaborator) commented Nov 23, 2016

Merged

@jackivanov jackivanov closed this Nov 23, 2016


noeltimothy commented Feb 23, 2017

Hi, I'm new to this product, but the downside of the on-demand VPN is that users can easily disable it by toggling the "connect on demand" switch.
Has anyone tried the AlwaysOn VPN type on a non-supervised device? Apple doesn't explicitly mention supervised mode for this, but other sources do.

faf0 pushed a commit to faf0/algo that referenced this issue Dec 13, 2018
