iOS IKEv2 MANUAL SERVER CONFIG + On-Demand

Discussion in 'Services - Questions & Answers (Q&A)' started by etacarinaecosmos, Nov 2, 2018.

  1. etacarinaecosmos New Member

    Hi All,

    As I'm sure you all know, any VPN connection on iOS - whether it's a manual config, a downloaded profile/CA config, or a VPN App - that has the 'Connect On-Demand' option enabled is a leak-proof, killswitch-enabled (for all intents and purposes) VPN.

    When downloading the configuration profiles for IKEv2 on iOS, Perfect-Privacy supports On-Demand connections. However, when setting up a manual IPSec configuration, On-Demand isn't available as it isn't supported in this way by iOS. Similarly, Perfect-Privacy doesn't support manual setup of IKEv2 on iOS (only manual IPSec; IKEv2 you must download the config).

    I have no problem downloading the configs, but I'm looking for a place where I can download the config for a SPECIFIC SERVER within a city, not just the entire city hostname which puts me on a random server. Under the downloads section of the member area for macOS and iOS, the only IKEv2 profile downloads are for the city hostname. It doesn't have profiles for individual servers. The reason I'd like a specific server option is I would like to ensure I ALWAYS connect to London2, via an On-Demand connection on iOS. The only way to connect to London2 manually every time is via IPSec manual config, which has no On-Demand - or via IKEv2 London config, which has On-Demand, but will put me on either London1 or London2 randomly. I'd like London2 as it works with Netflix but London1 does not. Is it a dealbreaker? Of course not. I love PP either way. But having the IKEv2 profile for specific servers would be a desired option so that I can force an On-Demand connection to London2.

    Worst case, I use the London IKEv2 profile and just reconnect until I get London2 (easily identifiable by the IP address of the server upon connecting); however, it exposes me, as even with On-Demand selected, if you manually disconnect a VPN connection it will turn off On-Demand. On-Demand is leak-proof for accidental disconnects but NOT intentional ones.

    Any guidance is appreciated! For what it's worth - I know you can download the individual server configs for OpenVPN protocols and I have done this and imported it to OpenVPN Connect. The reason I'm looking for an iOS IKEv2 profile for London2 is exactly that - to have it with IKEv2 and the iOS native On-Demand VPN setup. OVPN Connect does not support On-Demand connections on iOS.

    If only it were all as simple as the Windows and macOS clients for Perfect-Privacy: In both applications, I have permanent leak protection (killswitch) enabled: meaning that even when I quit Perfect-Privacy, all network connectivity is blocked until I open the application and connect. This level 3 killswitch is very rare in the VPN-world and highly valuable, particularly for privacy protection (and in censorship countries where even a momentary leak can cause problems). And on top of the level 3 killswitch, you can select individual servers. :)

    Cheers,
    e
     
    Last edited: Nov 2, 2018
  2. etacarinaecosmos New Member

    For what it's worth, there is no way to do this with IKEv2.

    However, I did find a way to create an iOS OpenVPN On Demand VPN connection. After downloading the London2 OpenVPN config file, I was able to import it to a Profile I created for iOS in Apple Configurator, and to force VPN On Demand in the profile VPN Settings. Basically, after installing this profile on my iPhone, this OpenVPN connection is now displayed in the native menu with the ability to connect on demand. Since OpenVPN isn't natively supported on iOS the OpenVPN Connect application is still required to be installed on the device, however unlike typical OVPN connections that are imported into OpenVPN Connect, this OpenVPN connection attached to the iOS device profile is able to connect on demand, which essentially is a leak-proof VPN killswitch. It is enabled/disabled from the VPN menu as opposed to the OVPN Connect app, and any time the VPN connection is disabled (manually), loses connection, cannot connect, etc. - this includes if the user manually turns it off - all network connectivity is immediately lost until the connection is reestablished.

    Finally!
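
A profile of the kind described in the post above can also be built outside Apple Configurator. The following is an added example, not code from the thread or from Perfect-Privacy: it assumes the OpenVPN Connect bundle ID `net.openvpn.connect.app`, username/password login, that app's `VendorConfig` conventions (`NOARGS` for flag directives, a literal `\n` between lines of inline blocks), a single `remote` line, and a placeholder host and certificate.

```python
import plistlib
import uuid

# Constructed sample .ovpn; host and certificate body are placeholders.
SAMPLE_OVPN = """client
dev tun
remote vpn-server.example 1194
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

def vendor_config(ovpn_text):
    """Flatten .ovpn directives into the string dict OpenVPN Connect reads."""
    cfg, block = {}, None
    for line in (l.strip() for l in ovpn_text.splitlines()):
        if block:                                 # inside <ca>...</ca> etc.
            if line == f"</{block}>":
                block = None
            else:
                cfg[block] += line + "\\n"        # literal backslash-n separator
        elif line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            cfg[block] = ""
        elif line and line[0] not in "#;":        # skip blanks and comments
            key, _, value = line.partition(" ")
            cfg[key] = value.strip() or "NOARGS"  # flag directives take NOARGS
    return cfg

def build_profile(name, ovpn_text):
    """Return .mobileconfig bytes with an always-connect On Demand rule."""
    def ident(suffix):
        return {"PayloadIdentifier": f"example.ondemand.{suffix}",
                "PayloadUUID": str(uuid.uuid4()).upper(),
                "PayloadVersion": 1, "PayloadDisplayName": name}
    vpn = dict(ident("vpn"), PayloadType="com.apple.vpn.managed",
               UserDefinedName=name, VPNType="VPN",
               VPNSubType="net.openvpn.connect.app",  # assumed app bundle ID
               VendorConfig=vendor_config(ovpn_text),
               VPN={"RemoteAddress": "DEFAULT",
                    "AuthenticationMethod": "Password",  # assumed login type
                    "OnDemandEnabled": 1,
                    # One rule with no match criteria applies on every network.
                    "OnDemandRules": [{"Action": "Connect"}]})
    profile = dict(ident("profile"), PayloadType="Configuration",
                   PayloadContent=[vpn])
    return plistlib.dumps(profile)

if __name__ == "__main__":
    print(build_profile("London2 On Demand", SAMPLE_OVPN).decode())
```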
     
  3. PP Stephan Staff Member

    We are preparing to provide a configuration generator where you will be able to choose specific servers for IPSec connections - but I cannot give an ETA for this at the moment.

    As for OpenVPN on iOS: If you activate "Reconnect on Wakeup" and "Seamless Tunnel" in the OpenVPN app settings, this should effectively work like on-demand.
     
  4. etacarinaecosmos New Member

    Great, thanks very much for this information! The IPSec generator that you mentioned would be absolutely fantastic. Thanks for this information! Cheers