Leveraging Apple “VPN on Demand” to access hidden services


There are many services which you can set up within your local network. As soon as you want to access these services from outside your network, you can forward ports in your router so that the services are reachable from the internet. In this way you can also share these services with friends and the world.

The drawback of this approach is that you have to carefully ensure that these exposed services do not have security issues. This is a very time-consuming task.

If you only want to access the services with a set of private devices, there is also the possibility to establish a VPN session into your network. As soon as you have an internal IP address you can access the service as if you were at home inside your local network. The drawback is that you have to start the VPN by hand each time you want to use the service. This can reduce the adoption inside your family 😉

‘VPN on Demand’ for Apple devices

Apple explains the function of its VPN implementation in its iOS Deployment Reference – VPN Private Network:

“VPN On Demand lets Apple devices automatically establish a connection on an as-needed basis. VPN On Demand is configured using the OnDemandRules key in a VPN payload of a configuration profile.”

So when is ‘VPN on Demand’ engaged? The key is the DNS resolution. In your local network you have to have name resolution for the service you want to access. And if you are not connected to your local network, the iOS device must not be able to resolve the name using the public DNS. ‘VPN on Demand’ is instructed to automatically connect to the VPN server whenever name resolution for the defined services is not possible. In the following I assume that you have your VPN server up and running and that your VPN server is accessible via DDNS from the internet using the address vpn.mydomain.com.

You have to know that ‘VPN on Demand’ cannot be configured on your iOS device. You have to create a profile on a desktop computer and then transfer this profile to the iOS device. There are a couple of possibilities to create a profile:

  1. ‘Apple Profile Manager’
    The Apple Profile Manager is part of the Apple Server, which can be bought in the Apple App Store.
    You can find documentation of the Profile Manager in Apple's Support area.
    The Profile Manager offers the option to create a ‘VPN on Demand’.
  2. ‘Apple Configurator 2’ + manual adaptation of the profile
    The Apple Configurator 2 is a free app which can be downloaded here.
    You can find documentation of the Apple Configurator in Apple's Support area.
    The Apple Configurator 2.5 does not offer the option to create a ‘VPN on Demand’.
    To get a working VPN profile you can first use the Apple Configurator 2 to create a VPN and then add the appropriate rules by hand.
  3. Create the profile by yourself
    You can create a profile with the appropriate XML structure. You can find an extensive explanation of the options here.

Using Apple Profile Manager to create the profile

In the following I will show how to create the VPN configuration profile using the Apple Profile Manager. If you want to adapt the profiles which are generated by the Profile Manager, you have to disable the option ‘Sign configuration profiles’.

You can then access the Profile Manager by pressing the Profile Manager link, which can be found in the last line of the app.

You can create a VPN entry in all different profiles. I will add a device and describe the necessary steps in the VPN Dialog.

Navigate to Library -> Devices and press “+”. A dialog will appear. Just enter the appropriate values for your iOS device.

Now we have created a device called Placeholder.

The next step is to edit the profile by pressing the ‘Edit’ button.

For this example I use:

Connection Name: My test connection
Connection Type: L2TP
Server: vpn.mydomain.com
User: vpnuser
Password: vpnpassword
Shared Secret: vpnsharedsecret
Enable VPN on Demand
For openhab.mydomain.com set the On Demand Action to always.

The following screen reflects the inputs:

After pressing ‘OK’ and then ‘Save’ on the next page you will be able to download the profile:

Installing the profile on the iOS device

By pressing ‘Download’ you save a file called ‘Settings_for_Placeholder.mobileconfig’ on your computer.

Now you can send the file to the iOS device. You should use a secure connection, because the password is embedded in the profile, so anyone who gets hold of the file can apply the profile.

AirDrop is one very good choice 🙂

Right click on the file and select “Share -> AirDrop”.

After selecting the target device and pressing “Done” the profile will be sent to the iOS device.

On the iOS device you will be asked to install the profile:
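Because the profile embeds the VPN password and shared secret, it is worth checking what an unsigned .mobileconfig contains before sending or installing it. The following Python script is an added example, not part of the original post or of Apple's tooling: it lists embedded credential keys and the domains that trigger ‘VPN on Demand’. The sample profile is constructed from the example values above, and the placement of the on-demand keys inside the IPSec dictionary is an assumption.

```python
import plistlib

# Payload keys that hold credentials, and the legacy on-demand domain lists.
SECRET_KEYS = {"AuthPassword", "SharedSecret", "XAuthPassword"}
LEGACY_DOMAIN_KEYS = {"OnDemandMatchDomainsAlways", "OnDemandMatchDomainsOnRetry"}

# Constructed sample using this post's example values. Placing the on-demand
# keys in the IPSec dictionary is an assumption; the audit finds them anywhere.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "VPNType": "L2TP",
        "PPP": {"AuthName": "vpnuser", "AuthPassword": "vpnpassword",
                "CommRemoteAddress": "vpn.mydomain.com"},
        "IPSec": {"AuthenticationMethod": "SharedSecret",
                  "SharedSecret": b"vpnsharedsecret",
                  "OnDemandEnabled": 1,
                  "OnDemandMatchDomainsAlways": ["openhab.mydomain.com"]},
    }],
})

def walk(node, path=""):
    """Yield (path, key, value) for every dictionary entry in the plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")

def audit_profile(data: bytes) -> dict:
    """Report embedded secrets and on-demand trigger domains of a profile."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # signed (CMS-wrapped) profiles are not plain plists
        raise ValueError("not an unsigned plist profile") from exc
    report = {"secrets": [], "domains": set()}
    for path, key, value in walk(profile):
        if key in SECRET_KEYS and value:
            report["secrets"].append(f"{path}/{key}")  # location only, never the value
        elif key in LEGACY_DOMAIN_KEYS:
            report["domains"].update(value)
        elif key == "ActionParameters":  # part of an OnDemandRules entry
            report["domains"].update(d for p in value for d in p.get("Domains", []))
    return report
```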

After successful installation you will find the connection in the VPN section:

Using ‘VPN on Demand’

Now whenever you are not connected to your local network where you can resolve the name of your service, ‘VPN on Demand’ will connect to your VPN server.

In our example the request to connect to ‘openhab.mydomain.com’ will trigger the VPN connection. The successful connection is indicated by the ‘VPN’ symbol in the upper right corner.

And we have successfully accessed a service which is not visible from the internet leveraging our VPN server!

