By using profile files for device configuration, an iPhone can be set up to establish a secure VPN connection automatically whenever it connects to an unsafe public wireless network. This article explains how this works and provides an easily customizable template.

Scenario: You connect your iPhone to a public hotspot of your choice, say in some café at the airport. Your iPhone connects and immediately starts sending account information, such as your e-mail access data, over the unknown WiFi to retrieve the latest e-mails for you. Your supposedly secret access data is now readable by everyone in this public WiFi, and anyone technically able to read your passwords can also log into your e-mail inbox. Of course, this is not a desirable state of affairs.

The remedy here is the use of a so-called VPN tunnel. The secure VPN tunnel is set up from your device to your home (or another secure endpoint), and all user data traffic, such as mail accounts and chats, only reaches the Internet from the endpoint of the tunnel. The VPN tunnel thus enables secure surfing as if you were at home.

If you have ever tried to protect your iPhone data traffic through a VPN, you will have noticed that after some time the iPhone simply terminates the active tunnel, for example when no data has flowed for a while. It is also quite annoying to have to switch off the VPN tunnel manually when you are back at home. But there is a more serious problem: to switch on the VPN manually, you must first be connected to the WiFi. Before you can connect the VPN manually, the iPhone will already have sent data in the background via the possibly insecure WiFi network within seconds.

To prevent this from happening in the future, we instruct our iPhone to establish a VPN connection in every unknown WiFi before it sends any data. We realize this via so-called profiles. Profiles are basically files with XML-structured content that tell the iPhone how to behave under certain conditions. Usually these configuration files are used in a corporate environment, so that thousands of mobile phones do not have to be configured by hand, either by administrators or by the employees themselves. Instead, you create a single profile and distribute it to the employee devices with a single click. The profile configuration sometimes allows deeper interventions in the settings of our iPhone than the settings menu does. And that is exactly what we are taking advantage of.

Enrich the template with your VPN data

The following code is a template for exactly the use case described above. In this profile a VPN of the type IPsec is used, as provided by a FritzBox, for example.

Just search for “CHANGETHIS” and replace the data in these sections with your own VPN access data.

You need the following data:

  • Your hostname
  • username
  • password
  • shared secret
  • List of WiFi networks you trust and which do not require a VPN connection (your trusted network at work or at home)

Simply enter all data except the shared secret as plain text in the XML file.
Paste your shared secret into this generator (https://www.base64decode.org) and encode it to Base64, then enter the Base64-encoded shared secret in the appropriate place in the file.

Do I also have to adjust the payload data in the template?

You may ask yourself whether you also have to adjust the payload data contained in the template, such as the PayloadUUID. I will deal briefly with this question and explain the background a little in this section.
Apple actually provides an application that can be used to create profiles for iOS devices. The tool is called Apple Configurator 2 and enables the creation of profile files via a graphical interface. When a profile is generated with this tool, the payload data is generated automatically. It is more or less a random number, or rather a checksum, generated from various variables of the created profile.

This random number is very probably unique, i.e. it will hardly ever happen that two profiles with exactly the same PayloadUUID are installed on one device. And this is how it should be, because this unique UUID allows us to adapt the profile file later and send the modified version to the end device again without the profile being created twice. If a profile with the same UUID is already installed on the mobile device, it is only updated. If you send a profile with a different UUID to the iPhone, it is installed in addition to the already existing one, i.e. you might end up with duplicate profiles.

TLDR: No, you don’t have to adjust the payload sections of the profile.

Save the mobileconfig file and send it to the iPhone

You can save the complete file as vpn.mobileconfig. The file extension ".mobileconfig" is particularly important.
After editing and saving, send this file to your iPhone via AirDrop or e-mail and install the created profile. Done.

mobileconfig file to customize:

[code]<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key>
        <string>SharedSecret</string>
        <key>LocalIdentifier</key>
        <string>CHANGETHISusername</string>
        <key>LocalIdentifierType</key>
        <string>KeyID</string>
        <key>RemoteAddress</key>
        <string>CHANGETHISmy.hostname.de</string>
        <key>SharedSecret</key>
        <data>
        CHANGETHISBUTBEFORECONVERTTOBASE64
        </data>
        <key>XAuthEnabled</key>
        <integer>1</integer>
        <key>XAuthName</key>
        <string>CHANGETHISusername</string>
        <key>XAuthPassword</key>
        <string>CHANGETHISpassword</string>
      </dict>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>1</integer>
      </dict>
      <key>OverridePrimary</key>
      <true/>
      <key>PayloadDisplayName</key>
      <string>Manual connection to home network</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.vpn.managed.D58846D4-51B5-437E-9147-199C811ABA1C</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>
      <string>D58846D4-51B5-437E-9147-199C811ABA1C</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>UserDefinedName</key>
      <string>Manual connection to home network</string>
      <key>VPNType</key>
      <string>IPSec</string>
    </dict>
    <dict>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key>
        <string>SharedSecret</string>
        <key>LocalIdentifier</key>
        <string>CHANGETHISusername</string>
        <key>LocalIdentifierType</key>
        <string>KeyID</string>
        <key>RemoteAddress</key>
        <string>CHANGETHISmy.hostname.de</string>
        <key>SharedSecret</key>
        <data>
        CHANGETHISBUTBEFORECONVERTTOBASE64
        </data>
        <key>XAuthEnabled</key>
        <integer>1</integer>
        <key>XAuthName</key>
        <string>CHANGETHISusername</string>
        <key>XAuthPassword</key>
        <string>CHANGETHISpassword</string>
      </dict>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>1</integer>
      </dict>
      <key>OnDemandEnabled</key>
      <integer>1</integer>
      <key>OnDemandRules</key>
      <array>
        <!-- Rules are evaluated top to bottom; the first match wins. -->
        <dict>
          <key>Action</key>
          <string>Disconnect</string>
          <key>InterfaceTypeMatch</key>
          <string>WiFi</string>
          <key>SSIDMatch</key>
          <array>
            <string>CHANGETHISTrustedHomenetworkname(SSID)</string>
            <string>CHANGETHISTrustedWorknetworkname(SSID)</string>
          </array>
        </dict>
        <dict>
          <key>Action</key>
          <string>Connect</string>
          <key>InterfaceTypeMatch</key>
          <string>WiFi</string>
        </dict>
        <dict>
          <key>Action</key>
          <string>Disconnect</string>
        </dict>
      </array>
      <key>OverridePrimary</key>
      <true/>
      <key>PayloadDisplayName</key>
      <string>Autoconnect via VPN in foreign WiFi</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.vpn.managed.85284094-A9F5-47D7-A1CD-6F831B2FFAC0</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>
      <string>85284094-A9F5-47D7-A1CD-6F831B2FFAC0</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>UserDefinedName</key>
      <string>Autoconnect via VPN in foreign WiFi</string>
      <key>VPNType</key>
      <string>IPSec</string>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Allows to connect to your home-network to tunnel all traffic through unsecure, public WiFi-networks.</string>
  <key>PayloadDisplayName</key>
  <string>CHANGETHIS VPN Configurations for organization (for example company name)</string>
  <key>PayloadIdentifier</key>
  <string>DB.BAB78424-28FB-4654-915D-93D0CB87CC7B</string>
  <key>PayloadOrganization</key>
  <string>CHANGETHIS Optional: Given name Surname for name of organization (for example company name)</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>8CADFABC-C196-4784-948E-FB5345714B22</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>[/code]
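As an added example (not part of the original article and not an Apple tool), the following Python script generates the same two-payload profile with the standard library's plistlib instead of hand-editing placeholders: the shared secret is passed as plain text and written as Base64 `<data>` automatically, and the PayloadUUIDs are derived deterministically from the hostname so that regenerating the file updates the installed profile rather than duplicating it. All hostnames, credentials and SSIDs below are constructed sample values.

```python
import plistlib
import uuid

# Constructed sample values; replace with your own VPN access data.
SAMPLE = dict(host="vpn.example.invalid", user="alice", password="s3cret",
              secret="my shared secret", trusted=["HomeWiFi", "OfficeWiFi"])

def on_demand_rules(trusted_ssids):
    """Rules are evaluated top to bottom, first match wins: trusted WiFi ->
    no tunnel; any other WiFi -> connect; anything else (cellular) -> no tunnel."""
    return [{"Action": "Disconnect", "InterfaceTypeMatch": "WiFi",
             "SSIDMatch": list(trusted_ssids)},
            {"Action": "Connect", "InterfaceTypeMatch": "WiFi"},
            {"Action": "Disconnect"}]

def vpn_payload(name, host, user, password, secret, rules=None):
    """One com.apple.vpn.managed payload shaped like the template above.
    bytes values are serialised as <data>, i.e. Base64-encoded by plistlib."""
    # uuid5 is stable for the same host/name, so re-sending updates the profile.
    uid = str(uuid.uuid5(uuid.NAMESPACE_DNS, f"{host}/{name}")).upper()
    payload = {
        "IPSec": {"AuthenticationMethod": "SharedSecret",
                  "LocalIdentifier": user, "LocalIdentifierType": "KeyID",
                  "RemoteAddress": host, "SharedSecret": secret.encode("utf-8"),
                  "XAuthEnabled": 1, "XAuthName": user, "XAuthPassword": password},
        "IPv4": {"OverridePrimary": 1}, "OverridePrimary": True,
        "PayloadDisplayName": name, "UserDefinedName": name,
        "PayloadIdentifier": f"com.apple.vpn.managed.{uid}", "PayloadUUID": uid,
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
        "VPNType": "IPSec"}
    if rules:
        payload["OnDemandEnabled"] = 1
        payload["OnDemandRules"] = rules
    return payload

def build_profile(host, user, password, secret, trusted, org="Example Org"):
    """Return the complete .mobileconfig (XML plist) as bytes."""
    uid = str(uuid.uuid5(uuid.NAMESPACE_DNS, f"{host}/profile")).upper()
    profile = {
        "PayloadContent": [
            vpn_payload("Manual connection to home network", host, user, password, secret),
            vpn_payload("Autoconnect via VPN in foreign WiFi", host, user, password,
                        secret, on_demand_rules(trusted))],
        "PayloadDescription": "Tunnels all traffic through the home network on untrusted WiFi.",
        "PayloadDisplayName": f"VPN configuration for {org}", "PayloadOrganization": org,
        "PayloadIdentifier": f"vpn.profile.{uid}", "PayloadRemovalDisallowed": False,
        "PayloadType": "Configuration", "PayloadUUID": uid, "PayloadVersion": 1}
    data = plistlib.dumps(profile, fmt=plistlib.FMT_XML)
    if b"CHANGETHIS" in data:  # sanity check: no template placeholder survived
        raise ValueError("unfilled placeholder in profile")
    return data

def load_profile(data):
    """Parse generated profile bytes back into a dict (for checking the result)."""
    return plistlib.loads(data)

if __name__ == "__main__":
    with open("vpn.mobileconfig", "wb") as f:
        f.write(build_profile(**SAMPLE))
```

Send the resulting vpn.mobileconfig to the iPhone exactly as described for the hand-edited template; nothing in the file format changes.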

All the links in this text are Amazon Affiliate Links, and by clicking on an affiliate link I will earn a percentage of your subsequent Amazon purchases. However, this circumstance does not influence the background of my product recommendation. This product recommendation is independent, honest and sincere. 