iOS - supervised mode and always-on VPN
It is quite possible to get an "always-on" VPN by activating the "Connect on demand" option via a VPN profile, both in iOS and OS X/macOS.
For instance, some commercial VPN providers do that.
However, that only applies to VPNs configured via the native client, and not to 3rd-party VPNs like OpenVPN.
The behaviour of Connect on demand VPNs is that as soon as TCP/IP packets try to leave the iDevice, the VPN goes up.
I have been using it with VPNs with IPsec with IKEv1 in iOS 8 and iOS 9, so the IKEv2 requirement does not seem to apply. I have also been using it without supervised mode.
The profile file is an XML file that can be written by hand or with the help of Apple tools. The file has to have the extension .mobileconfig, and has to be loaded by the Safari browser in iOS.
As an example, I am using this file for a full VPN tunnel: "Cisco" IPsec with group password and user XAUTH authentication.
I put "Cisco" because, in my case, the VPN servers are, respectively, a pfSense firewall and a Debian Linux server.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key>
        <string>SharedSecret</string>
        <key>LocalIdentifier</key>
        <string>*group_name*</string>
        <key>LocalIdentifierType</key>
        <string>KeyID</string>
        <key>RemoteAddress</key>
        <string>*11.11.11.11*</string>
        <key>SharedSecret</key>
        <data>
        *ksjksdjksdf*
        </data>
        <key>XAuthEnabled</key>
        <integer>1</integer>
        <key>XAuthName</key>
        <string>*username*</string>
        <key>XAuthPassword</key>
        <string>*password*</string>
        <key>DisconnectOnIdle</key>
        <integer>0</integer>
        <key>OnDemandEnabled</key>
        <integer>1</integer>
        <key>OnDemandRules</key>
        <array>
          <dict>
            <key>Action</key>
            <string>Connect</string>
          </dict>
        </array>
      </dict>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>1</integer>
      </dict>
      <key>PayloadDescription</key>
      <string>Configures VPN settings, including authentication.</string>
      <key>PayloadDisplayName</key>
      <string>*VPN (MyHOME)*</string>
      <key>PayloadIdentifier</key>
      <string>*com.myhome.pt.vpn*</string>
      <key>PayloadOrganization</key>
      <string>*MY-HOME*</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>
      <string>D758D99C-7CCE-44DC-8CAE-B2A5FFC86985</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Proxies</key>
      <dict/>
      <key>UserDefinedName</key>
      <string>*VPN My-HOME*</string>
      <key>VPNType</key>
      <string>IPSec</string>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>*VPN provisioning for My-HOME*</string>
  <key>PayloadDisplayName</key>
  <string>*MY-HOME*</string>
  <key>PayloadIdentifier</key>
  <string>*com.myhome.pt*</string>
  <key>PayloadOrganization</key>
  <string>*MY-HOME*</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>A8E086BE-C9B1-4EA8-9E6A-F25001E0A293</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
As you correctly suspect, there are downsides to this approach. While the connect on demand profile is active, the regular wake-ups for fetching data seem not to be done (at least until iOS 9; I still have to test iOS 10), and as such FaceTime calls are not always received while the device is "sleeping".
The Apple documentation about these directives is here. "IPSec Dictionary Keys" is of particular interest.
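An added example, not part of the original answer: a Python check that loads a .mobileconfig like the one above with plistlib and reports whether its on-demand rules bring the tunnel up for all traffic, whether the tunnel is full, and which secrets are embedded in the file. The sample profile, function names and finding texts are constructed for illustration; it assumes the on-demand keys sit in the dictionary named by VPNType, as in the profile shown.

```python
import plistlib

# Constructed sample: same keys as the profile above, placeholder values only.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>UserDefinedName</key><string>VPN example</string>
  <key>VPNType</key><string>IPSec</string>
  <key>IPSec</key><dict>
    <key>SharedSecret</key><data>cGxhY2Vob2xkZXI=</data>
    <key>XAuthPassword</key><string>placeholder</string>
    <key>OnDemandEnabled</key><integer>1</integer>
    <key>OnDemandRules</key><array><dict>
      <key>Action</key><string>Connect</string></dict></array>
  </dict>
  <key>IPv4</key><dict><key>OverridePrimary</key><integer>1</integer></dict>
</dict></array>
<key>PayloadRemovalDisallowed</key><false/>
</dict></plist>"""

def always_connects(rules):
    """Rules are matched in order; True if every rule up to the first
    criteria-free one (which matches everything) has Action Connect."""
    for rule in rules:
        if rule.get("Action") != "Connect":
            return False
        if set(rule) == {"Action"}:  # no match criteria: applies to all traffic
            return True
    return False

def audit(profile_bytes):
    """Return (payload name, finding) pairs for the VPN payloads in a profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append(("profile", "user can remove the profile"))
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue
        name = p.get("UserDefinedName", "?")
        cfg = p.get(p.get("VPNType", ""), {})  # e.g. the IPSec dictionary
        for key in ("SharedSecret", "XAuthPassword"):
            if key in cfg:  # readable by anyone who obtains the file
                findings.append((name, f"{key} stored in the profile"))
        if not (cfg.get("OnDemandEnabled") == 1 and always_connects(cfg.get("OnDemandRules", []))):
            findings.append((name, "on-demand rules do not connect for all traffic"))
        if p.get("IPv4", {}).get("OverridePrimary") != 1:
            findings.append((name, "split tunnel: OverridePrimary not set"))
    return findings
```

Calling `audit(open("home.mobileconfig", "rb").read())` (a hypothetical file name) returns an empty list only when the profile is non-removable, carries no embedded secrets and forces a full tunnel on demand.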