How can I make my iPhone automatically connect to a VPN when connecting to a WiFi?

When connecting to public WiFi networks, I prefer to have more privacy and also want to be sure that really every network packet is encrypted [1]. You can achieve that by connecting to a VPN, for example.

On an iPhone, you can only connect to a VPN if you already have an internet connection. Well, that's trivial and always the case, but on iPhone you have to connect to a WiFi first and then manually connect to a VPN afterwards. So there will be a short moment where your apps (background sync etc.) will send traffic without using a VPN. Furthermore, if you put your iPhone aside or lock it immediately, the WiFi will disconnect and thus the VPN will disconnect. If you unlock your iPhone again or your iPhone wants to perform some background synchronization, WiFi will reconnect, but VPN will not. Again, sensitive data might leak.

So, how can I make my iPhone automatically connect to a VPN when connecting to a WiFi?


[1] Most data will be encrypted nowadays anyway, but:

  • there might be an app with security issues in its protocol
  • or there might be an app that just does not encrypt all data
  • or there might be encrypted data accompanied by unencrypted metadata

The good news is, you can configure it! The bad news is, it cannot be configured easily through the GUI. It looks like such a VPN configuration is considered to be a thing for organizations and not for consumers.

Btw.: The keywords for such a VPN configuration are VPN On Demand or Always On VPN.

To implement such a VPN configuration, you need to write a configuration profile and install it on your iPhone.

Configuration profiles (in the Apple universe) can be seen as the equivalent of Group Policy Objects (GPO) in the Microsoft world. They are basically XML files and therefore quite human readable. They can be created:

  • with a mobile device management (MDM) solution
  • with Apple Configurator 2
  • or manually

They can be deployed:

  • with a mobile device management (MDM) solution
  • with Apple Configurator 2
  • by hosting them on a webserver
  • by sending them by e-mail

As a consumer, you might not have access to MDM or Apple Configurator (runs on macOS only). So, I'll cover how you can write your configuration profile manually. If you need all the details, I recommend reading this excellent blog article that I used as my main source.

To establish a VPN connection as soon as your iPhone connects to WiFi, you need a configuration profile that looks similar to the following (save it to a file that ends with .mobileconfig):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>UserDefinedName</key>
      <string>VPN if WiFi</string>
      <key>PayloadDisplayName</key>
      <string>VPN if WiFi</string>
      <key>PayloadIdentifier</key>
      <string>any.unique.looking.name</string>
      <key>PayloadUUID</key>
      <string>05b44261-a564-4e3a-8026-ae5e3089c326</string>
      <!-- VPN security config -->
      <key>VPNType</key>
      <string>IPSec</string>
      <key>IPSec</key>
      <dict>
        <key>RemoteAddress</key>
        <string>CHANGE_ME_IpAddressOrDnsNameOfTheVpnServer</string>
        <key>AuthenticationMethod</key>
        <string>SharedSecret</string>
        <key>XAuthName</key>
        <string>CHANGE_ME_Username</string>
        <key>XAuthPassword</key>
        <string>CHANGE_ME_UserPassword</string>
        <key>XAuthEnabled</key>
        <integer>1</integer>
        <key>LocalIdentifier</key>
        <string>CHANGE_ME_Username</string>
        <key>LocalIdentifierType</key>
        <string>KeyID</string>
        <key>SharedSecret</key>
        <string>CHANGE_ME_SharedSecret</string>
      </dict>
      <!-- VPN on demand config -->
      <key>OnDemandEnabled</key>
      <integer>1</integer>
      <key>OnDemandRules</key>
      <array>
        <!-- SSID exceptions when not to establish a VPN connection (trusted WiFi's) -->
        <dict>
          <key>InterfaceTypeMatch</key>
          <string>WiFi</string>
          <key>SSIDMatch</key>
          <array>
            <string>CHANGE_ME_MyHomeWiFiSsid</string>
            <string>CHANGE_ME_MyTrustedFriendsWiFiSsid</string>
          </array>
          <key>Action</key>
          <string>Disconnect</string>
        </dict>
        <!-- Establish a VPN connection on any other WiFi connection -->
        <dict>
          <key>InterfaceTypeMatch</key>
          <string>WiFi</string>
          <key>Action</key>
          <string>Connect</string>
        </dict>
        <!-- Default action (e. g. on cellular): No VPN -->
        <dict>
          <key>Action</key>
          <string>Disconnect</string>
        </dict>
      </array>
      <key>OverridePrimary</key>
      <true/>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>1</integer>
      </dict>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>VPN Configurations</string>
  <key>PayloadIdentifier</key>
  <string>1d195bcb-752a-44ec-b0c1-8d91af9ef1ed</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>e95c8935-e963-4609-bd24-cd57af79f7f4</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>

This configuration profile is designed to establish a VPN connection to a FRITZ!Box router which uses IPSec with Mutual PSK + XAuth. If you use different security settings, you have to modify the "VPN security config" block. In any case, adjust all strings prefixed by CHANGE_ME according to your infrastructure.

The "VPN on demand config" block can be adjusted to exclude WiFi SSIDs where no VPN connection should be established (e. g. your trusted WiFi networks).

The three GUIDs are random; replace them with your own random GUIDs (e. g. with New-Guid in PowerShell).

After you have deployed and installed this configuration profile on your iPhone, you'll find an entry called "VPN if WiFi" in your VPN connections. Select it, and from now on your iPhone will automatically establish a VPN connection if you are connected to WiFi (except on your trusted WiFi networks).

Instead of adjusting the above configuration profile, you can also use the HTML file of this project on GitHub to generate a configuration profile for you.
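
Added example, not part of the original answer: a Python check to run on a .mobileconfig before installing it. It reports CHANGE_ME strings that were never filled in and simulates which on-demand rule applies for a given interface and SSID. It relies on the rules being evaluated top to bottom with the first match winning, models only InterfaceTypeMatch and SSIDMatch, and the SSIDs and function names are made up for the example.

```python
import plistlib

# Constructed sample: a cut-down VPN payload with made-up SSIDs (not a full profile).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>IPSec</key><dict><key>RemoteAddress</key>
      <string>CHANGE_ME_IpAddressOrDnsNameOfTheVpnServer</string></dict>
    <key>OnDemandEnabled</key><integer>1</integer>
    <key>OnDemandRules</key><array>
      <dict><key>InterfaceTypeMatch</key><string>WiFi</string>
            <key>SSIDMatch</key><array><string>HomeNet</string></array>
            <key>Action</key><string>Disconnect</string></dict>
      <dict><key>InterfaceTypeMatch</key><string>WiFi</string>
            <key>Action</key><string>Connect</string></dict>
      <dict><key>Action</key><string>Disconnect</string></dict>
    </array>
  </dict></array>
</dict></plist>"""

def vpn_payloads(profile):
    """Return every VPN payload dict contained in a parsed profile."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]

def on_demand_action(payload, interface, ssid=None):
    """Action of the first rule whose match keys all fit; rules run top to bottom."""
    if not payload.get("OnDemandEnabled"):
        return None
    for rule in payload.get("OnDemandRules", []):
        if rule.get("InterfaceTypeMatch", interface) != interface:
            continue  # rule is limited to another interface type
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue  # rule is limited to other SSIDs
        return rule.get("Action")
    return None

def leftover_placeholders(node, path=""):
    """List key paths whose string value still starts with CHANGE_ME."""
    if isinstance(node, dict):
        return [h for k, v in node.items() for h in leftover_placeholders(v, f"{path}/{k}")]
    if isinstance(node, list):
        return [h for i, v in enumerate(node) for h in leftover_placeholders(v, f"{path}[{i}]")]
    return [path] if isinstance(node, str) and node.startswith("CHANGE_ME") else []

VPN = vpn_payloads(plistlib.loads(SAMPLE_PROFILE))[0]
if __name__ == "__main__":
    for iface, ssid in [("WiFi", "HomeNet"), ("WiFi", "CafeGuest"), ("Cellular", None)]:
        print(iface, ssid, "->", on_demand_action(VPN, iface, ssid))
    print("unfilled:", leftover_placeholders(VPN))
```

If the first two rules are swapped, the trusted SSID matches the generic WiFi rule first and the exception never applies, so the order of the rule dicts matters.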