TL;DR: A DigitalOcean droplet, strongSwan, and a custom Configuration Profile for iOS routes all the traffic from my iPhone via my droplet. Why? Just because I can.
Note: This setup does not require you to download Apple Configurator and switch your iPhone into Supervised mode (we will create a configuration profile by hand instead, and install it on the iPhone).
Configure strongSwan by following all the instructions here
- Ignore the part about configuring the firewall, we’ll do this later
- Ensure strongswan starts on boot via chkconfig
chkconfig --add strongswan chkconfig strongswan on # Verify chkconfig --list strongswan
- You don’t need to install any certificates on your iPhone/iPad/Mac as we’re using a pre-shared key (PSK) instead of a certificate based client authentication mechanism
Allow traffic to be forwarded from your server by adding the two iptables rules here
Be sure to modify the network in the two iptables commands (it should match the one specified in your strongSwan config)
Save the two rules which you’ve just added
service iptables save
Open up UDP ports 500 and 4500 for your instance if required (AWS/DigitalOcean/etc)
Adapt the following Configuration Profile for your iOS device
Replace the following variables with reasonable values for your setup:
MY_PROFILE_NAME - Only used for display purposes MY_DOMAIN - Just for scoping MY_STRONGSWAN_SERVER_IP_ADDRESS - Your server's IPv4 address MY_ACCOUNT_NAME - See /etc/strongswan/ipsec.secrets MY_ACCOUNT_PASSWORD - See /etc/strongswan/ipsec.secrets MY_INITIALS - Your initials (eg: JP)
Once you’ve updated the content of the XML file above, rename the file to VPNConfig.mobileconfig. Then, either AirDrop it to your iPhone/iPad, or transfer it by some other means.
Since we’re using a PSK, as soon as you install the profile, it’ll prompt you for the PSK. This can again be found in /etc/strongswan/ipsec.secrets.
All done! :)
Cheers on your newly established, always on VPN tunnel between your iOS device and your server!
The Configuration Profile was inspired from Thomas’s blog post here.