Category Archives: iPhone

OpenVPN for iOS

Today, OpenVPN Technologies released OpenVPN Connect for iOS. Finally, we can use OpenVPN on all major platforms. I know many of my blog readers have been waiting for this: my article on the iOS VPN API is one of the most popular articles on my blog.

OpenVPN Connect is not based on the classic GPL OpenVPN software (supposedly GPL and App Store are not compatible), but supposed to be fully compatible with any OpenVPN server running version 2.1 or higher (including IPv6 support with servers running the recently-released version 2.3). Supposedly it can even be managed using the “Custom SSL” option in iPhone Configuration Utility.

Two points I’d like to mention which might temporarily disappoint some people:

  • It currently requires client certificates (but the help promises that that’ll change soon).
  • Layer 2 tap interfaces are not supported. As I noted in my VPN API blog post, iOS provides a utun interface, which only does layer 3.

Go check it out on the App Store or have a look at Gert Döring’s Google+ post.

Update December 2013: Version 1.0.2 (just released) finally works for me. 1.0.0 didn’t work without client certificates and 1.0.1 had some weird SSL library issue where it would reject my server certificate. In 1.0.2 I was  able to just drop my .ovpn file into iTunes and was up and running immediately, including IPv6 support.

iOS 4.1: Undocumented VPN API, used by Cisco AnyConnect

A few days ago, Cisco AnyConnect was admitted to the App Store. This was mentioned by a few blogs, but they didn’t seem to notice the relevance of it. AnyConnect is an enterprise SSL VPN technology by Cisco, so this may not seem relevant to all that many people at first sight.
However, in order to implement a VPN client to provide VPN connectivity for other apps, you need to hook into the operating system’s network stack. On the iOS App Store, everybody knows that Apple is rather strict on what a developer can do — hooking into the OS kernel and providing network functionality to other apps isn’t something they provide APIs for (and therefore don’t allow).

Wondering how Cisco got around these App Store limitations, I took a closer look at the AnyConnect app. Upon first starting it, it asks whether you want to let it “extend… the Virtual Private Network (VPN) capabilities of your device”.

Cisco AnyConnect Secure Mobility Client extends the Virtual Private Network (VPN) capabilities of your device. Do you want to enable this software? Don’t Allow / OK

After entering a VPN server name etc., I switched over to the Settings app and noticed that the newly created AnyConnect VPN showed up as a system-wide VPN (though if you try to edit it from there, it’ll just say that you should use the AnyConnect app instead).

To configure the settings for ….., use the app provided by Cisco.

Odd, how would an app be able to do any of this if it’s not allowed to get involved with iOS deeper than the App Store guidelines would allow?

Moving on and digging deeper into the .ipa bundle:

The Payload contains AnyConnectDataAgent.vpnplugin, in addition to the AnyConnect.app:

AnyConnectDataAgent.vpnplugin

AnyConnect.app‘s Entitlements.plist contains an entitlement named com.apple.networking.vpn.configuration:

com.apple.networking.vpn.configuration

Neither vpnplugin bundles nor the com.apple.networking.vpn.configuration entitlement are documented anywhere (at least not in a way that can be found through Google). Since this appears to be a special iOS API created by Apple specifically for Cisco, the question is whether it’s also open to other developers. The only other app I’ve found that uses it is Juniper Junos Pulse, which was posted a few weeks before the AnyConnect app. Since both Junos Pulse and AnyConnect have in common that they require iOS 4.1, I think it’s safe to assume that 4.1 introduced the API they use.
Personally, I’d be interested to see an OpenVPN client for the iPhone. I’m not sure whether that will ever happen though if this VPN API only exits semi-officially, especially since OpenVPN is not backed by a big company like Cisco or Juniper.

Update 2011: The German computer magazine c’t wrote about the API, but couldn’t make much sense of it either.

Update 2012: The current list of apps using this API consists of: Juniper Junos Pulse (released September 2010, requires iOS 4.1), Cisco AnyConnect (released September 2010, requires iOS 4.1), F5 BIG-IP (released December 2010, requires iOS 4.2), SonicWall Mobile Connect (released December 2011, requires iOS 4.2), Aruba VIA (released December 2011, requires iOS 4.3) and CheckPoint Mobile VPN (released March 2012, requires iOS 5.0).

Update 2012: Googling for the VPN entitlement now not only finds my blog post, but also configd source code at Apple: first in OS X 10.7 sources and later in OS X 10.8 sources (but not in OS X 10.6, which iOS 4 was based on). In the older version, inside an ifdef checking for iPhone OS, a constant named kSCVPNFilterEntitlementName is declared containing that entitlement, but the constant never gets used. In OS X 10.8, it is no longer ifdeffed to the iPhone OS and actually gets used for allowing limited access to the global preferences.plist.

Update 2012: Playing around with AnyConnect again, I noticed that it now uses a generic utun network interface, which is similar to a Linux-style layer 3 tun interface. utun is used for example by Mac OS X’s Back to my Mac feature: the kernel implementation in Mac OS X 10.8.2 can be found in the XNU source at bsd/net/if_utun.c. Some details can be found in Levin, Jonathan. Mac OS X and iOS Internals: To the Apple’s Core. Chapter 17, Layer II, Case Study: utun. Wiley, 2012.

I have received several more reports of unsuccessful attempts to get access to the VPN API. Apparently despite now offering a generic utun interface, Apple continues to be very strict about it. And to date, there still isn’t an OpenVPN client for iOS.

Update 2013: OpenVPN Connect was released today. It supports tun-style OpenVPN connections. Hooray, finally we can use OpenVPN on iOS! Apparently it can even be managed using the “Custom SSL” option in iPhone Configuration Utility.

3rd party Exchange ActiveSync servers

I’ve recently been looking for a comprehensive list of mail/groupware servers/services that offer Exchange ActiveSync integration, e.g. for the iPhone or Windows Mobile. Since I couldn’t find one, I’m putting together a list myself. (I’m not including Microsoft Exchange Server and all those Hosted Exchange solutions, since they’re pretty obvioius choices.)

Article last updated on 2013-08-01.

Note that Google Mail and the (discontinued) free tiers of Google Apps for Business dropped EAS support for new devices in January 2013.

Services:

  • Google Apps for Business
  • Outlook.com (free)
  • MyKolab, which is protected by Switzerland’s strong privacy laws
  • Rackspace
  • Zoho
  • Office 365
  • Atmail
  • NuevaSync Premium: works with any IMAP mail server
  • MailEnable

Groupware software: (many of these are also available as hosted solutions from various hosters)

  • Kolab
  • Zarafa (uses Z-Push)
  • Horde
  • Tine 2.0

IMAP bridges:

The best-looking free solutions are Kolab (if you need a complete groupware) and PHP Push 2 (if you already have IMAP, CalDAV and CardDAV servers or want to run Owncloud for the latter two, have an existing IMAP server and run Roundcube as webmail).

If you know any others, please go ahead and add them to the comments, and I’ll add them to this list.