How to automatically connect your iOS device to a VPN when joining an unknown WiFi network by setting up an OnDemand profile
Thomas Witt, Oct 7, 2017


You might be familiar with the situation: you're at a coffee shop, at an airport or wherever, and want to connect to a WiFi.

But once you do, your iOS device starts sending data over that untrusted network, for example from apps that use Background App Refresh. Things get worse when you fire up your web browser and visit plain-http sites.

Congratulations, you just made yourself a target. At the very least, anyone on the network can see which sites you connect to; over plain http they can also read and alter what you send and receive, and on an unpatched device that is how malware gets installed. And worse, your iPhone keeps sending data over this connection even while it sits on standby in your pocket, or when it automatically rejoins a forgotten WiFi network you once signed on to.

Connecting to the Internet via public WiFi is one of the biggest day-to-day IT security risks. Don't be tricked into thinking that's a problem only in shady internet cafes: criminals have been targeting business travelers in five-star hotels in Asia since at least 2009, and similar attacks have been reported from Russia.

Wherever you are, it can happen, as soon as you connect your device to an unknown WiFi network. The tools are widely available, and it's a matter of minutes to manipulate a network and intercept connections in order to take over unpatched computers with malware or steal passwords (online banking, anybody?).

There may even be whole countries (China, anyone?) where you want to run your connection over a VPN all the time, because most web sites and services won't be reachable otherwise anyway.

So in general you always want to use a VPN (except maybe in your own WiFi network at home), and in an ideal world you want to make sure that not a single byte is transferred without an active VPN when you connect to a WiFi network. Apple calls this VPN On Demand.

On the Mac I highly recommend using Little Snitch and its profile functionality to achieve exactly that (I wrote an article about Internet security while traveling before). On iOS devices, it's unfortunately not that straightforward.

Luckily, iOS devices like iPhones and iPads have this functionality built in: always connect to a VPN except on certain WiFi networks. Unfortunately it's only reachable through a so-called configuration profile, which you have to install on your device yourself, and there's no graphical user interface on the device to create such a sophisticated OnDemand profile. So you have to use your text editor.

So what I did is, I created an easy-to-install profile which gives me access to three different VPN options:

An IPSec connection to my home router (a FRITZ!Box), so I can reach my home network (especially useful if you'd like to connect to firewalled devices such as webcams)

An L2TP connection to our company network router (a Cisco Meraki)

An L2TP connection to a Streisand-powered VPN at Amazon Web Services. If you're not familiar with Streisand: it's an open-source tool which sets up a cheap AWS EC2 instance with all kinds of ways to access it as a VPN. This is also my default profile, because AWS obviously has the highest data throughput.

For each of these three VPNs I created three options:

Always: Always connect to this VPN, regardless of whether you're on cellular or WiFi and regardless of the WiFi network. That's the most secure option.

WiFi: Only connect to this VPN when you're on WiFi and the network name isn't in a specific set of WiFi network names (so you won't use the VPN at home or in your company).

Manual: Never connect to a VPN automatically, only when you switch it on by hand. That's your fallback, in case you NEED to connect but everything is blocked.

The following profile does all of that. To use it, you have to perform the following steps:

Get rid of the sections you don't need.

Change the passwords, usernames and shared secrets to your own credentials (look out for CHANGEME).

Change the SSIDMatch strings in the WiFi variants to the names of the WiFi networks you'd like to exempt from the VPN obligation.

Save the text file as VPNConfigurationProfiles.mobileconfig (the suffix is important).

Send the profile to your iPhone or iPad via AirDrop and install it (you have to enter your device passcode to install).
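To make the three variants and the steps above concrete, here is what one such payload looks like. This is an added illustration, not the author's profile: a single L2TP entry with the "WiFi" rule set, using the payload keys documented in Apple's Configuration Profile Reference. The server name, credentials, SSIDs, identifiers and UUIDs are placeholders that you must replace.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Profile wrapper. Identifier and UUID are placeholders; generate your own (e.g. with `uuidgen`). -->
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.vpn-profiles</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key>
  <string>VPN Configuration Profiles (example)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- One com.apple.vpn.managed dict = one entry in Settings > VPN. This is the "WiFi" variant. -->
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.vpn-profiles.aws-wifi</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadDisplayName</key>
      <string>AWS: WiFi</string>
      <key>UserDefinedName</key>
      <string>AWS: WiFi</string>
      <key>VPNType</key>
      <string>L2TP</string>
      <key>PPP</key>
      <dict>
        <!-- Placeholder server and user credentials. -->
        <key>CommRemoteAddress</key>
        <string>vpn.example.com</string>
        <key>AuthName</key>
        <string>CHANGEME-username</string>
        <key>AuthPassword</key>
        <string>CHANGEME-password</string>
      </dict>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key>
        <string>SharedSecret</string>
        <!-- SharedSecret is a <data> element, i.e. the pre-shared key base64-encoded ("CHANGEME" here). -->
        <key>SharedSecret</key>
        <data>Q0hBTkdFTUU=</data>
      </dict>
      <key>OnDemandEnabled</key>
      <integer>1</integer>
      <!-- Rules are evaluated top to bottom; the first rule that matches decides. -->
      <key>OnDemandRules</key>
      <array>
        <dict>
          <!-- Trusted networks: stay off the VPN. -->
          <key>Action</key>
          <string>Disconnect</string>
          <key>InterfaceTypeMatch</key>
          <string>WiFi</string>
          <key>SSIDMatch</key>
          <array>
            <string>CHANGEME-HomeWiFi</string>
            <string>CHANGEME-OfficeWiFi</string>
          </array>
        </dict>
        <dict>
          <!-- Any other WiFi: bring the tunnel up. -->
          <key>Action</key>
          <string>Connect</string>
          <key>InterfaceTypeMatch</key>
          <string>WiFi</string>
        </dict>
        <dict>
          <!-- Cellular and everything else: no VPN. -->
          <key>Action</key>
          <string>Disconnect</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
```

The "Always" variant is the same payload with a single rule dict containing only Action = Connect; the "Manual" variant leaves out OnDemandEnabled and OnDemandRules altogether. Add one com.apple.vpn.managed dict per variant and per VPN to PayloadContent, each with its own PayloadIdentifier and PayloadUUID, and for the IPSec variant to the home router set VPNType to IPSec with its own IPSec dict instead of the PPP/IPSec pair shown here. After installing, the entry shows up under Settings > VPN with a Connect On Demand switch. Two checks worth doing: join an SSID that is not in SSIDMatch and confirm the VPN icon appears before you open anything, and keep in mind that AuthPassword and the shared secret sit in the .mobileconfig in the clear, so don't leave the file in a shared folder and delete it once it's installed.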

I usually leave my devices at “AWS: WiFi”. So at home, I’m surfing without a VPN, same applies to any cellular connections, but whenever I connect to a WiFi, my Streisand AWS VPN is used.

What are the downsides? Not many. There are some WiFis with a captive-portal splash page which your iOS device doesn't correctly recognize as such. The VPN then tries to connect but is blocked because you haven't confirmed the splash page yet. So either you don't use that WiFi, or you switch to the manual profile, confirm the splash page and switch back to the WiFi profile. Needless to say, whatever your device sends in between is unprotected.

You can set even more options in the profile, such as bringing the VPN up only for certain domain names (EvaluateConnection rules) or, when the profile is pushed by an MDM, restricting it to certain apps (per-app VPN). You'll find all parameters in the (very long) Configuration Profile Reference documentation from Apple.

So stay safe and always use a VPN — here is the profile: