I am trying to create a config file for my iPhone 11 running iOS 14 to connect to my L2TP VPN setup on my UDM Pro. I found a few blog posts with sample configs and I found a PowerShell utility on the UI forums to create one; however, I have only gotten “Bad Profile. This profile is corrupted and cannot be read” whenever I try to load them. Digging around Apple’s documentation, it looks like the iPhone has to be “managed” using their Configurator 2 program AND the VPN has to be IKEv2 in order to have an always-on VPN. Am I missing something? Does this mean that an always-on VPN is not possible with UDM Pro and current iOS devices? Any help would be greatly appreciated.
While not an always-on VPN, you can find some information for configuring it on my blog: Setting up a UniFi Security Gateway for an On Demand iOS VPN | Scott Gruby’s Blog
You do use Configurator, but the device does not have to be managed. You save the profile and then install it on your phone (email, AirDrop, etc.).
AFAIK always-on VPN requires a management profile configured and installed.
Consider using the Private Relay feature of iOS 15 instead.
Awesome. Thank you. I’ll give it a try this evening. Glancing over your blog, it looks as though I can choose to auto-connect to the VPN when outside a predefined WiFi. Is that correct? Or would it still be a manual process of connecting? I gotta get this set up wife friendly.
Thanks for the reply. It seems Private Relay is a privacy-related feature. I’m looking to connect back to my home network to access resources like my security cameras that I have blocked from the internet.
Yes, you can have it auto-connect based on certain rules. In the entry, I have it connect on demand if it isn’t on certain networks. I’ve since modified it so that it connects on demand when connecting to certain domains so that I can connect to my Home Assistant instance. Apple’s documentation https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf#page95 gives more information about the rules you can specify for on demand.
In the past, on demand would only work with certificate-based VPN authentication, but that changed a few OS versions back and it works quite well.
Oh I see. Sorry for misunderstanding.
So, I used your blog and the Apple docs as a reference. I can’t seem to import the profile. I get a “Bad Profile” error. Here is my config file. Any ideas? I’m terrible at code.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key>
        <string>SharedSecret</string>
        <key>LocalIdentifierType</key>
        <string>KeyID</string>
        <key>SharedSecret</key>
        <!-- placeholder: the real pre-shared key, base64-encoded -->
        <data>
        MYSHAREDSECRET-ConvertedtoBASE64
        </data>
      </dict>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>0</integer>
      </dict>
      <key>PPP</key>
      <dict>
        <key>AuthName</key>
        <string>USERNAME</string>
        <key>AuthPassword</key>
        <string>PASSWORD</string>
        <key>CommRemoteAddress</key>
        <string>mypublicIP</string>
      </dict>
      <key>PayloadDescription</key>
      <string>Configures VPN settings</string>
      <key>PayloadDisplayName</key>
      <string>VPN</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.vpn.managed.C165E920-D376-4E1E-B87E-79D8F1A17845</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>
      <string>C165E920-D376-4E1E-B87E-79D8F1A17845</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- The on-demand rules were nested under Proxies, where a dict without a
           preceding key is invalid plist and triggers "Bad Profile". They belong
           in the OnDemandRules array, with OnDemandEnabled set to 1. -->
      <key>OnDemandEnabled</key>
      <integer>1</integer>
      <key>OnDemandRules</key>
      <array>
        <dict>
          <key>Action</key>
          <string>Disconnect</string>
          <key>InterfaceTypeMatch</key>
          <string>WiFi</string>
          <key>SSIDMatch</key>
          <array>
            <string>myhomeSSID</string>
          </array>
        </dict>
        <dict>
          <key>Action</key>
          <string>Connect</string>
          <key>InterfaceTypeMatch</key>
          <string>WiFi</string>
        </dict>
        <dict>
          <key>Action</key>
          <string>Connect</string>
          <key>InterfaceTypeMatch</key>
          <string>Cellular</string>
        </dict>
      </array>
      <key>Proxies</key>
      <dict>
        <key>HTTPEnable</key>
        <integer>0</integer>
        <key>HTTPSEnable</key>
        <integer>0</integer>
      </dict>
      <key>UserDefinedName</key>
      <string>IOS_OnDemand</string>
      <key>VPNType</key>
      <string>L2TP</string>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Untitled</string>
  <key>PayloadIdentifier</key>
  <string>Brads-MacBook-Air.73B6D64B-E7C5-4A10-9A71-20C653F9E892</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>D53D02B5-7E48-4C20-89E2-F04E99AB0006</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
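A quick way to catch this kind of "Bad Profile" before sending the file to a phone is to parse it with Python's standard plistlib, which rejects the same structural faults iOS does, and then check the VPN payload's on-demand keys. This is an added example, not from the thread or from Apple; the lint rules only cover the keys and values discussed above, and both sample profiles are constructed here.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Rule values listed in Apple's Configuration Profile Reference (VPN payload).
VALID_ACTIONS = {"Allow", "Connect", "Disconnect", "EvaluateConnection", "Ignore"}
VALID_INTERFACES = {"Ethernet", "WiFi", "Cellular"}
RULE_KEYS = {"Action", "InterfaceTypeMatch", "SSIDMatch", "DNSDomainMatch"}

def lint_profile(raw: bytes) -> list:
    """Return the problems found in a .mobileconfig; an empty list means it looks sane."""
    try:
        profile = plistlib.loads(raw)
    except (ValueError, ExpatError) as exc:
        # plistlib rejects a <dict> inside a <dict> with no <key> before it (the posted mis-nesting).
        return [f"not a valid plist: {exc}"]
    problems = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        # On-demand rule keys sitting under Proxies mean the rules were nested wrongly.
        leaked = RULE_KEYS & set(payload.get("Proxies", {}))
        if leaked:
            problems.append(f"on-demand rule keys found under Proxies: {sorted(leaked)}")
        if payload.get("OnDemandEnabled") != 1:
            problems.append("OnDemandEnabled is not 1, so OnDemandRules will be ignored")
        for i, rule in enumerate(payload.get("OnDemandRules", [])):
            if rule.get("Action") not in VALID_ACTIONS:
                problems.append(f"rule {i}: unknown Action {rule.get('Action')!r}")
            iface = rule.get("InterfaceTypeMatch")
            if iface is not None and iface not in VALID_INTERFACES:
                problems.append(f"rule {i}: unknown InterfaceTypeMatch {iface!r}")
    return problems

# Constructed sample with the same mis-nesting as the posted profile, in miniature.
BROKEN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.vpn.managed</string>
<key>Proxies</key><dict><key>Action</key><string>Connect</string></dict>
<dict><key>HTTPEnable</key><integer>0</integer></dict>
</dict></array></dict></plist>"""

# Constructed sample with the corrected layout: the rules live under OnDemandRules.
FIXED = plistlib.dumps({"PayloadContent": [{
    "PayloadType": "com.apple.vpn.managed", "VPNType": "L2TP", "OnDemandEnabled": 1,
    "OnDemandRules": [
        {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi", "SSIDMatch": ["myhomeSSID"]},
        {"Action": "Connect", "InterfaceTypeMatch": "WiFi"},
        {"Action": "Connect", "InterfaceTypeMatch": "Cellular"}],
    "Proxies": {"HTTPEnable": 0, "HTTPSEnable": 0}}]})
```

Run `lint_profile(open("profile.mobileconfig", "rb").read())` on your own file; the first message points at the line where the plist parser gave up.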
I figured it out. Thanks for your help. Your blog post helped a lot. I will post my version here once I get my data out of the working version. I basically copied and pasted yours, removed the domain rules you had, and added 2 new rules from the documentation.
Can you post your final version? I’m looking to do the same.