iOS – Nested VPNs on iPhone iOS 11

Tags: ios, iphone, mobile-device-management, vpn

I am developing a custom VPN client plugin for iPhone, working on iOS 11 devices. I am hoping to set up nested VPNs so that the traffic is double encrypted.

I am working with Per-App VPN, as well as both Always-On and On-Demand style systemwide VPN clients. As an example, what I would like to do is access an IPSec VPN endpoint for Per-App connections, where the endpoint exists on a network only accessible through an SSL VPN endpoint that is connected through a systemwide VPN.

Please refer to the following diagram for a further example of what I mean:

[Diagram: Per-App VPN tunnelled through the systemwide VPN, with the uncertain hop marked by a dotted line]

Note that the Systemwide VPN doesn't need to be SSL, as I understand Always-On VPN may be restricted to using the iOS built-in VPN client with IKEv2.

For the systemwide VPN, I have a strong preference for Always-On as it doesn't allow the user to disable it. In my testing however, it seems that when an Always-On VPN is loaded onto the iPhone, all of the other VPNs disappear from Settings and cannot be enabled. I have been able to configure a systemwide On-Demand VPN and a Per-App VPN to operate concurrently, but not yet with one passing through the other.

The part I am uncertain about, and so far haven't been able to replicate, has been marked with the dotted line. Can the Per-App VPN connect and route through the Systemwide VPN?

Best Answer

I have received a response from Apple Support:

I talked to VPN Engineering about your goals and, alas, what you’re trying to do is just not possible. We specifically prevent traffic from a VPN provider from going through some other VPN interface, so your per-app VPN provider — be it a packet tunnel provider or an app proxy provider — won’t be able to route traffic over the IKEv2 VPN interface.

As of iOS11, this is not currently possible.
