SSL-VPN on iOS using NETunnelProvider

Posted: Fri Oct 28, 2016 5:46 pm
by infinity
Hey,

Does anyone know if it's possible to use the NETunnelProvider APIs to allow iOS to connect to a SoftEther SSL-VPN server?

Also, an unrelated question: does SoftEther provide any sort of obfuscation to prevent detection via DPI?

Thank you!

Re: SSL-VPN on iOS using NETunnelProvider

Posted: Fri Oct 28, 2016 7:32 pm
by moatazelmasry
Hi there,

NETunnelProvider is just an API that allows you to tunnel/encapsulate packages and redirect them somewhere else, which is basically what a VPN is for. Anyone can then use it (once an entitlement is received from Apple) to implement their own VPN protocol; for example, the OpenVPN guys used that interface to implement their app on iOS.

This aside, I'll assume your question is: "Can I connect programmatically from iOS to SoftEther?"
If I guessed your question correctly, then the answer is unfortunately no, not currently.

Out of the box, Apple offers a VPN API for IPSec tunneling mode and IKEv2; none of these protocols are supported by SoftEther. I'm working on adding tunneling mode for IPSec in SoftEther, but can't tell when this will be finished:
https://github.com/moatazelmasry2/SoftE ... sec-tunnel

The OpenVPN guys have implemented the protocol using NETunnelProvider, but unfortunately the code is proprietary.

Sorry that I don't have any better news.

Cheers

Re: SSL-VPN on iOS using NETunnelProvider

Posted: Fri Oct 28, 2016 8:09 pm
by moatazelmasry
Ah and to answer the second part of your question:
"does SoftEther provide any sort of obfuscation to prevent detection via DPI"

It really depends on which VPN protocol you are using. L2TP and PPTP are quite easy to detect, and it is easy to perform a man-in-the-middle attack to read some packet attributes (not the actual contents though) and to block the traffic.

With OpenVPN it is more difficult to do that.

The SoftEther protocol (Ethernet over HTTPS) is practically impossible to detect since it just appears as normal 443 traffic.
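
An added example, not part of the original thread: a minimal sketch of the first-payload checks a DPI classifier can apply to the protocols named in the post above. The function name, the labels and every sample payload are constructed for illustration, and the OpenVPN rule assumes the whole first frame arrives in one TCP segment.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D        # magic cookie in every PPTP control message (RFC 2637)
OVPN_HARD_RESET_CLIENT_V2 = 7  # OpenVPN opcode that opens a client session


def classify_first_payload(transport: str, dst_port: int, payload: bytes) -> str:
    """Label the first client payload of a flow the way a simple DPI rule would."""
    if transport == "udp" and dst_port == 1701 and len(payload) >= 2:
        (flags,) = struct.unpack(">H", payload[:2])
        # L2TP control message: T bit set, protocol version 2 in the low nibble
        if (flags & 0x8000) and (flags & 0x000F) == 2:
            return "l2tp-control"
    if transport == "tcp" and len(payload) >= 8:
        _length, msg_type, magic = struct.unpack(">HHI", payload[:8])
        if msg_type == 1 and magic == PPTP_MAGIC:
            return "pptp-control"
    if transport == "tcp" and len(payload) >= 6:
        # TLS record: type 0x16 (handshake), major version 3, handshake type 1
        if payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
            return "tls-client-hello"
        # OpenVPN over TCP: 2-byte frame length, then opcode in the top 5 bits
        (frame_len,) = struct.unpack(">H", payload[:2])
        if frame_len == len(payload) - 2 and payload[2] >> 3 == OVPN_HARD_RESET_CLIENT_V2:
            return "openvpn-tcp"
    return "unknown"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "pptp": ("tcp", 1723, struct.pack(">HHI", 156, 1, PPTP_MAGIC) + bytes(148)),
    "l2tp": ("udp", 1701, struct.pack(">HH", 0xC802, 12) + bytes(8)),
    # Truncated TLS ClientHello record header, as any HTTPS client would send
    "tls_443": ("tcp", 443, bytes.fromhex("16030100050100000100")),
    # OpenVPN hard reset: opcode byte, 8-byte session id, empty ack list, packet id
    "openvpn_443": ("tcp", 443, b"\x00\x0e\x38" + bytes(range(1, 9)) + bytes(5)),
}


def classify_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify_first_payload(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:12s} -> {label}")
```

Both port-443 samples share a destination port, yet only the one that opens with a TLS record is labelled as TLS; a classifier at this layer keys on the first bytes, not the port number.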

Re: SSL-VPN on iOS using NETunnelProvider

Posted: Mon Oct 31, 2016 12:00 am
by infinity
Thanks for the reply. So do you think it's technically possible to implement the SoftEther Ethernet over HTTPS protocol on iOS using NETunnelProvider? I understand this isn't currently possible, just curious if such a thing could be coded, like the way OpenVPN did.

Re: SSL-VPN on iOS using NETunnelProvider

Posted: Mon Oct 31, 2016 7:53 pm
by moatazelmasry
Certainly this is possible. The NETunnelProvider does mainly one thing: it "tunnels" your packets, which means it encapsulates your packet into another one and sets the destination IP to your VPN server. EVERYTHING else you need to program yourself. This is not an easy task tbh.
The NETunnelProvider entitlement is not hard to obtain from Apple. I got it after explaining my case well and had to wait 4 weeks.

You have a couple of ways to go:
1- Use IKEv2 on iOS, which is already available without NETunnelProvider, but then you need to use strongSwan or so as a server
2- Wait for me to finish the IPSec tunneling mode (1-2 months) as I have tons of other stuff to do
3- Ask Apple for the tunneling entitlement and implement whatever VPN protocol you want yourself

Cheers
Moataz

Re: SSL-VPN on iOS using NETunnelProvider

Posted: Mon Oct 31, 2016 8:06 pm
by infinity
According to Apple: "Except when you use the NEHotspotHelper class, you do not need to obtain entitlements from Apple to use Network Extension classes."
Source: https://developer.apple.com/reference/networkextension

Is that outdated, or possibly a new change?

The main reason this interests me is because there does not seem to currently be a VPN for iOS that would be able to get through restrictive firewalls, the way SSL-VPN can. So to achieve this, I guess I would have to investigate coding a solution that implements SoftEther SSL-VPN on iOS using NETunnelProvider? Or, I should say, find a coder to work on this with me, as this is not my area of expertise haha.

Re: SSL-VPN on iOS using NETunnelProvider

Posted: Mon Oct 31, 2016 9:27 pm
by moatazelmasry
Cool. Looks like Apple is tolerating this now. Up until a couple of months ago, for any of the four components of NetworkExtension you needed an entitlement. Now we are down to 1. Good good.

You are right, none of the two supported VPN protocols on iOS (IPSec tunneling, IKEv2) is penetrative.

SSL-VPN is indeed very penetrative.

What about OpenVPN? This should be very penetrative as well, if you change the port of communication to 443 and use TCP or so. Port 443 can't and would never be blocked and it is really difficult to detect OpenVPN traffic going through that port.

Cheers,
Moataz

Re: SSL-VPN on iOS using NETunnelProvider

Posted: Thu Feb 02, 2017 5:15 pm
by moatazelmasry
Hi Cuckoo,

No, I'm still working on it in my free time and created two pull requests that pave the road for the IPSec implementation. However, I haven't heard from the project maintainer(s) so far.

Cheers

Re: SSL-VPN on iOS using NETunnelProvider

Posted: Tue Oct 10, 2017 11:00 pm
by dlinemedia
Hello! Any news on this topic? It would be cool if SoftEther worked on iPhone... Waiting for so long(

Re: SSL-VPN on iOS using NETunnelProvider

Posted: Sat Nov 24, 2018 11:59 am
by dvscomp
Hi, any news on this?