If you find this writeup useful and would like to purchase a VPS to try it on, I would recommend Vultr. With this link, http://www.vultr.com/?ref=6816672, you can do me a little favor by getting me some credit from them without losing anything.

As is widely known, a lot of critical internet services are blocked in China, and using the internet here is a pain. Having a VPN server is therefore very necessary to get whatever information you need. iOS has three types of built-in VPN client: PPTP, L2TP and IPSec. Any of them works if you have a corresponding VPN server properly set up. But since the day Apple developed iOS it has had one behaviour: all network activity is shut down once the iPhone goes into sleep mode, and of course this includes the VPN. What is worse, the iPhone won't reconnect the VPN automatically on waking up, so you have to go to Settings and turn it on manually. And when the network switches between cellular and Wi-Fi, the VPN will also fail to reconnect automatically. This is absolutely not what I want. So after a lot of searching and testing, I came up with this final, fully working guide on how to set up an on-demand (always-on) VPN on iOS and OS X (I don't actually need this feature on OS X because I can easily reconnect manually, but the following guide also works on OS X).

The only option that can be chosen is IPSec, because the other two modes are not allowed the on-demand/always-on feature. I don't know why, but that is what Apple Configurator says (VPN On Demand only works with certificate-based authentication, which PPTP and L2TP in iOS do not offer). I use strongSwan as the IPSec server and Apple Configurator to set up iOS. There are many guides out there, but none of them takes care of the very important details that are critical to making it work the way I imagined.

What Are Needed:

  1. A VPS outside China; any location works, but I recommend Japan, Hong Kong, Taiwan or the USA.
  2. An iOS device (iPhone, iPad or iPod Touch). As of writing, I run iOS 8 on my iPhone 5s.
  3. OS X to run Apple Configurator: an iMac, a MacBook, or OS X in a virtual machine.
  4. An internet connection.

Set Up An IPSec VPN Server With strongSwan

1. Install Linux on the VPS. I use Debian Wheezy; this guide also applies to Ubuntu, CentOS, Red Hat or whatever, the distribution doesn't matter much, but Debian makes it easier.

2. Install the latest strongSwan, which is version 5.2.0 as of writing.

3. Create the CA, certificates and keys and put them in the right places. Save the code below as ca.sh, make it executable with chmod +x ca.sh and run it with ./ca.sh. Replace YOUR_SERVER_IP with the public IP (or hostname) the iPhone will connect to: it must appear as both the CN and the SAN of the server certificate, because the iOS client checks the server certificate against the address it dials.

#!/bin/sh
set -e
# private keys are written by shell redirection, so keep them from being world-readable
umask 077
### CA key and self-signed CA certificate
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=CH, O=Justinhe, CN=Justinhe CA" --ca --outform pem > caCert.pem
# CA certificate in DER (.crt) format to install on the iPhone, very important
openssl x509 -outform der -in caCert.pem -out caCert.crt
### Server certificate
# CN and SAN must both be the address the iPhone connects to,
# and the ikeIntermediate flag is required by the iOS IPSec client
ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem \
  --dn "C=CH, O=Justinhe, CN=YOUR_SERVER_IP" --san "YOUR_SERVER_IP" \
  --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
### iPhone certificate
ipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --in clientKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem \
  --dn "C=CH, O=Justinhe, CN=JustiniPhone" --outform pem > clientCert.pem
### iPhone PKCS#12 file bundling the client key, client certificate and CA certificate
# openssl prompts for an export password here; Apple Configurator asks for it when you import the .p12
openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" \
  -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
## copy them to /etc/ipsec.d
sudo cp caCert.pem /etc/ipsec.d/cacerts/
sudo cp serverCert.pem /etc/ipsec.d/certs/
sudo cp serverKey.pem /etc/ipsec.d/private/
sudo cp clientCert.pem /etc/ipsec.d/certs/
sudo cp clientKey.pem /etc/ipsec.d/private/
## keep the iPhone files to use with Apple Configurator
cp caCert.crt clientCert.p12 ~/

4. Configure /etc/ipsec.conf by replacing its contents with the following. Parameter lines under a section header must be indented; strongSwan refuses to load an unindented file.

config setup
    uniqueids = never
    #strictcrlpolicy = no
    #cachecrls = yes

conn ioscert
    keyexchange = ike
    fragmentation = force
    #compress = no
    aggressive = no
    dpdaction = hold
    dpddelay = 600s
    # very important for iOS: without dpdtimeout the client can fail to reconnect
    dpdtimeout = 5s
    lifetime = 24h
    ikelifetime = 240h
    leftfirewall = yes
    rightfirewall = yes
    leftallowany = yes
    rightallowany = yes
    left = %defaultroute
    leftauth = pubkey
    leftcert = serverCert.pem
    leftsubnet = 0.0.0.0/0
    right = %any
    rightauth = pubkey
    rightauth2 = xauth
    rightcert = clientCert.pem
    rightsourceip = 10.0.0.0/24
    auto = add

5. Set up the DNS servers that are pushed to the iPhone together with its virtual IP: edit /etc/strongswan.conf so it reads as follows.

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    duplicheck.enable = no
    # DNS servers handed to the client with its rightsourceip address
    dns1 = 8.8.4.4
    dns2 = 8.8.8.8
}

include strongswan.d/*.conf

6. Set up the username, password and PSK secrets by editing /etc/ipsec.secrets; change the quoted values to your own. The ioscert connection above only uses the RSA key and the XAUTH line; the PSK and EAP lines are not needed for it but do no harm.

# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc
: RSA serverKey.pem
: PSK "whateverPSKsecrets"
whateverusername : XAUTH "whateverpassword"
whateverusername : EAP "whateverpassword"

7. The server-side IPSec setup is finished. Start it and enable it at boot by running:

sudo /etc/init.d/ipsec start
sudo update-rc.d ipsec enable

8. Configure iptables so the server NATs and routes all your traffic. Create /etc/iptables.up.rules with the contents below (only the nat and filter rules are needed; the raw, mangle and security tables in the original iptables-save dump were empty defaults and are left out), load it with iptables-restore < /etc/iptables.up.rules, and put that command in /etc/rc.local (or in a script under /etc/network/if-pre-up.d/, as the Debian Wiki describes) so the rules are not lost after a reboot. Learn more about iptables from the Debian Wiki.

# /etc/iptables.up.rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT only the VPN client pool out of the public interface; the original dump
# also had a bare "-A POSTROUTING -j MASQUERADE", which rewrites every packet
# leaving the box and is not needed
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# IKE and NAT-T. With the INPUT policy at ACCEPT these are no-ops; they matter
# once you switch the policy to DROP, and then raw ESP (-p esp) must be accepted
# too for clients that are not behind NAT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
# forward the clients' traffic and clamp the TCP MSS so large packets survive the tunnel
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT

9. Also edit /etc/sysctl.conf, uncomment the following two lines, and apply them by running sudo sysctl -p:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Set Up iOS With Apple Configurator
1. Download and install Apple Configurator version 1.6 from the OS X App Store.

2. Run Apple Configurator, go to the Supervise tab, and click the little "+" to create a new profile for iOS. There are three payloads to fill in:

2.1 General: give the profile whatever name you like.

2.2 Certificates: add the two files created on the server in step 3, caCert.crt (the CA) and clientCert.p12 (the iPhone identity; Apple Configurator asks for the export password you set when creating it).

2.3 VPN: configure the connection to match the server side: connection type IPSec, server address = the IP you put in the server certificate's CN and SAN, the XAUTH username and password from ipsec.secrets, machine authentication by certificate using the identity imported in 2.2, and VPN On Demand enabled (the checkbox only becomes available with certificate authentication).

2.4 Save and export the profile but do not check "Sign the profile", because we need to edit the saved file by hand to set up the very important part. If you sign it, the signature no longer matches after you edit it with other tools and the profile cannot be installed on the iPhone.

2.5 Edit the profile with TextEdit, which comes with OS X (keep it in plain-text mode, Format > Make Plain Text, so the file is not saved as RTF), and replace this part:

<key>OnDemandEnabled</key>
<integer>1</integer>

With this part:

<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
<dict>
<key>Action</key>
<string>Connect</string>
</dict>
</array>

According to Apple's official documentation, Action = Connect means: "Unconditionally initiate a VPN connection on the next network attempt."

2.6 With the above settings this is effectively an always-on IPSec VPN for iOS: whatever the conditions, as long as you have a network, the VPN comes up. Save the profile and install it on iOS; you can email it to yourself and open it in Mail.app, or put the profile on a local HTTP server and open it with MobileSafari to install it.
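The same edit as steps 2.4 and 2.5, done with Python's standard plistlib instead of TextEdit so the result stays a well-formed plist. This is an added example, not code from the original post: the embedded profile is a constructed stand-in for an Apple Configurator export (its identifiers, UUIDs and names are made up), and the optional trusted_ssids argument goes beyond the post by adding a Disconnect rule for named Wi-Fi networks ahead of the unconditional Connect.

```python
"""Add the always-on OnDemandRules to an exported, unsigned .mobileconfig."""
import sys
import plistlib

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"   # PayloadType of a VPN payload

# Constructed stand-in for what Apple Configurator exports, trimmed to the
# keys this edit touches (a real export also carries the IPSec settings and
# the certificate payloads). Identifiers and UUIDs are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.alwayson-vpn</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key><string>com.example.alwayson-vpn.vpn</string>
      <key>PayloadUUID</key><string>66666666-7777-8888-9999-000000000000</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>UserDefinedName</key><string>Always-on IPSec</string>
      <key>VPNType</key><string>IPSec</string>
      <key>OnDemandEnabled</key><integer>1</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def is_editable_plist(data: bytes) -> bool:
    """An unsigned profile is an XML (or binary) plist. A signed profile is a
    CMS/PKCS#7 DER blob wrapping the plist, which is why step 2.4 says not to
    sign before editing: the signature would no longer match the content."""
    head = data.lstrip()[:8]
    return head.startswith(b"<?xml") or head.startswith(b"bplist00")


def always_on_rules(trusted_ssids=None):
    """Build the OnDemandRules array. iOS evaluates the rules in order and
    applies the first match, so the unconditional Connect must come last.
    trusted_ssids (beyond the post): on those Wi-Fi networks the VPN is left
    down (Action Disconnect with SSIDMatch) instead of being forced up."""
    rules = []
    if trusted_ssids:
        rules.append({"Action": "Disconnect", "SSIDMatch": list(trusted_ssids)})
    rules.append({"Action": "Connect"})     # the rule step 2.5 inserts by hand
    return rules


def add_on_demand_rules(profile: bytes, trusted_ssids=None) -> bytes:
    """Return the profile with OnDemandEnabled = 1 and OnDemandRules set on
    every VPN payload. Raises ValueError for a signed or non-VPN profile."""
    if not is_editable_plist(profile):
        raise ValueError("not an XML/binary plist: a signed profile cannot be "
                         "edited, re-export it without signing")
    root = plistlib.loads(profile)
    vpn_payloads = [p for p in root.get("PayloadContent", [])
                    if p.get("PayloadType") == VPN_PAYLOAD_TYPE]
    if not vpn_payloads:
        raise ValueError("no %s payload in profile" % VPN_PAYLOAD_TYPE)
    for payload in vpn_payloads:
        payload["OnDemandEnabled"] = 1
        payload["OnDemandRules"] = always_on_rules(trusted_ssids)
    return plistlib.dumps(root, fmt=plistlib.FMT_XML)


def on_demand_rules(profile: bytes):
    """Read back the OnDemandRules of the first VPN payload (None if absent)."""
    root = plistlib.loads(profile)
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") == VPN_PAYLOAD_TYPE:
            return payload.get("OnDemandRules")
    return None


if __name__ == "__main__":
    # usage: python3 alwayson.py exported.mobileconfig > alwayson.mobileconfig
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    sys.stdout.buffer.write(add_on_demand_rules(src))
```

Run it on the unsigned export and install the file it writes; the signed-profile check fails fast on the DER blob you get if "Sign the profile" was left checked, instead of producing a file the iPhone silently rejects.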

Written with the efforts of Justin He @cattyhouse; free to distribute with the original link, which is this one ☺

Thanks to:
