When are VPN On Demand rules evaluated?

Can you tell me about the VPN on-demand network detection stage please.
I use L2TP and my VPN on-demand OnDemandRules are set up as follows:
```xml
<key>OnDemandRules</key>
<array>
    <dict>
        <key>Action</key>
        <string>Connect</string>
    </dict>
</array>
```


The documentation (https://support.apple.com/guide/deployment-reference-ios/stages-iordfafc6ead/web) says: "VPN On Demand rules are evaluated when the device’s primary network interface changes—such as when an Apple device changes to a different Wi-Fi network, or switches from Wi-Fi to cellular (in iOS and iPadOS) or Ethernet (in macOS)."
I'd like to know when VPN on-demand rules are evaluated apart from these two cases ("when an Apple device changes to a different Wi-Fi network" and "switches from Wi-Fi to cellular (in iOS and iPadOS) or Ethernet (in macOS)").
What are the specific cases in which VPN on-demand rules are evaluated?
For example, "When a PUSH notification is received" or "When the device is unlocked".
I checked the behavior of "On receiving a PUSH notification" and confirmed that it changes from VPN disconnected state to VPN connected state.
Are there any other cases where VPN on-demand rules are evaluated other than "On receiving a PUSH notification"?
I want to know when the VPN will be reconnected because if the VPN is disconnected for any reason, the SIP Phone app will not be able to receive calls.

Maybe I should use an Always-on VPN, but since I can't manage my devices with MDM, I'm considering using VPN on demand instead.

Thank you.

Accepted Answer
There are a lot of related questions in this post, so I am going to address the VPN OnDemand Rules related questions and let you run with how that works on your system in regards to SIP calling and Push Notifications.


You can set up OnDemand Rules for a VPN to connect, disconnect, or ignore changes to a system event based upon a set of rules you have defined for the tunnel manager. A very common example, as you mentioned in this post, is an interface change. An example of this might look like:

```swift
import NetworkExtension

var rules = [NEOnDemandRule]()
// A Connect rule that matches any primary interface type
let rule = NEOnDemandRuleConnect()
rule.interfaceTypeMatch = .any
rules.append(rule)
```


In this example if the primary interface changes at all it would trigger an NEOnDemandRuleConnect rule. The same can be done for DNS search domains, DNS server addresses, and SSIDs that identify a network.

What are the specific cases in which VPN on-demand rules are evaluated?

If you have OnDemandRules set up and you have an active VPN, then these rules are always available to be evaluated. Now, certain rules may not be evaluated and triggered if certain system conditions are not met. This would be something you need to test and observe on your end.

I want to know when the VPN will be reconnected because if the VPN is disconnected for any reason

This is something you need to test and observe on your end. A VPN cannot be disconnected because the device goes into a sleep cycle. A VPN can also be disconnected because the server disconnected it, or a VPN can be disconnected if the device goes completely offline.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
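The following is an added example (not code from the answer above or from Apple) that puts the two points of the answer together in one place: it builds a rule set, both the unconditional Connect rule from the question's plist and a stricter Wi-Fi-only variant with an Ignore fallback, installs it on the personal VPN configuration, and logs every tunnel status transition so that reconnects can be observed during the testing the answer recommends. It assumes a protocol configuration (for example IKEv2) has already been saved to `NEVPNManager.shared()`; L2TP profiles installed from a .mobileconfig are not configurable through this API. The probe URL is a placeholder hostname.

```swift
import Foundation
import NetworkExtension

/// Builds an On Demand rule set. `unconditional == true` mirrors the questioner's profile
/// (a lone Connect rule with no match criteria, so every evaluation attempts a connect);
/// `false` connects only on Wi-Fi and leaves the tunnel alone on any other interface.
func makeOnDemandRules(unconditional: Bool) -> [NEOnDemandRule] {
    var rules = [NEOnDemandRule]()
    if unconditional {
        let connect = NEOnDemandRuleConnect()
        connect.interfaceTypeMatch = .any
        rules.append(connect)
    } else {
        let connectOnWiFi = NEOnDemandRuleConnect()
        connectOnWiFi.interfaceTypeMatch = .wiFi
        // Optional extra gate: only connect when this probe URL is reachable.
        // The hostname is a placeholder, not a real endpoint.
        connectOnWiFi.probeURL = URL(string: "https://vpn-probe.example.invalid/ok")
        rules.append(connectOnWiFi)

        // Fallback: on any other interface, do not change the tunnel state.
        let ignore = NEOnDemandRuleIgnore()
        ignore.interfaceTypeMatch = .any
        rules.append(ignore)
    }
    return rules
}

/// Installs the rules on the shared personal VPN configuration and enables On Demand.
/// Assumes a VPN protocol has already been saved to this manager.
func installOnDemandRules(_ rules: [NEOnDemandRule], completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }
        manager.onDemandRules = rules
        manager.isOnDemandEnabled = true
        manager.saveToPreferences(completionHandler: completion)
    }
}

/// Logs every tunnel status transition with a timestamp. Comparing these entries with
/// the events under test (interface change, push, unlock, sleep) shows when On Demand
/// actually reconnected the tunnel, which is the "test and observe" step from the answer.
final class VPNStatusLogger {
    private var token: NSObjectProtocol?
    private let formatter = ISO8601DateFormatter()

    func start() {
        token = NotificationCenter.default.addObserver(
            forName: .NEVPNStatusDidChange, object: nil, queue: .main
        ) { [weak self] note in
            guard let self = self,
                  let connection = note.object as? NEVPNConnection else { return }
            let stamp = self.formatter.string(from: Date())
            NSLog("[\(stamp)] VPN status -> \(self.describe(connection.status))")
        }
    }

    func stop() {
        if let token = token {
            NotificationCenter.default.removeObserver(token)
        }
    }

    func describe(_ status: NEVPNStatus) -> String {
        switch status {
        case .invalid: return "invalid"
        case .disconnected: return "disconnected"
        case .connecting: return "connecting"
        case .connected: return "connected"
        case .reasserting: return "reasserting"
        case .disconnecting: return "disconnecting"
        @unknown default: return "unknown(\(status.rawValue))"
        }
    }
}

// Usage: start logging first so the initial transitions are captured, then install the rules.
let logger = VPNStatusLogger()
logger.start()
installOnDemandRules(makeOnDemandRules(unconditional: false)) { error in
    if let error = error {
        NSLog("Failed to save On Demand rules: \(error)")
    }
}
```

The Ignore fallback is the part worth noting: with only a Connect rule and no match criteria, as in the question's plist, every rule evaluation results in a connect attempt, whereas the stricter set makes the "connect on Wi-Fi, otherwise leave it" intent explicit and auditable in the saved configuration.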
Thank you for your reply.
I'm going to do some testing and observe on what cases the VPN will reconnect.
I have no other questions.