Good day, everyone!
I want to make an iOS VPN app based on NEVPNManager. I tried to use auth by certificate and passed identityData and identityDataPassword into my protocol config to use it. If I install the CA manually into my system, the config and connection work fine and stable. If I try to use this app without manual installation, I get a Certificate evaluation error = kSecTrustResultRecoverableTrustFailure error.
I tried to install my certificate as a SecItem into Anchor Certificates, but it is still not visible in Settings and could be used to verify my self-signed cert from the server.
How do I work with it correctly? Could I use a self-signed certificate on the server side and install it programmatically on iPhones to verify it on the client side? How do I do this correctly? Please give me some advice about it! Thank you!
If you create a packet tunnel provider then you’re in charge of how you communicate with the VPN server. You can customise server trust evaluation as you see fit, or implement a protocol that doesn’t use certificates for server trust evaluation, or doesn’t do trust evaluation at all.
Having said that, this is not an easy task. You need to implement the entire VPN protocol yourself. So, whereas with Personal VPN you get to use Apple’s IKEv2 protocol implementation, with a packet tunnel provider you have to implement the IKEv2 protocol yourself. That’s not easy, and it’s a lot less easy than getting a trusted certificate for your server [1].
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] I’m not a VPN configuration expert but my understanding is that Let’s Encrypt certificates work for this.
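The following is an added example, not code from either post and not Apple's own code, of what "customise server trust evaluation" looks like inside a packet tunnel provider: the provider evaluates the chain the VPN server presented against a self-signed CA certificate bundled with the app, instead of relying on the device trust store that the system IKEv2 client (driven by NEVPNManager) consults. Anchors set with SecTrustSetAnchorCertificates apply only to the SecTrust object the app evaluates, which is why installing a SecItem does not make the certificate visible in Settings or usable by the built-in client. The type name, the error cases and the three parameters (chain DER blobs, anchor DER, hostname) are assumptions for illustration.

```swift
import Foundation
import Security

/// Added example (not from the forum thread): pins server trust to one
/// app-bundled self-signed CA. Only a SecTrust the app evaluates itself
/// honours these anchors; NEVPNManager's IKEv2 client uses the device store.
enum PinnedServerTrust {
    enum Failure: Error {
        case badAnchorData
        case badChainData
        case cannotBuildTrust(OSStatus)
        case cannotSetAnchors(OSStatus)
        case rejected(Error?)
    }

    /// - chainDER: the DER certificates the VPN server presented, leaf first
    ///   (assumption: obtained from whatever handshake the provider implements)
    /// - anchorDER: the DER self-signed CA shipped in the app bundle
    /// - hostname: the name the tunnel connects to, enforced by the SSL policy
    static func evaluate(chainDER: [Data], anchorDER: Data, hostname: String) throws {
        guard let anchor = SecCertificateCreateWithData(nil, anchorDER as CFData) else {
            throw Failure.badAnchorData
        }

        // Refuse to proceed if any presented blob is not a parseable certificate;
        // an empty or partial chain must never evaluate as trusted.
        let chain = chainDER.compactMap { SecCertificateCreateWithData(nil, $0 as CFData) }
        guard !chain.isEmpty, chain.count == chainDER.count else {
            throw Failure.badChainData
        }

        // SSL server policy: checks the hostname and server-auth key usage,
        // not just the signature chain.
        let policy = SecPolicyCreateSSL(true, hostname as CFString)
        var trustRef: SecTrust?
        let createStatus = SecTrustCreateWithCertificates(chain as CFArray, policy, &trustRef)
        guard createStatus == errSecSuccess, let trust = trustRef else {
            throw Failure.cannotBuildTrust(createStatus)
        }

        // Pin to our anchor only: the device trust store and any user-installed
        // profiles are ignored for this evaluation.
        let anchorStatus = SecTrustSetAnchorCertificates(trust, [anchor] as CFArray)
        guard anchorStatus == errSecSuccess else {
            throw Failure.cannotSetAnchors(anchorStatus)
        }
        let onlyStatus = SecTrustSetAnchorCertificatesOnly(trust, true)
        guard onlyStatus == errSecSuccess else {
            throw Failure.cannotSetAnchors(onlyStatus)
        }

        // Evaluate; a recoverable failure (unknown issuer, hostname mismatch,
        // expiry) comes back here as an error rather than being retried.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            throw Failure.rejected(evalError)
        }
    }
}
```

If the provider uses the Network framework for its control channel, this check is the kind of logic you would run from the `sec_protocol_options_set_verify_block` handler on the connection's TLS options, passing the trust object it hands you; for a hand-written protocol you call it once the peer's certificate chain has been received and before any credentials are sent. Ship the anchor as a bundle resource and keep the `hostname` check on: pinning the CA without a hostname check still lets any certificate that CA issued impersonate the server.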