On demand rule in NEVPNManager

Our app uses NEVPNManager with IPsec to create a VPN. It uses certificate authentication (.p12) and VPN connectivity is working as expected.

Now I am trying to apply On demand rules to manage this VPN.

let onDemandRule = NEOnDemandRuleConnect()
onDemandRule.interfaceTypeMatch = .wiFi
onDemandRule.ssidMatch = ["DNET"]

NEOnDemandRuleConnect with interfaceTypeMatch and ssidMatch is starting VPN when the rule matches.

When I add onDemandRule.dnsSearchDomainMatch = ["pa.test2.com"], it is not switching ON the VPN when I browse "pa.test2.com" in Safari. I also tried *.test2.com and *.com. None of these domains is switching ON the VPN.

Can you please help me if I am missing anything?

Answered by DTS Engineer in 850465022

Just to be clear, you’re using the Personal VPN API, right? That is, you’re not building an NE provider for a custom VPN transport, but instead configuring one of the built-in VPN transports.

If so, my general advice on this front is to start by creating a VPN configuration profile. Once you get that working, I can explain how to set that up with the NEVPNManager API.

A good place to start with VPN configuration profiles is Apple Configurator. And if you get stuck, I recommend that you seek help in Apple Support Community, run by Apple Support, and specifically in the Business and Education topic area. You’re more likely to find folks with VPN configuration experience over there.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We are already using NEVPNManager with NEVPNProtocolIKEv2 to connect the VPN. I verified this with a VPN configuration profile as well. VPN connectivity is working fine.

Now, I am trying to start VPN based on On demand rules using NEOnDemandRuleConnect.

let neVpnManager = NEVPNManager.shared()
let IKEv2Protocol = NEVPNProtocolIKEv2()
neVpnManager.protocolConfiguration = IKEv2Protocol
let onDemandRule = NEOnDemandRuleConnect()
onDemandRule.interfaceTypeMatch = .wiFi
onDemandRule.ssidMatch = ["DNET"]
neVpnManager.isOnDemandEnabled = true
neVpnManager.onDemandRules = [onDemandRule]

With this code, VPN is starting when ssidMatch happens and interfaceTypeMatch is wifi.

But, when I try to browse "pa.test2.com" with onDemandRule.dnsSearchDomainMatch = ["pa.test2.com"] added in the VPN configuration, VPN is not starting.

Again, I recommend that you prototype this using a configuration profile before you try setting it up in code. Configuration profiles do support VPN on demand; see the OnDemandEnabled and OnDemandRules properties here.

I don’t have the expertise to help you with VPN configuration issues. It’s possible that someone else might chime in here but, if not, you can pursue the alternative path I outlined in my previous post.

Once you get your configuration profile working, I suspect it’ll be easy for you to figure out how to set that up in the API. But, if not, feel free to reply here with the details and I can help you with the API side of this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
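
Added example, not part of the original posts and not Apple's own code: `dnsSearchDomainMatch` is compared against the DNS search domains of the network the device is on, not against the hostname being browsed, so triggering on a destination such as "pa.test2.com" is normally expressed with `NEOnDemandRuleEvaluateConnection`. The helper names `makeOnDemandRules` and `applyOnDemandRules` are hypothetical; the SSID and domain are the ones quoted in the thread, and the IKEv2 protocol configuration is assumed to be saved already.

```swift
import NetworkExtension

// Hypothetical helper: build on-demand rules keyed on the destination
// hostname instead of the network's DNS search domain.
func makeOnDemandRules(ssid: String, domains: [String]) -> [NEOnDemandRule] {
    // Per-connection rule: when a connection targets a host in `domains`,
    // the system brings the VPN up if it is not already connected.
    let perHost = NEEvaluateConnectionRule(matchDomains: domains,
                                           andAction: .connectIfNeeded)

    // Network conditions (interface, SSID) still gate when the rule applies.
    let evaluate = NEOnDemandRuleEvaluateConnection()
    evaluate.interfaceTypeMatch = .wiFi
    evaluate.ssidMatch = [ssid]
    evaluate.connectionRules = [perHost]

    // Rules are evaluated in order and the first match wins, so end with an
    // explicit catch-all that leaves the VPN state unchanged elsewhere.
    let fallback = NEOnDemandRuleIgnore()

    return [evaluate, fallback]
}

// Hypothetical helper: load the existing configuration, attach the rules,
// and save. Assumes protocolConfiguration was set and saved beforehand.
func applyOnDemandRules() {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError {
            print("loadFromPreferences failed: \(loadError)")
            return
        }
        manager.onDemandRules = makeOnDemandRules(ssid: "DNET",
                                                  domains: ["pa.test2.com"])
        manager.isOnDemandEnabled = true
        manager.saveToPreferences { saveError in
            if let saveError = saveError {
                print("saveToPreferences failed: \(saveError)")
            } else {
                print("On-demand rules saved")
            }
        }
    }
}
```

In a configuration profile the same rule corresponds to an `OnDemandRules` entry with the `EvaluateConnection` action, which is a convenient way to prototype it before moving to the API.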
