
MacOS VPN architecture from System Preferences down to nesessionmanager - Timac
https://blog.timac.org/2018/0717-macos-vpn-architecture/
======
teilo
What boggles me about the VPN implementation on Mac is the massive amount of
functionality that is not accessible unless you are using Apple Configurator
to create a profile. Then you have to install the profile, and for any
configuration change, you have to repeat the process.

For example, even though you can create a basic IKEv2 config, most of the
parameters that are needed to actually make it work with a given router are
not accessible except in Configurator. You cannot configure the encryption or
hash algos, DH Group, group identifiers, etc.

And there is no access at all to other VPN types, such as a number of vendor-
specific options, custom SSL, etc., even though they are supported.

Why can't there be advanced options for this stuff? It makes no sense.

~~~
derefr
You're supposed to be managing the deployment/delivery of Apple Configurator
profiles through Server.app's MDM features. If that is in play, then the
workflow looks like:

1. You navigate your device to the MDM web portal served from the Mac running
Server.app;

2. the MDM portal recognizes your MAC address as a new device, and allows you
to register it;

3. an MDM profile is auto-generated for you, which you download and install;

4. the MDM profile transparently manages/updates a _real_ (Apple
Configurator) profile, which has been customized by the MDM for any settings
keyed specifically to your computer's MAC address.

Using Apple Configurator without MDM, just using Configurator .profile files,
would be like using Windows Group Policy without Active Directory, just using
GPO .cab files. It's _possible_, but just kinda silly.

~~~
auslander
> It's possible, but just kinda silly.

Why silly? In one .mobileconfig file, I created complex VPN config for my
provider, with my own preferences, and loaded it without any MDM, to all my
macs and iPhones.

~~~
derefr
Because, what happens when you want to update that config? Even if you're just
doing it for your personal stuff, MDM means centralized push-based management.

~~~
auslander
I'm not centralized, I will just update my config myself. Simply clicking on
new myvpn.mobileconfig file :)

~~~
derefr
I guess I just don't like the idea of forgetting to update a device that I
rarely touch (e.g. my iPad) and then being unable to VPN home with it later
when I do go to use it, from a café on vacation or something.

Much easier to just leave Server.app running on my iMac. (It's basically what
Server.app is built for; it's certainly not targeted at enterprises!)

------
dguido
This might be useful for Algo! It's been a pain in the ass that IKEv2 has been
a second class citizen on macOS.

[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
striking
Algo already provides .mobileconfig files. Works great.

[https://github.com/trailofbits/algo#apple-devices](https://github.com/trailofbits/algo#apple-devices)

------
closeparen
Are there any reasonably straightforward open source VPN servers compatible
with Apple’s clients? For cloud and VPS setups, I always end up mucking around
with OpenVPN/Tunnelblick.

~~~
latchkey
I tried the OSX VPN stuff and gave up really quickly. It all just felt really
clunky, without much control.

Tunnelblick and [http://www.pivpn.io/](http://www.pivpn.io/) work great. PiVPN
targets Pi installations, but I found it works just fine on any modern ubuntu
install. The cli tools to generate / revoke configs are very easy to use.

~~~
auslander
Apple does not provide native support for the OpenVPN protocol, only IPsec. It'll
take a third-party app to support OpenVPN, risky.

------
blacksmith_tb
Interesting - do I remember that macOS 10.12 (or maybe 10.13) was supposed to
allow for per-app VPN access? Does that use this API, or something else
(assuming it actually exists)? Also, quite the cliffhanger on VPNStatus, which
sounds promising (any chance it could also support Wireguard?)

~~~
pvg
The Network Extension framework mentioned in the post is that API. It's been
an iOS thing for a while and came to macOS more recently (10.12, I think).

~~~
orbitur
The docs say 10.11 for most of the APIs. A few are still (and forever?) iOS
only.

~~~
pvg
Yes, I counted versions/WWDC videos wrong - the macOS version popped up in
2015 along with the El Capitan/10.11 announcement.

------
dqh
It's possible to build a macOS app that manages an IKEv2 connection using the
public NEVPNManager, NEVPNProtocolIKEv2 and related APIs. This also gives you
full control over DH group, algorithms, dead peer detection etc.
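
As an added illustration (not code from the post or from this commenter), a Swift sketch of the approach described above: an IKEv2 configuration built through the public NEVPNManager/NEVPNProtocolIKEv2 API with the IKE and child SA parameters, DH group and dead peer detection set explicitly rather than left to the System Preferences defaults. The gateway host, identities, CA name and the keychain identity reference are assumed placeholders, and the app must carry the Personal VPN entitlement.

```swift
import Foundation
import NetworkExtension
// Placeholder values (assumed, not from the post): replace with your own gateway and identities.
let gatewayHost = "vpn.example.com", clientIdentity = "laptop@example.com", issuerCommonName = "Example Internal CA"
// Builds an IKEv2 configuration with every SA parameter pinned explicitly. `identityRef` is a
// keychain persistent reference to the client certificate and key (obtaining it is outside this example).
func makeIKEv2Protocol(identityRef: Data) -> NEVPNProtocolIKEv2 {
    let proto = NEVPNProtocolIKEv2()
    proto.serverAddress = gatewayHost
    proto.remoteIdentifier = gatewayHost
    proto.localIdentifier = clientIdentity
    proto.authenticationMethod = .certificate
    proto.identityReference = identityRef
    proto.useExtendedAuthentication = false
    // Pin the gateway certificate's issuer and subject CN so a certificate from another CA is rejected.
    proto.serverCertificateIssuerCommonName = issuerCommonName
    proto.serverCertificateCommonName = gatewayHost
    // IKE SA: AES-256-GCM, SHA-256 integrity/PRF, DH group 14, 24 h lifetime.
    let ike = proto.ikeSecurityAssociationParameters
    ike.encryptionAlgorithm = .algorithmAES256GCM
    ike.integrityAlgorithm = .SHA256
    ike.diffieHellmanGroup = .group14
    ike.lifetimeMinutes = 1440
    // Child SA (ESP): same suite, 1 h lifetime; PFS forces a fresh DH exchange on every rekey.
    let child = proto.childSecurityAssociationParameters
    child.encryptionAlgorithm = .algorithmAES256GCM
    child.integrityAlgorithm = .SHA256
    child.diffieHellmanGroup = .group14
    child.lifetimeMinutes = 60
    proto.enablePFS = true
    proto.deadPeerDetectionRate = .medium  // notice a dead gateway instead of hanging on it
    proto.disableMOBIKE = false            // keep the tunnel across network changes
    return proto
}

// Saves the configuration into the system VPN preferences and starts the tunnel.
// The app needs the Personal VPN entitlement (com.apple.developer.networking.vpn.api).
func installAndConnect(identityRef: Data) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError { print("load failed: \(loadError)"); return }
        manager.protocolConfiguration = makeIKEv2Protocol(identityRef: identityRef)
        manager.localizedDescription = "Example IKEv2"
        manager.isEnabled = true
        manager.saveToPreferences { saveError in
            if let saveError = saveError { print("save failed: \(saveError)"); return }
            do { try manager.connection.startVPNTunnel() } catch { print("start failed: \(error)") }
        }
    }
}
```

The first call to saveToPreferences prompts the user to approve the new VPN configuration; the suite chosen here must match what the gateway offers or the IKE_SA_INIT exchange fails.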

------
sargun
Does anyone know if there are any plans to standardize (d)TLS VPNs?

~~~
oneplane
I highly doubt it. Most vendors try to sell it as a USP and as an "it is easy
because it is TLS and runs over 443 so inflexible environments will allow you
to work"-type of solution which is trying to fix symptoms instead of causes.

For anyone who is reasonable at *nix configuration, setting up OpenVPN, IKEv2
or classic IPSec tunnels is not 'easier' than any SSL/TLS VPN, which makes it
lose a lot of its value vs. other VPN options.

~~~
rmwaite
IPSec provides unique problems when it comes to NAT traversal - something that
is extremely common.

~~~
auslander
Not so sure. All current implementations have NAT-T on by default. Could you
give an example, please? IKEv2 preferred.

