Lead Image © fckncg, 123RF.com

Lead Image © fckncg, 123RF.com

VPN clients for Android and iOS

Tunnel Constructor

Article from ADMIN 36/2016
By
Smartphones and tablets using hotspots and mobile data connections are susceptible to spying. iOS and Android each supply a tunneled VPN connection out of the box. We take a look at their apps, as well as third-party apps to see if they offer more.

Data transmitted over the Internet needs protection. In particular, smartphones and tablets, which generally use hotspots and mobile data connections, are most at risk. To establish a secure tunnel connection, the mobile end device needs to have a VPN client to connect to a VPN server. In the research for this article, I needed to distinguish between clients that only allow connections to a single peer or a manufacturer-specific device and those that support open protocols and remote sites.

For the test, I set up the Microsoft VPN server in Windows Server 2012 R2 and an OpenVPN server in Ubuntu 14.04. I also established connections to a third-party server using the IPsec protocol. The test devices were an Apple iPad with the latest iOS 9 and a Samsung smartphone with Android 4.0.4, which at the time were the most widely used OSs between 18 and 24 months old.

Apple iOS

If you search for VPN clients in Apple's App Store, you are shown a long list. However, a closer look shows that almost all of them are for establishing a secure connection with a fixed server. This is used on the one hand for masking your own IP address when out and about and on the other for encrypting data transmission – at least up to the VPN server. However, I wasn't able to establish a connection to the corporate server using any of these apps. Other apps only allow a connection to remote sites of certain providers. For example, an IPsec connection using LANCOM myVPN requires VPN gateways from LANCOM, and Cisco AnyConnect requires a Cisco Adaptive Security Appliance. The selection of independent VPN clients is therefore limited in iOS.

As a reference, I first took a look at the native VPN client in iOS 9. It is located under Settings | General | VPN . In addition to PPTP, it supports IPsec, L2TP, and IKEv2. (However, PPTP was removed in iOS 10 for security reasons [1].) I chose PPTP for the VPN connection to the Windows server, entered the IP or public URL to the server, and stored the account in the domain/username format. I then had the choice of entering the password using RSA SecureID, saving it permanently, or always being asked for the password (Figure 1). Another switch gave me the option to have all traffic run via this connection. Otherwise, the client would only direct the data packages that correspond to the client IP routing via the VPN. This is a very useful measure to ensure that not all Internet traffic is run through the corporate VPN. A final option makes it possible to set up proxy servers. Other than selecting a different protocol, the procedure was the same to set up the IPsec connection. Using this native iOS VPN client, I was not able to establish a connection to my OpenVPN server.

Figure 1: The settings for the native VPN client in iOS are clear and uncomplicated.

OpenVPN Connect for iOS

To proceed, I needed to install the free OpenVPN Connect app (Figure 2) on my device via the App Store. The app's welcome screen points out that you need an OpenVPN profile file to set up a secure connection. I created this beforehand on the server as an OVPN file. To load this file to the device, I downloaded it via a Private Tunnel profile [2], which is a website where I could store the profile. Alternatively, I was also able to download the profile directly from an OpenVPN Access Server or access it with iTunes Sync.

Figure 2: The OpenVPN Connect app establishes a connection to the OpenVPN server.

The option I chose to use was to receive the file attached to an email message. To this end, I switched to the Mail app, opened the email with the OPVN file, and copied the attachment into the OpenVPN app. At this point, the app provided the profile for importing, after which, I was able to access the profile and set up the connection by setting the connection switch to ON . A few seconds later, the connection was established, and all traffic ran via the VPN tunnel. Unlike the Apple VPN client, it is not possible to send only the data packets via the tunnel, which should be assigned to the secure network according to the IP routing.

Android

The range of VPN clients is more diverse with Android. Here, I focused on Google Play and, for security reasons, didn't look at any clients that had to be downloaded and installed as an APK file outside of the store. Even with Android, it was necessary to filter out the clients for establishing secure VPN connections to a provider server and to exclude apps that required the product of a particular manufacturer.

As a reference, I also took a look at the VPN client included with the Android OS. Depending on the device manufacturer, the client can be easily slightly different; however, the functions are always the same. I accessed the VPN configuration in the advanced options and configured the connection to the Windows VPN server via PPTP. Other protocols are still available in the form of L2TP/IPsec with PSK or RSA authentication, IPsec Xauth PSK, IPsec Xauth RSA, and IPsec Hybrid RSA. I entered the IP address of the server or domain and was even able to define a DNS search domain, a DNS server, and a route for the VPN.

After saving, I opened the connection for the first time and stored my credentials, which can be saved for future use, if desired. A short time later, the tunnel was set up. Because I didn't enter an extra route, the mobile device sent all data packages to the server.

Setting up the IPsec connection wasn't really any more complicated than with iOS; rather, it was more extensive because of more configuration options. Again, I added the new connection, specified a name, selected L2TP/IPsec PSK as the type, and entered the password and the server address. The configuration provides more input fields for the IPsec identifier. After I saved the settings, I accessed the connection and entered a username and password to establish a connection.

Just like the native iOS VPN client, the Android counterpart did not innately support OpenVPN connections and IKEv2.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Roll out hybrid clouds with Ansible  automation
    Designing your own hybrid IT structure as a digital mix of your servers and public or private clouds might be technically elegant and cost effective, but setup is time consuming. Thanks to Ansible, it might take less work than you think.
  • New versions of the Endian and Sophos UTM solutions
    UTM systems combat all kinds of dangers under the policy of Unified Threat Management. The demands and expectations of customers fuel competition. Two of the most popular manufacturers – Endian and Sophos – have now released new versions of their solutions.
  • Open source multipoint VPN with VyOS
    The VyOS Linux distribution puts network routing, firewall, and VPN functionality together and presents a fully working dynamic multipoint VPN router as an alternative or addition to a Cisco DMVPN mesh.
  • Guacamole: Remote Desktop

    HTML5 offers a range of new features, such as audio and video support, without needing plugins like Flash or Java. This opens up completely new options in terms of content delivery via the web – and for mobile access to applications on the LAN.

  • PC over IP
    Anyone who has tried to to run graphics-intensive applications using an application-sharing protocol like RDP knows how miserably these technologies fail. But the PCoIP protocol and special hardware means that even heavy-duty workstations can operate remotely.
comments powered by Disqus