[strongSwan] iOS 10: Always-On VPN and DNS

Prashanth Prabhu prashanth.prabhu at gmail.com
Mon Feb 6 22:03:42 CET 2017

Hi folks,

For a feature that I am exploring, I need to be able to set up a VPN and
tunnel selective web traffic through to a backend service. I have been
experimenting with the iOS Always-On VPN functionality towards this
purpose. I am using a strongSwan server on the backend. Just in case
it matters, the VPN profile is set up for certificate-based
authentication. Configuration is being pushed to the device via the
Configurator. The DNS configuration mentioned below was added manually
into the generated .mobileconfig, as the app doesn't seem to have
support for those dictionary items yet.

I have been able to successfully set up a connection and have it stay
on. However, I am having trouble getting the DNS queries to route
correctly: the server pushes the DNS server once the VPN connection
is established. I do see, from the Xcode logs for the device (an iPad
running 10.2.1), that iOS receives the DNS server and sets it up as a
resolver. However, the Wi-Fi DNS resolver continues to stay on as the
primary resolver.

Following advice from
I set up the 'ServerAddresses' item and an empty
'SupplementalMatchDomains' [as described at
to see if I can force the VPN-based resolver to take precedence. But
this has had no effect.

Has anyone had success getting DNS functioning in this fashion, i.e.,
for the VPN-based DNS server to take over as primary resolver?

