
socrates324

macrumors newbie
Original poster
Sep 25, 2020
Hi everyone!

I'm using an iPhone 8 with iOS 14.0.1 (updated yesterday from 13.5.x; not an iOS version issue, I guess).

I have set up VPN on Demand with the XML profile below, which I found online (I tried various, but this is the one that works ... somewhat).

I'm at home (for testing) and disable my WiFi. Then I open Safari and enter http://myserver.lab.mydomain. Now I see the VPN being established, but the web page does not load. If the VPN is established and I enter http://myserver, however, it works as expected.

So:
- The FQDN of my host at home is required in order for the VPN on Demand rule to "fire".
- The FQDN, however, does not get resolved and the server is not reachable.
- The hostname, however, does get resolved correctly.

I can verify the same behaviour with ping from within the Net Analyzer App.

Is this a bug or am I understanding something completely wrong here? Am I off track?

Thanks in advance for any feedback!



XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPSec</key>
            <dict>
                <key>AuthenticationMethod</key>
                <string>SharedSecret</string>
                <key>LocalIdentifier</key>
                <!-- FRITZ!Box user name -->
                <string>[USERNAME]</string>
                <key>LocalIdentifierType</key>
                <string>KeyID</string>
                <key>RemoteAddress</key>
                <!-- DDNS URL of the FRITZ!Box, e.g. xxxxxx.myfritz.net -->
                <string>[DDNS-URL der FRITZ!Box]</string>
                <key>SharedSecret</key>
                <!-- Shared secret of the FRITZ!Box; a <data> element holds it base64-encoded -->
                <data>
                [SHAREDSECRET]
                </data>
                <key>XAuthEnabled</key>
                <integer>1</integer>
                <key>XAuthName</key>
                <!-- FRITZ!Box user name -->
                <string>[USERNAME]</string>
                <key>XAuthPassword</key>
                <!-- Password of the FRITZ!Box user; it is stored in cleartext in the profile, so keep the .mobileconfig file private -->
                <string>[PASSWORD]</string>
                <!-- VPN On Demand block -->
                <key>OnDemandEnabled</key>
                <!-- 1 means VPN On Demand is enabled -->
                <integer>1</integer>
                <key>OnDemandRules</key>
                <!-- Rules are evaluated in order; the first rule whose match criteria all apply is used -->
                <array>
                    <!-- Establish the VPN when home-network addresses are accessed -->
                    <dict>
                        <key>Action</key>
                        <string>EvaluateConnection</string>
                        <key>ActionParameters</key>
                        <array>
                            <dict>
                                <key>Domains</key>
                                <array>
                                    <string>*.local</string>
                                    <string>*.fritz.box</string>
                                    <string>fritz.box</string>
                                    <string>.lab.mydomain</string>
                                </array>
                                <key>DomainAction</key>
                                <string>ConnectIfNeeded</string>
                                <key>RequiredDNSServers</key>
                                <array>
                                    <string>192.168.0.3</string>
                                    <string>192.168.0.4</string>
                                </array>
                            </dict>
                        </array>
                    </dict>
                    <dict>
                        <!-- Disable the VPN on specific Wi-Fi networks -->
                        <key>Action</key>
                        <string>Disconnect</string>
                        <key>InterfaceTypeMatch</key>
                        <string>WiFi</string>
                        <key>SSIDMatch</key>
                        <array>
                            <string>heFritzbox</string>
                            <string>wtFritzbox</string>
                        </array>
                    </dict>
                    <dict>
                        <!-- Enable the VPN when a Wi-Fi connection is active -->
                        <key>Action</key>
                        <string>Connect</string>
                        <key>InterfaceTypeMatch</key>
                        <string>WiFi</string>
                    </dict>
                    <dict>
                        <!-- Do not enable the VPN on the cellular network; if a connection over cellular is wanted as well, change the Action here to "Connect" -->
                        <key>Action</key>
                        <string>Disconnect</string>
                        <key>InterfaceTypeMatch</key>
                        <string>Cellular</string>
                    </dict>
                    <dict>
                        <!-- VPN default state -->
                        <key>Action</key>
                        <string>Ignore</string>
                    </dict>
                </array>
                <!-- VPN On Demand block END -->
            </dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>1</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings</string>
            <key>PayloadDisplayName</key>
            <!-- Label, e.g. FRITZ!Box-VPN -->
            <string>[VPN-BEZEICHNUNG]</string>
            <key>PayloadIdentifier</key>
            <!-- You can simply put the myfritz address here, e.g. xxxxxx.myfritz.net -->
            <string>[DDNS-URL der FRITZ!Box]</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <!-- PayloadUUID; you can simply put the myfritz address here, e.g. xxxxxx.myfritz.net -->
            <string>[DDNS-URL der FRITZ!Box]</string>
            <key>PayloadVersion</key>
            <!-- PayloadVersion is an integer in Apple's profile format, not a real -->
            <integer>1</integer>
            <key>Proxies</key>
            <dict>
                <key>HTTPEnable</key>
                <integer>0</integer>
                <key>HTTPSEnable</key>
                <integer>0</integer>
            </dict>
            <key>UserDefinedName</key>
            <!-- Name of the VPN on the iPhone, e.g. FRITZ!Box-VPN -->
            <string>[VPN-NAME]</string>
            <key>VPNType</key>
            <string>IPSec</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <!-- Name of the VPN profile, e.g. "VPN on Demand-Profil" -->
    <string>[PROFILNAME]</string>
    <key>PayloadIdentifier</key>
    <!-- PayloadIdentifier; you can simply put the myfritz address here, e.g. xxxxxx.myfritz.net -->
    <string>[DDNS-URL der FRITZ!Box]</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <!-- PayloadUUID; you can simply put the myfritz address here, e.g. xxxxxx.myfritz.net -->
    <string>[DDNS-URL der FRITZ!Box]</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
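Added example, not from the thread or from AVM: a small Python script that parses an OnDemandRules array with plistlib (the embedded fragment is a constructed stand-in with the same rule order as the profile above, placeholder values only) and replays Apple's documented first-match evaluation. It shows that a criteria-less EvaluateConnection rule placed first matches every network state, so the Wi-Fi, SSID and Cellular rules after it are never consulted; the network-state dicts are assumptions of this example.

```python
import plistlib

# Constructed stand-in for the thread's profile (same OnDemandRules order; placeholder values).
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>OnDemandRules</key><array>
  <dict><key>Action</key><string>EvaluateConnection</string>
   <key>ActionParameters</key><array><dict>
    <key>Domains</key><array><string>*.local</string><string>.lab.mydomain</string></array>
    <key>DomainAction</key><string>ConnectIfNeeded</string>
    <key>RequiredDNSServers</key><array><string>192.168.0.3</string></array>
   </dict></array></dict>
  <dict><key>Action</key><string>Disconnect</string>
   <key>InterfaceTypeMatch</key><string>WiFi</string>
   <key>SSIDMatch</key><array><string>heFritzbox</string></array></dict>
  <dict><key>Action</key><string>Connect</string>
   <key>InterfaceTypeMatch</key><string>WiFi</string></dict>
  <dict><key>Action</key><string>Disconnect</string>
   <key>InterfaceTypeMatch</key><string>Cellular</string></dict>
  <dict><key>Action</key><string>Ignore</string></dict>
 </array></dict></plist>"""

# Match criteria a rule may carry; a rule with none of them matches every network state.
MATCH_KEYS = ("InterfaceTypeMatch", "SSIDMatch", "DNSDomainMatch", "DNSServerAddressMatch", "URLStringProbe")

def load_rules(profile_xml):
    return plistlib.loads(profile_xml)["OnDemandRules"]

def rule_matches(rule, state):
    """Every criterion present must hold (the Domains list inside EvaluateConnection
    is an action parameter, not a selection criterion, so it is not checked here)."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != state["interface"]:
        return False
    if "SSIDMatch" in rule and state.get("ssid") not in rule["SSIDMatch"]:
        return False
    return True

def first_matching_rule(rules, state):
    """Apple's documented semantics: rules are tried in order and the first match wins."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, state):
            return idx, rule["Action"]
    return None, None

def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier criteria-less rule matches everything."""
    for idx, rule in enumerate(rules):
        if not any(k in rule for k in MATCH_KEYS):
            return list(range(idx + 1, len(rules)))
    return []
```

Running `first_matching_rule(load_rules(PROFILE_XML), {"interface": "WiFi", "ssid": "heFritzbox"})` selects rule 0 even on the home SSID, and `shadowed_rules` reports rules 1 to 4 as unreachable.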
 

socrates324

macrumors newbie
Original poster
Sep 25, 2020
Ok, this is actually a problem caused by the Fritzbox (DSL router), as it does not pass the correct DNS server to the iPhone but always itself.
Since Fritzbox routers are mostly used in Germany, I showed a workaround in this German forum:


HTH :)
 

Black Baron

Suspended
Nov 8, 2020
Germany
Are you doing firmware updates regularly on your Fritzbox? (A Berlin, Germany company.)

I trashed two Fritzfons when I was living in Berlin because their Fritzfon firmware updates broke
their own phones and they became totally useless. I use a Siemens Gigaset CL660HX now. Works.

"Double NAT or straight through using Airport Express. What do you think?"

Regards,

BLACK BARON
Design / Photo / Art / Music
 