Interoperability Mobile VPN Clients
Lead Image © fckncg, 123RF.com

VPN clients for Android and iOS

Tunnel Constructor

Smartphones and tablets using hotspots and mobile data connections are susceptible to spying. iOS and Android each supply a tunneled VPN connection out of the box. We take a look at their apps, as well as third-party apps to see if they offer more. By Sandro Lucifora

Data transmitted over the Internet needs protection. In particular, smartphones and tablets, which generally use hotspots and mobile data connections, are most at risk. To establish a secure tunnel connection, the mobile end device needs to have a VPN client to connect to a VPN server. In the research for this article, I needed to distinguish between clients that only allow connections to a single peer or a manufacturer-specific device and those that support open protocols and remote sites.

For the test, I set up the Microsoft VPN server in Windows Server 2012 R2 and an OpenVPN server in Ubuntu 14.04. I also established connections to a third-party server using the IPsec protocol. The test devices were an Apple iPad with the latest iOS 9 and a Samsung smartphone with Android 4.0.4, which at the time were the most widely used OSs between 18 and 24 months old.

Apple iOS

If you search for VPN clients in Apple's App Store, you are shown a long list. However, a closer look shows that almost all of them are for establishing a secure connection with a fixed server. This is used on the one hand for masking your own IP address when out and about and on the other for encrypting data transmission – at least up to the VPN server. However, I wasn't able to establish a connection to the corporate server using any of these apps. Other apps only allow a connection to remote sites of certain providers. For example, an IPsec connection using LANCOM myVPN requires VPN gateways from LANCOM, and Cisco AnyConnect requires a Cisco Adaptive Security Appliance. The selection of independent VPN clients is therefore limited in iOS.

As a reference, I first took a look at the native VPN client in iOS 9. It is located under Settings | General | VPN. In addition to PPTP, it supports IPsec, L2TP, and IKEv2. (However, PPTP was removed in iOS 10 for security reasons [1].) I chose PPTP for the VPN connection to the Windows server, entered the IP or public URL to the server, and stored the account in the domain/username format. I then had the choice of entering the password using RSA SecurID, saving it permanently, or always being asked for the password (Figure 1). Another switch gave me the option to have all traffic run via this connection. Otherwise, the client would only direct the data packets that correspond to the client IP routing via the VPN. This is a very useful measure to ensure that not all Internet traffic is run through the corporate VPN. A final option makes it possible to set up proxy servers. Other than selecting a different protocol, the procedure was the same to set up the IPsec connection. Using this native iOS VPN client, I was not able to establish a connection to my OpenVPN server.

Figure 1: The settings for the native VPN client in iOS are clear and uncomplicated.

OpenVPN Connect for iOS

To proceed, I needed to install the free OpenVPN Connect app (Figure 2) on my device via the App Store. The app's welcome screen points out that you need an OpenVPN profile file to set up a secure connection. I created this beforehand on the server as an OVPN file. To load this file to the device, I downloaded it via a Private Tunnel profile [2], which is a website where I could store the profile. Alternatively, I was also able to download the profile directly from an OpenVPN Access Server or access it with iTunes Sync.

Figure 2: The OpenVPN Connect app establishes a connection to the OpenVPN server.

The option I chose to use was to receive the file attached to an email message. To this end, I switched to the Mail app, opened the email with the OVPN file, and copied the attachment into the OpenVPN app. At this point, the app provided the profile for importing, after which I was able to access the profile and set up the connection by setting the connection switch to ON. A few seconds later, the connection was established, and all traffic ran via the VPN tunnel. Unlike with the Apple VPN client, it is not possible to send through the tunnel only those data packets that the IP routing assigns to the secure network.

Android

The range of VPN clients is more diverse with Android. Here, I focused on Google Play and, for security reasons, didn't look at any clients that had to be downloaded and installed as an APK file outside of the store. Even with Android, it was necessary to filter out the clients for establishing secure VPN connections to a provider server and to exclude apps that required the product of a particular manufacturer.

As a reference, I also took a look at the VPN client included with the Android OS. Depending on the device manufacturer, the client can be slightly different; however, the functions are always the same. I accessed the VPN configuration in the advanced options and configured the connection to the Windows VPN server via PPTP. Other protocols are still available in the form of L2TP/IPsec with PSK or RSA authentication, IPsec Xauth PSK, IPsec Xauth RSA, and IPsec Hybrid RSA. I entered the IP address of the server or domain and was even able to define a DNS search domain, a DNS server, and a route for the VPN.

After saving, I opened the connection for the first time and stored my credentials, which can be saved for future use, if desired. A short time later, the tunnel was set up. Because I didn't enter an extra route, the mobile device sent all data packets to the server.

Setting up the IPsec connection wasn't really any more complicated than with iOS; rather, it was more extensive because of more configuration options. Again, I added the new connection, specified a name, selected L2TP/IPsec PSK as the type, and entered the password and the server address. The configuration provides more input fields for the IPsec identifier. After I saved the settings, I accessed the connection and entered a username and password to establish a connection.

Just like the native iOS VPN client, the Android counterpart did not innately support OpenVPN connections and IKEv2.

OpenVPN Connect for Android

Android also needed a separate app for connecting to the OpenVPN server. The manufacturer provides OpenVPN Connect in Google Play. After starting the app, I started the profile import. Here, too, I had the choice of retrieving the OVPN file via Private Tunnel, Access Server, or an SD card, which is what I chose. The VPN client then showed the imported profile, which I connected to the server (Figure 3). Once the app had established the connection, all traffic ran through the VPN client.

Figure 3: OpenVPN Connect is reliable in Android, too.
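
The OVPN profile imported in both OpenVPN Connect sections records whether the profile itself requests a full tunnel, and it can carry the client's private key, which matters when the file travels by email or SD card. The following check is an added example, not code from the article or from OpenVPN; the sample profile and the function name audit_profile are constructed for illustration, and it assumes the standard OpenVPN directives redirect-gateway, route, remote-cert-tls, and verify-x509-name.

```python
import ipaddress
import re

# Constructed sample profile (not from the article); key material is a placeholder.
SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.com 1194
remote-cert-tls server
redirect-gateway def1
route 10.8.0.0 255.255.255.0
<ca>
(placeholder CA certificate)
</ca>
<key>
(placeholder private key)
</key>
"""

def audit_profile(text):
    """Summarise routing and credential exposure of a client .ovpn profile."""
    directives, inline, block = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if block:  # inside an inline <tag>...</tag> block: skip the payload
            if line == f"</{block}>":
                block = None
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            block = tag.group(1)
            inline.add(block)
        elif line and line[0] not in "#;":  # '#' and ';' start comments
            directives.append(line.split())
    names = {d[0] for d in directives}
    routes = []
    for d in directives:
        if d[0] == "route" and len(d) >= 2:
            mask = d[2] if len(d) >= 3 else "255.255.255.255"
            try:
                routes.append(str(ipaddress.ip_network(f"{d[1]}/{mask}", strict=False)))
            except ValueError:  # hostname or keyword instead of an address
                routes.append(" ".join(d[1:]))
    findings = []
    if inline & {"key", "pkcs12"}:
        findings.append("private key embedded: treat the file as a credential")
    if not names & {"remote-cert-tls", "verify-x509-name"}:
        findings.append("no server certificate check configured")
    # Options pushed by the server at connect time are not visible in the file.
    mode = "full-tunnel" if "redirect-gateway" in names else "routes-only"
    return {"mode": mode, "routes": routes, "findings": findings}
```

Running audit_profile on a profile before it is mailed or copied to an SD card shows whether the file needs to be handled like a credential and which networks it routes through the tunnel.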

OpenVPN Client Free for Android

The manufacturer of the OpenVPN Client Free app promises more and better functions than OpenVPN Connect. After installing it from the Google Play store and opening the app, I pressed the + button to reach an extensive configuration page. After creating the remote server, I switched to authentication. Unlike the original client, you don't do this with an OVPN file; instead, you select certificate files, which open up a variety of different settings, such as encryption and routing (Figure 4). Among other things, I was able to set whether the VPN client should redirect all data traffic or just the traffic to the local network. The app also supports IPv6 but cannot be set up using mobile device management (MDM, i.e., security software used by the IT department to manage and secure mobile devices).

Figure 4: OpenVPN Client Free has a number of additional configuration options.

NCP VPN Client for Android

Another option is the use of a fee-based solution with NCP VPN Client (the basic app), which is a universal IPsec VPN client that provides compatibility with all VPN gateways commonly on the market (e.g., NCP, Cisco, Juniper/NetScreen ScreenOS, Microsoft Server 2008 R2, Check Point, SonicWALL, LANCOM Systems, Teldat, Astaro, AVM FRITZ!Box). NCP developed the app with the direct aim of accessing the corporate network (Figure 5).

Figure 5: NCP VPN Client displays the full configuration clearly on one page.

After purchasing NCP VPN Client and installing it on the Android device, I launched the app. An integrated IPsec test connection makes it possible to examine and make sure that the app is working, independent of the actual settings. To create a new profile, you go to Configure | Profile configuration. After I supplied the details for the Windows VPN server, I set up the connection, which took a few seconds to establish. I really liked the Auto Reconnect Mode during the test. This feature means the VPN client automatically reestablishes the tunnel after an interruption (e.g., if the user switches the Internet connection from WiFi to wireless mobile data, the app reestablishes the VPN tunnel).

As with all the other VPN clients, NCP VPN Client could not connect to OpenVPN. Anyone who needs PKCS#12 certificate or IKEv2 support will have to use the $30 Premium version. Sadly, neither of the versions offers MDM support.

Conclusions

The range of VPN clients for establishing a secure connection with a company server is limited in both iOS and Android (Table 1). I did not find a single VPN client during my research that can handle all of the common protocols, including OpenVPN. A combination of two apps therefore had to be used at all times to cover the major protocols. The iOS native client in combination with OpenVPN Connect is enough for the Apple OS.

Table 1: VPN Clients for Android and iOS

| Product | Operating System | Manufacturer | Protocols | Price | Notes |
|---|---|---|---|---|---|
| Apple VPN client | iOS from 6.1 | Apple http://www.apple.com | PPTP,* IPsec, L2TP, IKEv2 | Free | The Apple VPN client is stable and easy to configure. Various MDM solutions integrated into iOS help support the configuration. A connection to a Microsoft VPN server can be configured quickly and runs stably. Using L2TP, IPsec, and IKEv2, the app also covers the most common protocols. You only need a separate app to connect to an OpenVPN server. |
| OpenVPN Connect for iOS | iOS from 6.1 | OpenVPN http://www.openvpn.net | OpenVPN | Free | OpenVPN Connect for iOS lets you set up a VPN tunnel to an OpenVPN server. The OVPN file, which can be transferred to the device in various ways, is required. The app is easy to use: just open and connect. The setup is a bit more complicated because it has to be done manually; an MDM solution is not supported. Together, this app and the Apple VPN client cover all important protocols. |
| Google VPN client | Android from 1.6 | Google http://www.android.com | PPTP, IPsec, L2TP | Free | Google's VPN client supports PPTP, IPsec, and L2TP, but not OpenVPN or IKEv2. The connection setup allows a few more settings than the Apple client but is just as quick to configure and use. Integration with the operating system allows you to make all the necessary settings via MDM. |
| OpenVPN Connect for Android | Android from 4.0 | OpenVPN http://www.openvpn.net | OpenVPN | Free | The OpenVPN Connect app does what it should: It establishes a connection to the OpenVPN server. Unfortunately, it isn't possible at this point to restrict data traffic so that only the requests targeted for the internal network run through the VPN. The app takes everything through the connection, even the Internet traffic. No MDM setup is available, which means you need to perform the setup manually on each device. |
| OpenVPN Client Free | Android from 4.0 | Colucci https://play.google.com/store/apps/details?id=it.colucciweb.free.openvpn&hl=en | OpenVPN | Free | This alternative to the OpenVPN Connect app provides more extensive options. The configuration is done manually without an OVPN file and is therefore not quite as easy. You can define whether all or just internal data traffic should run through the client. The configuration is pretty confusing for simple setups, but you can adjust a large number of settings, particularly security-related ones, although unfortunately not using MDM. IPv6 support shows that OpenVPN Client Free is a forward-thinking app. |
| NCP VPN Client | Android from 4.0 | NCP engineering https://www.ncp-e.com/en/ | PPTP, IPsec, L2TP, IKEv1 | Basic/$3.35; Premium/$29.90 | The Secure VPN client from NCP proved to be the most flexible VPN client in the test. With the exception of OpenVPN, it supports the common protocols, can be set up easily, and has interesting features, such as the automatic reconnection mode, which maintains the connection for a client after an interruption. |

* Discontinued in iOS 10.

Although the range of VPN options is slightly larger in Android, the built-in VPN client combined with OpenVPN Connect covers all basic needs on iOS. OpenVPN Client Free is a good alternative for technically well-versed Android users, who receive a greater degree of control with more detailed settings. Anyone who uses a VPN connection now and then to download a file from the company server will do well with the native resources, primarily because they can be configured using MDM. The NCP client is definitely worth the money for more intensive use on Android devices.