Thoughts on life and technology ( Wireless safety at airports, libraries and coffee shops )

June, 23 2014

Wireless safety at airports, libraries and coffee shops

As an independent developer, everything I need to be productive for my projects and clients fits within my backpack. I am constantly on the move and am rarely at the same physical location throughout the entire day.

Because of that mobility and Edward Snowden’s NSA leaks, I have become increasingly aware of doing work within untrusted network environments such as airports, libraries, coffee shops, etc. Or really anywhere where there is an open wifi connection.

I use a custom .mobileconfig file that configures my mac and iOS devices to use a custom VPN tunnel to a server that I rent specifically for this purpose. Basically it works by setting up an IPSec tunnel whenever the device needs to connect to do anything on the network. That includes calendar, email, iTunes Match, web browsing, etc. This trusted VPN tunnel configuration only works outside of my home network. So when I go to the local coffee shop, the tunnel is setup. When I am at a client’s office for a meeting, tunnel is setup. I don’t have to think about it.

This isn’t for the faint of heart though. My configuration on the server is still evolving ( like how to have multiple iPSec clients from the same ip address such as the iPhone and mac are on the same coffee shop wifi ) but it is better than it was before. In fact, this configuration also works when I am tethering or just browsing on the cellular network.

This is a sample mobile config I use on my devices:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
          <key>PayloadIdentifier</key>
          <string>com.apple.mdm.identifier</string>
          <key>PayloadRemovalDisallowed</key>
          <false/>
          <key>PayloadScope</key>
          <string>User</string>
          <key>PayloadType</key>
          <string>Configuration</string>
          <key>PayloadUUID</key>
          <string>random uuid</string>
          <key>PayloadOrganization</key>
          <string>My Organization</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>PayloadDisplayName</key>
          <string>My VPN Settings</string>
          <key>PayloadContent</key>
          <array>
                    <dict>
                              <key>PayloadType</key>
                              <string>com.apple.vpn.managed</string>
                              <key>PayloadVersion</key>
                              <integer>1</integer>
                              <key>PayloadIdentifier</key>
                              <string>com.apple.mdm.identifier.vpn</string>
                              <key>PayloadUUID</key>
                              <string>random uuid</string>
                              <key>PayloadEnabled</key>
                              <true/>
                              <key>PayloadDisplayName</key>
                              <string>My VPN</string>
                              <key>VPNType</key>
                              <string>IPSec</string>
                              <key>IPSec</key>
                                        <dict>
                                                  <key>RemoteAddress</key>
                                                  <string>vpn ip address</string>
                                                  <key>AuthenticationMethod</key>
                                                  <string>SharedSecret</string>
                                                  <key>SharedSecret</key>
                                                  <data>
                                                  base64 shared secret
                                                  </data>
                                                  <key>LocalIdentifier</key>
                                                  <string>vpn</string>
                                                  <key>OnDemandEnabled</key>
                                                  <integer>1</integer>
                                                  <key>OnDemandRules</key>
                                                  <array>
                                                      <dict>
                                                            <key>Action</key>
                                                            <string>Disconnect</string>
                                                            <key>DNSServerAddressMatch</key>
                                                            <array>
                                                                 <string>192.168.1.1</string>
                                                            </array>
                                                       </dict>
                                                       <dict>
                                                            <key>Action</key>
                                                            <string>Connect</string>
                                                            <key>URLStringProbe</key>
                                                            <string>http://www.apple.com/</string>
                                                       </dict>
                                                  </array>
                                        </dict>
                              <key>Proxies</key>
                    <dict/>
                    <key>UserDefinedName</key>
                    <string>My VPN</string>
                    <key>IPv4</key>
                    <dict>
                              <key>OverridePrimary</key>
                              <integer>1</integer>
                    </dict>
          </dict>

</array>
</dict>
</plist>

A few notes on this file:

The assumption is that there is an IPSec server already setup. Setting that up is outside this post's scope.
PayloadUUID should be a random uuid. You can use uuidgen on OS X to generate a new one.
Under DNSServerAddressMatch put in the ip address of the routers/dns servers that if reachable will tear down the vpn connection. Like a home router as an example.
The connect action in the OnDemandRules section will establish the VPN tunnel if www.apple.com can be reached. Feel free to change to another url if needed
OnDemandEnabled will not allow any traffic from your device unless the tunnel has been setup. If this causes problems you can disable the on demand feature in the vpn settings on iOS or disable the configuration in OS X.
OverridePrimary ensures that all traffic is transmitted over the tunnel.

I use a variation of this file on both iOS and OS X and both work fine with the exception that the on demand generates an error on iOS 7. While at WWDC 2014, I sat down with with an Apple security engineer and he reported that iOS 8 beta 2 would have it fixed ( which it did ). Hopefully this will be also fixed in the iOS 7.1.2 update.

Apple's configuration profile documentation: https://developer.apple.com/library/ios/featuredarticles/iphoneconfigurationprofileref/introduction/introduction.html

To Install:

While it was a few steps to setup, I have more confidence about my devices transmitting data securely when going about in my daily activities whether going to the grocery store, shopping or working away from home.

https://hasani.me/Br