In the How To "How to set up an OpenVPN server and connect it to Cortado", we set up an OpenVPN server for Linux or Windows and ran a preliminary function test with an iOS device. Now we want to go further. In this How To we will set up per-app VPN. With per-app VPN, you can set individual apps to run over a VPN connection.
Aim
In this How To we will create a per-app VPN profile, using our OpenVPN server and Cortado. This profile will let iOS devices automatically build a VPN tunnel when a managed app starts up, and automatically close it again when the app in question is closed. This can be especially useful for CRM apps, or apps that have to access intranet resources.
Implementation
Configuring the intranet resources
Because we opted for TUN mode for our OpenVPN server, we need to set up static routing so that our intranet resources can communicate with our clients over the OpenVPN server. (We chose TUN because TAP is not as well supported on mobile devices. You can read about the difference between TUN and TAP here.)
We will show you how to do this with Linux and Windows servers.
Setting up a static route with Linux
Open a Shell with administrator rights.
sudo nano /etc/network/interfaces
Insert the following lines and modify the IP addresses to match your environment.
route add -net 10.8.0.0/24 netmask 255.255.255.0 gw 192.168.192.99 dev eth1
Here 10.8.0.0/24 is the VPN server address, as specified in the OVPN config, 192.168.192.99 is your VPN server IP, and eth1 is your interface.
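To confirm that the route is in place on the intranet host, the following added example (not part of the original How To) checks the output of ip route show for the VPN subnet and the expected gateway. The function name check_vpn_route, the sample routing tables, the default gateway 192.168.192.1 and the host address 192.168.192.20 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify the static route for the OpenVPN client subnet.
# Reads `ip route show` output on stdin.
# Usage: ip route show | check_vpn_route <vpn-subnet> <expected-gateway>
# Exit status: 0 = route present via the gateway, 1 = route missing,
#              2 = route present but pointing somewhere else.
check_vpn_route() {
    awk -v net="$1" -v gw="$2" '
        # Return the next hop ("via <addr>") of the current line, or "".
        function nexthop(   i) {
            for (i = 2; i < NF; i++) if ($i == "via") return $(i + 1)
            return ""
        }
        $1 == net       { found = 1; via = nexthop() }
        $1 == "default" { defgw = nexthop() }
        END {
            if (!found) {
                # Without the specific route, replies to VPN clients
                # follow the default route and never reach the tunnel.
                printf "MISSING: no route for %s; replies would use default gateway %s\n",
                       net, (defgw == "" ? "(none)" : defgw)
                exit 1
            }
            if (via != gw) {
                printf "WRONG GATEWAY: %s goes via %s, expected %s\n",
                       net, (via == "" ? "on-link" : via), gw
                exit 2
            }
            printf "OK: %s via %s\n", net, gw
        }'
}

# Constructed sample routing tables (not captured from a real host).
SAMPLE_OK="default via 192.168.192.1 dev eth1
10.8.0.0/24 via 192.168.192.99 dev eth1
192.168.192.0/24 dev eth1 proto kernel scope link src 192.168.192.20"

SAMPLE_MISSING="default via 192.168.192.1 dev eth1
192.168.192.0/24 dev eth1 proto kernel scope link src 192.168.192.20"

# Demo on the constructed table; prints "OK: 10.8.0.0/24 via 192.168.192.99".
printf '%s\n' "$SAMPLE_OK" | check_vpn_route 10.8.0.0/24 192.168.192.99
```

Run it again after a reboot to confirm that the route persists.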
Static route for Windows
You can set up a static route for Windows as follows.
Open a command prompt (CMD) with administrator rights and modify the following command to match your environment.
route add 10.8.0.0/24 MASK 255.255.255.0 (your VPN server IP) -p
Here 10.8.0.0/24 is the VLAN address of your VPN server.
Profile and function test
After configuring our intranet resources, we can adapt the OpenVPN profile that we configured in the previous How-To, so that it no longer needs to be switched on and off by the user, but is automatically switched on when a user opens a certain application.
Do this by navigating, in the Cortado administration portal, to Administration → Profiles. Select the OpenVPN profile here and configure it as you see in this screenshot:
Please replace the given VPN address with your own.
Now go to Administration → Apps and select an app for which a VPN tunnel should be built when it starts up. Configure the app as shown in the screenshot.
For VPN profile, select your OpenVPN profile (see the example in the illustration).
You can now assign the app to the users. You’ll find more information on this here.
It’s time now to test the functionality. If the app is started on a user device, you should see a VPN icon next to the mobile data/WiFi status display in the notification bar. The app should now also have access to your intranet resources.