OpenVPN / openvpn3

OpenVPN 3 is a C++ class library that implements the functionality of an OpenVPN client, and is protocol-compatible with the OpenVPN 2.x branch.
https://openvpn.net

build for iOS #1

Closed mbsanchez closed 7 years ago

mbsanchez commented 8 years ago

Hi, it's good news that you have shared new updates of openvpn3 on GitHub.

I have 2 related questions:

  1. What are the dependencies to build openvpn3 for iOS?
  2. How can I integrate it with NEVPNManager or something else?

mattock commented 8 years ago

@jamesyonan knows best, but plaisthos on #openvpn-devel has also managed to build OpenVPN 3 for Android as well as integrate it to his OpenVPN for Android app.

EDIT: fixed a typo.

mbsanchez commented 8 years ago

Great, how can I contact them?

mattock commented 8 years ago

I hope @jamesyonan notices this himself. You can reach plaisthos on the #openvpn-devel IRC channel.

schwabe commented 8 years ago

@mbsanchez Even if you build for iOS you would not be able to publish it on the app store since the license (AGPL3) forbids it.

mattock commented 8 years ago

@mbsanchez : extending on the answer from @schwabe ... Apple Appstore places several restrictions on app distribution and use. It is these restrictions that are incompatible with GPL (including AGPLv3). The only way a GPL-licensed application can be published in the Apple Appstore is by relicensing the whole codebase using a different, typically proprietary, license. Relicensing is only possible for the copyright holder, that is, OpenVPN Technologies, Inc.

chipitsine commented 8 years ago

@mattock, it seems that relicensing is only possible for the software author, i.e. if some GPL code is written by some person, only that person can relicense his own piece of code.

cron2 commented 8 years ago

Hi,

On Mon, Sep 26, 2016 at 01:00:11AM -0700, Ilya Shipitsin wrote:

> @mattock, it seems that relicensing is only possible for the software author, i.e. if some GPL code is written by some person, only that person can relicense his own piece of code.

It is possible if the original author agrees, by signing a CLA or similar. Since that is not possible to achieve for all contributors to OpenVPN 2.x, OpenVPN 3 is a complete rewrite that is not sharing any code with 2.x.

gert

USENET is not the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert@greenie.muc.de fax: +49-89-35655025 gert@net.informatik.tu-muenchen.de

986444785 commented 7 years ago

I need an OpenVPN iOS demo

cron2 commented 7 years ago

Hi,

On Wed, Oct 26, 2016 at 08:05:03PM -0700, 986444785 wrote:

> I need an OpenVPN iOS demo

openvpn for ios is available in the app store...

gert

pronebird commented 7 years ago

@schwabe I am sure you can publish if your entire work is open sourced

schwabe commented 7 years ago

@pronebird nope, the GPLv3 does not allow you to put it on the app store. See also http://apple.stackexchange.com/questions/6109/is-it-possible-to-have-gpl-software-in-the-mac-app-store as starter for the problems.

pronebird commented 7 years ago

@schwabe bummer, that's a very frustrating choice of license given that we live in the mobile era. Are there any options to make this work available for use with AppStore?

schwabe commented 7 years ago

@pronebird probably the only way is to ask OpenVPN inc if they can sell you a different license or add a clause to this code stating that publishing the code on the app store is allowed as long as all other terms that do not conflict with the app store license are fulfilled (e.g. providing source code).

dsommers commented 7 years ago

@pronebird One of the reasons the iOS cannot become fully open source is due to OpenVPN Technologies had to sign an NDA with Apple to get access to the needed system privileges to configure and run a VPN tunnel on iOS. This is very unfortunate, and everyone (both company and community) would want this very differently. But the entity sitting on the solution to fix this is Apple alone. As long as they prefer this closed way of working, only part of the code can be open sourced (basically what is not iOS specific). And the code which is open sourced, is the OpenVPN 3 Core here on github which is a core library for implementing OpenVPN tunnels.

So until Apple changes and becomes more friendly towards open source projects, we can't do anything else. But I am truly sorry for this, I do wish it was differently. Closing this ticket now, as we can't provide any solution for iOS as things are now.

yegors commented 7 years ago

@dsommers "One of the reasons the iOS cannot become fully open source is due to OpenVPN Technologies had to sign an NDA with Apple to get access to the needed system privileges to configure and run a VPN tunnel on iOS. "

That's no longer the case.

> I’m responding to your question about VPN transports on iOS. You wrote:
>
> > OpenVPN Connect (…) has this capability, but it seems they were granted exclusive access to some private APIs which are not available to other developers.
>
> Historically that was the case but, starting with iOS 9, you can create a custom VPN transport using public APIs, namely the packet tunnel and app proxy providers supported by the Network Extension framework. For an introduction to these facilities, watch WWDC 2015 Session 717 “What’s New in Network Extension and VPN”.
>
> https://developer.apple.com/videos/play/wwdc2015/717/
>
> IMPORTANT: At the end of that talk we say that Apple must grant you special entitlements to use these APIs. That restriction was recently lifted. Any developer can now create Network Extension providers. The following DevForums post has the details.
>
> https://forums.developer.apple.com/thread/67613
>
> You should also take a look at the NetworkExtension framework reference, which includes a bunch of useful info, and the SimpleTunnel sample code.
>
> https://developer.apple.com/reference/networkextension
>
> https://developer.apple.com/library/ios/samplecode/SimpleTunnel/
>
> Finally, I’ve attached a small test project, QNEPacketTunnel, that I’ve created for doing simple VPN tests.
>
> IMPORTANT: QNEPacketTunnel has not yet been formally reviewed, so it is not yet official Apple sample code. Please don't redistribute it outside of your immediate organisation.
>
> * * *
>
> I should stress that creating a new VPN transport is a major undertaking. DTS can assist you with parts of that (the code that interacts with the system) but you are responsible for writing (or acquiring) the code that implements the core VPN functionality.
>
> Share and Enjoy
>
> Quinn "The Eskimo!" Apple Developer Relations, Developer Technical Support, Core OS/Hardware

gardion commented 7 years ago

Slightly off-topic but then again, may be relevant: We are currently pondering creating an open source fork of schwabe/ics-openvpn for our special needs (https://github.com/gardion/android-client), an iOS client is in the cards in the next months. While researching OpenVPN we became aware of https://www.wireguard.io. Looks like a great replacement of IPSEC/OpenVPN in certain situations. Have a look if you need secure and performant connections and you control both endpoints.

yegors commented 7 years ago

Wireguard looks really great, however it suffers from the same issue as OpenVPN for ios: GPL license.

gardion commented 7 years ago

What license would be acceptable? MIT, BSD? I'll ask the creator of WireGuard if he'll consider dual licensing.

yegors commented 7 years ago

MIT and BSD should work, App store specifically prohibits GPL licensed code.

gardion commented 7 years ago

Just had a chat with Jason from WireGuard. He is aware of this issue and says the code that will be run on/required for the iOS client won't be GPL2. I haven't found out what the license will be, but I will report back once I do @zx2c4

zx2c4 commented 7 years ago

What I said specifically is that the current GPLv2 WireGuard code is written for the Linux kernel, which isn't code for iOS, so the current GPLv2 code doesn't need to be relicensed for iOS, since it won't run there anyway. It seems likely to me that future other code written explicitly for iOS would use an iOS-compatible license.

How this is related to OpenVPN, or what a discussion of WireGuard licensing is doing here, I do not know. So, I'll buck out of this strange thread. Just thought I'd chime in since I was paraquoted.


Good luck with OpenVPN 3, guys! Seems like some nice improvements are in the fold.

dsommers commented 7 years ago

OpenVPN Technologies, Inc have licensed the OpenVPN 3 code base under the AGPLv3 license. As far as I know, this is not going to change any time soon, if at all.

In the contributor agreement, present in the repository, there is a clause which ensures OpenVPN Technologies, Inc is allowed to re-license the code; which is there to allow this code base to be present in annoyingly strict appstores like Apple's. There is however a guarantee that all modifications done to the re-licensed code will also be added to the AGPLv3 licensed code. This re-license allowance is only permitted to OpenVPN Technologies, Inc and nobody else.

jiangyancong commented 7 years ago

@yegors then do you think it's possible to integrate OpenVPN library with Network Extension framework technically? From the official response, it seems possible but I don't know whether there's other issue.

serjooo commented 7 years ago

Question, just want an answer to sum up all the above and make sure if I understood everything correctly. It is possible to create an application that reads an .ovpn file with the new NetworkExtension and NEVPNManager; however, you would need to implement it all from scratch and even if you are successful doing that, Apple would still not allow your application to be released because OpenVPN is under the GPLv3 license. Is what I stated correct?

schwabe commented 7 years ago

@serjooo correct.

mattock commented 7 years ago

OpenVPN 3 is under AGPLv3, but the effect is the same. I believe most copyleft licenses are a no-go for Apple Appstore.

serjooo commented 7 years ago

@schwabe So it is useless making a VPN application using OpenVPN in the first place... Sad.. Is there any other workaround for this?

mattock commented 7 years ago

Besides rooting your iOS device - no.

serjooo commented 7 years ago

@schwabe @mattock Thank you for your quick responses very useful, saved me time before I started actual implementation on the front end. Been researching for a few days only to find out that my initial plan for this application is a dead end. Great discussion here guys thank you all for the rich information provided here. I'll keep following the thread if any change is to come about. Thank you all for your time and effort much appreciated.

moduspwnens commented 7 years ago

You certainly don't need to root. You don't even need to request entitlements for it any more. At the minimum you need working code and the ability to build on a device. You don't need to use private APIs or break out of the sandbox.

@serjooo's question mentioned implementing a client from scratch, which would involve no code from OpenVPN. I wasn't aware the license covers protocol-compliant usage by clients with none of their code.

mattock commented 7 years ago

@moduspwnens : but you would need to root to install applications not in the Appstore, right?

moduspwnens commented 7 years ago

Not if you build them onto the device yourself from Xcode.

EDIT: Just to not be pedantic: There are plenty of things you must root to do even if you build and deploy your own apps. This is not one of them.

yegors commented 7 years ago

You could always distribute the app through TestFlight or Crashlytics Beta. :)

schwabe commented 7 years ago

Yes sure if you implement it completely on your own without any OpenVPN code you can submit it officially to the App store. As @moduspwnens wrote about "frontend" I assumed that he was planning on using this implementation for the actual OpenVPN implementation

serjooo commented 7 years ago

@moduspwnens @schwabe Thus we come to a conclusion if I were to create my own iOS application, that reads .ovpn configuration file. The application can be submitted to the app store with no problem, because I am not using any of OpenVPN's actual code.

schwabe commented 7 years ago

@serjooo yes as long as your code is free from GPL code you can do that. Otherwise OpenVPN's own applications would not be allowed on the app store.

AlishahSolanki commented 7 years ago

Any progress? How can we implement OpenVPN for iOS, or fully code OpenVPN from scratch with the Network Extension framework? Any guide on that?

mattock commented 7 years ago

@solanki12 implementing OpenVPN from scratch is not a trivial task, even if you only implement the client side. Looking at Git logs it took James about two years to get the first working iOS build out. All the documentation there is is on this project's GitHub repository.

Is there a particular reason why you can't just use OpenVPN Connect for iOS?

anatoli26 commented 7 years ago

From reading this entire issue I'm getting a conclusion that for the latest iOS it's possible to have a custom OpenVPN app without any special agreement with Apple by creating a

> VPN transport using public APIs, namely the packet tunnel and app proxy providers supported by the Network Extension framework,

so the only thing that would be needed is a non-GPL license from OpenVPN Technologies, Inc for the code to comply with the AppStore license requirements, right?

If my understanding is correct, does someone here know if OpenVPN Technologies, Inc practices this and whom should I contact?

mattock commented 7 years ago

@anatoli26 I believe the "Sales and licensing" email address on the openvpn.net Contact us page is the right place to ask.

AlishahSolanki commented 7 years ago

Thanks Anatoli, I have talked about that, but Express VPN App is giving Open VPN services without Open VPN Connect, don't know how?

> Thanks for reaching out. The iOS Connect Client is not open, and we cannot open it the way the Apple plugins work.
>
> We cannot allow a rebrand of our IOS Client even with a commercial agreement--- I don't believe that will change even with our upcoming Network Extensions version as Network Extensions still requires a vendor identity.
>
> Apple did not open the extension. Express VPN is still using IPSec (not OpenVPN) protocol.
>
> if they want to develop their own client they can only do this only on Android... OR IOS using the method you described below;
>
> Users would need to install both your app and our OpenVPN Connect app, and then use Intents to load profiles and start VPN connection from their app to the OpenVPN Connect app.
>
> Most of the instructions for doing this is in the in-app help.
>
> Regarding the OpenVPN Connect on Android—we are not permitting any rebranding via commercial license at this time.
>
> Kind regards,
>
> Gary McCloud
> Head of Business Development
> OpenVPN Inc. http://www.openvpn.net/
> 7901 Stoneridge Dr. Suite 540
> Pleasanton, California 94588

From: Alishah Solanki [mailto:alishah.solanki@gmail.com] Sent: Monday, May 8, 2017 12:20 PM To: Gary McCloud gary@openvpn.net Subject: Re: OpenVPN Business Development


yegors commented 7 years ago

> Apple did not open the extension. Express VPN is still using IPSec (not OpenVPN) protocol.

That is not true. I asked ExpressVPN support about this, as they offer "TCP and UDP" protocols in their iOS app.

> Hi Alex,
>
> Thanks for contacting ExpressVPN support.
>
> UDP and TCP are both OpenVPN. You can check this link to read about connection protocols: https://www.expressvpn.com/internet-privacy/protocols/
>
> Kind regards, John @ ExpressVPN

Unless they are blatantly lying, they are using OpenVPN in their branded iOS app.

anatoli26 commented 7 years ago

Mm... looks like an official reply from OpenVPN Inc is needed. In my case I don't need the Connect front-end, just the back-end, i.e. the protocol implementation to pass all communications of my app with my server via differently-configured OpenVPN tunnels (user-selectable from within the app).

anatoli26 commented 7 years ago

OK, I've just seen the WWDC 2015 presentation video where the topic is explained in a lot of detail, with actual code and everything: https://developer.apple.com/videos/play/wwdc2015/717/ (if you don't have Safari, you may download the video from the Resources tab below).

From this video I understand that the only thing needed now (since iOS 9) for own OpenVPN client implementation on iOS is the OpenVPN protocol implementation that one would insert into the SimpleTunnel app (that is provided by Apple with a 3-clause BSD-like non-restrictive license, as a working example for everything VPN related, including establishing the tunnel, reading/writing the actual network data, etc., just no encryption) + to request the special entitlement (explained at the last 3 min of the video), though I have no idea what are the conditions to become approved.

At the same time (I may be wrong on this, please correct) AFAIK there's no OpenVPN protocol implementation published for iOS (in Swift), so if someone makes his/her own OpenVPN protocol implementation in Swift that would sufficiently differ from the C++ server implementation, the copyright holder for that Swift code would be the person writing it, so no GPL, nor any other restrictions of any type, and the resulting openvpn-enabled app could be published as closed-source. Am I right?

AlishahSolanki commented 7 years ago

Anatoli, by using the Network Extension framework of iOS, by making custom tunneling, how can I implement the OpenVPN protocol, because I can't connect to it through custom tunneling using UDP and TCP? If you can guide me?


AlishahSolanki commented 7 years ago

Yes Anatoli, you are right, we can write our own implementation in Swift using Network Extension as closed source.


anatoli26 commented 7 years ago

Probably if enough users are interested, we could crowdfund the protocol implementation for iOS to be implemented under non-strict open-source license like BSD or MIT so everyone could use it in any type of project, also no issues with appstore. At the same time it would be open so whoever wants could help developing it further and inspect it for bugs.

AlishahSolanki commented 7 years ago

I am interested, we can write open source code.

anatoli26 commented 7 years ago

Probably we should start by asking OpenVPN Technologies, Inc if there's any reasonable price they would accept for releasing OpenVPN protocol for iOS under BSD/MIT license. Depending on the price, IMO this would be the best option.

If they are not interested, probably a similar question should be asked to WireGuard developers (in my case I don't have any special attachment to OpenVPN apart from needing a strong crypto implementation).

AlishahSolanki commented 7 years ago

OK, can you ask OpenVPN Technologies, Inc about that?

On Tue, May 30, 2017 at 5:25 AM, Anatoli notifications@github.com wrote:

> Probably we should start by asking OpenVPN Technologies, Inc if there's any reasonable price that they would accept for developing and releasing OpenVPN protocol for iOS under BSD/MIT license. Depending on the price, IMO this would be the best option.
>
> If they are not interested, probably a similar question should be asked to WireGuard developers (in my case I don't have any special attachment to OpenVPN apart from needing a strong crypto implementation).
