confirmedcode / Lockdown-iOS

GNU General Public License v3.0

COMPATIBILITY + UI: Increase compatibility and show security warnings when mixing with corporate VPNs and OpenVPN #47

Open Gribnif opened 4 years ago

Gribnif commented 4 years ago

Right now, if I turn on OpenVPN (https://apps.apple.com/us/app/openvpn-connect/id590379981) it disables Lockdown. Looking in the iOS Settings, it seems to be an exclusive setting: only one VPN can be used at a time.

It would be most helpful if Lockdown could operate as a man-in-the-middle before OpenVPN. Since I doubt that's technically possible, is there, at least, some way for Lockdown to reactivate when OpenVPN is intentionally disconnected?

BottleOfScotch commented 4 years ago

Something broke this possibility recently. I have been using Lockdown as a firewall, and another VPN service for an actual VPN for the past half year, more or less. It displayed the two VPN configurations in two separate blocks in the iOS Settings app, and both of them could be active at the same time. This changed recently, and now they are in the same block, and only one of them can be active.

majksner commented 4 years ago

I'm using Mullvad VPN and as soon as I connect to it, the internet stops working.

sahilc0 commented 4 years ago

Same here. iOS: Lockdown + Mullvad VPN do not work together.

Twiglet1022 commented 4 years ago

If you want to use the Lockdown firewall alongside a VPN then you’ll need to set your VPN to use IKEv2. This will make your VPN show up under “Personal VPN” while Lockdown will show up under “VPN Configurations” allowing both to be enabled simultaneously.

BottleOfScotch commented 4 years ago

This has solved my problem on iOS, thank you very much.

sahilc0 commented 4 years ago

This worked for me with ProtonVPN (using IKEv2)! Thanks a bunch @Twiglet1022. Doesn't work yet with Mullvad, so I need to reach out to them and ask if I can set up "Personal VPN" with WireGuard servers.

I guess that's not a Lockdown problem.

Twiglet1022 commented 4 years ago

> I guess that's not a Lockdown problem.

Maybe, maybe not. I found out about this when I came across this post on Stack Exchange: https://apple.stackexchange.com/questions/180281/what-is-the-difference-between-personal-vpn-vs-vpn-configuration-profiles/

It seems the reason IKEv2 ends up under "Personal VPN" is because it's not natively supported in iOS. Custom VPN implementations appear under there. Perhaps it would be possible for Lockdown to have an alternative option to set itself up using a custom implementation that would also appear under "Personal VPN" making it possible to use it alongside OpenVPN, but I'm not a developer so I'm not sure about the specifics.

hijohnnylin commented 3 years ago

Hey folks - I would really like to help with this. My thoughts, as streamed from my brain, which I'm totally open to being corrected on:

1) Resource Limitations vs Magnitude - We're a small development team - we're not venture funded (because we'd be serving the VCs' best interests - who would probably like for us to sell user data to Google ASAP), and we don't use ads/sponsorships (the easy way to grow), because we're not privacy hypocrites. The <1% of users who subscribe to our VPN keep the lights on here. Compare this to the work involved in investigating the hundreds, if not thousands of VPNs on the App Store - we simply can't afford to purchase and subscribe to every single VPN, and keep up with every update/change that they make. We already spend 100% of our time and resources making Lockdown better or more transparent.

2) Security - We've found cases where sometimes people re-jigger their VPN configurations in ways that make it seem like both are active and working, but in many of these cases either the third-party VPN or the Firewall doesn't work in a predictable way. For example, the VPN may show "active", but is actually not being used. It could work, but it's definitely not a supported case.

3) Open Source - Many third-party VPNs are not open source. And since everyone has slightly different implementations, it's fairly unlikely that we will be able to guess what they're doing, and adjust for it appropriately.

My general take on this is that running multiple VPNs is not advisable - similar to running multiple anti-viruses on your computer.

I know that some people are stuck on long-term contracts on various VPN providers, so if cost is an issue, I'm happy to give out some promo codes if you're interested in helping with development: contact me at johnny@lockdownhq.com.

The shortcut, of course, is if you want to support the Lockdown privacy project or switch to the most transparently operated VPN in the world that's also fully audited, you can subscribe to Lockdown Secure Tunnel.

Does the above seem like a fair or accurate take? If not, let's discuss.

Johnny
CTO, Lockdown

Patronics commented 3 years ago

From the discussion above, it sounds like what people are asking for is an option to configure the VPN as a "personal VPN", apparently using the "Network Extended Framework API", according to the Stack Overflow post linked above. By doing this, it seems that your VPN is likely to be better able to coexist with other VPN services, without a need to "purchase and subscribe to every single VPN, and keep up with every change they make".

And regarding encouraging users to switch to your VPN plan, that's not always an option, and certainly not an option in every case. For example, I use OpenVPN not for a "privacy tunnel", but to connect to my home network's devices when I'm away from home. Likewise, many people are required to use a VPN to connect to their work network remotely. Obviously neither of these use cases would be solved by subscribing to your service.

I just discovered and installed Lockdown today, so I haven't tested its behavior with OpenVPN, but it sounds like as it's currently configured it's not able to be active at the same time as an OpenVPN connection. This isn't a huge deal for me, but I hope this helps clarify why encouraging people to subscribe to your service to solve this issue is not a very helpful solution for many of us.

Thanks for running this project, keep up the good work!

BottleOfScotch commented 3 years ago

First of all, thank you, Johnny, for your reply and for the project as a whole, amazing work.

What I would suggest is that you make an official note or FAQ answer about the fact that this option holds risks and is not supported by the team for the reasons you mentioned. And if possible in the long run, support it by implementing the feature mentioned by Patronics before me for the app:

> an option to configure the VPN as a "personal VPN"

With the limitation of users having the option with the responsibility that it might not work and have to test it themselves to make sure.

Gribnif commented 3 years ago

Hi Johnny,

Thank you so much for Lockdown, and for your detailed reply. I do agree with @Patronics that there are cases where it is desirable to have the scam and ad protection offered by Lockdown, combined with a VPN to gain access to a protected network. This is exactly the reason I created this issue: I need to be able to connect to a VPN for work, while at the same time I would like to be able to have the protections offered by Lockdown for non-VPN sites without having to continually switch between the two products.

If, as others suggest, adding an option to make Lockdown a "personal VPN" would enable it to be active at the same time as another VPN like OpenVPN, then I would definitely be willing to give it a try.

hijohnnylin commented 3 years ago

Thanks all for the feedback and clarity! I've renamed the issue to make it more clear what the goals are.

I will do some research into how to make Lockdown more compatible with corporate/work VPNs, and also add disclaimers for when users attempt to combine Lockdown with other VPNs.