Friday, October 4, 2024

Setting Up an iOS VPN Without an App

ForestVPN:

Many of us rely on VPN apps to secure our online activities, but did you know there’s a way to set up a VPN on your iPhone without downloading an app? This method not only saves space but also provides a seamless experience for users who prefer a more direct approach.

Via John Gruber:

It just requires some futzing in Settings and a VPN provider that supports it. Presumably, this technique remains available to iPhone users in Russia.

[…]

VPN apps remove complexity from this process, but it’s worth noting that VPN access doesn’t require an app.

However, at least in the case of ForestVPN, it’s confusing how to sign up for the service without using an app. If you click Get Started it just directs you to download the app. It looks like if you click Get MacOS CLI it will let you sign up on the Web.

Riley Testut:

Anecdotally, Russia has long been the most popular country for AltStore Classic usage by far


6 Comments


Maybe it's just me, but I don't get any warm fuzzies about a VPN licensed in the UAE. Hardly a bastion of human rights, that. https://www.hrw.org/world-report/2024/country-chapters/united-arab-emirates


Old Unix Geek

Apple did something right for once. Kudos.

Unfortunately Human Rights Watch is not unbiased -- it discounts the bad behavior of Western governments. As a Russian, you might find UAE a better choice of VPN provider than Western countries. There's probably a reason why Pavel Durov based his Telegram there -- they haven't pressured him the way the Russians or the French have.


VPNs can also easily be configured with a user-installable profile. You don’t need a VPN app (or MDM provider) for that.

Not sure if VPN providers provide such a profile for their configuration though…


Setting aside the fact that Apple’s iOS VPN implementation is notoriously leaky — which is, of course, why there are almost no user-facing VPN issues on iOS as opposed to macOS, using a straight-up built-in VPN protocol in a country where VPNs have been banned or are heavily censored is akin to painting a large target on one’s back.

Some of these fancy VPN apps that Apple is being forced to remove offer access to camouflaged bridges or newer protocols designed to circumvent censorship — with presumably wildly varying degrees of success. Apple most definitely does nothing of the sort, making vanilla VPN connections ludicrously easy to detect and to block.

Encouraging users in repressive environments to sign up for a commercial VPN account on the web — presumably in cleartext — so that they can then connect using their iPhone’s built-in features could turn out to be lethal advice. I do not know whether Russia keeps logs of citizens who do that, but there are most certainly places that do.

Encrypting one’s communications and accessing banned material for a split-second is easy. Doing so securely, consistently, and without endangering oneself or others is extremely hard. It depends on the environment, the technical and political capabilities of the people in charge, and how little they value human life.

It is easy for John to sit in the safety of his US study, encouraging Russian users to break local laws in such a visible way, but I cannot shake the feeling that it betrays a lack of understanding of the political and technical issues at play.


Old Unix Geek

@Anonymous:

So not as good as advertised. Shame, but not too surprising. Most solutions available to normies are leaky... Signal for instance allows 3rd party keyboards, and in China the popular ones were caught sending messages "home". The iPhone also has backdoors at a hardware level (see Kaspersky's presentation).

If you actually want proper government-resisting security, there's Tails/QubesOS booted off a read-only external device -- but you're still relying on 3rd parties to vet the code/ensure no bugs which is pretty much impossible: there's too much complexity to vet it all.

This is even a problem for governments -- recall CryptoAG was infiltrated by the CIA. Bunnie Huang's Precursor tries to get around hardware backdoors, but they probably have exploitable bugs too. If you want to watch a video, the codec is so complex, it is hackable too, so you can forget it unless you transfer it to an air gapped computer, and even then Stuxnet comes to mind.

I know that many young Russians have downloaded VPNs to do things like watch YouTube or see Western news on their phones. I expect many will use an old device or a friend's device, itself connected to a VPN, to sign up for a VPN for a new device. My impression is that Russia has not been all that heavy-handed about people using a VPN, they're just trying to increase friction, and Russians often ignore what the authorities want anyway. Even at the time of the USSR, people would listen to banned foreign music, particularly in St Petersburg. IIRC, Putin did too. But of course people on the ground have a better idea than people living abroad.

There are other countries, where playing such games is currently much more dangerous. Hopefully Russia doesn't become one of them.


Concur, "split tunnelling" is the only sort that matters / is worth doing on iOS; it's not about privacy, at best it's about access. But you'll be detected trivially with the stock protocols, and anyway the UI doesn't actually give you the flexibility that a configuration profile would. I live in hope that Apple will build in WireGuard or expose a proper UI for Mask, but the state of the art for actual censorship-resistance is probably something that looks like TLS (OpenConnect) or Shadowsocks. Or Cloudflare, on the basis that they don't block it, using their Teams offering, albeit any proxy risks ultimately being profiled based on traffic volumes and patterns. It's a game.

In Turkey, it's still possible to fire up pretty much any VPN or proxy protocol, as long as it's not one of the big ones, not including Cloudflare Warp. So as long as you can find someone with a box to route through, or have built one in advance, you're (probably) golden. But of course it's in the nature of repression that if you don't know who's watching and what they see, especially when using your own connection, you'd best keep your pipe down like a good little civvy and not dare to have the wrong sort of opinions. This I do, while praying that my choice of news sources doesn't get me on a red list. So far, so good; I doubt The Republic of Turkey cares about my English-speaking friends or the things we talk about. Still, while I'm in Turkey with a phone directly linked to my English passport and my Turkish ID, I don't harbour any delusions whatever SIM card I'm using, and I'll take local Internet connectivity over some sort of roaming arrangement any day for the speeds and prices over the risk of not having a working phone.
