It then turned out that I need to pass a reference to a key chain entry that I saved before. The problem was that Apple's key chains seem quite difficult to handle manually. Luckily there are a couple of swift and Objective-C libraries out there that handle Key Chains, the most famous one is KeychainAccess. I thought all my problems were solved, but alas that was just the begining. I saved the password and passed a data reference to the NEVPNIPSec class but I couldn't establish the VPN connection. The error was that authentication failed.

Anyways after some search and retires, I could finally solve the problem using an Objective-C snippet I found online (sorry I lost the original URL). And here's the swift equivalent snippet.

import Foundation

import UIKit  
import Security

// Identifiers
let serviceIdentifier = "MySerivice"  
let userAccount = "authenticatedUser"  
let accessGroup = "MySerivice"

// Arguments for the keychain queries
var kSecAttrAccessGroupSwift = NSString(format: kSecClass)

let kSecClassValue = kSecClass as CFString  
let kSecAttrAccountValue = kSecAttrAccount as CFString  
let kSecValueDataValue = kSecValueData as CFString  
let kSecClassGenericPasswordValue = kSecClassGenericPassword as CFString  
let kSecAttrServiceValue = kSecAttrService as CFString  
let kSecMatchLimitValue = kSecMatchLimit as CFString  
let kSecReturnDataValue = kSecReturnData as CFString  
let kSecMatchLimitOneValue = kSecMatchLimitOne as CFString  
let kSecAttrGenericValue = kSecAttrGeneric as CFString  
let kSecAttrAccessibleValue = kSecAttrAccessible as CFString

class KeychainService: NSObject {  
    func save(key:String, value:String) {
        let keyData: Data = key.data(using: String.Encoding(rawValue: String.Encoding.utf8.rawValue), allowLossyConversion: false)!
        let valueData: Data = value.data(using: String.Encoding(rawValue: String.Encoding.utf8.rawValue), allowLossyConversion: false)!

        let keychainQuery = NSMutableDictionary();
        keychainQuery[kSecClassValue as! NSCopying] = kSecClassGenericPasswordValue
        keychainQuery[kSecAttrGenericValue as! NSCopying] = keyData
        keychainQuery[kSecAttrAccountValue as! NSCopying] = keyData
        keychainQuery[kSecAttrServiceValue as! NSCopying] = "VPN"
        keychainQuery[kSecAttrAccessibleValue as! NSCopying] = kSecAttrAccessibleAlwaysThisDeviceOnly
        keychainQuery[kSecValueData as! NSCopying] = valueData;
        // Delete any existing items
        SecItemDelete(keychainQuery as CFDictionary)
        SecItemAdd(keychainQuery as CFDictionary, nil)
    }

    func load(key: String)->Data {

        let keyData: Data = key.data(using: String.Encoding(rawValue: String.Encoding.utf8.rawValue), allowLossyConversion: false)!
        let keychainQuery = NSMutableDictionary();
        keychainQuery[kSecClassValue as! NSCopying] = kSecClassGenericPasswordValue
        keychainQuery[kSecAttrGenericValue as! NSCopying] = keyData
        keychainQuery[kSecAttrAccountValue as! NSCopying] = keyData
        keychainQuery[kSecAttrServiceValue as! NSCopying] = "VPN"
        keychainQuery[kSecAttrAccessibleValue as! NSCopying] = kSecAttrAccessibleAlwaysThisDeviceOnly
        keychainQuery[kSecMatchLimit] = kSecMatchLimitOne
        keychainQuery[kSecReturnPersistentRef] = kCFBooleanTrue

        var result: AnyObject?
        let status = withUnsafeMutablePointer(to: &result) { SecItemCopyMatching(keychainQuery, UnsafeMutablePointer($0)) }


        if status == errSecSuccess {
            if let data = result as! NSData? {
                if let value = NSString(data: data as Data, encoding: String.Encoding.utf8.rawValue) {
                }
                return data as Data;
            }
        }
        return "".data(using: .utf8)!;
    }
}

Using this class, I was able to save password strings into the keychain and again pass them to NEVPNProtocol class as data references.

This code is quite similar to the KeychainAccess library, but it sets some more keys/attributes, that are currently not possible to set explicitly from outside, for example kSecAttrServiceValue.

To create a VPN connection in iOS you do not need to obtain a network extension entitlement from apple.

Create a VPN

import NetworkExtension

class VPN {

let vpnManager = NEVPNManager.shared();

private var vpnLoadHandler: (Error?) -> Void { return  
        { (error:Error?) in
            if ((error) != nil) {
                print("Could not load VPN Configurations")
                return;
            }
            let p = NEVPNProtocolIPSec()
            p.username = "SOME_USERNAME"
            p.serverAddress = "example.com"
            p.authenticationMethod = NEVPNIKEAuthenticationMethod.sharedSecret

            let kcs = KeychainService();
            kcs.save(key: "SHARED", value: "MY_SHARED_KEY")
            kcs.save(key: "VPN_PASSWORD", value: "MY_PASSWORD"
            p.sharedSecretReference = kcs.load(key: "SHARED")
            p.passwordReference = kcs.load(key: "VPN_PASSWORD)
            p.useExtendedAuthentication = true
            p.disconnectOnSleep = false
            self.vpnManager.protocolConfiguration = p
            self.vpnManager.localizedDescription = "Contensi"
            self.vpnManager.isEnabled = true
            self.vpnManager.saveToPreferences(completionHandler: self.vpnSaveHandler)
    } }

private var vpnSaveHandler: (Error?) -> Void { return  
    { (error:Error?) in
        if (error != nil) {
            print("Could not save VPN Configurations")
            return
        } else {
            do {
                try self.vpnManager.connection.startVPNTunnel()
            } catch let error {
                print("Error starting VPN Connection \(error.localizedDescription)");
                }
            }
        }
        self.vpnlock = false
    }}

public func connectVPN() {  
        //For no known reason the process of saving/loading the VPN configurations fails.On the 2nd time it works
        do {
            try self.vpnManager.loadFromPreferences(completionHandler: self.vpnLoadHandler)
        } catch let error {
            print("Could not start VPN Connection: \(error.localizedDescription)" )
        }
    }

public func disconnectVPN() ->Void {  
        vpnManager.connection.stopVPNTunnel()
}
}

The code does the following:
* Load the preferences
* Change the preferences to the desired values (username, password, URL etc..)
* Save the preferences
* Start the connection

I know that it is weird to load the preferences, and then save it, although we didn't have anything to load. But this is unfortunately how Apple decided that it should be done. If you apply your changes directly and saved to preferences before loading preferences, the save operation will fail. *sighs*

The password and the shared key have to be saved in a specific key chain. You can read more about saving/loading keychain entries for VPN in this other blog post.

Also note that the loadFromPreferences and the saveToPreferences callbacks are asynchronous

One more thing I learnt while figuring out this API is that the call vpnManager.connection.startVPNTunnel() succeeds it does not mean the VPN connection has been established successfully, but it means that the process of establishing a VPN tunnel has been started successfully. Apparently Apple has been writing those APIs for lawyers.

Finally if you want to be notified when the VPN connection has been established successfully, or otherwise has been disconnected, you need to use the NotificationCenter class. I'll describe this in a separate post.

In order to debug SoftEtherVPN I had to spend a considerable amount of time to get it running.

These set of libraries apply to Ubuntu 16.04

sudo apt-get install -y cmake libncurses-dev libc-bin libc-dev-bin libc6 libc6-dbg libc6-dev libc6-pic  multiarch-support nscd libnss3-dev libreadline-dev libssl-dev

After that check out and compile the project

git clone https://github.com/SoftEtherVPN/SoftEtherVPN
cd SoftEtherVPN
./configure
make clean
make DEBUG=YES

Then run the the vpn server as a root

./bin/vpnserver/vpnserver execsvc

• Now open eclipse CDT and import the project
• Go Run -> Debug Configurations -> and create a new "C/C++ Attach to application" -> Then hit "Debug"
• a Menu with the processes running on your system will open, choose the vpnserver
• Note: There should be two vpnserver processes running. Choose the one with "one" core next to its name

That's it. Now you should be able to debug SoftEther

Only Compile SoftEther

Also done for Ubuntu, you need to install the following libraries:

sudo apt-get install -y build-essential libreadline-dev libssl-dev 

The newest version at the time of writing this post is v3.1. Ubuntu has up to version 2.1 of freeradius.

First you need to install some libs needed to compile freeradius code

sudo apt-get install build-essential libmysqlclient-dev libperl-dev libssl-dev  
git clone https://github.com/FreeRADIUS/freeradius-server.git  
cd freeradius server  
./configure
make  
make install  

edit the file /etc/freeradius/radiusd.conf

1. Find the next two lines and uncomment them. After uncommenting them, they should look like the following:

$INCLUDE sql.conf 
$INCLUDE sql/mysql/counter.conf 

1. Find the snippet instantiate {...} around line 710 and add the following inside it:

noresetcounter  

/etc/freeradius/sites-available/default

Edit the file /etc/freeradius/sites-available/default. We will do several changes here

1. The first snippet is the authorize {...} snipper. Find the line files in this snippet and comment it out (around line 170).

2. Find the sql line inside the session {...} snippet (around line 454) and enable it.

3. Find the sql line inside the accounting {...} snippet (around line 406) and enable it.

4. Find the sql line inside the authorize {...} snippet (around line 177) and enable it.

5. After enabling the 'sql' line in the authorize {...} snippet add the next lines after 'sql' as follows:

sql  
chillispot_max_bytes  
noresetcounter  

Install via apt-get

sudo apt-get install freeradius freeradius-mysql apache2 php5 libapache2-mod-php5 mysql-server mysql-client php5-mysql  

While installing freeradius, you will be asked for a password. Type in a strong password and keep it for later. We will need it.

Configure your first user

*Before doing any changes to the configuration files, I can only recommend using git or mercurial to keep track of your changes and revert them *

Edit the freeradius users with vim

vim /etc/freeradius/users  

and search for the user 'John Doe' which should be commented. Remove the comment from this line as well as the next line which says:

"John Doe" Auth-Type := Local, User-Password == "hello"
Reply-Message = "Hello, %u"  

Save and exit. Upon restarting the service, this user will be activated and will be ready to use. Now start freeradius with verbose output:

sudo freeradius -fxxX  

If you get an error, like service is already running or port is being used, then most probably this means that freeradius has been started automatically when you first installed it. You need to kill this process. First find this process id

ps -ef | grep freeradius  
#Then kill it with
kill -9 <PROCESS ID HERE>  

Later when everything is working fine, you can start freeradius with:

sudo service freeradius start  

If everything goes fine and you receive no error, then you should now be able to log into your radius server. Open a new window and type:

sudo radtest "John Doe" hello 127.0.0.1 0 testing123  

You should get an accept reply, mine was:

Sending Access-Request of id 136 to 127.0.0.1 port 1812  
User-Name = "John Doe"  
User-Password = "hello"  
NAS-IP-Address = 255.255.255.255  
NAS-Port = 0  
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=136, length=37  
Reply-Message = "Hello, John Doe"  

Remote access to the radius server

The configuration method described above does not grant you automatically an access from the internet to your radius server. If you have the domain name example.com and you tried an access from outside:

sudo radtest "John Doe" hello example.com 0 testing123  

Then you will get a connection closed error. To enable remote access you need to define at least one remote clinet.
edit the /etc/freeradius/clients.conf file

vim /etc/freeradius/clients.conf  

And add the following snippet:

client 0.0.0.0/0 {  
  secret = "mysecret"
  shortname = name
}

Replace the 'mysecret' with any password you want. Note that by doing this you open your radius server authentication to the internet!!!. You can of course fine tune this setting to allow connections from only a short list of clients

Again restart the freeradius. Now from another machien, try the following:

radtest "John Doe" "hello" example.com 0 "mysecret"  

You should now be able to connect to your radius server from any client.

Here's part 2 of this tutorial
Configure freeradius with mysql