An Interesting Interaction

Background

I have noticed that an Internet radio app I have on my iPhone works flawlessly when on my home WiFi. But it hangs up regularly when I am not on my home WiFi.

I use a VPN to connect my iPhone back to my home when I am out and about. Originally I used OpenVPN but there was no client I was aware of that would dynamically turn the VPN tunnel on or off based on what networks the phone was using. This made it a manual process to enable and disable the VPN when I left or entered my home.

Looking into the documents from Apple, I could dynamically enable and disable a VPN based on network connection (mobile vs WiFi, and on WiFi based on what the SSID is). But only for a small set of VPN types natively supported by Apple. The one in common between that list and what my home router supports is IPsec using IKEv2. So I migrated my phone to that using a mobile config setup. The laptop stayed on OpenVPN as it seldom travels and turning the VPN on or off was not a multiple-times-a-day problem.

In general dynamically managed VPN tunneling with IPsec/IKEv2 has been working fairly well and I haven’t had to think about things too much. But there have been some rough edges that I have been uncertain as to cause.

The Internet radio app stopping playing is one thing that I attributed to that. Except that it also would hang up if I had the VPN off. Not as often, but it still happened. So the VPN was not the only issue there.

I should also note that getting OpenVPN and IPsec/IKEv2 working was a bit fiddly. As was figuring out how to create an Apple mobile configuration file that would do the desired dynamic VPN enable/disable.

More Observations

One newly acquired device, a cellular router, shows me that the IPv4 address I am being assigned by my mobile provider is non-routable. So my provider is using some sort of carrier grade NAT.

When I run a speed test from various locations with the VPN off, I see that the speed test picks locations in the general area I am in. This implies that the cellular provider has multiple gateways and it is likely that when I move through an area I am transferred from one gateway to another. This change means a new IPv4 address, which will break any regular TCP connection. I am beginning to see why the Internet radio app stops playing.

In addition, I monitored the VPN connection to my server with a device located in an area with poor cellular coverage (my office desk). The IP address and port it connected to my VPN server from changed on a frequent basis. The IP address changes seemed to happen at the same time the device was changing its signal strength indicator. I think it may have been changing towers looking for the best signal. So even if stationary, a connection may break.

For most VPN technologies this means the session needs to be restarted at odd but not very long intervals. And any long-lived TCP stream, like the one to my Internet radio app, will need to be restarted too.

So I think I finally understand why the Internet radio app on my phone has been so annoying when used in the car but works flawlessly when used at home.

Wireguard VPN

Now that I have more devices of recent design I can play around with Wireguard and see how it performs.

Scanning the documents, it does not seem to have a traditional concept of a connection session. There are symmetric encryption keys negotiated for a “session” but a session is for a limited number of data packets or a limited time, whichever comes first.

And, more interestingly in this case, the server doesn’t care where the UDP data packets were received from. It identifies the client based on the public key on the packet. This implies that it will happily and transparently deal with a mobile carrier changing NAT ports or even IP addresses when the phone moves from one tower or area to the next.
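To make the two properties above concrete, here is an added Python simulation. It is my own illustration, not WireGuard's code and not anything from the original post. It models a server that keeps peers keyed by public key and sessions keyed by the receiver index handed out at handshake time (in real WireGuard the static public key travels only in the handshake; data packets carry that index), enforces the session limits (the REKEY_AFTER_TIME and REKEY_AFTER_MESSAGES values are WireGuard's), and updates a peer's stored endpoint only after a data packet authenticates. That last ordering is the security-relevant part: an unauthenticated packet from a new source address is dropped without touching the endpoint, so a spoofed source cannot redirect the peer's traffic, while a genuine phone that has been moved to a new carrier NAT address is picked up transparently. The keys, addresses and packets are constructed, the HMAC tag stands in for WireGuard's AEAD, and the clock is injected so the expiry case can be shown.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# WireGuard's limits: a session key is used for at most this many packets or
# this many seconds, whichever comes first (then a new handshake is needed).
REKEY_AFTER_MESSAGES = 2 ** 60
REKEY_AFTER_TIME = 120.0

Endpoint = Tuple[str, int]  # (ip, udp port) as seen on the wire


@dataclass
class Session:
    peer_pubkey: bytes
    key: bytes              # constructed symmetric key (stand-in for the Noise-derived one)
    created_at: float
    received: int = 0
    last_counter: int = -1  # highest accepted counter, for replay rejection


@dataclass
class Peer:
    pubkey: bytes
    endpoint: Optional[Endpoint] = None  # where the last authenticated packet came from


class RoamingServer:
    """Toy server: peers keyed by public key, sessions keyed by receiver index."""

    def __init__(self, clock):
        self.clock = clock  # callable returning seconds; injected for deterministic tests
        self.peers: Dict[bytes, Peer] = {}
        self.sessions: Dict[int, Session] = {}

    def add_peer(self, pubkey: bytes) -> None:
        self.peers[pubkey] = Peer(pubkey)

    def handshake(self, pubkey: bytes, src: Endpoint):
        """Stand-in for the Noise handshake: only configured public keys get a session."""
        if pubkey not in self.peers:
            return None
        index = int.from_bytes(secrets.token_bytes(4), "little")
        key = secrets.token_bytes(32)
        self.sessions[index] = Session(pubkey, key, self.clock())
        self.peers[pubkey].endpoint = src
        return index, key

    def receive(self, packet: bytes, src: Endpoint) -> str:
        """Process one data packet; the return value names what happened."""
        if len(packet) < 28:  # 4-byte index + 8-byte counter + 16-byte tag minimum
            return "malformed"
        index, counter = struct.unpack("<IQ", packet[:12])
        tag = packet[-16:]
        session = self.sessions.get(index)
        if session is None:
            return "no-session"
        # Session limits: time or message count, whichever is hit first.
        if (self.clock() - session.created_at > REKEY_AFTER_TIME
                or session.received >= REKEY_AFTER_MESSAGES):
            del self.sessions[index]
            return "expired"
        expected = hmac.new(session.key, packet[:-16], hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return "bad-auth"  # endpoint is NOT updated for an unauthenticated packet
        if counter <= session.last_counter:
            return "replay"
        session.last_counter = counter
        session.received += 1
        peer = self.peers[session.peer_pubkey]
        roamed = peer.endpoint != src
        peer.endpoint = src  # roaming: trust the new source address only after auth
        return "roamed" if roamed else "ok"


def seal(index: int, counter: int, key: bytes, payload: bytes) -> bytes:
    """Client side: index || counter || payload || truncated HMAC tag."""
    body = struct.pack("<IQ", index, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]


def demo() -> dict:
    """A phone's carrier NAT address changes mid-session; addresses are constructed."""
    now = [1000.0]
    server = RoamingServer(lambda: now[0])
    phone_key = b"phone-public-key-placeholder-32b"  # constructed placeholder key
    server.add_peer(phone_key)
    index, key = server.handshake(phone_key, ("203.0.113.5", 40000))
    results = {}
    results["first"] = server.receive(seal(index, 0, key, b"radio"), ("203.0.113.5", 40000))
    moved = seal(index, 1, key, b"radio")  # same session, new NAT address and port
    results["moved"] = server.receive(moved, ("198.51.100.9", 51000))
    results["endpoint"] = server.peers[phone_key].endpoint
    # A packet from elsewhere with the wrong key must not move the endpoint.
    results["forged"] = server.receive(seal(index, 2, b"\x00" * 32, b"x"), ("192.0.2.1", 1))
    results["endpoint_after_forgery"] = server.peers[phone_key].endpoint
    results["replay"] = server.receive(moved, ("198.51.100.9", 51000))
    now[0] += REKEY_AFTER_TIME + 1  # session outlives its time limit
    results["expired"] = server.receive(seal(index, 3, key, b"radio"), ("198.51.100.9", 51000))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` walks through the cases in order: the first packet is accepted, the packet from the new address is accepted and reported as "roamed" with the endpoint updated, the forged packet is rejected without changing the endpoint, the replayed packet is rejected, and once the clock passes the time limit the session is discarded and a new handshake would be required, which is the "limited time" half of the session rule described above.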

While researching Wireguard I came across some mention of dynamic VPNs on iOS. It seemed that the Wireguard app on iPhone can be configured the same as the native VPNs to enable and disable based on what network connection it has. I installed the Wireguard app and it does indeed have the ability to dynamically enable or disable the VPN tunnel based on WiFi SSID or if the phone is on mobile data or not.

Current Status

I have been using the Wireguard VPN on my iPhone for the last couple of weeks and the Internet radio app has been working flawlessly in the car. So far I have only been about 50 miles from home, so not a real test. But between that trip and more local driving it has worked as well as at home. We will be doing some longer drives in the near future that will put the setup through more paces.

But it looks like I will be decommissioning both my OpenVPN and IPsec/IKEv2 VPNs and simply using Wireguard.

And, by the way, Wireguard was much easier to set up than either OpenVPN or IPsec/IKEv2.