SSTP Connect

SSTP / SoftEther VPN Client for iOS

Japanese version here

FAQ

General

Q: How to start?

To use SSTP Connect, you need to create a profile first.

These items are needed for a profile:

Q: What are the items in a profile and what do they mean?

Q: Can I connect or disconnect via system VPN settings?

Yes, you can. Your profiles are saved in the system with your credentials in the keychain. Therefore, you can connect and disconnect the VPN without opening the app.

TLS Server Trust Evaluation (TLS Validation)

Q: What requirements should a server certificate meet in order to pass TLS validation?

iOS has enforced stricter rules on server certificates since iOS 13. See the links below for more information.

https://support.apple.com/en-us/HT210176

https://support.apple.com/en-us/HT211025

The most important changes are:

Q: What should I do if I want to use certificates generated by SoftEther VPN Server?

Certificates automatically generated by SoftEther VPN Server do not meet the above requirements. Please follow this guide to regenerate.
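As an added example (not part of SSTP Connect, SoftEther, or the guide linked above), the following POSIX shell script generates a self-signed server certificate that satisfies the iOS 13 rules in Apple's HT210176 (RSA key of at least 2048 bits, SHA-2 signature, a DNS name in subjectAltName, serverAuth in extendedKeyUsage) together with the 398-day lifetime limit from HT211025, and audits any PEM certificate against those same rules. It assumes OpenSSL 1.1.1 or later (for `-addext`) and GNU `date` (for `-d`); `vpn.example.com` is a constructed hostname.

```shell
#!/bin/sh
# Added example (not SSTP Connect or SoftEther code): build a server certificate
# that passes iOS 13+ TLS server trust evaluation, and audit existing ones.
# Assumes OpenSSL 1.1.1+ (-addext) and GNU date (-d).
set -e

# gen_server_cert DIR HOSTNAME
# Self-signed RSA-2048 / SHA-256 certificate, 398-day lifetime, with the
# hostname in subjectAltName and serverAuth in extendedKeyUsage.
gen_server_cert() {
  dir="$1"; host="$2"
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 398 \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -addext "extendedKeyUsage=serverAuth" \
    -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# check_server_cert CERT.PEM
# Prints each rule the certificate fails; returns 0 only when all rules pass.
check_server_cert() {
  cert="$1"; fail=0
  text=$(openssl x509 -in "$cert" -noout -text)

  # Rule: RSA key size >= 2048 bits ("Public-Key: (N bit)" in x509 -text output)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -ge 2048 ] \
    || { echo "FAIL: RSA key must be >= 2048 bits (got ${bits:-?})"; fail=1; }

  # Rule: SHA-2 family signature algorithm
  printf '%s\n' "$text" | grep -Eq 'Signature Algorithm: sha(256|384|512)' \
    || { echo "FAIL: signature must use SHA-2 (sha256/384/512)"; fail=1; }

  # Rule: at least one DNS name in subjectAltName (CN alone is not enough)
  printf '%s\n' "$text" | grep -q 'DNS:' \
    || { echo "FAIL: subjectAltName must contain a DNS name"; fail=1; }

  # Rule: extendedKeyUsage includes id-kp-serverAuth
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: extendedKeyUsage must include serverAuth"; fail=1; }

  # Rule: validity period of at most 398 days
  start=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
  end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
  days=$(( ( $(date -u -d "$end" +%s) - $(date -u -d "$start" +%s) ) / 86400 ))
  [ "$days" -le 398 ] \
    || { echo "FAIL: validity is $days days, must be <= 398"; fail=1; }

  return $fail
}

# Demo (constructed): generate into a temp dir, then audit the result.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  gen_server_cert "$d" vpn.example.com
  check_server_cert "$d/server.crt" && echo "OK: $d/server.crt passes all checks"
fi
```

Running `check_server_cert` on the certificate exported from an existing server shows which rule it fails before you regenerate; the same checks apply to a certificate issued by a private CA that you install and trust on the device.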

Q: What should I do if the server uses a self-signed certificate or a certificate not signed by a public CA?

For security reasons, certificates signed by public CAs should be used. However if that’s not possible, you can ask your administrator for the root CA certificate and both install and trust it on your device.

Note that the certificate still needs to meet the above requirements.

Q: How to install and trust a certificate?

Email the certificate to yourself or download it from the web, then open it on your device. iOS should prompt you that a profile is now ready to install.

To install it: https://support.apple.com/en-us/HT209435

To trust it: https://support.apple.com/en-us/HT204477

Q: Can I disable TLS validation?

Generally speaking, you should never disable TLS validation. However, in some circumstances you may want to do so (e.g. the server uses an obsolete or weak certificate and you can’t change it).

Only use it as the last resort and always consult your administrator first.

Authentication with Certificates

Q: How to import my certificates?

The first step of using certificate-based authentication is importing your certificates. Currently the app only accepts RSA certificates packed in PKCS #12 format (.p12 or .pfx files). According to iOS policy, the P12 file must be password-protected.

PKCS #12 is the default format on Windows platform and also supported by SoftEther VPN Server.

You need to obtain the P12 file from your administrator and place it on your device. This can be done in several ways:

When the certificate is on your device, import it into the app by tapping Import and navigating to the folder. You need to enter the password and give the certificate a distinct description.

The certificate (and its private key) will be saved in the keychain. For security reasons, please delete the file after import or keep it in a secure place.

A certificate can be used by multiple profiles.
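As an added example of what an administrator would run to produce a file this app accepts (not SSTP Connect or SoftEther code), the following POSIX shell script packages an RSA client certificate and key into a password-protected PKCS #12 file and then verifies the two properties the import step depends on: that the file cannot be opened without a password, and that the key inside is RSA. It assumes OpenSSL 1.1.1 or later; the self-signed client certificate and the names `alice` and `vpn-demo` are constructed for the demo (in practice the certificate would be issued by the VPN's own CA).

```shell
#!/bin/sh
# Added example (not SSTP Connect or SoftEther code): build a password-protected
# PKCS #12 (.p12) identity with an RSA key and verify it before handing it out.
# Assumes OpenSSL 1.1.1+. Names and passwords below are constructed.
set -e

# make_client_identity DIR NAME PASSWORD
# Self-signed RSA-2048 client certificate + key, exported as DIR/NAME.p12.
make_client_identity() {
  dir="$1"; name="$2"; pass="$3"
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -subj "/CN=$name" -addext "extendedKeyUsage=clientAuth" \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
  # -passout sets the P12 password; the app refuses files without one.
  openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
    -name "$name" -out "$dir/$name.p12" -passout "pass:$pass"
}

# p12_is_password_protected FILE
# Returns 0 if the file cannot be opened with an empty password.
p12_is_password_protected() {
  ! openssl pkcs12 -in "$1" -noout -passin pass: 2>/dev/null
}

# p12_key_is_rsa FILE PASSWORD
# Returns 0 if the client certificate inside carries an RSA public key.
p12_key_is_rsa() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -text \
    | grep -q 'Public Key Algorithm: rsaEncryption'
}

# Demo (constructed): create alice.p12 and report the two checks.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_client_identity "$d" alice vpn-demo
  p12_is_password_protected "$d/alice.p12" && echo "password-protected: yes"
  p12_key_is_rsa "$d/alice.p12" vpn-demo && echo "RSA key: yes"
  echo "identity written to $d/alice.p12"
fi
```

Transfer the resulting .p12 to the device over a channel you control and delete the copy afterwards, as the FAQ advises; the password travels separately. Since the app identifies a certificate by issuer and serial number, an identity regenerated for the same user must get a fresh serial.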

Q: How to remove a certificate?

In Select Certificate, you can swipe to remove certificates.

Note that under current iOS, if you remove the app without removing all the certificates, they may still be kept in the keychain (don't worry, they are always protected by iOS). Once you reinstall the app, you can use them again.

Q: I want to import a new certificate but the app complains it's already in the keychain. How is that possible?

According to iOS policy, certificates with the same serial number from the same issuer are considered the same, even if the names are different. Please ask the administrator to generate the certificate with a new serial number.

Q: I have certificates installed in the system. Why can't I see them in the app?

As a third-party app, we can't access certificates installed in the system the way the built-in VPN client does. You have to import them using the app.

VPN On Demand

Q: What is VPN On Demand and how to use it?

VPN On Demand is an advanced iOS feature that automatically connects or disconnects the VPN when a rule matches.

You must first define a set of rules. iOS will try to match them in order and only the first matched rule will be applied. The matching process is completely handled by iOS and the app has no way to alter the behavior.

Important: Only the rules of the current enabled (selected) VPN profile are assessed.

Q: How to write an on demand rule?

A rule has one action and a number of conditions. If all conditions are met, the action is taken.

There are four types of actions:

You can specify these types of conditions:

If no condition is specified, the rule matches all situations and any rule after it will never be matched.

Q: If I want the VPN to be connected when I am away from a Wi-Fi network but disconnected on that network, how should I set up the rules?

You need to create two rules in the following order.

  Rule 1
    Action: Disconnect
    Interface: Wi-Fi
    SSID: (your Wi-Fi SSID)

  Rule 2
    Action: Connect
    No need to input any condition

Then, click Enable VPN On Demand and save the profile.

Note 1: Make sure the profile is selected (showing a checkmark). It will not work if the profile is not selected.

Note 2: The order is important. If you place Rule 2 before Rule 1, Rule 1 will never run because Rule 2 matches any condition. You can change the order by tapping Edit and dragging rules into your desired order.

Q: What does the action type "Evaluate Connection" do?

Evaluate Connection is a special action that further assesses the action to take based on the current connection's destination.

If the destination can't be resolved on the current network, one of these actions can be taken.

For example, you can set up the following rule so that the VPN is started automatically whenever an internal website is requested that cannot be resolved on the current network.

Action: Connect If Needed
Domain Being Evaluated: companyinternal.com (this will match *.companyinternal.com)

SSTP Questions

Q: Do you offer the same connectivity as the Windows built-in SSTP client?

In most cases we provide the same connectivity as the official client. However, in the following situations our app will not work for you.

SoftEther Questions

Q: If I can connect using the official SoftEther Client, does that mean I can use this app too?

In most cases we provide the same connectivity as the official client. However, in the following situations our app will not work for you.

Q: What is UDP acceleration and why is iOS 13 / Server 4.30 required?

SoftEther by default connects via direct TCP and data packets are transferred over TCP as well. UDP acceleration enables sending and receiving data packets over UDP. Although it's named acceleration, the speed may or may not be better than TCP, depending heavily on your network conditions.

SoftEther has historically implemented two versions of UDP acceleration. The original version encrypts data with the RC4 cipher, which has been proven insecure; Apple dropped support for it in iOS 10.

The newer version was introduced in Server 4.30 (Build 9695) and uses ChaCha20-Poly1305 as its cipher. Starting with iOS 13, Apple supports it natively.

Q: How do I know whether I am using UDP or TCP? Why is UDP not working sometimes?

A "UDP" indicator is displayed in the status bar when UDP is in use. You can also tell from the connection log.

UDP acceleration has two working modes:

IPv6 networks do not use NAT and should naturally support UDP acceleration.

Q: After I switch networks, UDP acceleration seems to stop working. Why is that?

This is normal if the UDP acceleration works in NAT traversal mode, because according to the current SoftEther protocol there is no way to renegotiate a new endpoint for an existing session. Therefore the server has no way to know your new address and cannot reach the device after the network switch.

Once you switch back to the original network (provided that your IP address has not changed), UDP will probably work again.

You have two options to solve this problem:

Q: Can I connect to the VPN Azure service?

Yes, you can. Make sure that you use the hostname (xx.vpnazure.net) as the server address. It will not work if you enter an IP address.

Also please note that VPN Azure has two modes:

The iOS version, server build and NAT types need to satisfy the UDP acceleration requirements for direct mode to work.

Q: Can I connect to the VPN Gate service?

Yes. Use the following information when you connect to VPN Gate servers.

CAUTION: VPN Gate servers are provided by various contributors around the world. We do not have any affiliation with them or the project, nor do we ensure connectivity or security in any form.

USE THESE SERVERS AT YOUR OWN RISK!

Other

Q: Sometimes the WiFi icon goes off with the VPN icon for several seconds. What's going on?

This is an indication that the VPN is reconnecting. You are not losing your Wi-Fi connection; it's just how iOS displays VPN reconnection events.

Q: I want to make sure traffic is blocked during reconnecting events (called "Seamless Tunnel" by OpenVPN). How can I do it?

This feature is already enabled and we do not offer a way to disable it.

However, please note that some system traffic does not go through VPN at all, including push notifications and some DNS requests. This is controlled by iOS.

Q: Can you help with setting up a server?

We don't make server-side products, but we can provide general advice to you. If special assistance is needed, we will evaluate the situation and (in the case that we can help) may give you a quote.

Q: What if I have more questions?

Send an email to support@domosekai.com and we will look into it. If it's a connection issue, please set log level to "debug" and send the connection log along with your mail.