# RoamSafe VPN
RoamSafe VPN is a specialised VPN service designed to be used with either iOS or Windows clients. On iOS devices it uses the “always on VPN” feature of iPadOS devices in supervised mode. On Windows clients it uses the built-in VPN Provider.
## VPN Subnet configuration
The RoamSafe VPN requires you to specify a single pool of IP addresses for clients to use. This is configured with a "Client to Site VPN Subnet". This setup step is the same for both iOS and Windows clients.
- Navigate to Networks > Connections, click "+ Add" and choose "Client to Site VPN Subnet"
- Enter the following:
  - Name: Enter a name for the subnet. This will not affect client configuration, but it will be needed later when configuring the VPN itself
  - Network Zone: Choose a network zone for this subnet. This affects how VPN client traffic is routed to other networks managed by the CyberEdge, and how firewall policies are applied. The stock "Local" zone will likely be a sensible choice, or you may prefer to use a custom zone
  - IPv4 client network: Enter a private network subnet in CIDR notation, e.g. "192.168.1.0/24" or "10.2.0.0/16". The subnet must not be used by any other connections or VPN subnets. Ensure the subnet is large enough for the number of VPN clients you expect
  - IPv6 client network: Enter an IPv6 network
  - Traffic Shaping Profile: leave these fields blank if no profiles exist
- Click "Save"
- Click "Save" and "Apply Changes"
## VPN configuration
After creating a VPN subnet, you can proceed to set up the VPN configuration that will use this network. At this point, you'll need to choose whether to configure the VPN for iOS or Windows clients. The following steps assume that you have already set up an Authentication Provider for use with the VPN.
## iOS/iPadOS CyberEdge Configuration
- Navigate to the RoamSafe > RoamSafe VPN page, click "+ Add" and select "iOS VPN"
- Enter the following:
  - Name: Enter a name for the VPN. This won't affect client configuration; it is only for distinguishing between multiple VPN configurations in the CyberEdge UI
  - Server Identifier: Enter a server identifier for the VPN. This must use only letters, numbers, underscores and hyphens. It will later be used in the client configuration as the "remote identifier"
  - Listen Network Zones: Select one or more network zones. These are the network zones from which the client devices will be able to connect to the VPN. On a simple network setup, specifying just the "Internet" zone may be the most appropriate
  - Authentication Provider: Select an authentication provider. This will be used to look up user information for connecting client devices
  - Client to Site VPN subnet: Select the client to site VPN subnet you created in the previous VPN Subnet configuration steps
  - Deployment shared secret: Click "Set password" and enter a password. It's recommended you set a unique, strong password with a length of at least 16 characters. You will also need to enter this shared secret in the VPN configuration profile in Apple Configurator or your Mobile Device Management (MDM) software
  - DNS Servers: Enter the DNS servers that clients will use. This may be one of the IP addresses of the CyberEdge appliance. The IP address will need to be reachable from the chosen VPN client subnet
- Click "Save"
- Click "Save" and "Apply Changes"
## iOS/iPadOS VPN Client
Before using RoamSafe VPN, the devices must be in supervised mode.
Using Apple Configurator or your MDM software, create a new device configuration profile. In the VPN section, configure the following settings:
| Setting | Value |
|---|---|
| Connection Name | RoamSafe |
| VPN Type | VPN |
| Connection Type | IKEv2 |
| Always on VPN | Yes |
| Allow user to disable automatic connection | No |
| Use same tunnel configuration for Cellular and WiFi | Yes |
| Server | (External IP address or hostname of the CyberEdge appliance) |
| Remote Identifier | (The server identifier configured on the CyberEdge appliance) |
| Local Identifier | `$USERNAME` |
| Machine Authentication | Shared Secret |
| Shared Secret | (The shared secret configured on the CyberEdge appliance) |
| Enable EAP | No |
For both IKE SA Params and Child SA Params enter the following settings:
| Setting | Value |
|---|---|
| Encryption Algorithm | AES-256 |
| Integrity Algorithm | SHA2-256 |
| Diffie-Hellman Group | 14 |
| Lifetime | 79200 |
If using Apple Configurator, you must replace `$USERNAME` with the actual username for the user of that device. If using Jamf, you can enter the literal string `$USERNAME` and Jamf will fill in the username of the user that the device is assigned to. Other MDM software may provide similar functionality; please consult your MDM software documentation for details.
## Ensure the VPN profile is not removed
If the user is able to remove the VPN configuration profile, their device will no longer connect to RoamSafe VPN and their traffic will not be filtered. There are three possible scenarios:
- If the VPN profile is installed to the device directly from Apple Configurator, you can prevent the user from removing the VPN configuration profile entirely
- If using MDM software such as Jamf, the VPN profile cannot be removed directly, but users can remove their entire MDM enrolment profile, which will remove the VPN profile as well as any apps and other settings controlled by the MDM software. Your MDM software should be configured to alert in this scenario
- If using MDM software in conjunction with devices purchased through the Apple Device Enrolment Program, it is possible to prevent the MDM enrolment profile from being removed by the end user. This is the preferred option when using large numbers of devices. See Apple's Device Enrolment Program website for more information.
## Windows VPN CyberEdge Configuration
- Navigate to System > Certificates
- Click on "Generate Certificate"
- Set the certificate values as follows:
  - Common Name should be set to the DNS-resolvable hostname that your clients will connect to, e.g. vpn.myschool.com.au
  - Purpose should be set to "Server"
  - Certificate Authority (CA) should be set to a CA which is trusted by your VPN clients
  - Expiration Time is dependent on the administrator's requirements. The certificate will need to be renewed before expiration or the VPN will cease to function correctly
- Click on Save
- Navigate to the RoamSafe > RoamSafe VPN page, click "+ Add" and select "Windows VPN"
- Enter the following:
  - Name: Enter a name for the VPN. This won't affect client configuration; it is only for distinguishing between multiple VPN configurations in the CyberEdge UI
  - Server Identifier: Enter a server identifier for the VPN. This must use only letters, numbers, underscores and hyphens. It will later be used in the client configuration
  - Server Certificate: Select the certificate used to identify the server to clients. Any clients connecting to this VPN must trust the Certificate Authority which issued this certificate
  - Listen Network Zones: Select one or more network zones. These are the network zones from which the client devices will be able to connect to the VPN. On a simple network setup, specifying just the "Internet" zone may be the most appropriate
  - Authentication Provider: Select an authentication provider. This will be used to look up user information for connecting client devices
  - Client to Site VPN subnet: Select the client to site VPN subnet you created in the previous VPN Subnet configuration steps
  - Deployment shared secret: Click "Set password" and enter a password. It's recommended you set a unique, strong password with a length of at least 16 characters. You will also need to enter this shared secret as the password of the VPN connection on each Windows client (see the Windows VPN Setup steps)
  - DNS Servers: Enter the DNS servers that clients will use. This may be one of the IP addresses of the CyberEdge appliance. The IP address will need to be reachable from the chosen VPN client subnet
- Click "Save"
- Click "Save" and "Apply Changes"
## Windows VPN Setup
The following steps are for the manual configuration of a single Windows client to connect to the RoamSafe VPN. Administrators may wish to apply these settings via Group Policy. Group Policy settings are out of the scope of this documentation.
- Go to Settings > Network and Internet > VPN, and click on "Add a VPN connection"
- Configure your VPN connection with the following settings:
  - Set VPN Provider to "Windows (built-in)"
  - Set Connection name to the Server Identifier you set on the RoamSafe VPN
  - Set Server name or address to the DNS name of the server hosting the VPN. This name must be resolvable by the client, and must correspond to the Common Name of the VPN server certificate configured on the RoamSafe VPN
  - Set VPN type to "IKEv2"
  - Set Type of sign-in info to "User name and password"
  - Set User name to the user of the Windows device
  - Set Password to the pre-shared key configured in the RoamSafe VPN
  - Click on Save
- Open the `regedit` utility and navigate to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rasman\Parameters`. Create a new DWORD entry named `NegotiateDH2048_AES256` and set it to the value 2
- You will have created a VPN server certificate during the setup of the Windows RoamSafe VPN. The Certificate Authority that generated the VPN server certificate must be trusted by the Windows client. Install the Certificate Authority on the Windows client:
  - Download the CA from the Admin interface by navigating to System > Certificates and clicking on the download icon next to the relevant Certificate Authority
  - Copy the Certificate Authority to the Windows client, ensuring the file name ends with `.crt`
  - Double-click on the certificate, then click on "Open" and "Install Certificate"
  - Select "Local Machine" and click on Next
  - Select "Place all certificates in the following store", then "Browse", and select "Trusted Root Certification Authorities"
  - Click on "Finish"
- Increase the level of encryption on the Windows client VPN:
  - Go to Network Connections
  - Find the network connection matching your VPN name, right-click, and select Properties
  - Under "Data encryption" select "Maximum strength encryption (disconnect if server declines)"
  - Click on OK
- Manually set the encryption properties of the VPN connection:
  - Open PowerShell as an administrator
  - Run the following PowerShell command, substituting in the name of the VPN connection you created:

    ```powershell
    Set-VpnConnectionIPsecConfiguration -ConnectionName "<your VPN connection name>" -IntegrityCheckMethod SHA256 -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -DHGroup ECP384 -EncryptionMethod GCMAES256 -PfsGroup ECP384
    ```
- Test the connection by connecting to your VPN server
- If the connection is not using DNS from the CyberEdge, you may have to set the connection metric manually. To do so, go to the Advanced TCP/IP settings of the VPN adapter, untick the Automatic metric option and set the value to 1
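The manual client steps above can be scripted for repeatable deployment (for example as a startup script). The following is an added example written for this page, not CyberEdge or RoamSafe project code. It assumes an elevated PowerShell session, that "User name and password" sign-in maps to the MSChapv2 authentication method, and that the connection name, server hostname and CA file path (the `$ConnectionName`, `$ServerFqdn` and `$CaCertPath` parameters) are placeholders you replace with your own values.

```powershell
<#
  Added example (not part of the RoamSafe documentation): scripted version of
  the manual Windows client steps. Run from an elevated PowerShell session.
  All three parameter defaults are assumed placeholders for your site.
#>
param(
    [string]$ConnectionName = 'RoamSafe',                 # assumed; the page uses the Server Identifier here
    [string]$ServerFqdn     = 'vpn.myschool.com.au',      # must match the server certificate's Common Name
    [string]$CaCertPath     = 'C:\Temp\cyberedge-ca.crt'  # assumed path of the downloaded CA (.crt)
)

# 1. Create the IKEv2 connection for all users with username/password sign-in and
#    "Maximum strength encryption (disconnect if server declines)".
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerFqdn `
    -TunnelType Ikev2 `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Maximum `
    -AllUserConnection `
    -RememberCredential `
    -Force

# 2. The regedit step: make RASMAN negotiate 2048-bit DH / AES-256.
#    A restart of the Remote Access Connection Manager service (or a reboot)
#    may be needed before the flag takes effect.
$rasman = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'
New-ItemProperty -Path $rasman -Name 'NegotiateDH2048_AES256' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# 3. Trust the CA that issued the VPN server certificate
#    (Local Machine > Trusted Root Certification Authorities).
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# 4. Pin the IPsec parameters given on this page (same command as the manual step,
#    plus -Force so the script does not stop for a confirmation prompt).
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -EncryptionMethod GCMAES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup ECP384 `
    -PfsGroup ECP384 `
    -AllUserConnection `
    -Force

# 5. Show what was configured so it can be checked before the connection test.
$conn = Get-VpnConnection -Name $ConnectionName -AllUserConnection
[pscustomobject]@{
    Name         = $conn.Name
    Server       = $conn.ServerAddress
    TunnelType   = $conn.TunnelType
    Encryption   = $conn.EncryptionLevel
    RasmanDHFlag = (Get-ItemProperty -Path $rasman).NegotiateDH2048_AES256
    CaSubject    = $ca.Subject
    CaThumbprint = $ca.Thumbprint
}

# 6. Optional: the interface metric step. The VPN adapter only exists while the
#    tunnel is up, so this part only runs when the connection is already active.
if (Get-NetIPInterface -InterfaceAlias $ConnectionName -ErrorAction SilentlyContinue) {
    Set-NetIPInterface -InterfaceAlias $ConnectionName -AutomaticMetric Disabled -InterfaceMetric 1
}
```

The user's password (the deployment shared secret) is deliberately not written into the script; the user enters it on first connection and `-RememberCredential` keeps it in the credential store, which avoids leaving the secret in a file on disk. If you would rather keep the GUI step for the metric, drop section 6.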