<!DOCTYPE html>
<html lang="en" itemscope itemtype="http://schema.org/Blog">
<head>
<title>Passepartout, VPN client for Apple platforms</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="author" content="Davide De Rosa" />
<meta name="description" content="Passepartout is a user-friendly VPN client for Apple platforms." />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="apple-mobile-web-app-title" content="Passepartout">
<!-- Twitter -->
<meta name="twitter:card" content="summary" />
<meta name="twitter:site" content="@keeshux" />
<meta name="twitter:title" content="Passepartout" />
<meta name="twitter:url" content="https://passepartoutvpn.app" />
<meta name="twitter:image" content="https://passepartoutvpn.app/s/logo.png?1734087682" />
<meta name="twitter:description" content="Passepartout is a user-friendly VPN client for Apple platforms." />
<!-- Facebook -->
<meta property="og:type" content="website" />
<meta property="og:url" content="https://passepartoutvpn.app" />
<meta property="og:title" content="Passepartout" />
<meta property="og:site_name" content="Passepartout" />
<meta property="og:description" content="Passepartout is a user-friendly VPN client for Apple platforms." />
<meta property="og:image" content="https://passepartoutvpn.app/s/logo.png?1734087682" />
<!-- Google+ -->
<meta itemprop="name" content="Passepartout" />
<meta itemprop="description" content="Passepartout is a user-friendly VPN client for Apple platforms." />
<meta itemprop="image" content="https://passepartoutvpn.app/s/logo.png?1734087682" />
<link rel="canonical" href="https://passepartoutvpn.app" />
<link rel="author" href="" />
<link rel="stylesheet" href="/s/main.css?1734087682" />
<link rel="stylesheet" href="/s/main-mobile.css?1734087682" media="only screen and (max-width: 600px)" />
<link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.4/css/all.min.css" rel="stylesheet">
<link rel="shortcut icon" href="/s/favicon.ico?1734087682" />
<link rel="apple-touch-icon" href="/s/iphone-icon-precomposed.png?1734087682" />
</head>
<body>
<div id="container">
<header>
<a href="https://passepartoutvpn.app"><img id="logo" src="/s/logo.svg" alt="Passepartout" /></a>
<h1><a href="https://passepartoutvpn.app">Passepartout</a></h1>
<p>Your go-to app for VPN and privacy.</p>
</header>
<main>
<h2 id="frequently-asked-questions">Frequently Asked Questions</h2>
<ul>
<li><a href="#why-use-icloud-to-share-profiles-with-the-apple-tv">Why use iCloud to share profiles with the Apple TV?</a></li>
<li><a href="#my-profile-does-not-appear-on-the-apple-tv">My profile does not appear on the Apple TV</a></li>
<li><a href="#i-am-concerned-with-icloud-privacy">I am concerned with iCloud privacy</a></li>
<li><a href="#i-cannot-see-my-profiles-on-another-device">I cannot see my profiles on another device</a></li>
<li><a href="#why-dont-shortcuts-execute-in-the-background">Why don't Shortcuts execute in the background?</a></li>
<li><a href="#id-like-to-use-wireguard-with-providers">I'd like to use WireGuard with providers</a></li>
<li><a href="#id-like-to-see-a-widget">I'd like to see a Widget</a></li>
<li><a href="#im-unable-to-add-my-wi-fi-to-on-demand-networks">I'm unable to add my Wi-Fi to on-demand networks</a></li>
<li><a href="#i-had-purchased-this-app-before-yet-it-prompts-me-for-purchases">I had purchased this app before yet it prompts me for purchases</a></li>
<li><a href="#i-had-purchased-this-app-before-yet-testflight-builds-are-restricted">I had purchased this app before yet TestFlight builds are restricted</a></li>
<li><a href="#my-provider-is-not-listed">My provider is not listed</a></li>
<li><a href="#im-on-wi-fi-but-my-device-shows-im-connected-via-lte">I'm on Wi-Fi but my device shows I'm connected via LTE</a></li>
<li><a href="#why-is-location-access-required-when-adding-a-wi-fi-network-to-on-demand">Why is location access required when adding a Wi-Fi network to on-demand?</a></li>
<li><a href="#i-can-connect-to-the-vpn-but-the-internet-does-not-work">I can connect to the VPN but the Internet does not work</a></li>
<li><a href="#the-vpn-fails-with-auth-failed-or-immediately-disconnects-with-encryption-failed">The VPN fails with “Auth failed” or immediately disconnects with “Encryption failed”</a></li>
<li><a href="#my-provider-returns-auth-failed-but-my-credentials-are-correct">My provider returns “Auth failed” but my credentials are correct</a></li>
<li><a href="#my-personal-server-returns-tls-failed">My personal server returns “TLS failed”</a></li>
<li><a href="#the-configuration-file-lacks-a-required-option-cipher">The configuration file lacks a required option (cipher)</a></li>
<li><a href="#the-configuration-file-contains-an-unsupported-option-external-file">The configuration file contains an unsupported option (external file)</a></li>
<li><a href="#it-seems-that-my-traffic-doesnt-necessarily-go-through-the-vpn">It seems that my traffic doesn't necessarily go through the VPN</a></li>
<li><a href="#id-like-to-see-my-ip-address-in-the-app">I'd like to see my IP address in the app</a></li>
<li><a href="#mullvad-ignores-my-custom-dns-settings">Mullvad ignores my custom DNS settings</a></li>
</ul>
<h3 id="why-use-icloud-to-share-profiles-with-the-apple-tv">Why use iCloud to share profiles with the Apple TV?</h3>
<p>As of December 2024, the Apple TV is still limited when it comes to file transfers. AirDrop and iCloud Drive are the most natural options for one-off “import and delete” of a profile, but they are not available. Another option is setting up a local server with a QR, but I find it quite a cumbersome UX.</p>
<p>Therefore, given that Passepartout supports end-to-end CloudKit encryption, iCloud proved a decent trade-off between usability and privacy. Besides the convenience of the simple toggle, the iOS/macOS apps act as a remote to reflect local changes instantly on your Apple TV. This benefits the UX of the TV app dramatically, where you only use the remote to change the profile or toggle the connection.</p>
<p>Bear in mind that only “Apple TV” profiles are shared and synchronized over iCloud implicitly. Other profiles follow the “iCloud &gt; Enabled” toggle (in 3.0.0) or the global iCloud app preference (before 3.0.0).</p>
<h3 id="my-profile-does-not-appear-on-the-apple-tv">My profile does not appear on the Apple TV</h3>
<p>Make sure that the Apple ID of the <strong>default account</strong> of the Apple TV is the same as the Apple ID of the iOS/macOS device you are sharing the profile from. I could be wrong, but it seems to me that other accounts don't get proper iCloud updates like the default account, i.e. the one you set up the Apple TV with.</p>
<h3 id="i-am-concerned-with-icloud-privacy">I am concerned with iCloud privacy</h3>
<p>Starting from version 2.2.0, iCloud synchronization is opt-in and disabled by default. Those upgrading to 2.2.0 will still see the option enabled to reflect the current app state, but you may disable it at any time. Rest assured that version 2.3.0, however, introduces end-to-end profile encryption.</p>
<p>If you mean to recover the best privacy, after disabling iCloud from the app, you may erase the existing store so that your profiles only stay on your device. If that is not enough, enter your iCloud settings, look for Passepartout inside “Manage Account Storage” and tap “Delete Data From iCloud”.</p>
<h3 id="i-cannot-see-my-profiles-on-another-device">I cannot see my profiles on another device</h3>
<p>If you have iCloud enabled and have updated the app to 2.3.0 on one device, other devices with an older version may be unable to read the profiles because of end-to-end encryption. Update all your devices to 2.3.0 to recover them.</p>
<p>Also there was another bug in 2.3.0 that was preventing profiles from being saved to iCloud at all. Cycling the “Sync with iCloud” toggle should restore proper syncing.</p>
<h3 id="why-dont-shortcuts-execute-in-the-background">Why don't Shortcuts execute in the background?</h3>
<p>They finally do!</p>
<p>Starting from version 3.0.0, Passepartout stores one VPN configuration per profile. This means you can build your workflows directly from the Apple Shortcuts app and that they can execute in the background.</p>
<p>Use the “Set VPN” action in Shortcuts and pick your profiles by name. Beware that having on-demand enabled may affect some automation.</p>
<p>The “Connect to provider server” automation is a bit more complex but will be restored soon.</p>
<h4 id="23x">2.3.x</h4>
<p>Unfortunately, Apple is guilty of not fixing a related bug. I mean, it's been there for years (since iOS 9, with my first bug report dating back to 2017) without them caring at all. No feedback and not even a proper response. And of course, no progress.</p>
<p>This is one of the several threads remarking the issue:</p>
<p><a href="https://forums.developer.apple.com/thread/96020">https://forums.developer.apple.com/thread/96020</a></p>
<p>Now, due to this bug, App Extensions can't control VPN using custom protocols (the Siri Intents Extension in this case, in order to run shortcuts in the background). Only native VPN protocols work (IKEv2, IPsec etc.).</p>
<p>In short, there's really <em>nothing</em> I can do about it.</p>
<h3 id="id-like-to-use-wireguard-with-providers">I'd like to use WireGuard with providers</h3>
<p>I'm working on it.</p>
<h3 id="id-like-to-see-a-widget">I'd like to see a Widget</h3>
<p>I'm working on it.</p>
<h3 id="im-unable-to-add-my-wi-fi-to-on-demand-networks">I'm unable to add my Wi-Fi to on-demand networks</h3>
<h4 id="190-ios">1.9.0 [iOS]</h4>
<p>If you see the “You are not connected to any Wi-Fi network.” message, it's coming from a <a href="https://forums.developer.apple.com/thread/123544">known iOS 13 bug</a>.</p>
<p>Until Apple fixes it, you may want to try these workarounds:</p>
<ul>
<li>Reboot the device</li>
<li>Reinstall the app from scratch</li>
</ul>
<p>Unfortunately neither is guaranteed to work. While extremely sorry for the inconvenience, I can't do more than this about this iOS bug.</p>
<p>Anyway, you can follow <a href="https://www.reddit.com/r/passepartout/comments/dt0fxy/read_this_if_you_cannot_add_your_wifi_to_trusted/">this Reddit discussion</a> for updates.</p>
<h4 id="181-and-before-ios">1.8.1 and before [iOS]</h4>
<p>The effect of the new location access requirement in iOS 13 is the inability to add the connected Wi-Fi network. The app will either trust a bogus “Wi-Fi” or “WLAN” SSID name, or present the alert “You are not connected to any Wi-Fi network.”.</p>
<p>To work around this issue:</p>
<ul>
<li>Add the network while the VPN is enabled and connected through such network.</li>
<li>Upgrade Passepartout to the latest version (much, much better option).</li>
</ul>
<h3 id="i-had-purchased-this-app-before-yet-it-prompts-me-for-purchases">I had purchased this app before yet it prompts me for purchases</h3>
<p>Since iOS version 1.9.0, Passepartout switched to a freemium model, which means free to download with paid in-app purchases. Of course, those who purchased former versions of the app will retain full access to all features and providers, except for the “Apple TV” feature which is a separate purchase. Most of the time the upgrade will be seamless. In some cases, however, it will take those users an extra step to restore app functionalities.</p>
<p>Any of the hints below will fix the issue 100% of the time:</p>
<ul>
<li>Kill and relaunch the app. This is preferred when you re-download the app from scratch.</li>
<li>When prompted for purchase, tap “Restore purchases”. You will only be asked for your Apple ID credentials, no money involved.</li>
</ul>
<p>If you still struggle, don't hesitate to get in touch.</p>
<h3 id="i-had-purchased-this-app-before-yet-testflight-builds-are-restricted">I had purchased this app before yet TestFlight builds are restricted</h3>
<p>Starting from 2.2.0, Public Beta builds from TestFlight recognize in-app purchases that you formerly made on the App Store.</p>
<p>For that to happen:</p>
<ul>
<li>Install the app from App Store first</li>
<li>If a paywall is triggered, restore your purchases</li>
<li>DO NOT uninstall the app, install a TestFlight build over the one you have</li>
<li>You should now see, in beta, the features you purchased on the App Store</li>
</ul>
<p>On the other hand, if you install a TestFlight build from scratch, paid features will not be available.</p>
<p><em>WARNING: this trick is currently ineffective on macOS.</em></p>
<h3 id="my-provider-is-not-listed">My provider is not listed</h3>
<p>You should contact your provider to double-check if there is interest in being added to Passepartout. Beware that some may be concerned instead. Ultimately, you can submit your provider request for a viability review to <a href="mailto:providers@passepartoutvpn.app">providers@passepartoutvpn.app</a>.</p>
<h3 id="im-on-wi-fi-but-my-device-shows-im-connected-via-lte">I'm on Wi-Fi but my device shows I'm connected via LTE</h3>
<p>The Wi-Fi/LTE icon (replace LTE with any cellular signal) while on VPN has been broken since iOS 10 or the like. It's something that Apple is unable to fix or doesn't bother fixing.</p>
<p>You should do a simple test. Verify your data consumption on your LTE provider's website; phone providers normally have that. Now, when on VPN and the LTE icon appears in spite of Wi-Fi, download a relevant chunk of data. You may then learn that the plan is unaffected, implying that you're actually connected via Wi-Fi.</p>
<p>I haven't found a workaround for this and it's been there for almost two years. Yeah, it's a shame.</p>
<h3 id="why-is-location-access-required-when-adding-a-wi-fi-network-to-on-demand">Why is location access required when adding a Wi-Fi network to on-demand?</h3>
<p>Starting from iOS 12 (or 13?), iOS has restricted what apps can learn about Wi-Fi networks. Location access has become a requirement to access the SSID of the connected Wi-Fi, which is crucial to add it to on-demand networks.</p>
<p>That's why, starting from iOS app 1.9.0, Passepartout will prompt you for a location permission when adding a Wi-Fi network. Make sure that location services (under “Privacy”) are enabled on your device, otherwise the app will be unable to ask for the permission in the first place.</p>
<h3 id="i-can-connect-to-the-vpn-but-the-internet-does-not-work">I can connect to the VPN but the Internet does not work</h3>
<h4 id="mtu">MTU</h4>
<p>Historically, Passepartout has used a low MTU setting (1250 bytes) in order to maximize compatibility, at the cost of performance. iOS version 1.13.0 (and any macOS version) supports tunnel MTU customization. With this update, it sounded reasonable to also leverage a standard (higher) MTU (usually 1500).</p>
<p>If such a change is making the app struggle in your environment, I encourage you to try lowering the MTU.</p>
<p>Add a “Routing” module to your profile and specify a custom MTU value. Decrease incrementally until you restore the VPN operation.</p>
<h5 id="23x-1">2.3.x</h5>
<p>You can change the MTU by setting MTU to “Manual” in “Network settings”. You will then be able to pick something down to 1200 bytes.</p>
<h4 id="compression">Compression</h4>
<p>Most of the time there could be a mismatch in compression framing. E.g. server is using LZO compression framing whereas the client is not, or vice versa. Sometimes the app gracefully shuts down with “Compression unsupported”, sometimes the error can be subtle and packet transmission could just fail silently, resulting in no data exchanged over the wire.</p>
<p>Therefore, make sure that compression directives are compatible between client and server before looking into routing issues. Also read the next FAQ entry, as it may be another cause of a dead data link.</p>
<h4 id="dns">DNS</h4>
<p>Last but not least: make sure that you're not experiencing a simple DNS issue. Try pinging a remote machine by IP address: if that works, then DNS is the culprit. This usually happens when your server, whatever the reason, doesn't push public DNS servers to clients.</p>
<p>There's a quick workaround: add a “DNS” module in your profile and add an explicit DNS server address. That should fix it.</p>
<h5 id="23x-2">2.3.x</h5>
<p>Enter “Network settings”, set “DNS” to “Manual” and add an explicit DNS server address.</p>
<h3 id="the-vpn-fails-with-auth-failed-or-immediately-disconnects-with-encryption-failed">The VPN fails with “Auth failed” or immediately disconnects with “Encryption failed”</h3>
<p>This may happen when you rely on default OpenVPN encryption, which is normally Blowfish (BF-CBC). The algorithm, besides being unsupported by Passepartout, is also weak and therefore discouraged. In order to fix this issue, you must switch to AES encryption. Passepartout only supports AES, be it in CBC or GCM mode.</p>
<p>Set encryption explicitly in the server configuration, e.g.:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cipher AES-128-CBC
auth SHA1
</code></pre></div></div>
<p>and don't forget to update the client .ovpn as well with the <strong>exact same parameters</strong>.</p>
<p>If you want to leverage newer AES-GCM encryption, you could just use:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ncp-ciphers AES-256-GCM
# or
ncp-ciphers AES-128-GCM
</code></pre></div></div>
<p>and the client wouldn't need to change a thing, because the algorithm will be enforced by the server no matter what.</p>
<h3 id="my-provider-returns-auth-failed-but-my-credentials-are-correct">My provider returns “Auth failed” but my credentials are correct</h3>
<p>Bear in mind that some providers require specific credentials for their direct OpenVPN servers. That's why Passepartout, in those cases, has a convenient link at the bottom of the OpenVPN “Credentials” screen (“Account” in 2.3.x), showing you where to find such credentials on your provider's website.</p>
<p>Regarding Mullvad in particular, remember to strip spaces from the username.</p>
<h3 id="my-personal-server-returns-tls-failed">My personal server returns “TLS failed”</h3>
<p>This may happen with older ciphersuites when verifying peer against the CA. You should upgrade your server certificates to a more modern standard (e.g. RSA no less than 2048-bit).</p>
<h3 id="the-configuration-file-lacks-a-required-option-cipher">The configuration file lacks a required option (cipher)</h3>
<p>When missing, OpenVPN implies a Blowfish cipher, which is severely obsolete and unsupported. Passepartout requires that you set an AES cipher instead. For that to work, you must update your OpenVPN server and client configuration to use AES by explicitly setting a cipher (e.g. <code class="language-plaintext highlighter-rouge">cipher AES-128-CBC</code>).</p>
<p>Recent servers might still be pushing a modern cipher option (normally AES-GCM), but Passepartout enforces an explicit client <code class="language-plaintext highlighter-rouge">cipher</code> to avoid <a href="#the-vpn-fails-with-auth-failed-or-immediately-disconnects-with-encryption-failed">another subtle issue</a>.</p>
<h3 id="the-configuration-file-contains-an-unsupported-option-external-file">The configuration file contains an unsupported option (external file)</h3>
<p>For easier interoperability, the app does not support external files in the .ovpn main configuration. That's because, more often than not, it does not make sense to refer to relative paths in a mobile device environment. Think of the Mail app for example. The fix is straightforward though. Say you have an external <code class="language-plaintext highlighter-rouge">ca</code> file:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ca my-ca.crt
</code></pre></div></div>
<p>Just replace it with:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;ca&gt;
...
content of my-ca.crt
...
&lt;/ca&gt;
</code></pre></div></div>
<p>The same applies to other settings like <code class="language-plaintext highlighter-rouge">cert</code>, <code class="language-plaintext highlighter-rouge">key</code>, <code class="language-plaintext highlighter-rouge">tls-auth</code> and <code class="language-plaintext highlighter-rouge">tls-crypt</code>. In the specific case of <code class="language-plaintext highlighter-rouge">tls-auth</code> with a key direction, like:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>tls-auth ta.key 1
</code></pre></div></div>
<p>Replace with:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;tls-auth&gt;
...
content of ta.key
...
&lt;/tls-auth&gt;
key-direction 1
</code></pre></div></div>
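<p>The replacement described above can be scripted. The following is an added example, not part of Passepartout or its documentation: it rewrites <code class="language-plaintext highlighter-rouge">ca</code>, <code class="language-plaintext highlighter-rouge">cert</code>, <code class="language-plaintext highlighter-rouge">key</code>, <code class="language-plaintext highlighter-rouge">tls-auth</code> and <code class="language-plaintext highlighter-rouge">tls-crypt</code> file references as inline blocks and turns a trailing <code class="language-plaintext highlighter-rouge">tls-auth</code> direction into <code class="language-plaintext highlighter-rouge">key-direction</code>. The function name, the sample profile and the placeholder file contents are constructed for illustration; the check that referenced files stay inside the profile's directory is an added safeguard, since the output embeds key material.</p>

```python
import re
import shlex
import tempfile
from pathlib import Path

# Directives the FAQ entry names as needing inline content.
INLINABLE = {"ca", "cert", "key", "tls-auth", "tls-crypt"}


def inline_external_files(ovpn_text, base_dir):
    """Return the profile text with external file references turned into inline blocks."""
    base = Path(base_dir).resolve()
    out, inside = [], None
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if inside:                                   # copy existing inline blocks untouched
            out.append(raw)
            if line == f"</{inside}>":
                inside = None
            continue
        opened = re.fullmatch(r"<([a-z-]+)>", line)
        if opened:
            inside = opened.group(1)
            out.append(raw)
            continue
        # ';' and '#' start comments in OpenVPN configuration files.
        words = [] if line.startswith(";") else shlex.split(line, comments=True)
        if len(words) < 2 or words[0] not in INLINABLE:
            out.append(raw)
            continue
        name, ref = words[0], words[1]
        path = (base / ref).resolve()
        # Only read certificates and keys from the profile's own directory.
        if not path.is_relative_to(base):
            raise ValueError(f"{name}: {ref} is outside {base}")
        out += [f"<{name}>", path.read_text().strip(), f"</{name}>"]
        if name == "tls-auth" and len(words) > 2:    # "tls-auth ta.key 1" -> "key-direction 1"
            out.append(f"key-direction {words[2]}")
    return "\n".join(out) + "\n"


# Constructed sample profile; the file bodies below are placeholders, not real keys.
SAMPLE = "client\ncipher AES-128-CBC\nca my-ca.crt\ntls-auth ta.key 1\n"


def demo():
    with tempfile.TemporaryDirectory() as folder:
        Path(folder, "my-ca.crt").write_text(
            "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
        Path(folder, "ta.key").write_text(
            "-----BEGIN OpenVPN Static key V1-----\nCONSTRUCTED\n"
            "-----END OpenVPN Static key V1-----\n")
        return inline_external_files(SAMPLE, folder)


if __name__ == "__main__":
    print(demo(), end="")
```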
<h3 id="it-seems-that-my-traffic-doesnt-necessarily-go-through-the-vpn">It seems that my traffic doesn't necessarily go through the VPN</h3>
<p>Talking about OpenVPN, unless <code class="language-plaintext highlighter-rouge">redirect-gateway</code> is either:</p>
<ul>
<li>Explicitly added to the .ovpn configuration</li>
<li>Pushed from the server</li>
</ul>
<p>the default gateway is NOT changed. That is, your external IP won't be the VPN's IP. This is not the case for provider profiles, though, where the default gateway is always <em>enforced</em> to be the provider gateway to avoid unintended leaks.</p>
<p>Try <a href="https://www.iplocation.net/">this website</a> to test your external IP before and after this change.</p>
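<p>Several entries above come down to comparing the server and client configurations: an explicit AES <code class="language-plaintext highlighter-rouge">cipher</code> with matching <code class="language-plaintext highlighter-rouge">auth</code>, compression enabled on both sides or neither, and <code class="language-plaintext highlighter-rouge">redirect-gateway</code> either set or pushed. The following is an added example, not part of Passepartout: a small checker for those conditions. The function names, finding texts and sample configurations are constructed; it treats any <code class="language-plaintext highlighter-rouge">comp-lzo</code> or <code class="language-plaintext highlighter-rouge">compress</code> line as "compression enabled", counts options pushed by the server as applying to the client, and does not model <code class="language-plaintext highlighter-rouge">ncp-ciphers</code> negotiation.</p>

```python
import re
import shlex

AES = re.compile(r"AES-(128|192|256)-(CBC|GCM)", re.IGNORECASE)
COMPRESSION = ("comp-lzo", "compress")


def directives(text):
    """Return (local, pushed): directive name -> argument list, pushes kept apart."""
    local, pushed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        # ';' and '#' start comments; inline block bodies parse as unknown names.
        words = [] if line.startswith(";") else shlex.split(line, comments=True)
        if not words:
            continue
        if words[0] == "push" and len(words) > 1 and words[1].split():
            option = words[1].split()                 # push "redirect-gateway def1"
            pushed[option[0]] = option[1:]
        else:
            local[words[0]] = words[1:]
    return local, pushed


def audit(server_text, client_text):
    """List the mismatches the FAQ describes between one server and one client."""
    server, pushed = directives(server_text)
    client, _ = directives(client_text)
    findings = []
    cipher = (client.get("cipher") or [None])[0]
    if cipher is None:
        findings.append("cipher: client sets none, so OpenVPN implies BF-CBC")
    elif not AES.fullmatch(cipher):
        findings.append(f"cipher: {cipher} is not AES in CBC or GCM mode")
    for name in ("cipher", "auth"):
        s, c = server.get(name), client.get(name)
        if s and c and s[0].upper() != c[0].upper():
            findings.append(f"{name}: server {s[0]} != client {c[0]}")
    server_comp = any(d in server for d in COMPRESSION)
    client_comp = any(d in client or d in pushed for d in COMPRESSION)
    if server_comp != client_comp:
        findings.append("compression: only one side enables compression framing")
    if "redirect-gateway" not in client and "redirect-gateway" not in pushed:
        findings.append("redirect-gateway: neither set nor pushed, default gateway unchanged")
    return findings


# Constructed sample configurations (host name and addresses are placeholders).
SERVER = """port 1194
cipher AES-128-CBC
auth SHA1
comp-lzo
push "dhcp-option DNS 10.8.0.1"
"""
CLIENT_BAD = """client
remote vpn.example.test 1194
auth SHA256
"""
CLIENT_OK = """client
remote vpn.example.test 1194
cipher AES-128-CBC
auth SHA1
comp-lzo
redirect-gateway def1
"""

if __name__ == "__main__":
    for finding in audit(SERVER, CLIENT_BAD):
        print(finding)
```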
<h3 id="id-like-to-see-my-ip-address-in-the-app">I'd like to see my IP address in the app</h3>
<p>The reason why Passepartout does not present any personal information in app is <em>privacy</em>. Obtaining one's IP address, regardless of being connected to a VPN or not, involves querying (and trusting) a third-party service. Knowing such info is also of little use, given that most of the time you don't want to share your VPN IP address and therefore link your identity to it. However, this feature might be introduced later as a diagnostic tool.</p>
<h3 id="mullvad-ignores-my-custom-dns-settings">Mullvad ignores my custom DNS settings</h3>
<p>It looks like Mullvad “hijacks” DNS on default endpoints, making custom DNS settings irrelevant. In order to do custom DNS with Mullvad, make sure to explicitly pick the “Custom DNS” preset, which will let you connect to the UDP:1400 and TCP:1401 endpoints. These endpoints do support custom DNS servers instead.</p>
<p>Until version 1.7.0 for iOS, you will have to do a manual “Refresh infrastructure” in order to access the new preset.</p>
<p>Read the <a href="https://github.com/passepartoutvpn/api-source-mullvad/issues/1">related report on GitHub</a>.</p>
</main>
<footer>
<ul class="contacts">
<li><a href="https://github.com/passepartoutvpn" title="The project on GitHub" class="fab fa-github"></a></li>
<li><a href="https://buymeacoffee.com/passepartout" title="Support with a donation" class="fas fa-coins"></a></li>
<li><a href="https://twitter.com/keeshux" title="Follow the author on Twitter" class="fab fa-twitter"></a></li>
<li><a href="mailto:info@passepartoutvpn.app" title="Submit an inquiry" class="fa fa-envelope"></a></li>
</ul>
<ul class="secondary">
<li><a href="/faq/" title="Frequently Asked Questions">FAQ</a></li>
<li>&mdash;</li>
<li><a href="/providers/" title="Providers">Providers</a></li>
<li>&mdash;</li>
<li><a href="/disclaimer/" title="Disclaimer">Disclaimer</a></li>
<li>&mdash;</li>
<li><a href="/privacy/" title="Privacy policy">Privacy policy</a></li>
</ul>
<p class="notice">
Copyright (c) 2024 <a href="https://davidederosa.com" title="The author website">Davide De Rosa</a><br />
The logo is taken from the awesome <a href="https://www.iconfinder.com/iconsets/circle-icons-1" title="Circle Icons">Circle Icons</a> set by <a href="https://www.elegantthemes.com/" title="Elegant Themes">Nick Roach</a>
</p>
</footer>
</div>
</body>
</html>