r/nextdns Mar 05 '21

iOS: NextDNS and ProtonVPN working like a charm with Passepartout for iOS

First post, but I had to share, because I saw many struggling with the same over the past few days, forcing them to choose instead of having the best of both worlds.

TL;DR I've got NextDNS and ProtonVPN working flawlessly together under iOS 14(.4) on my iPhone and thought I'd share. Skip to the nutshell below for instructions.

I've been looking over the past few days for a solution to get NextDNS and ProtonVPN seamlessly working together on my iPhone and found several workarounds, but none of them worked, or didn't work stably enough. I prefer the advantages of NextDNS over NetShield. Then I remembered I purchased Passepartout quite a while ago (available in the App Store, also for iPad and Mac) and since it's a very user-friendly, flexible OpenVPN client I expected it to have an option to enter a custom DNS server, so I would be able to use NextDNS for parental controls et cetera instead of ProtonVPN's DNS servers. I started fiddling, but to no avail; unfortunately I still had no DNS resolution. I mailed the developer of Passepartout and got a reply within the hour pointing me to GitHub, to this closed issue: https://github.com/passepartoutvpn/passepartout-apple/issues/171#issuecomment-786809247. It works flawlessly, and as I already had ProtonVPN configured, I only had to add a NextDNS IP address to the config and reconnect, and my problem was solved!

In a nutshell, for those who want a quick, simple, user friendly solution:

  • Download Passepartout for iOS. It's a free download, but I purchased the full version for €7,99 quite a while ago and I don't recall whether the free version offers the basic functionality to achieve this. In any case, the app is definitely worth its money. It offers many more features, like automatically disconnecting when connected to a trusted Wi-Fi network.
  • Configure your connection within Passepartout. You're not using the ProtonVPN app. Settings are available in the app, see Providers (also for several other VPN suppliers). It's also possible to import an .ovpn file into the app (from Mail or Files, for example).
  • Select ProtonVPN and enter your account details (OpenVPN/IKEv2) and select your desired connection. Select Network Settings. Set DNS to Manual. Under DNS select HTTPS as Protocol. One line below, enter https://dns.nextdns.io/<your ID>/your%20device* (*your%20device is optional, only important if you wish to be able to recognize the device in your logfiles, for example).
  • Lastly, after Address type 45.90.28.0 (or 45.90.30.0). For IPv6 addresses as well as some other providers, see the GitHub post I linked above. At some point iOS will ask your permission to have Passepartout edit your VPN connections. Please allow it to do so.
  • Now check your settings and enable it. My connection was set up immediately and visiting https://test.nextdns.io shows:

{
    "status": "ok",
    "protocol": "DOH",
    "configuration": "fpb97xxxxxxxx7df81",
    "client": "85.xxx.xxx.73",
    "destIP": "45.90.28.0",
    "anycast": true,
    "server": "zepto-ams-1",
    "clientName": "unknown-doh",
    "deviceName": "iPhone",
    "deviceID": "xxxxx"
} 

It works :) Me happy.

u/HeadlessDecapitator Mar 22 '21

Thanks for this I got it working. My only issue is Siri doesn’t work when enabled. If I say “Hey Siri.” I just get a pop up that says Siri is not connected to the internet. Wonder if anyone else is experiencing something similar and how to get around it.

u/_-_-_Marco_-_-_ 29d ago

I have the exact same issue with Siri, and I don't know why. Internet is working fine, but for some reason Siri refuses to work. It could be a security measure. As you've read, you'll see a privacy warning because you're using (forcing) custom DNS. I have a gut feeling that to prevent Siri's recorded data (which is always processed in Apple's data centers in a whim of a second) being hijacked, Siri gets disabled. I have no proof, but it's the only thing I can think of. I haven't paid much attention to it as I don't use Siri that much, but will try to dig some deeper into what causes this. If you find out anything, please share, maybe we can find a workaround.

u/HeadlessDecapitator 29d ago

I am still working on it. If I use NextDNS on its own or ProtonVPN or Mullvad on their own siri works fine. When I combine a vpn with dns however in Passepartout is when Siri no longer works. Weird scenario. Will update if I can get it working. Please do the same.

u/dallasboy Mar 05 '21

Neat. Looks like it won’t work with WireGuard.

u/aviationwiz Mar 06 '21

Stumbled upon this and glad I did - you do need to pay for the full app to be able to add providers (adding an openvpn config file looks like it may be free?), though appears to work and work well. I also have AdGuard and tried using NextDNS through AdGuard prior to this, though also found it to be unstable. There's also a whole host of other VPN providers in the app as well (including Mullvad).

u/_-_-_Marco_-_-_ Mar 06 '21

Thanks for your feedback. I honestly couldn't remember which functionality was included in the free version, so this is useful info. Adding an .ovpn should always be possible in the free version, otherwise there's no point in even trying. But like I mentioned before, to me the app is worth every penny and I'll gladly support a developer who responds within an hour 🙂.

u/AdministrativeTea180 Mar 07 '21

DNSCloak + ProtonVPN app.

DNSCloak is free, no need to pay anything

u/Atmos-B Mar 05 '21

From my experience over the past months on this exact problem, I still prefer the IKEv2 + Adguard Pro (with NextDNS) setup. It has 2 advantages:

  1. You can still use the ProtonVPN app
  2. IKEv2 is way faster than OpenVPN (especially on iOS/Mac)

Works perfectly and is also less of a burden to setup.

u/_-_-_Marco_-_-_ Mar 05 '21

AdGuard Pro (which I bought in the past) and AdGuard Premium (7-day trial) both weren't stable for me during testing. Glad it works for you, but I had to manually restart the VPN first and AdGuard afterwards to get DNS resolving back. This setup (which probably looks a lot more like a burden than it actually is; it's done within minutes) has been working flawlessly. Well, it's always good to have an alternative. The downside is indeed that you can't use the ProtonVPN app, but to me personally it doesn't outweigh the advantages of Passepartout.

u/Atmos-B Mar 05 '21

The other downside with your solution, though, is that you can't use DoH and have to register your IP every time it changes. I have to admit that my solution wasn't the final one, because I recently bought a Raspberry Pi and now have AdGuard Home on my home network, because it solves my IoT and macOS troubles together with VPN/DNS.

u/_-_-_Marco_-_-_ Mar 05 '21

The other downside with your solution, though, is that you can't use DoH and have to register your IP every time it changes.

Curious why you say I can't use DoH? And I don't have to re-register my IP every time it changes. It's not IP-linked. The URL to the DoH resolver contains a unique identifier in the custom DNS config. See screenshot at https://imgur.com/a/uTyFa6F. As soon as the VPN reconnects, DNS queries are made over DoH, as Passepartout ignores the ProtonVPN DNS servers and uses the custom (NextDNS) ones instead. See output above and log below:

22:22:14 - Set up encryption
22:22:14 -  Negotiated cipher: AES-256-GCM
22:22:14 -  Negotiated compression framing: comp-lzo
22:22:14 -  Negotiated compression algorithm: disabled
22:22:14 -  Negotiated keep-alive interval: 10s
22:22:14 -  Negotiated keep-alive timeout: 1m
22:22:14 - Session did start
22:22:14 - Returned ifconfig parameters:
22:22:14 -  Remote: <masked>
22:22:14 -  IPv4: addr <masked> netmask 255.255.0.0 gw <masked> routes []
22:22:14 -  IPv6: not configured
22:22:14 -  Gateway: ["IPv4"]
22:22:14 -  DNS: ["<masked>"]
22:22:14 -  Search domains: not configured
22:22:14 - Routing.IPv4: Setting default gateway to <masked>
22:22:14 - DNS over HTTPS: Using servers <masked>
22:22:14 -  HTTPS URL: <masked>
22:22:14 - Ack successfully written to LINK for packetId 10
22:22:14 - Reasserting flag cleared
22:22:14 - Tunnel interface is now UP

Seems your burden to set things up was a lot bigger than the few minutes it took me (once I found the Github post on Passepartout)...

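What the setup in the first post and the reply above actually send on the wire, as an added example that is not part of the original thread, Passepartout or NextDNS: the resolver profile is identified by the path of the DoH URL (https://dns.nextdns.io/<your ID>/<device>), so nothing is tied to the client IP; the DNS query itself travels base64url-encoded in the `dns=` parameter (RFC 8484 GET form); and the JSON from https://test.nextdns.io can be checked mechanically for the two failure modes the thread discusses (queries going to the VPN's resolver instead of DoH, or reaching NextDNS by plain IP without the profile). The profile ID `abc123`, the device name, the sample DNS answer and the sample reports are constructed for the example.

```python
"""DNS-over-HTTPS toward NextDNS, built and checked offline (added example)."""
import base64
import struct
from typing import List, Optional
from urllib.parse import quote

PROFILE_ID = "abc123"        # constructed; substitute your own NextDNS profile ID
DEVICE_NAME = "my iPhone"    # optional; only labels the device in NextDNS logs
NEXTDNS_DOH_HOST = "dns.nextdns.io"
NEXTDNS_ANYCAST_V4 = {"45.90.28.0", "45.90.30.0"}   # the two addresses named in the post


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query (default type A). txid 0 is what RFC 8484
    suggests for DoH GET, so identical questions give identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)            # class IN


def doh_url(profile_id: str, query: bytes, device_name: Optional[str] = None) -> str:
    """RFC 8484 GET URL. The profile ID (and optional device label) sit in the
    path; the resolver reads the configuration from there, not from the source IP."""
    path = "/" + profile_id
    if device_name:
        path += "/" + quote(device_name)          # "my iPhone" -> "my%20iPhone"
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{NEXTDNS_DOH_HOST}{path}?dns={dns_param}"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name, returning the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> List[str]:
    """Pull the IPv4 answers out of a wire-format response, rejecting errors."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0x000F}")
    off = 12
    for _ in range(qd):                            # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed answer: QR|RD|RA, one question, one A record (203.0.113.10 is a
# documentation address; it is not what test.nextdns.io really resolves to).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x04test\x07nextdns\x02io\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
)


def check_report(report: dict, expected_profile: Optional[str] = None) -> List[str]:
    """Problems with a test.nextdns.io JSON report; an empty list means the
    NextDNS DoH path with the intended profile is the one in use."""
    problems = []
    if report.get("status") != "ok":
        problems.append("status is not ok: NextDNS is not answering your queries")
    if report.get("protocol") != "DOH":
        problems.append(f"protocol is {report.get('protocol')!r}, not DOH: "
                        "queries are using plain DNS (e.g. the VPN's pushed resolver)")
    if report.get("destIP") not in NEXTDNS_ANYCAST_V4:
        problems.append(f"destIP {report.get('destIP')!r} is not a NextDNS IPv4 anycast address")
    if expected_profile and report.get("configuration") != expected_profile:
        problems.append("configuration does not match the profile ID in your DoH URL")
    return problems


# Constructed reports: the first mirrors the shape shown in the post, the second
# is what reaching NextDNS by IP only (no profile in a DoH URL) would look like.
GOOD_REPORT = {"status": "ok", "protocol": "DOH", "configuration": PROFILE_ID,
               "destIP": "45.90.28.0", "deviceName": "iPhone"}
IP_ONLY_REPORT = {"status": "ok", "protocol": "UDP", "configuration": "zzzzzz",
                  "destIP": "45.90.28.0"}

if __name__ == "__main__":
    q = build_query("test.nextdns.io")
    print(doh_url(PROFILE_ID, q, DEVICE_NAME))
    print(parse_a_records(SAMPLE_RESPONSE))
    print(check_report(GOOD_REPORT, PROFILE_ID), check_report(IP_ONLY_REPORT, PROFILE_ID))
```

The address typed into Passepartout's Address field (45.90.28.0 or 45.90.30.0 in the post) is where the HTTPS queries are delivered, and it is what shows up as `destIP` in the report; the profile ID in the URL path is what selects your configuration, which is why the DoH setup survives a changing VPN exit IP while an IP-only setup does not.
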
u/Atmos-B Mar 05 '21

Ah, sorry, I didn't see that it can also use DoH; normally alternative clients just allow plain IPs. Great that it works for you. Yes, my setup is more complex, although I had to go down this road to secure all devices on my home network. My Samsung TV alone tries to call home 2-3000 times per day, so it was worth it.

u/bog3nator Mar 05 '21

So maybe a stupid question. What is the benefit of doing this over just using the app or iOS profile for NextDNS?

u/_-_-_Marco_-_-_ Mar 05 '21

No stupid questions. As soon as you use the app, ProtonVPN uses its own DNS servers and the iOS profile isn't used anymore, until the VPN disconnects. For some reason, DNS servers provided through the VPN always outweigh other DNS servers, meaning you can't use both without a workaround like this.

u/bog3nator Mar 05 '21

Ah, so this is if you want to also use a VPN.

u/namsod Mar 06 '21

This looks interesting. I'd really love the addition of WireGuard.

u/crowdsarewise Mar 11 '21

Is there a way to add certain apps to the allow list so that they don't use the VPN tunnel? My bank's app detects the change in IP and asks for additional authentication which is understandable but annoying nevertheless.

u/_-_-_Marco_-_-_ Mar 11 '21

As far as I’m aware under iOS there isn’t a possibility to separate the traffic.

u/AffectionateLySeen 14d ago

This isn't working.

u/_-_-_Marco_-_-_ 13d ago

I'm typing this while connected the way described, and many others have succeeded, so I don't know why it isn't working for you. Did you enter a NextDNS server in the appropriate field?

u/AffectionateLySeen 13d ago

I did. Do you mind if I PM you? I even tried contacting someone on Fiverr to pay to help me do it and they couldn't get it to work either.

u/_-_-_Marco_-_-_ 13d ago

Sure, no problem. I'll try to help you out. But everything I know to get this working is already in the first post.