Download
Back to blog
Tutorial··10 min read

How to Set Up a VPN on iPhone: A Practical Guide

Setting up a VPN on iPhone is straightforward once you know which of the two paths you actually need. Most people install a VPN app from the App Store and tap connect. A smaller group, typically people whose employer hands them a config file or whose VPN provider supplies manual credentials, go through Settings instead. Both paths work, both produce the same little “VPN” badge in the status bar, but they behave differently when something fails.

This guide walks through both, then covers the parts most articles skip: how iOS actually handles a VPN that drops, what “kill switch” really means on this platform, and the on-demand rules that quietly do most of the heavy lifting on a working setup.

The Two Ways to Put a VPN on Your iPhone

There are exactly two supported approaches:

  1. Install a VPN app from the App Store. The app installs a VPN profile on first launch and manages everything for you. This is the path almost everyone should take.
  2. Configure a VPN manually in Settings. You enter server addresses, credentials, and protocol details by hand, or import a configuration file. Useful when you have IKEv2 credentials from work or a config file from a provider that doesn't ship an app.

If you just want a VPN running on your iPhone, use a VPN app. The manual path exists for specific cases and is documented below for completeness.

Using a VPN App (Recommended for Most)

This is the default path, and it works the same way regardless of which provider you choose.

Step-by-step

  1. Open the App Store and install the VPN app of your choice.
  2. Launch the app. On first run, iOS shows a system prompt asking permission to add VPN configurations to your iPhone.
  3. Tap Allow, then authenticate with Face ID, Touch ID, or your passcode. This is iOS verifying you — not the VPN app — so the dialog looks the same for every VPN.
  4. Sign in to the app or pick a server. Most modern apps let you tap a single connect button.
  5. Tap connect. Within a second or two, you'll see a small VPN badge appear next to the cellular and Wi-Fi indicators in the status bar. That badge is iOS's own confirmation that the tunnel is up, and apps can't fake it.

The first-launch profile prompt only appears once per app. After that, connecting and disconnecting happens entirely inside the app, or via the Settings toggle.

What the Profile Actually Does

The VPN profile is a small system-level configuration that tells iOS how to route traffic when the VPN is active. It includes the protocol (most quality apps now use WireGuard), the server address, and the cryptographic keys. The profile lives in Settings → General → VPN & Device Management → VPN. If you ever uninstall the app, deleting the profile from here is a clean way to ensure nothing is left behind.

Manual Configuration (Settings → General → VPN & Device Management)

This is the path for people who already have VPN credentials from somewhere else. You won't find a server browser or country picker here — manual config assumes you know exactly which server you're connecting to.

Supported Types on iOS

iOS supports three built-in VPN types out of the box:

  • IKEv2 — modern, fast, well-supported. The default choice for manual setup.
  • IPsec — older but solid. Common in enterprise.
  • L2TP — deprecated by Apple, weak by modern standards. Avoid unless you have no other option.

WireGuard is not a built-in iOS VPN type. iOS doesn't ship native WireGuard support in Settings, so even though it's the protocol most modern providers prefer, you'll need a WireGuard-capable app to use it. See our WireGuard vs OpenVPN vs IKEv2 comparison for what each protocol actually gives you.

When You'd Use the Manual Path

  • Your VPN provider hands you a .mobileconfig file. Open it on your iPhone and iOS walks you through installing it.
  • Your employer runs an IKEv2 server and gives you a server address, remote ID, and credentials.
  • You're connecting to a router or NAS that exposes its own VPN endpoint.

How to Enter Credentials Manually

  1. Open Settings → General → VPN & Device Management → VPN → Add VPN Configuration.
  2. Pick the type (IKEv2 for most cases).
  3. Enter the description, server, remote ID, and your username and password or certificate.
  4. Save. The new profile appears in the VPN list with a toggle.
  5. Flip the toggle to connect.

If your provider sent a .mobileconfig file, opening it from Mail or Files skips most of the typing — iOS imports the settings directly.

On-Demand / Connect On Demand

This is the feature that turns “I have a VPN installed” into “I have a VPN that actually stays on.” Most people never find it. It's worth two minutes of your time.

What It Does

On-Demand tells iOS to automatically connect the VPN when certain network conditions are met. The two useful patterns are:

  • Always — the VPN reconnects whenever any network is active.
  • On Wi-Fi — the VPN connects on Wi-Fi but not on cellular (useful if you trust your carrier but not coffee shop Wi-Fi).

You can also do the inverse, connecting on cellular but not on trusted home Wi-Fi, though that's a less common configuration.

How to Find It

  1. Open Settings → General → VPN & Device Management → VPN.
  2. Tap the small (i) next to your VPN profile.
  3. Scroll down to Connect On Demand and toggle it on.
  4. Configure the rules to match your preference.

If you installed a VPN app, the app probably has its own on-demand toggle in its settings screen. Either path writes to the same underlying iOS configuration.

The Tradeoff

On-Demand makes the VPN dramatically more reliable. The cost is a small amount of extra battery and a longer cold-start when your phone wakes up, since iOS has to bring the tunnel back up before letting your apps hit the network. WireGuard's handshake is fast enough that you usually won't notice.

Kill Switch Reality on iOS

This section is for people who have read about VPN “kill switches” and want to know what's actually possible on iPhone.

A true kill switch, the kind desktop VPN apps advertise, blocks all internet traffic if the VPN tunnel drops. On Windows, Linux, and macOS, apps can install a firewall rule that enforces this at the OS level. iOS does not expose that capability to third-party apps. Apple's NetworkExtension framework doesn't include a global “drop all non-VPN traffic” hook.

What apps can do on iOS is approximate the behavior using on-demand rules. The configuration looks like this:

  • On-demand is enabled with a rule that triggers on every network.
  • The rule is set so that if the VPN can't connect, the network connection is treated as unavailable.

This works well in steady state, but there's an honest caveat: during the brief window when iOS is switching networks (Wi-Fi to cellular, for example) or waking the device, the tunnel may not be active yet. A small amount of traffic can leak in that gap before on-demand re-establishes the connection. Modern WireGuard apps reconnect in well under a second, so the window is short, but it exists. Anyone who tells you iOS has a perfect kill switch hasn't read the framework documentation.

If a leak-free window matters for your use case, a desktop OS gives you better tools than iOS does. For most people, on-demand with always-on rules is plenty.

Cellular vs Wi-Fi Behavior

By default, an iOS VPN persists across network changes. Switch from your home Wi-Fi to LTE and the VPN stays on, since iOS hands the tunnel off transparently. Some apps offer a “disable on cellular” toggle for people who want to save battery or avoid the small overhead on metered connections.

Troubleshooting Common Issues

A short field guide to the problems iPhone users actually hit.

“Profile Install Permission Denied”

This usually means an MDM policy is blocking VPN profiles, or you tapped Don't Allow on the first-launch prompt. Open Settings → General → VPN & Device Management, find the pending profile, and complete the install. If you're on a managed device (work or school phone), check with your administrator.

VPN Drops When the Phone Sleeps

iOS aggressively suspends background activity to save battery, and VPN connections aren't exempt. Enable Connect On Demand as described above — that's the supported way to keep the tunnel alive across sleep cycles.

Slower Than Expected

A few things to check:

  • Server distance. A VPN server on the other side of the planet will always be slower than one in your city. Pick a closer server first.
  • Protocol. WireGuard typically outperforms IKEv2 and OpenVPN in real-world tests.
  • Wi-Fi MTU. Rare but real: if your router uses an unusual MTU, the VPN encapsulation may cause fragmentation. Most modern apps handle this automatically.

IP Doesn't Change

If your apparent IP address doesn't change after connecting, run a leak test with any “what is my IP” web tool. Two common causes: IPv6 traffic bypassing the tunnel (some older configurations don't tunnel IPv6), or DNS queries leaking to your ISP's resolvers. Both are configuration issues, and a well-built VPN app handles them for you.

Won't Reconnect After Airplane Mode

Toggle the VPN off and back on from Settings, or quit and relaunch the VPN app. Airplane mode tears down all networking, and occasionally the VPN state machine doesn't recover cleanly.

Per-App VPN

You may have heard about routing only certain apps through a VPN. On iOS, per-app VPN is real but limited to managed devices. It's an MDM feature that enterprises use to tunnel their internal apps without affecting personal traffic. Consumer VPN apps don't have access to this API. Whatever VPN you install on a personal iPhone routes everything system-wide.

This is mostly fine. If you want one app to skip the VPN, the workaround is to disconnect the VPN, use the app, then reconnect. Awkward, but rarely needed.

Bottom Line

For most iPhone users, setting up a VPN on iPhone means downloading an app, accepting the profile prompt once, and turning on Connect On Demand. That gets you most of the value with no manual configuration. The manual path in Settings exists for specific cases like enterprise IKEv2 or providers without apps, and the iOS kill-switch story is honestly weaker than desktop equivalents, but on-demand rules close most of the gap.

If you're picking a VPN for the first time, prioritize ones that use WireGuard, default to anonymous accounts with no email signup, and have a clear position on logs. The setup steps are the same across providers — the trust model isn't.

Snap VPN is an iOS-native client built around WireGuard. Your subscription follows your Apple ID, there's no email or account signup, and we don't tie any user identifier to a real person. macOS is next. If you want a VPN that respects the platform conventions described above and stays out of your way, Snap VPN is where to start.

Further reading: what a VPN actually is and using a VPN while traveling.

The Snap VPN Team
Editorial