As mentioned in the last post, due to some ridiculous changes by Microsoft, you cannot set up an IKEv2 VPN in Settings GUI on Windows 10 Mobile. Usually this can only be done with MDM.
However, some people on XDA-Dev、wfun and WindowsCentral find solutions for this issue.
You’ll need to use Interop to unlock the Windows Phone (similar to Root on Android or Jailbreak on iOS) and edit rasphone.apk . I won’t explain in details on this solution.
Interop isn’t necessary, but you’ll need (1) a MicroSD card, (2) a MicroSD card reader, (3) a computer with Windows 10.
Prepare a usable rasphone.pbk file
- Set up a VPN in Windows 10 (desktop) and modify gateway & metrics as mentioned in the last post. Make sure it’s usable.
C:\Users\<YOUR-USERNAME>\AppData\Roaming\Microsoft\Network\Connections\Pbkand find the
Prepare the file & create the soft link
- Take out the MicroSD card and connect it to the computer with card reader.
- Backup all files, then format it to NTFS. Copy the files back into it.
- create a new folder in the card with any name, for example,
myvpn. Copy the aforementioned
rasphone.apkinto it. If you use certification as logon credential, then copy it too.
- Run the following commands as Administrator in cmd.exe (assuming the card is
X: cd myvpn mklink /d "pbk" "C:\Data\Users\DefApps\AppData\Roaming\Microsoft\Network\Connections\Pbk" exit
- Put the MicroSD card back into the phone.
Install the usable
rasphone.pbkinto the phone
- Create a VPN connection in Settings and then delete it, so as to make the pbk folder in phone read-writable.
- Reboot the phone.
- Install the Files app (by Microsoft). Open SDcard->myvpn and you’ll see a pbk folder (actually a soft link) and other files you’ve copied.
- Copy the the
rasphone.pbkfrom SDcard to
myvpn\pbkfolder. Then open
pbkfolder to make sure it’s copied.
- If the VPN is authenticated by certificates, install your certificate into the phone.
- Reboot the phone.
That’s all. Now try connecting the VPN and visiting Google. If you can open Google then it’s done.
Based on Solution Two, this improved solution applies to phones without SD card and also doesn’t require Interop. See this post for details.
The idea is to create a shortcut pointing to
rasphone.pbk on the phone, so that you can directly modify the actual
rasphone.pbk. The key step is creating such a shortcut and find a usable text editor (because there are too many junk apps on Windows Store).
.Vicer has provided the necessary shortcut. To edit the text, you can use NotepadX. Copy
@rasphone.lnk.db to the phone and rename it as
@rasphone.lnk. Open it with NotepadX and you can edit the real
rasphone.pbk. You should modify:
IpInterfaceMetric=15(or smaller numbers)
Save it when finished.
This solution utilizes NTFS soft link and the permission of pbk folder on Win10m, which should be an exploit. Of course we can expect that Microsoft will treat it as a Feature and never fix it. Btw, I’d also like to mention other relevant
bugs features here:
- If you still have problem after the above steps, you might have forgot to reboot in some steps. The solution is: reboot; delete all VPNs; if you cannot delete some VPNs, reboot and try again until all are removed; reboot once more; then start from the beginning.
- When roaming from mobile network to WiFi network, the IKEv2 VPN will automatically reconnect. However, when roaming from WiFi to mobile, it won’t auto-reconnect.
- Further to the above point, the VPN displays “not connected” in Settings GUI, but is actually not disconnected. When roaming back to WiFi, it will auto-reconnect.
- Further to the above point, if you do not roam back but try to connect again, a 809 error will pop out. The solution is rebooting.
- In Win10m, if the target folder of a soft link doesn’t exist, there won’t be any error but only an empty folder. Therefore you have to carefully check whether the soft link path is correct.
- In Win10m, when opening the soft link pointing to C: drive, only files & folders in current folder can be seen. You won’t see any content in sub-directories. This could be some kind of security setting. No error pops out.