I don't know how they're accomplishing it technically, but http://getcloak.com manages to auto-enable my VPN on my iPhone every time I connect to a non-whitelisted wireless network.
I'm a Cloak user. Connect on Demand in iOS has a great design, but unfortunately it's buggy. About once a week, I will catch it not using the VPN (and not blocking traffic nor trying to reconnect). I even connected my iPhone to Apple's desktop utility that allows reading the device logs and I correlated the behavior to certain log errors. This problem started in iOS 7.0 and remains up to 7.1.1 (iOS 6 was fine).
As a result of this bugginess, I'm no longer willing to use untrusted wi-fi networks even with VPN. It's really too bad that Apple is not fixing this, because it renders the Connect on Demand feature useless from a security point of view, and it nullifies the functionality of Cloak. Cloak is otherwise an awesome app and service, and it's not their fault as they can't control this code.
iOS 7 opened up some APIs for it. GetCloak's app uses it (and has a lot more niceties, I read), and so does the ugly but generic OpenVPN app. I'm guesses that they're not able to block all traffic before the VPN is set up though. I'm not sure. And I'm certain the OpenVPN app doesn't fail safe/closed.
Anyone know of a portable, travel wifi router that supports VPN and fails closed?
As a result of this bugginess, I'm no longer willing to use untrusted wi-fi networks even with VPN. It's really too bad that Apple is not fixing this, because it renders the Connect on Demand feature useless from a security point of view, and it nullifies the functionality of Cloak. Cloak is otherwise an awesome app and service, and it's not their fault as they can't control this code.