Skip to main content
Home
iOS 17+ · iPadOS 17+

A VPN client built into your SSH app

IKEv2, IPSec/Xauth and OpenVPN on iPhone and iPad, auto-connected before SSH or RDP. No second app, no context switch.

Download SSHive FreeSee all features
Reaching a protected fleet from an iPhone usually means a VPN app from one vendor (Cisco AnyConnect, Pulse Secure, OpenVPN Connect) and your SSH/RDP app from another. The dance: open VPN app, authenticate, switch to SSH app, work, switch back to disconnect. Multiply by team members and you get an ops anti-pattern. SSHive bundles a real VPN client into the iOS app, IKEv2, IPSec/Xauth and OpenVPN supported, with `.ovpn` config import, built on Apple's NetworkExtension / Packet Tunnel Provider framework. Toggle "Auto-connect VPN before SSH/RDP" on a profile, and SSHive raises the VPN automatically before opening a session, tears it down on disconnect. One app, one credential set, no juggling. Free covers basic VPN connectivity; Pro adds advanced profiles, simultaneous VPNs, and the rest of the SSHive feature set.

What works on iPhone and iPad

IKEv2 / IPSec / OpenVPN

The three most-deployed VPN protocols supported natively: IKEv2 (the modern default on macOS/iOS), IPSec with Xauth (still common in corporate gateways), and OpenVPN (via `.ovpn` config import, the same files OpenVPN Connect accepts).

Apple NetworkExtension

Built on Apple's system-level NetworkExtension / Packet Tunnel Provider framework, the same APIs Cisco AnyConnect and OpenVPN Connect use. This means the VPN is real (full L3 routing, not a SOCKS proxy hack), respects iOS battery management, and shows up in Settings > VPN like any other VPN profile.

Auto-connect before SSH/RDP

On any SSH, RDP, VNC or SFTP profile, you can tick "Auto-connect VPN" and pick a VPN profile. When you open the connection, SSHive raises the VPN first (or reuses an existing tunnel), then opens the session. Tear-down on disconnect. The flow that takes 5 taps elsewhere is 1 tap here.

.ovpn config import

Drop a `.ovpn` file (from OpenVPN Access Server, Mullvad, ProtonVPN custom configs, anywhere) into SSHive. The parser handles inline `<ca>`, `<cert>`, `<key>` blocks, TLS-auth, comp-lzo, and the common variants. No translation step needed.

Why bundle a VPN into an SSH client

One app for the whole workflow

The realistic mobile ops workflow is: VPN to corporate → SSH to bastion → SSH to internal server → SFTP a config → RDP a Windows VM. SSHive is the only iOS app that handles every step in one window with one credential setup.

No telemetry, no traffic relayed

SSHive is paid (Pro $9.99 one-time) and has no advertising business model, so the app simply does not need to look at your VPN traffic. No telemetry, no third-party analytics, no traffic relayed through servers we control, the VPN goes directly from your iPhone to your configured endpoint.

Coexists with Tailscale and WireGuard

SSHive's VPN uses NetworkExtension like other system VPN apps. If you already use Tailscale or WireGuard for personal tailnets, you keep using them, they run alongside SSHive's VPN at the system level. SSHive's VPN is there for the IKEv2/IPSec/OpenVPN cases Tailscale and WireGuard do not cover.

Other VPN clients on iOS

OpenVPN Connect

Free

The official OpenVPN client. Solid, free, OpenVPN-only. You still need a separate SSH/RDP app, and there is no auto-connect orchestration with your remote-access workflow.

Cisco AnyConnect / Secure Client

Free client (server-licensed)

The standard enterprise VPN client for Cisco gateways. The obvious choice when your company uses Cisco infrastructure. Pair it with SSHive for the SSH/RDP side, no conflict.

Tailscale / WireGuard

Free / paid tiers

Modern mesh and WireGuard-based VPNs. Excellent for personal tailnets and team networks. Different category than IKEv2/IPSec/OpenVPN, coexist with SSHive's VPN at the system level.

NetworkExtension and how the VPN actually works

iOS does not let third-party apps just open raw network sockets and pretend to be a VPN. The only way to do real VPN traffic on iOS is through Apple's NetworkExtension framework, specifically the Packet Tunnel Provider sub-API for OpenVPN/WireGuard-style tunnels, or the IKEv2/IPSec provider for the protocols Apple supports natively. Apps that use NetworkExtension get a special entitlement from Apple and run a separate extension process that handles the encrypted tunnel; the main app talks to this extension over IPC. SSHive does this properly: the VPN configuration UI is in the main app, the actual tunnel runs in an extension process that survives even when the main app is suspended by iOS. This is why an SSH session that uses an SSHive-managed VPN stays connected when you put the phone in your pocket, the kernel routes packets through the extension transparently. By contrast, a poorly-built "VPN" that just runs a SOCKS proxy inside the app dies the moment iOS suspends the app. The practical consequence: SSHive's VPN works for the actual on-call scenario. The page hits your phone, you tap a saved SSH profile that has "Auto-connect VPN" enabled, the VPN comes up in 1-2 seconds (faster for IKEv2, slower for OpenVPN), the SSH session opens through it. You investigate. The iPhone falls asleep mid-session, the VPN stays connected via the extension, the SSH session's TCP socket survives if the network does. You wake the phone, you are still in. Twenty minutes later you disconnect; SSHive tears down the VPN automatically. The credential model continues to apply: VPN credentials (PSK, username/password, OpenVPN client cert passphrase) sit in the iOS Keychain with `BiometryCurrentSet`, biometric required at first connect, then the extension holds a transient copy in memory while the tunnel is up. No `.mobileconfig` profile installed system-wide, no credentials in plaintext anywhere on disk.

Frequently asked questions

Can I import my company's .ovpn file into SSHive?+
Yes. AirDrop or share the `.ovpn` file into SSHive, the parser handles inline `<ca>`, `<cert>`, `<key>` blocks, TLS-auth and the common variants. Username/password (or client certificate passphrase) are then prompted on first connect and stored in the iOS Keychain.
Does SSHive VPN log my traffic?+
No. SSHive ships zero telemetry. The VPN connection is direct from your iPhone to your configured endpoint, we do not relay it through any server we control. We do not have access to your VPN traffic, your destination IPs, or your credentials.
Can the VPN auto-connect when I open an SSH profile?+
Yes. On the SSH (or RDP/VNC/SFTP) profile, enable "Auto-connect VPN" and pick a VPN profile. SSHive raises the VPN before opening the session and tears it down on disconnect. If the VPN is already up, it reuses the existing tunnel.

Try SSHive Free for macOS

Get the all-in-one SSH, SFTP, RDP and VNC client for Mac. Free download, no signup required.

Download SSHive Free