includeAllNetworks

I've implemented a VPN apps (for iOS and for macOS) with Packet Tunnel Provider.The includedRoutes contains all the IPv4 default routes:newSettings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]My question is regarding local networks:If I'm not using split tunnel (not including/excluding any other route), what happens to traffic to the local network? By local network I mean the network the device is connected to without the client.I expected that all traffic should go to the tunnel, but I see that I'm able to access resources on my local network even when the tunnel is up.In addition to that, I checked the new flag - includeAllNetworksr which is relevant only to macOS:If this flag is set, I can't access the local network when the VPN is up.So the question is how to configure if the user is able or unable to access resources on his local tunnel.Maybe using the above flag is the answer? And if it is the answer, then what about iOS?Edit: When includeAllNetworks is set, sometimes I don't have tra

Hi,I want a transparent proxy that captures all outgoing tcps so I used NETransparentProxyManager to start an AppProxyProvider with the following rule:networkSettings.includedNetworkRules = NENetworkRule( remoteNetwork: nil, remotePrefix: NSNotFound, localNetwork: nil, localPrefix: NSNotFound, protocol: .TCP, direction: NETrafficDirection.outbound )Everything works as expected except that, after the AppProxyProvider has been started:Any try of starting a tcp listener listening on 0.0.0.0 fails with error Protocol wrong type for socket. This can be easily reproduced by runningpython3 -m http.server, which fails with the error:OSError: [Errno 41] Protocol wrong type for socketTcp listeners that were already boud to 0.0.0.0 won't see incoming connections from local network.Is it a bug or were I doing something wrong?Also, I notice that the transparent proxy cannot capture tcp connections to localhost. I suppose it is by design but is there any way to achieve that? (setting includeAllNetworks to true and

Now that the flag includeAllNetworks is working as expected (see https://developer.apple.com/forums/thread/722156), I tried to set it and also the ExcludeLocalNetworks flag. As described in the documentation, I'm able to use AirPlay and AirDrop while being connected, but what I was hoping for was to exclude from the tunnel all the LAN traffic, including pings to local hosts, ssh, printer access, etc. Isn't it what ExcludeLocalNetworks should accomplish? If not, how can I exclude LAN traffic from a full tunnel (i.e. not a split tunnel)? [Custom VPN, macOS, Packet Tunnel Provider, system extension]

Hi, I would like to enable includeAllNetworks setting in a personal VPN product. If a transparent proxy of other macOS security product (i.e. Avast Security, Cisco AnyConnect) is enabled, the VPN session fails to connect with an error message nesessionmanager: Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession[...] due to Enterprise VPN session NESMTransparentProxySession[...] (status 3) nesessionmanager: [com.apple.networkextension:] NESMIKEv2VPNSession[Primary Tunnel:...]: Rejected start command from AVG Secure VPN[3332] The startVPNTunnel method however doesn't return any error. The product needs to wait until its internal connection timer expires, call stopVPNTunnel and then the NEVPNStatus changes from disconnected to disconnecting followed by disconnected. Is there a way to programatically detect the error or transparent proxy presence?

Hi,I want a transparent proxy that captures all outgoing tcps so I used NETransparentProxyManager to start an AppProxyProvider with the following rule:networkSettings.includedNetworkRules = NENetworkRule( remoteNetwork: nil, remotePrefix: NSNotFound, localNetwork: nil, localPrefix: NSNotFound, protocol: .TCP, direction: NETrafficDirection.outbound )Everything works as expected except that, after the AppProxyProvider has been started:Any try of starting a tcp listener listening on 0.0.0.0 fails with error Protocol wrong type for socket. This can be easily reproduced by runningpython3 -m http.server, which fails with the error:OSError: [Errno 41] Protocol wrong type for socketTcp listeners that were already boud to 0.0.0.0 won't see incoming connections from local network.Is it a bug or were I doing something wrong?Also, I notice that the transparent proxy cannot capture tcp connections to localhost. I suppose it is by design but is there any way to achieve that? (setting includeAllNetworks to true and

Hello, Regarding this explanation If this property is YES, the system excludes network connections to hosts on the local network — such as AirPlay, AirDrop, and CarPlay — but only when the includeAllNetworks or enforceRoutes property is also YES. So my question is the local network here only meaning AirPlay, AirDrop, and CarPlay? Is the pings to local LAN IP still working? What is the exactly the local network definition here? Is it based on the interface or the IPs? For example, somehow we connects to a wifi which assigned a public IP. After VPN is connected with tunnel all mode, we set includeAllNetworks and excludeLocalNetworks flag, will the traffic originally goes through wlan interface goes through utun interface? Or it will keep going through wlan interface?

Is it possible to have both 'includeAllNetworks' and split-tunnel simultaneously? I want to enable a split tunnel so only some of the traffic will reach the tunnel, but at the same time, to make sure that the above traffic will always reach the tunnel - even if it's coming from some low-level networking API or even if the traffic started before creating the tunnel. Setting the 'includeAllNetworks' flag will help with the above cases, but then I'll get all the traffic via the tunnel without consideration in the split tunnel configuration. (Details: System-extension, PacketTunnelProvider)