includeAllNetworks

Finally we could resolve the MDM profile - network broken issue with MDM profile having VPN payload by setting IncludeAllNetworks to 0. IncludeAllNetworks 0

One of the biggest issues is that if you set includeAllNetworks , then attempt to bind to a cellular adapter via sockets OR use NWConnection and prohibit WiFi and require Cellular but you are on a WiFi network, NECP will deny the cellular use. When binding, it will succeed, but then route traffic over the default route anyway. Ideally, with includeAllNetworks, we would like to bind to each adapter and decide when each should be used. Is this expected with includeAllNetworks?

For programmingly set VPN set this property which is available after iOS 14 var includeAllNetworks: Bool { get set } https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks of NEVPNProtocol to be true could fix this issue. We could see on this page https://developer.apple.com/documentation/devicemanagement/vpn/vpn that includeAllNetworks is available for iOS 4.0+ and macOS 10.7+. But in this document https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf includeAllNetworks doesn't exist yet.

Tried it for the same case on iOS, and I found that when includeAllNetworks is set in the profile, the VPN status will get disconnected status after connecting. How should we use includeAllNetworks correctly on iOS/macOS? Any help is appreciate.

There was an update to the documentation that was posted recently for includeAllNetworks. - https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks Notice that this is not supported for NETransparentProxyManager. Matt Eaton DTS Engineering, CoreOS meaton3@apple.com

IncludeAllNetworks support is in iOS14 (in the current beta). Here is the behavior summary once VPN is enabled with IncludeAllNetworks set to true: all traffic will be dropped if tunnel is not up once tunnel is up, all traffic will be policed by traffic policies to go over tunnel if VPN is enabled manually (via UI), tunnel will be re-established, in case it came down, automatically This IncludeAllNetworks will solve the WhatsApp issue that you mentioned.

No, includeAllNetworks is disabled (unset).

If we define either includeAllNetworks or enforceRoutes, then the excludedRoutes are ignored, and all traffic gets tunneled. This is the part that needs to further investigation. I would expect that if you set includeAllNetworks to NO, enforceRoutes to YES, and then you have set of excludedRoutes that they be excluded from the tunnel and would go through the primary interface. I would open a bug report on this and add this to your thread.

includeAllNetworks covers a lot more than setting the default route. We need the extra assurance that all traffic will be handled, and that the tunnel won't leak. Defining it at config definition time is a pain, but I can work around that. The main issue I see at this point is that when I define includeAllNetworks and it takes effect, I can no longer connect to the gateway, even by IP address.

default 19:05:54.375325+0200 nesessionmanager nesessionmanager : Failed to register Personal IncludeAllNetworks VPN Session Okay, the line above does mean that a Personal and Enterprise VPN on your system cannot both have the flag for IncludeAllNetworks. The Enterprise VPN will take precedence here and the Personal VPN will be stopped with this message that you are seeing. Matt Eaton DTS Engineering, CoreOS meaton3@apple.com

I'm encountering issues with using includeAllNetworks where NECP is denying adapter usage, among other problems. Are you aware of any specific reasons why setting default routes wouldn't direct traffic through the tunnel? Additionally, it seems that with includeAllNetworks, enforcing routes may not function as expected. Any insights or guidance you could provide on these matters would be greatly appreciated.

The definition of excludedRoutes: excludedRoutes The IPv4 network traffic that the system routes to the primary physical interface, not the TUN interface. Makes it clear that they should not be sent to the TUN interface. This is not what's happening. If we define neither includeAllNetworks nor enforceRoutes, then the excludedRoutes are properly excluded. If we define either includeAllNetworks or enforceRoutes, then the excludedRoutes are ignored, and all traffic gets tunneled. We tested every combination of the enforceRoutes, includeAllNetworks, excludeLocalNetworks, and overridePrimary options. We can provide logs showing the network settings provided to the Network Extension framework at start time, along with the protocol settings, as well as the traffic from the excluded network going to the VPN extension.

Ok, there's definitely a strange behaviour. If I delete all of the vpn profiles in Network preferences, only then I can connect NEVPNProtocolIKEv2 profile with IncludeAllNetworks flag. As soon as I add any other vpn profile I am no longer able to connect my IKEv2 profile. Even if I manually add some IPSec profile via Network prefeneces 🤯. This makes IncludeAllNetworks flag impossible to use in my vpn app.

I should also point out that this talk from the latest WWDC mentions includeAllNetworks, and it seems strange that the behaviour we're seeing is intended.