Search results for

includeAllNetworks

150 results found

Post

Replies

Boosts

Views

Activity

NEPacketTunnel Provider Leaking Traffic
We are using an NEPacketTunnel provider for our custom VPN solution, and doing so we are setting NEPacketTunnelNetworkSettings with setting IPv4 and IPv6 default routes. We are then setting DNS networkSettings.dnsSettings?.matchDomains = [] However, apps like FaceTime still go around the VPN. Once you set setTunnelNetworkSettings is there no way to ask the system to return the current saved configuration? Testing, I've also tried turning off IPv6 on my home network and cell data to force all traffic to my IPv4 default routes. I've seen FaceTime work on one session, relaunch the app and never again. Note: IncludeAllNetworks does work, but comes with a lot of downsides too. Our goal is to securely and redundantly help with video calls, streaming apps etc.
6
0
860
Jun ’24
Internet is blocked when `includeAllNetworks` is enabled and `NEHotspotHelper` is registered
Hello, We are facing what we believe is a compatibility issue with two networking APIs. If the Network extension VPN configuration has includeAllNetworks flag enabled and the NEHotspotHelper is registered. The user has internet connection but it is blocked, and the user will get internet back only after restarting the device. VPN Configuration is as below while connecting to VPN,

```
{
    localizedDescription = WLVPN WireGuard Configuration
    enabled = YES
    protocolConfiguration = {
        serverAddress = <18-char-str>
        passwordReference = {length = 20, bytes = 0x67656e70ed0d05c06b1b4896bf4fef2031e1a92d}
        disconnectOnSleep = NO
        includeAllNetworks = YES
        excludeLocalNetworks = YES
        excludeCellularServices = YES
        excludeAPNs = YES
        excludeDeviceCommunication = YES
        enforceRoutes = NO
        providerBundleIdentifier = com.wlvpn.ios.consumervpn.network-extension
    }
    onDemandEnabled = NO
    onDemandRules = ()
}
```

After running the code shown below. Regardless if the VPN is connected or not, the user needs to restart his devic
4
0
618
Jun ’24
Reply to iOS VPN Issue -Disconnecting VPN from Packet Tunnel Network Extension Causes Loss of Internet Connectivity
I got this response from Apple: The behavior seen is expected with includeAllNetworks enabled. Once the VPN config is enabled, default drop is enabled, meaning traffic will be dropped unless they are tunneled. This is to prevent data leak across tunnel flaps. This sounds like exactly what is happening in your use case. If you leave the config enabled, and from your extension, you try to cancel the tunnel. This will leave the default drop enabled without tunnel, traffic will get dropped until tunnel comes back up. Query: But now, which API to use to disconnect the VPN on NE side so that it doesn't cause any internet connectivity issue?
Jun ’24
Reply to iOS VPN Issue -Disconnecting VPN from Packet Tunnel Network Extension Causes Loss of Internet Connectivity
KhothAmit wrote:
> Observation: Interestingly, when we call the following method from the app side. The VPN disconnects and the device retains its internet connectivity. [enabledConfig.connection stopVPNTunnel];

Right, it looks like there was a response on the radar mentioning that this is happening because includeAllNetworks is set and cancelling the tunnel from the provider side can leave the system in this state. While this is being worked out, please disconnect the VPN from the application side or through the VPN UI.
Jun ’24
Reply to LAN traffic
includeAllNetworks is disabled. Oh, wow, I completely misread that. Sorry about the confusion. If you claim the default route then you’ll receive traffic for which there isn’t a specific route. By default Apple platforms add routes for all locally connected networks. So, if you have a Mac on Wi-Fi and a printer on that same Wi-Fi, the traffic to that printer shouldn’t come to your VPN. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
May ’24
Reply to LAN traffic
Thanks eskimo, but please let me rephrase the question: 'includeAllNetworks' is disabled. At the provider, all routes are included: [NEIPv4Route.default()] In this case, should the LAN traffic go via the VPN? Or is the LAN traffic excluded from the VPN?
May ’24
Reply to LAN traffic
includeAllNetworks does what it says on the tin. However, there are additional flags to opt out of specific types of traffic. The obvious one here is excludeLocalNetworks, but you should survey the full set of properties in the NEVPNProtocol class. IMPORTANT One of the most important is the brand new excludeDeviceCommunication. We recently published a couple of technotes that touch on this: TN3158 Resolving Xcode 15 device connection issues TN3165 Packet Filter is not API Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
May ’24
LAN traffic
I've implemented a custom system extension VPN for macOS using a Packet Tunnel Provider. At the Protocol Configuration, the 'includeAllNetworks' flag is unset. At the provider, I included all routes (IPv4 default route). What is the expected behavior for LAN traffic? Should the LAN traffic go via the VPN? By 'LAN traffic', I'm referring to local hosts, ssh, printer access, etc.
3
0
771
May ’24
Reply to VPN: excludedRoutes IPs are going via virtual adapter
The relationship between includeAllNetworks and the routing properties (includedRoutes and excludedRoutes) is complex. Our expectation is that a full tunnel, one that sets includeAllNetworks, would not also set the routing properties. That’s the case that we fully support. If you also set enforceRoutes then the system might do what you want, that is, honour the routing properties even though you’ve set includeAllNetworks. However, I discussed your situation with the folks who work on this stuff and they tell me that this isn’t an option that we officially support. It might work, it might not. Try this out and reply back here with the results. I’m curious. Also, if this configuration is important to you then I recommend that you file a bug report with details about your use case. Please post your bug number, just for the record. You should do this even if the setup currently works. In that case we’ll use your bug as an indicator that folks are relying on this. Share and Enjoy —
Apr ’24
Configuring Routing network traffic properties
Requirement: We need to update the below tunnel provider properties once the VPN is up. Is it possible? includeAllNetworks, excludeLocalNetworks, enforceRoutes. When is the standard time to configure and save the below properties in system preferences? Is it possible to save these properties in system preferences when the VPN is up? saveToPreferencesWithCompletionHandler If we can change these properties in the VPN connected state, when will these tunnel provider properties come into effect?
1
0
564
Mar ’24
Reply to How to configure PacketTunnelProvider settings
Transfer … packets safely, using full tunnel. To a VPN server that’s available on the public Internet? Note that there are two ways to achieve a full tunnel: Claim the default route. Do that and also set includeAllNetworks. The latter is tricky [1], and I recommend that you not attempt it until you’ve got more experience with this stuff. Actually, there's nothing special with DNS. From our perspective there’s a bunch of stuff special about DNS. If you’re building a VPN product, I recommend that you avoid trying to make assumptions about DNS because those are likely to break. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com [1] For example, it can break the network interface required to talk to Xcode. See TN3158 Resolving Xcode 15 device connection issues.
Mar ’24
Issues in VPN after updating to iOS 17
I am connecting to a VPN connection with NEPacketTunnelProvider configuration as IncludeAllNetworks=YES; ExcludeLocalNetwork=NO; which is tunneling all the traffic generated on my device, which is expected. But once I disconnect and kill the NEPacketTunnelProvider instance, my internet is blocked unless I restart the device. This behavior is not seen with iOS 16 and things work smoothly. Kindly update as soon as possible.
1
0
667
Mar ’24
Reply to How IP_BOUND_IF works to bind a socket to a specific interface?
Do not hard-code BSD interface names, like pdp_ip0. It will end badly. I have a bunch of backstory about this in the various posts linked to from Extra-ordinary Networking. socket still send data via utun, which is a vpn interface That can happen if the VPN sets includeAllNetworks. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Jan ’24