Is it possible to have both 'includeAllNetworks' and split-tunnel simultaneously? I want to enable a split tunnel so only some of the traffic will reach the tunnel, but at the same time make sure that this traffic will always reach the tunnel, even if it's coming from some low-level networking API or even if the traffic started before the tunnel was created. Setting the 'includeAllNetworks' flag will help with the above cases, but then I'll get all the traffic via the tunnel without regard to the split-tunnel configuration. (Details: System extension, PacketTunnelProvider)
Search results for includeAllNetworks (150 results found)
I've submitted a feedback issue about this, with sample code. It's extremely easy to reproduce with a minimal VPN. Right now it's blocking release of anything using includeAllNetworks for us, because loss of DNS resolution is completely unacceptable. Hopefully there's some simple way to resolve the problem. FB13331886
Topic: App & System Services, SubTopic: Networking
One odd thing is that it's only things that rely on DNS that appear to be breaking. If I try to ssh/ping/etc. to a system by IP address it works fine. It looks like there's a supportsDefaultDrop flag set on the config when includeAllNetworks is set:

    2023-10-27 13:13:22.077480-0700 0x50591 Debug 0xb588c 320 0 nesessionmanager: [com.apple.networkextension:] applyIPDefaultDrop: session TestConfig

But it's not clear why this would only have an effect when we disconnect from the extension instead of calling stopTunnel from the management app. Or why it would only affect name resolution.
Topic: App & System Services, SubTopic: Networking
Tried it for the same case on iOS, and I found that when includeAllNetworks is set in the profile, the VPN status becomes disconnected after connecting. How should we use includeAllNetworks correctly on iOS/macOS? Any help is appreciated.
Topic: App & System Services, SubTopic: Networking
Going through the console, it actually seems that the profile is loaded properly:

    NESMVPNSession[Primary Tunnel:XRTC Accelerator:6CB1FD0B-6268-4701-8968-2EE37DE109AC:(null)] starting with configuration: {
        name = ****
        identifier = 6CB1FD0B-6268-4701-8968-2EE37DE109AC
        applicationName = ***
        application = com.***.***
        grade = 1
        VPN = {
            enabled = YES
            onDemandEnabled = NO
            disconnectOnDemandEnabled = NO
            onDemandUserOverrideDisabled = NO
            protocol = {
                type = plugin
                identifier = E8C022C7-41EE-4627-B2CD-88CE84D2A1DD
                serverAddress = VPN Server
                identityDataImported = NO
                disconnectOnSleep = NO
                disconnectOnIdle = NO
                disconnectOnIdleTimeout = 0
                disconnectOnWake = NO
                disconnectOnWakeTimeout = 0
                includeAllNetworks = YES
                excludeLocalNetworks = YES
                excludeCellularServices = YES
                excludeAPNs = YES
                enforceRoutes = NO
                pluginType = com***
                authenticationMethod = 0
                providerConfiguration = {
                    key = value,
                }
                providerBundleIdentifier = ***.PacketTunnelProvider
            }
            tunnelType = packet
        }
    }

but then I get [4768]: Tearing down XPC connec
Topic: App & System Services, SubTopic: Networking
I am trying to set the includeAllNetworks flag right now and I see some weird behavior from the macOS system:

    default 13:32:50.825941+0800 ***** newStatus = Connecting...
    default 13:32:51.816353+0800 ***** newStatus = Disconnected
    default 13:32:52.222371+0800 ***** newStatus = Connected

The app which is observing VPN status gets notified with a disconnected status between connecting and connected. And in some cases I find that the app never gets the connected notification after the disconnected one. In that case the tunnel interface and all tunnel network settings are well set. But our UI logic will just handle the disconnected case. If I just clear the includeAllNetworks flag, then everything is fine:

    default 14:13:50.075947+0800 ***** newStatus = Connecting...
    default 14:13:50.829195+0800 ***** newStatus = Connected

The test environment is macOS 14.0 and I am using the Network Extension framework for the status KVO. So I am just wondering if this is expected behavior or not. If this is expected, then is there any
We're seeing nesessionmanager problems caused by having a configuration present on the system which:

- Has includeAllNetworks set in the protocol
- Was previously connected & then disconnected

After VPN disconnection we sometimes see that DNS and other things are not working. The VPN extension is no longer running, so I'd expect that settings would have been cleaned up, but they aren't in some cases. The system won't recover on its own, and when we delete the VPN configuration we see a set of messages from the VPN session manager. There are two I've seen, on different systems. One shows the utun interface being cleaned up, and various network settings being removed. The other refers to deregistering an Enterprise VPN Session, [NESMVPNSession unsetDefaultDropAll], and IP Drop-All disabled. In both of these cases the cleanup is being done hours after the session was disconnected and the extension unloaded from memory. Does anyone know what exactly is happening there, and why the OS isn't cleaning up on disco
Hello, regarding this explanation:

> If this property is YES, the system excludes network connections to hosts on the local network — such as AirPlay, AirDrop, and CarPlay — but only when the includeAllNetworks or enforceRoutes property is also YES.

So my question is: does the local network here only mean AirPlay, AirDrop, and CarPlay? Are pings to local LAN IPs still working? What exactly is the local network definition here? Is it based on the interface or the IPs? For example, suppose we connect to a Wi-Fi network which assigned a public IP. After the VPN is connected in tunnel-all mode and we set the includeAllNetworks and excludeLocalNetworks flags, will the traffic that originally went through the wlan interface go through the utun interface, or will it keep going through the wlan interface?
Hi, I would like to enable the includeAllNetworks setting in a personal VPN product. If a transparent proxy of another macOS security product (e.g. Avast Security, Cisco AnyConnect) is enabled, the VPN session fails to connect with an error message:

    nesessionmanager: Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession[...] due to Enterprise VPN session NESMTransparentProxySession[...] (status 3)
    nesessionmanager: [com.apple.networkextension:] NESMIKEv2VPNSession[Primary Tunnel:...]: Rejected start command from AVG Secure VPN[3332]

The startVPNTunnel method however doesn't return any error. The product needs to wait until its internal connection timer expires, call stopVPNTunnel, and then the NEVPNStatus changes from disconnected to disconnecting followed by disconnected. Is there a way to programmatically detect the error or transparent proxy presence?
> I would suggest a more accurate name - ‘includeMostNetworks’ instead of ‘includeAllNetworks’.

For any change in documentation, API names, or API behavior I would open an Enhancement Request here.

Regarding:

> After reading the updated documentation, it is not clear what the ‘includeAllNetworks’ actually does, as when it is disabled, the VPN also sends most network traffic over the tunnel.

The way I have always thought of this property is that it allows your tunnel to define a sweeping set of destination addresses without having to manually define all of these routes in your packet tunnel configuration.
Topic: App & System Services, SubTopic: Core OS
https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks

The ‘includeAllNetworks’ property was introduced in iOS 14 to allow a VPN configuration on iOS to force all network traffic through the VPN tunnel, to prevent any leaks outside the tunnel. Older versions of this document said:

> A Boolean value that indicates whether the system sends all network traffic over the tunnel.

Current documentation says:

> A Boolean value that indicates whether the system sends most network traffic over the tunnel.

There are a few issues with this change:

- The change in functionality was introduced without any notice or change in developer documentation.
- The documentation was updated almost a year after the change in functionality.
- The property should have been deprecated in iOS 16, and a new property should have been introduced.

I would suggest a more accurate name - ‘includeMostNetworks’ instead of ‘includeAllNetworks’. After reading the updated documentation,
Regarding includeAllNetworks, if we reproduce this on e.g. iOS 14 or 15, what do you recommend? Does it make sense to create a ticket for it, or will those versions not get fixed? DNS leak = DNS query requests that don't go through the tunnel. From what I've seen, when setTunnelNetworkSettings(_:completionHandler:) is called, from the call point until almost when its completion block is executed, the route to utun is deleted from the system and then recreated. Because of this, requests made in this short time will not be able to go through the tunnel and will mostly escape on e.g. en0. At the same time mDNS will fire lots of DNS queries at every network configuration change and some of the requests will manage to go around the tunnel, until the route is recreated.
Topic: App & System Services, SubTopic: Networking
> … while others, especially latest versions, handle this fine. Can includeAllNetworks be changed while the tunnel is running

Given that this is working on the latest system, that sounds like a bug that we fixed.

> And on the same note, regarding [setTunnelNetworkSettings(_:completionHandler:)], can this be called multiple times while the tunnel is running?

That’s expected to work.

> what I've seen each call to [setTunnelNetworkSettings(_:completionHandler:)] after VPN connected results in at least DNS leaks, because the routing table is recreated.

I don’t understand what you mean by “DNS leak”.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Topic: App & System Services, SubTopic: Networking
Hi, I saw that almost each OS version, on iOS and macOS, handles changing includeAllNetworks while the tunnel is running differently. On some the entire OS reports no network, while others, especially the latest versions, handle this fine. Can includeAllNetworks be changed while the tunnel is running, or must the tunnel be stopped and restarted with the new value? E.g. the tunnel is started with it set to false, but later it is changed to true in the VPN profile. And on the same note, regarding setTunnelNetworkSettings, can this be called multiple times while the tunnel is running? For example if the VPN server IP changes. Because what I've seen is that each call to setTunnelNetworkSettings after the VPN is connected results in at least DNS leaks, because the routing table is recreated. Let me know if it is easier to track if I create separate questions. Thanks
Hi, I'm new to iOS development and would like to gain some understanding about how NEPacketTunnelProvider handles UDP traffic. In my code, I've created NEPacketTunnelNetworkSettings:

    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: proxyHost)
    // Addresses and subnet masks are string arrays in NEIPv4Settings
    let ipv4Settings = NEIPv4Settings(
        addresses: ["127.0.0.1"],
        subnetMasks: ["255.255.255.255"]
    )
    settings.ipv4Settings = ipv4Settings
    let proxySettings = NEProxySettings()
    ...
    settings.proxySettings = proxySettings

and passed it to the setTunnelNetworkSettings function. And I was able to start the VPN with no issues. However, in the debug tool, I couldn't see any UDP traffic, though I'm sure there should be some. The only UDP connection constantly had no traffic. Does NEProxySettings only work for TCP? What am I missing here? (I've set protocolConfiguration?.includeAllNetworks = true in my NETunnelProviderManager.) Thanks