Search results for

“includeAllNetworks”

157 results found

Reply to LAN traffic
Thanks eskimo, but please let me rephrase the question: 'includeAllNetworks' is disabled. At the provider, all routes are included: [NEIPv4Route.default()] In this case, should the LAN traffic go via the VPN? Or is the LAN traffic excluded from the VPN?
May ’24
Reply to includeAllNetworks - Can't establish tunnel when includeAllNetworks is set
Removing 'includeAllNetworks' and restarting the VPN resolves all the errors. There are no logs like 'host unreachable error for DNS server'. Setting 'includeAllNetworks' and restarting the VPN will print those logs. I'm not using a local DNS server, I'm just calling getaddrinfo, which is supposed to query public DNS servers. More details: The problem is that I can't connect at all: In order to connect I need to get responses from getaddrinfo, but as I said getaddrinfo fails. I also tried to use libcurl, which also failed. I've set includeAllNetworks and I tried to connect - my extension uses some C code to establish the connection using BSD sockets and low-level code. I'm not using high-level functions like 'createUDPSessionThroughTunnelToEndpoint' in the extension. Since I can't connect I don't have the tunnel - I'm creating the tunnel only after I've found the server's IP, so how can the traffic go only via a tunnel which doesn't exist yet? P.S. - sorry for the delay.
Jul ’20
Reply to `NEVPNProtocol.includeAllNetworks` and `NEPacketTunnelProvider.createTCPConnectionThroughTunnel`
Does this mean that the remote endpoint being connected to by createTCPConnectionThroughTunnel must reside inside the private network being connected to by the tunnel in order for it to work properly with the .includeAllNetworks setting? When using createTCPConnectionThroughTunnel this API will create a new TCP connection bound to the tunnel's interface. So if the address NWEndpoint has a remote address that corresponds to the interface, then all should be good. The includeAllNetworks flag causing an issue here is an interesting wrinkle. Do you have any other providers installed on the device / machine that you are working with? Also, what do you have the tunnelRemoteAddress set to in NEPacketTunnelNetworkSettings? Is it the destination IP of your VPN server? Lastly, are there any logs that show up in the Console.app of where the TCP connection is getting stuck?
Jun ’22
Reply to includeAllNetwork Problems.
Hi, from what I understand it appears this is not possible to set on-the-fly and it can be configured only when installing the profile. In my testing this includeAllNetworks behaves quite similarly to setting includedRoutes on the IPV4Settings to NEIPv4Route.default(). This could possibly be set when starting the tunnel, so you would need to stop and start again to toggle this.
Mar ’21
Reply to Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession
Matt, you mean even if none of the profiles are active (connected)? If I delete all of the VPN profiles in Network preferences, only then I can connect NEVPNProtocolIKEv2 profile with IncludeAllNetworks flag. As soon as I add any other VPN profile I am no longer able to connect my IKEv2 profile. The rules I had previously researched and posted about were logical rules that exist on the system under the hood. It sounds like your test is confirming that you can have a conflicting VPN profile if you have another VPN profile (Personal or Enterprise) that is installed on the system, but not active, and also contains the includeAllNetworks flag. Is that correct? If so, you should file an enhancement request - https://developer.apple.com/bug-reporting/ to document this behavior. Matt Eaton DTS Engineering, CoreOS meaton3@apple.com
Dec ’20
Reply to NEPacketTunnel Provider Leaking Traffic
Ah, OK, thanks for the explanation. That behaviour doesn’t come as a huge surprise, in that NE applies specific NECP rules to your packet tunnel provider in order to prevent VPN loops [1]. However, I can see why it’d be annoying. I don’t see any way around this, other than to not set includeAllNetworks but that creates its own problems. My only advice is that you file a bug about the poor interaction between includeAllNetworks and scoped network connections. Please post your bug number, just for the record. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com [1] You’re probably familiar with this but, if not, see A Peek Behind the NECP Curtain.
Jun ’24
Reply to In-tunnel networking when `includeAllNetworks` is set.
Hmmm, interesting. I suspect that this is tied to the implementation of includeAllNetworks, itself introduced in iOS 14. Anyway, I don’t see any code-level workaround here (other than to not set includeAllNetworks but I presume that you’re setting that for a good reason). My advice is that you file a bug about this. Enable additional logging per the VPN (Network Extension) for iOS/iPadOS instructions on our Bug Reporting > Profiles and Logs. Once you’re done, please post the bug number here. I wanna do a little more digging on this issue, but I need your bug number to start that process. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Feb ’25
Reply to VPN causes CarPlay to not work
Configuring a VPN with includeAllNetworks causes CarPlay / Netflix Cast [to fail] That sounds eminently bugworthy to me. Please post your bug number, just for the record. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Topic: App & System Services SubTopic: General Tags:
Aug ’22
Push notifications not delivered over Wi-Fi with includeAllNetworks = true regardless of excludeAPNS setting
We have a VPN app that uses NEPacketTunnelProvider with includeAllNetworks = true. We've encountered an issue where push notifications are not delivered over Wi-Fi while the tunnel is active in a pre-MFA quarantine state (tunnel is up but traffic is blocked on server side), regardless of whether excludeAPNS is set to true or false.
Observed behavior:
Wi-Fi, excludeAPNS = true - Notifications not delivered
Wi-Fi, excludeAPNS = false - Notifications not delivered
Cellular, excludeAPNS = true - Notifications delivered
Cellular, excludeAPNS = false - Notifications not delivered
On cellular, the behavior matches our expectations: setting excludeAPNS = true allows APNS traffic to bypass the tunnel and notifications arrive; setting it to false routes APNS through the tunnel and notifications are blocked (as expected for a non-forwarding tunnel). On Wi-Fi, notifications fail to deliver in both cases.
Our question: Is this expected behavior when includeAllNetworks is enabled on Wi-Fi, or is this a known is
Replies: 7, Boosts: 0, Views: 694
Mar ’26
Reply to Transparent proxy UDP flows
As far as I remember, Protocol wrong type for socket error for ICMP ping may indicate that you set includeAllNetworks=true during VPN initialization. Please try setting it to false.
Topic: App & System Services SubTopic: Core OS Tags:
Sep ’21
Reply to Version/OS compatibility of Catalina Network Extension features
It's great to see VPN security improved with the includeAllNetworks and excludeLocalNetworks properties added to NEVPNProtocol. Would be really great if these same features could be brought to iOS soon as well. My feedback report: FB6970648 Cheers, Rob
Aug ’19
Reply to VPN Forced Tunneling not working on MacOS 14
Problematic: 0.0.0.0/1 128.0.0.0/1 Why are you using this approach rather than setting includeAllNetworks? Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Topic: App & System Services SubTopic: Core OS Tags:
Feb ’24
Reply to Simple transparent app proxy Network Extensions on macOS
I was also facing this issue (deny(1) system-privilege 10006) with PacketTunnel on macOS and includeAllNetworks was the culprit. Thanks to your answer, I was able to resolve the issue (only after wasting more than a day). Has there been any update on FB7468866 to fix this issue?
Topic: App & System Services SubTopic: Drivers Tags:
May ’21
Reply to enforceRoutes causes excludedRoutes to be ignored
Interesting. Regarding: In both cases includeAllNetworks and excludeLocalNetworks are both NO. If you set excludeLocalNetworks and enforceRoutes to YES does this properly exclude the traffic in your excludedRoutes? If not, then I would open a bug report here just to see if this is something that needs to be further investigated.
May ’23
Reply to Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession
No, I don't think this is the case. The conflicting VPN profile is NESMLegacySession (IPSec) added manually to the Network preferences panel by the user and NOT the app. I don't think this profile has includeAllNetworks flag set or if it even can have one.
Dec ’20