Search results for includeAllNetworks

150 results found


Reply to includeAllNetworks - Can't establish tunnel when includeAllNetworks is set
Removing 'includeAllNetworks' and restarting the VPN resolves all the errors. There are no logs like 'host unreachable error for DNS server'. Setting 'includeAllNetworks' and restarting the VPN will print those logs. I'm not using a local DNS server, I'm just calling getaddrinfo, which is supposed to query public DNS servers. More details: The problem is that I can't connect at all: In order to connect I need to get responses from getaddrinfo, but as I said getaddrinfo fails. I also tried to use libcurl, which also failed. I've set includeAllNetworks and I tried to connect - my extension uses some C code to establish the connection using BSD sockets and low-level code. I'm not using high-level functions like 'createUDPSessionThroughTunnelToEndpoint' in the extension. Since I can't connect I don't have the tunnel - I'm creating the tunnel only after I've found the server's IP, so how can the traffic go only via a tunnel which doesn't exist yet? P.S. - sorry for the delay.
Jul ’20
Reply to includeAllNetwork Problems.
Hi, from what I understand it appears this is not possible to set on-the-fly and it can be configured only when installing the profile. In my testing this includeAllNetworks behaves quite similarly to setting includedRoutes on the IPV4Settings to NEIPv4Route.default(). This could possibly be set when starting the tunnel, so you would need to stop and start again to toggle this.
Mar ’21
Reply to Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession
Matt, you mean even if none of the profiles are active (connected)? If I delete all of the VPN profiles in Network preferences, only then can I connect the NEVPNProtocolIKEv2 profile with the IncludeAllNetworks flag. As soon as I add any other VPN profile I am no longer able to connect my IKEv2 profile. The rules I had previously researched and posted about were logical rules that exist on the system under the hood. It sounds like your test is confirming that you can have a conflicting VPN profile if you have another VPN profile (Personal or Enterprise) that is installed on the system, but not active, and also contains the includeAllNetworks flag. Is that correct? If so, you should file an enhancement request (https://developer.apple.com/bug-reporting/) to document this behavior. Matt Eaton DTS Engineering, CoreOS meaton3@apple.com
Dec ’20
Reply to NEPacketTunnel Provider Leaking Traffic
Ah, OK, thanks for the explanation. That behaviour doesn’t come as a huge surprise, in that NE applies specific NECP rules to your packet tunnel provider in order to prevent VPN loops [1]. However, I can see why it’d be annoying. I don’t see any way around this, other than to not set includeAllNetworks but that creates its own problems. My only advice is that you file a bug about the poor interaction between includeAllNetworks and scoped network connections. Please post your bug number, just for the record. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com [1] You’re probably familiar with this but, if not, see A Peek Behind the NECP Curtain.
Jun ’24
Reply to `NEVPNProtocol.includeAllNetworks` and `NEPacketTunnelProvider.createTCPConnectionThroughTunnel`
Does this mean that the remote endpoint being connected to by createTCPConnectionThroughTunnel must reside inside the private network being connected to by the tunnel in order for it to work properly with the .includeAllNetworks setting? When using createTCPConnectionThroughTunnel this API will create a new TCP connection bound to the tunnel's interface. So if the address NWEndpoint has a remote address that corresponds to the interface, then all should be good. The includeAllNetworks flag causing an issue here is an interesting wrinkle. Do you have any other providers installed on the device / machine that you are working with? Also, what do you have the tunnelRemoteAddress set to in NEPacketTunnelNetworkSettings? Is it the destination IP of your VPN server? Lastly, are there any logs that show up in the Console.app of where the TCP connection is getting stuck?
Jun ’22
Reply to VPN causes CarPlay to not work
Configuring a VPN with includeAllNetworks causes CarPlay / Netflix Cast [to fail] That sounds eminently bugworthy to me. Please post your bug number, just for the record. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Aug ’22
Reply to In-tunnel networking when `includeAllNetworks` is set.
Hmmm, interesting. I suspect that this is tied to the implementation of includeAllNetworks, itself introduced in iOS 14. Anyway, I don’t see any code-level workaround here (other than to not set includeAllNetworks but I presume that you’re setting that for a good reason). My advice is that you file a bug about this. Enable additional logging per the VPN (Network Extension) for iOS/iPadOS instructions on our Bug Reporting > Profiles and Logs. Once you’re done, please post the bug number here. I wanna do a little more digging on this issue, but I need your bug number to start that process. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Feb ’25
Reply to NEPacketTunnelProvider does not seem to be capturing all the traffic
Apologies for talking to myself there 🤪 but I made an interesting discovery. If I use the includeAllNetworks configuration (https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks), then this finally seems to rein in Messenger and does not let it around the tunnel. That is great but it has the side-effect of once again breaking Signal, WhatsApp and probably other similar apps. I checked Signal debug logs and found that it cannot find a server by hostname, which suggested a DNS issue. So I re-added DNS configuration, added these IPs to the excludedRoutes and now Signal works but only one way. I can send messages, they are delivered but I cannot receive messages. I still think that the fact that Messenger can just go around the tunnel is the main issue.
Mar ’21
Push notifications not delivered over Wi-Fi with includeAllNetworks = true regardless of excludeAPNS setting
We have a VPN app that uses NEPacketTunnelProvider with includeAllNetworks = true. We've encountered an issue where push notifications are not delivered over Wi-Fi while the tunnel is active in a pre-MFA quarantine state (tunnel is up but traffic is blocked on server side), regardless of whether excludeAPNS is set to true or false.

Observed behavior
Wi-Fi, excludeAPNS = true - Notifications not delivered
Wi-Fi, excludeAPNS = false - Notifications not delivered
Cellular, excludeAPNS = true - Notifications delivered
Cellular, excludeAPNS = false - Notifications not delivered

On cellular, the behavior matches our expectations: setting excludeAPNS = true allows APNS traffic to bypass the tunnel and notifications arrive; setting it to false routes APNS through the tunnel and notifications are blocked (as expected for a non-forwarding tunnel). On Wi-Fi, notifications fail to deliver in both cases.

Our question
Is this expected behavior when includeAllNetworks is enabled on Wi-Fi, or is this a known is
Replies: 5, Boosts: 0, Views: 202, Activity: 1w
Reply to Why binding INADDR_ANY in Network Extension is not allowed other apps to connect it using localhost
You essentially have a few options here. Go full tunnel VPN, to which you could claim all the routes on your system by hand, or go with the includeAllNetworks flag on NETunnelProviderProtocol. Or, you could go with Per-App VPN and claim traffic for specific apps. Having apps connect to a listener so that you can route their traffic through the VPN is not the way to go here.
May ’22