Search results for “includeAllNetworks”

157 results found

Post

Replies

Boosts

Views

Activity

Push notifications not delivered over Wi-Fi with includeAllNetworks = true regardless of excludeAPNS setting
We have a VPN app that uses NEPacketTunnelProvider with includeAllNetworks = true. We've encountered an issue where push notifications are not delivered over Wi-Fi while the tunnel is active in a pre-MFA quarantine state (tunnel is up but traffic is blocked on server side), regardless of whether excludeAPNS is set to true or false.

Observed behavior

Wi-Fi excludeAPNS = true - Notifications not delivered
Wi-Fi excludeAPNS = false - Notifications not delivered
Cellular excludeAPNS = true - Notifications delivered
Cellular excludeAPNS = false - Notifications not delivered

On cellular, the behavior matches our expectations: setting excludeAPNS = true allows APNS traffic to bypass the tunnel and notifications arrive; setting it to false routes APNS through the tunnel and notifications are blocked (as expected for a non-forwarding tunnel). On Wi-Fi, notifications fail to deliver in both cases.

Our question

Is this expected behavior when includeAllNetworks is enabled on Wi-Fi, or is this a known is
Replies: 7, Boosts: 0, Views: 696
Mar ’26
Reply to Why binding INADDR_ANY in Network Extension is not allowed other apps to connect it using localhost
You essentially have a few options here. Go full tunnel VPN, to which you could claim all the routes on your system by hand, or go with the includeAllNetworks flag on NETunnelProviderProtocol. Or, you could go with Per-App VPN and claim traffic for specific apps. Having apps connect to a listener so that you can route their traffic through the VPN is not the way to go here.
May ’22
Reply to Push notifications not delivered over Wi-Fi with includeAllNetworks = true regardless of excludeAPNS setting
Hi Quinn, We wanted to follow up regarding bug report FB22135575. At the moment, we haven’t seen any progress or updates on the feedback we filed regarding APNS delivery with includeAllNetworks = true over Wi-Fi. Could you please check internally if there’s any update on the investigation or current status of the report? Thank you.
May ’26
Reply to Simple transparent app proxy Network Extensions on macOS
Thanks for the update Matt. However, I received this issue with Packet Tunnel. Whenever includeAllNetworks is enabled, if PacketTunnelProvider tries to apply a split tunnel rule, the rule fails to apply (but no error returned) and packet tunnel receives all the traffic as if it's full tunnel and wildcard match domain. Now I understand that when includeAllNetworks is enabled, split tunnel rules conflict with this setting and should not be used. But there is no clear documentation or error when setting split tunnel rules. There is just a cryptic message in Console.app, `System Policy: deny(1) system-privilege 10006`, which is easy to miss. It does not even specify the problem. So, I think it would be nicer to have documentation mention this conflict and its impact. It would be even nicer to have NETunnelProvider.setTunnelNetworkSettings method return an error in its completion block when such conflicts take place.
Topic: App & System Services SubTopic: Drivers Tags:
May ’21
Reply to includeAllNetworks - Can't establish tunnel when includeAllNetworks is set
Interesting. The bottom line is that it sounds like traffic is escaping the tunnel somehow with includeAllNetworks = true and is therefore being dropped. At this point I think it would be good to open a DTS incident - https://developer.apple.com/support/technical/ so I can take a closer look at what is happening.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Jul ’20
Reply to Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession
> Is there any other place in the system where VPN configs can be found?

For macOS, System Preferences - Network is the standard place. You can use % scutil also to take a look at the Network Configurations via % scutil --nc list. If you do not include IncludeAllNetworks are you able to connect your tunnel?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Mar ’21
Reply to VPN, includeAllNetworks, and MMS
> While I can dream of a flag to allow MMS through

I recommend that you do more than just dream.

> do you know of a way to allow MMS to go outside the VPN while otherwise keeping similar functionality to includeAllNetworks

No.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = eskimo + 1 + @ + apple.com
Jan ’23
Reply to `NEVPNProtocol.includeAllNetworks` and `NEPacketTunnelProvider.createTCPConnectionThroughTunnel`
Another update: it looks like if I use URLSession instead of createTCPConnectionThroughTunnel to create a TCP stream, the connection works just fine with .includeAllNetworks set to true, but the connection doesn't go through the tunnel. It would be rather ironic if users switched this setting on expecting a more secure connection, only to have the app be forced to use a part of the API that doesn't tunnel a portion of their networking...
May ’22
Reply to Configure IKEv2 VPN with always-on
Thanks to both of you for the answers! And regarding 'includeAllNetworks' - it sounds similar to always-on, but I want to force the user to always use the VPN, or he won't have traffic, but without giving him the option to disable this behaviour (so he won't be able to uncheck the on-demand for example). Is it possible? This way it will behave just like always-on when the user is not allowed to stop automatic connections.
Jun ’20
Reply to NEPacketTunnel Provider Leaking Traffic
If you’re concerned about ‘leaking’ traffic then your best path forward is to set includeAllNetworks. You can find more on this in Routing your VPN network traffic.

IMPORTANT It’s likely that you’ll want to exclude some traffic, otherwise you can break things like Xcode debugging!

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = eskimo + 1 + @ + apple.com
Jun ’24
Reply to `NEVPNProtocol.includeAllNetworks` and `NEPacketTunnelProvider.createTCPConnectionThroughTunnel`
Hi Matt, thanks so much for your reply. We pass nil as the TLS delegate parameter when calling startTunnelWithOptions, so I don't think that should be an issue. I'd just like to re-state the conditions of the failure mode:

- .includeAllNetworks set to true in the provider settings leads to connections created with createTCPConnectionThroughTunnel not connecting
- createTCPConnectionThroughTunnel works normally when .includeAllNetworks is set to false
- Normal network operations with URLSession.shared work normally in the network extension with .includeAllNetworks set to true
- Normal network operations on the rest of the system (i.e., outside of the network extension) work normally with .includeAllNetworks set to true

You gave the following possibilities as worth investigating (let's set aside #1 and #2 for the moment for the reasons mentioned above):

- The connection purely timed out.
- A better path became available and the viability changed, which is a way of describing that the tun
Jun ’22
Reply to includeAllNetworks and in-tunnel networking
Feedback has been filed - FB16748087. The reason I'm asking here is because just going by API documentation, there is nothing to suggest that using in-tunnel connections with includeAllNetworks wouldn't work. Hey! Out of curiosity, what kind of “traffic” are you trying to send through the “tunnel”? When our app establishes a VPN connection, our tunnel process must negotiate extra configuration that will then be used to actually relay user traffic.
Topic: Networking SubTopic: Networking Q&A
1w
Reply to VPN, includeAllNetworks, and MMS
The fact that MMS fails when you set includeAllNetworks doesn’t surprise me. You’ve specifically told the system that you want all network traffic, which is at odds with standard cellco practice of requiring that MMS be delivered over the cellco’s network.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = eskimo + 1 + @ + apple.com
Jan ’23
Reply to VPN: excludedRoutes IPs are going via virtual adapter
> Please refer this

That seems like a different issue to me. Specifically, in this case you’re setting includeAllNetworks and that other thread you’re not.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = eskimo + 1 + @ + apple.com
Topic: App & System Services SubTopic: Core OS Tags:
Apr ’24
Reply to nesessionmanager sometimes not deallocating tunnel on VPN disconnect
I've submitted a feedback issue about this, with sample code. It's extremely easy to reproduce with a minimal VPN. Right now it's blocking release of anything using includeAllNetworks for us, because loss of DNS resolution is completely unacceptable. Hopefully there's some simple way to resolve the problem. FB13331886
Nov ’23