includeAllNetworks

I work on an iOS VPN app, and we're having some problems with the interaction between MMS and the includeAllNetworks flag. When the includeAllNetworks flag is on, MMS sending fails. I believe this is because iOS is trying to go outside the VPN tunnel and over cellular and is using the cellular network's default DNS lookup for the MMS server (in a sample case we've been using for testing, mms.msg.eng.t-mobile.com). (Logs seem to show the phone dropping back to cellular even when it has a strong WiFi connection.) I believe iOS also chooses the cellular connection when making the request where the MMS packets are sent. And thus with includeAllNetworks active, iOS does not permit these packets through, causing the MMS send to fail. Does this explanation above seem accurate, and seem like why MMS isn't working with the VPN active? We've been debugging via Console logs, and can see the DNS request fail, but have limited insight into the lower level parts of the networking stack. Does includeAllNetworks

Hi, I have a problem with the VPN profile on macos 13 with some custom VPN protocol. I've run the VPN application when I had macos 12.x. The application worked fine, created system configuration. Then I've updated the os to 13. After the update I'm not able to connect to VPN when includeAllNetworks=true. The defaultPath is always unsatisfied, so the tunnel is not able to connect to VPN server. The system routes seam to be ok using netstat and route. If VPN is started with includeAllNetworks=false it works. On logs I've saw that when includeAllNetworks=true, nesessionmanager prints the following errors: error 08:01:59.652919+0100 nesessionmanager -[NESMVPNSession setDefaultDropAll]: VPN addLocalNetworksExceptionWithOrder failed for Control priority error 08:01:59.653105+0100 nesessionmanager VPN-includeAllNetworks evaluateConfiguration failed error 08:01:59.653479+0100 nesessionmanager -[NESMVPNSession setDefaultDropAll]: VPN addLocalNetworksExceptionWithOrder failed for Hig

When trying to bind a socket to the tunnel interface via setsockopt(socket, IPPROTO_IP, IP_BOUND_IF, &ifindex, len) Within the PacketTunnel itself despite this call succeeding the data is still routed through the default interface. This is observed when includeAllNetworks is true. When it is false it seems to send it on both interfaces. Is there something wrong with how I'm doing it?

Configuring a VPN with includeAllNetworks causes CarPlay / Netflix Cast. Even enabling excludeLocalNetworks does not resolve this issue. Is this a known issue and can we work around this?

I'm seeing the connection to the VPN gateway failing in our Network Extension (not a System Extension) most of the time. Sometimes it succeeds. There's no difference in what the application or the extension are doing in the two cases. I can't see a pattern to when it fails, but In the console I see different messages. The only thing I've seen showing up consistently on failures but not successes is the message about the swfs_pid_entry. On failure: vpn_extension Gateway address 10.10.10.10, port 443 kernel ALF, old data swfs_pid_entry <private>, updaterules_msg <private>, updaterules_state <private> vpn_extension connect failed with error 65 (No route to host) kernel connect() - failed necp_set_socket_domain_attributes vpn_extension Connect returncode 65 On success: vpn_extension Gateway address 10.10.10.10, port 443 trustd User has disabled system data installation.

The .includeAllNetworks flag on the NEVPNProtocol object seems suitable for use as a vpn kill switch. At the very least, the documentation specifies that if this value is true and the tunnel is unavailable, the system drops all network traffic. Our application has a UI element that allows the user to toggle this setting, for the purposes of ensuring that all of their traffic is sent through the VPN connection. We're encountering an issue, however: it appears that, with this setting enabled, any NWTCPConnection returned by NEPacketTunnelProvider.createTCPConnectionThroughTunnel will never connect. It stays in the .connecting state and never advances to the .connected state. The documentation for this method states that this method can be used to create a TCP connection to an endpoint inside the private network. Does this mean that the remote endpoint being connected to by createTCPConnectionThroughTunnel must reside inside the private network being connected to by the tunnel in order for it to work pr