Search results for "includeAllNetworks" (150 results found)


Reply to Simple transparent app proxy Network Extensions on macOS
That may not apply to your issue, but make sure that you don't have includeAllNetworks set to true (which would sound logical in the first place but causes all sorts of weird failures) in the NETunnelProviderProtocol instance you pass to the NETransparentProxyManager while configuring the proxy in the main app. Doing so causes a networking loop back into the transparent proxy that gets NECP deny messages, which really do not explain the base issue at all. Reported as FB7468866.
Topic: App & System Services. SubTopic: Drivers.
Apr ’20
Reply to How IP_BOUND_IF works to bind a socket to a specific interface?
Do not hard-code BSD interface names, like pdp_ip0. It will end badly. I have a bunch of backstory about this in the various posts linked to from Extra-ordinary Networking. "socket still sends data via utun, which is a VPN interface" That can happen if the VPN sets includeAllNetworks. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Jan ’24
Reply to iOS VPN Issue -Disconnecting VPN from Packet Tunnel Network Extension Causes Loss of Internet Connectivity
Quoting KhothAmit: "Observation: Interestingly, when we call the following method from the app side, the VPN disconnects and the device retains its internet connectivity. [enabledConfig.connection stopVPNTunnel];" Right, it looks like there was a response on the radar mentioning that this is happening because includeAllNetworks is set and cancelling the tunnel from the provider side can leave the system in this state. While this is being worked out, please disconnect the VPN from the application side or through the VPN UI.
Jun ’24
Reply to Simple transparent app proxy Network Extensions on macOS
Now I understand that when includeAllNetworks is enabled, split tunnel rules conflict with this setting and should not be used. But there is no clear documentation or error when setting split tunnel rules. So, I think it would be nicer to have documentation mention this conflict and its impact. I agree. I think this is a great enhancement request - https://developer.apple.com/bug-reporting/ for documentation on this matter. Please respond back with the Feedback ID when you have done so. Matt Eaton DTS Engineering, CoreOS meaton3@apple.com
Topic: App & System Services. SubTopic: Drivers.
May ’21
Reply to Some traffic bypassing VPN
I can’t speak to the behaviour of specific third-party clients, but I will say that it’s perfectly feasible for clients to force traffic to run over a specific interface. As to what you can do about this, my recommendation is that you look at the includeAllNetworks and excludeLocalNetworks properties we added to NEVPNProtocol in iOS 13 beta. Share and Enjoy — Quinn “The Eskimo!” Apple Developer Relations, Developer Technical Support, Core OS/Hardware let myEmail = eskimo + 1 + @apple.com
Sep ’19
Reply to Packet Tunnel Provider + split tunnel + Proxy
"Any way to bypass this without changing the proxy settings?" I suspect the immediate way is to run your traffic through a proxy on the other side of the tunnel, but that may not be an option. Regarding: "Isn't it a bug?" Hard to say, because if the full tunnel case uses something like includeAllNetworks in the NETunnelProviderProtocol then I would say, no, this is not a bug. However, if this behavior has changed between versions, then yes, I would open a bug report. Matt Eaton DTS Engineering, CoreOS meaton3@apple.com
Topic: App & System Services. SubTopic: Drivers.
Jan ’22
Reply to Some traffic bypassing VPN
Hello! We did check with built-in IPsec profiles also. No customizations whatsoever. Behaviour was similar: Facebook Messenger was able to send out packets using the IP address of the underlying Wi-Fi interface (and 4G). Even created a .mobileconfig profile, which included `OverridePrimary=1`. Still the same behaviour on 12.3.1. Will try your suggestion with `includeAllNetworks` on iOS 13 beta. Btw, do you have deeper documentation on behaviour than on https://developer.apple.com/documentation/networkextension/nevpnprotocol/3143658-excludelocalnetworks?language=objc Best regards, taavi
Sep ’19
Reply to Setting includeAllNetworks usually blocks GW connection in the extension, "kernel ALF, old data swfs_pid_entry"?
Still haven't figured out what to set to see the ALF data, but I noticed that there are some messages from netext about the connection that's failing. netext is a Microsoft Defender extension. If includeAllNetworks is on and Microsoft Defender is trying to do something with the traffic to the Gateway I suspect that it would be a problem. Are there any known issues that you can say anything about WRT anti-malware (e.g., Microsoft Defender) & proxy software (e.g., iBoss) interacting with VPN packet tunnels? It'll be tricky for me to find a test system which has none of these installed...
Jul ’22
Reply to LAN traffic
includeAllNetworks is disabled. Oh, wow, I completely misread that. Sorry about the confusion. If you claim the default route then you’ll receive traffic for which there isn’t a specific route. By default Apple platforms add routes for all locally connected networks. So, if you have a Mac on Wi-Fi and a printer on that same Wi-Fi, the traffic to that printer shouldn’t come to your VPN. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
May ’24
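The default-route behaviour Quinn describes above, as an added example that is not part of the thread: a provider-side settings builder for a packet tunnel. The tunnel addresses (100.64.0.0/24), the resolver at 100.64.0.1, the MTU and the gateway fallback name are placeholders I chose. The RFC 1918 exclusions are a policy choice of mine, not something the reply prescribes, and because the replies in this thread warn that split-tunnel rules conflict with includeAllNetworks, the example only sets excludedRoutes when that flag is off on the protocol the app saved.

```swift
import NetworkExtension

// Added example, not code from the Apple Developer Forums thread.
// Provider-side network settings for a packet tunnel that claims the default route.
final class ExamplePacketTunnelProvider: NEPacketTunnelProvider {

    // Build settings that claim the default route. With includeAllNetworks off, the
    // system's own routes for directly attached networks (the Wi-Fi printer case in
    // the reply above) already win over the default route; the optional RFC 1918
    // exclusions additionally keep routed private subnets off the tunnel.
    static func makeSettings(remote: String, excludePrivateRanges: Bool) -> NEPacketTunnelNetworkSettings {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: remote)

        // Placeholder tunnel address in the CGNAT range so it cannot collide with
        // the RFC 1918 exclusions below.
        let ipv4 = NEIPv4Settings(addresses: ["100.64.0.2"], subnetMasks: ["255.255.255.0"])
        ipv4.includedRoutes = [NEIPv4Route.default()]   // everything without a more specific route
        if excludePrivateRanges {
            // Policy choice, not required by the platform: widening what stays on the
            // physical interface also widens exposure on a hostile LAN.
            ipv4.excludedRoutes = [
                NEIPv4Route(destinationAddress: "10.0.0.0", subnetMask: "255.0.0.0"),
                NEIPv4Route(destinationAddress: "172.16.0.0", subnetMask: "255.240.0.0"),
                NEIPv4Route(destinationAddress: "192.168.0.0", subnetMask: "255.255.0.0"),
            ]
        }
        settings.ipv4Settings = ipv4

        // Send all DNS queries to the tunnel's resolver (placeholder address).
        let dns = NEDNSSettings(servers: ["100.64.0.1"])
        dns.matchDomains = [""]   // empty string: match every domain
        settings.dnsSettings = dns
        settings.mtu = 1400       // placeholder; size for your encapsulation overhead
        return settings
    }

    override func startTunnel(options: [String : Any]? = nil, completionHandler: @escaping (Error?) -> Void) {
        let proto = protocolConfiguration as? NETunnelProviderProtocol
        let gateway = proto?.serverAddress ?? "vpn.example.com"   // placeholder fallback

        // The thread says split-tunnel rules conflict with includeAllNetworks, so only
        // add exclusions when the app saved the protocol with that flag off.
        let splitAllowed = (proto?.includeAllNetworks ?? false) == false
        let settings = Self.makeSettings(remote: gateway, excludePrivateRanges: splitAllowed)

        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // From here, read from self.packetFlow and forward to the gateway; the
            // transport is omitted because the thread does not specify one.
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```

The decision to branch on includeAllNetworks lives in the provider rather than the app because the provider is the only side that knows the routes it is about to install; reading the flag back from protocolConfiguration keeps the two sides from disagreeing.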
Reply to LAN traffic
includeAllNetworks does what it says on the tin. However, there are additional flags to opt out of specific types of traffic. The obvious one here is excludeLocalNetworks, but you should survey the full set of properties in the NEVPNProtocol class. IMPORTANT One of the most important is the brand new excludeDeviceCommunication. We recently published a couple of technotes that touch on this: TN3158 Resolving Xcode 15 device connection issues TN3165 Packet Filter is not API Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
May ’24
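An added example, not from the thread, of the app-side configuration Quinn points at: a NETunnelProviderProtocol that sets includeAllNetworks and then opts specific traffic back out with excludeLocalNetworks, excludeAPNs, excludeCellularServices and excludeDeviceCommunication, saved through NETunnelProviderManager. The bundle identifier, server name and providerConfiguration key are placeholders; the availability guards are my reading of the SDK and should be checked against your deployment target. It also disconnects from the app side with stopVPNTunnel(), the workaround given in the iOS VPN disconnect reply earlier in these results.

```swift
import NetworkExtension

// Added example, not code from the Apple Developer Forums thread.
// App-side: configure a packet tunnel that claims all networks, with opt-outs.
func makeTunnelProtocol() -> NETunnelProviderProtocol {
    let proto = NETunnelProviderProtocol()
    proto.providerBundleIdentifier = "com.example.vpn.tunnel"        // placeholder
    proto.serverAddress = "vpn.example.com"                          // placeholder
    proto.providerConfiguration = ["gateway": "vpn.example.com"]     // placeholder key

    // Claim every network, not only the default route. Per the thread this is the
    // closest a third-party tunnel gets to Always-on VPN.
    proto.includeAllNetworks = true

    // Do not combine with enforceRoutes; the thread notes split-tunnel style
    // settings conflict with includeAllNetworks.
    proto.enforceRoutes = false

    // Opt traffic classes back out. Without these, includeAllNetworks blocks LAN
    // devices, APNs, carrier services and Xcode device communication (TN3158).
    proto.excludeLocalNetworks = true
    if #available(iOS 16.4, macOS 13.3, *) {      // availability: my reading of the SDK
        proto.excludeAPNs = true
        proto.excludeCellularServices = true
    }
    if #available(iOS 17.4, macOS 14.4, *) {      // availability: my reading of the SDK
        proto.excludeDeviceCommunication = true
    }
    return proto
}

// Load the existing manager (or create one), install the protocol, and save.
func loadOrCreateManager(completion: @escaping (NETunnelProviderManager?) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, error in
        if let error = error {
            print("loadAllFromPreferences failed: \(error)")
            completion(nil)
            return
        }
        let manager = managers?.first ?? NETunnelProviderManager()
        manager.localizedDescription = "Example VPN"                 // placeholder
        manager.protocolConfiguration = makeTunnelProtocol()
        manager.isEnabled = true
        manager.saveToPreferences { error in
            if let error = error {
                print("saveToPreferences failed: \(error)")
                completion(nil)
                return
            }
            // Reload after saving so the manager's connection reflects the saved state.
            manager.loadFromPreferences { _ in completion(manager) }
        }
    }
}

func connect(_ manager: NETunnelProviderManager) throws {
    try manager.connection.startVPNTunnel()
}

// Disconnect from the app side. The thread reports that cancelling from inside the
// provider with includeAllNetworks set can leave the device without connectivity.
func disconnect(_ manager: NETunnelProviderManager) {
    manager.connection.stopVPNTunnel()
}

// Usage (app target):
// loadOrCreateManager { manager in
//     guard let manager = manager else { return }
//     try? connect(manager)
// }
```

Setting excludeLocalNetworks here and claiming the default route in the provider are independent knobs: the first tells the system which traffic never reaches the tunnel, the second tells the system what the tunnel is willing to carry once traffic does reach it.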
Reply to Push notifications not delivered over Wi-Fi with includeAllNetworks = true regardless of excludeAPNS setting
MFA stands for Multi-Factor Authentication. But that detail isn't critical here — the key point is simply that the tunnel is up and established successfully (startTunnel completes without error, setTunnelNetworkSettings is applied), routing is in place, but the server is not forwarding traffic. The sample code I shared reproduces this exact state — it's a loopback tunnel that never forwards packets. The core issue remains: with includeAllNetworks = true, push notifications are not delivered over Wi-Fi regardless of the excludeAPNS setting, while on cellular they work as expected when excludeAPNS = true.
1w
Reply to IOS 18.1 broke my VPN app
Why is that a worry? This property does not seem to have any noticeable effect anyway. The tunnel can still connect to any address. I assume this is only for display purposes in the VPN settings. But who knows, the documentation certainly does not provide any insights. What worries me is that you guys at Apple implement breaking changes like that without the slightest hint, but that's another story. But I figured it out in the meanwhile. For some reason, includeAllNetworks has to be set to true starting from 18.1.0. This, by the way, is another setting that is totally unclear in the documentation. Setting a default route usually means to redirect everything. So what is "include all networks" supposed to mean in that context?
Nov ’24
Setting includeAllNetworks usually blocks GW connection in the extension, "kernel ALF, old data swfs_pid_entry"?
I'm seeing the connection to the VPN gateway failing in our Network Extension (not a System Extension) most of the time. Sometimes it succeeds. There's no difference in what the application or the extension are doing in the two cases. I can't see a pattern to when it fails, but in the console I see different messages. The only thing I've seen showing up consistently on failures but not successes is the message about the swfs_pid_entry.
On failure:
vpn_extension Gateway address 10.10.10.10, port 443
kernel ALF, old data swfs_pid_entry <private>, updaterules_msg <private>, updaterules_state <private>
vpn_extension connect failed with error 65 (No route to host)
kernel connect() - failed necp_set_socket_domain_attributes
vpn_extension Connect returncode 65
On success:
vpn_extension Gateway address 10.10.10.10, port 443
trustd User has disabled system data installation.
5 replies, 0 boosts, 2.3k views
Jul ’22
Reply to On-demand rules
VPN On Demand wasn’t designed as a mechanism to prevent ‘leaks’. For that we have Always-on VPN. At least, we do with the built-in IKEv2 VPN transports. We don’t support that for third-party VPNs (r. 33804980). Quoting roee84: "I'm not using flags such as 'capture all network'" Is this in reference to the includeAllNetworks property? If so, then you should definitely explore that option. It is the closest to Always-on VPN that you can get with a third-party VPN. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Apr ’25
Reply to nesessionmanager sometimes not deallocating tunnel on VPN disconnect
One odd thing is that it's only things that rely on DNS that appear to be breaking. If I try to ssh/ping/etc. to a system by IP address it works fine. It looks like there's a supportsDefaultDrop flag set on the config when includeAllNetworks is set:
2023-10-27 13:13:22.077480-0700 0x50591 Debug 0xb588c 320 0 nesessionmanager: [com.apple.networkextension:] applyIPDefaultDrop: session TestConfig
But it's not clear why this would only have an effect when we disconnect from the extension instead of calling stopTunnel from the management app. Or why it would only affect name resolution.
Oct ’23