Search results for includeAllNetworks (150 results found)

Post

Replies

Boosts

Views

Activity

Reply to includeAllNetworks - Can't establish tunnel when includeAllNetworks is set
Interesting. The bottom line is that it sounds like traffic is escaping the tunnel somehow with includeAllNetworks = true and is therefore being dropped. At this point I think it would be good to open a DTS incident - https://developer.apple.com/support/technical/ so I can take a closer look at what is happening. Matt Eaton, DTS Engineering, CoreOS, meaton3@apple.com
Jul ’20
Reply to includeAllNetworks - Can't establish tunnel when includeAllNetworks is set
It's not even restarting the tunnel if it existed before; it's also for creating it for the first time. Even if I simulate a new user - just creating a profile with includeAllNetworks = true, and starting the VPN for the first time - I have the above problem. Doing the same thing but with includeAllNetworks = false, there's no problem at all. Removing the profile also works. It's just this flag which causes the problem - all the traffic at the extension gets blocked, even if it's the first time I'm trying to create the tunnel.
Jul ’20
Reply to includeAllNetworks - Can't establish tunnel when includeAllNetworks is set
Removing 'includeAllNetworks' and restarting the VPN resolves all the errors. There are no logs like 'host unreachable error for DNS server'. Setting 'includeAllNetworks' and restarting the VPN will print those logs. I'm not using a local DNS server, I'm just calling getaddrinfo, which is supposed to query public DNS servers. More details: The problem is that I can't connect at all: In order to connect I need to get responses from getaddrinfo, but as I said getaddrinfo fails. I also tried to use libcurl, which also failed. I've set includeAllNetworks and I tried to connect - my extension uses some C code to establish the connection using BSD sockets and low-level code. I'm not using high-level functions like 'createUDPSessionThroughTunnelToEndpoint' at the extension. Since I can't connect I don't have the tunnel - I'm creating the tunnel only after I've found the server's IP, so how can the traffic go only via a tunnel which doesn't exist yet? P.S. - sorry for the delay.
Jul ’20
Version/OS compatibility of Catalina Network Extension features
We moved our macOS NKE-based VPN over to Network Extensions a while back. Although Network Extensions offered us less control over the system traffic, it also let us have a single code base for the core functionality on iOS & macOS, as well as offering the possibility of MDM. The talk on Network Extensions for Modern macOS offered us some of the control back. The includeAllNetworks and excludeLocalNetworks flags are great to see. But, the title of the talk said 'for Modern macOS', so:
- Are they only on macOS, or are the Network Extension parts of that talk also applicable to iOS?
- Will those Network Extension flags function if the user is running macOS Mojave?
- iOS 12?
Or are they only going to work on Catalina/iOS 13 and later? Users do tend to upgrade their macOS & iOS versions, but corporate customers upgrade slowly, and they're our market. One ability of NKEs that we lost with Network Extensions was the ability to do an 'Always On' VPN which made sure that all traffic from the system was tunnel
Replies: 4, Boosts: 0, Views: 1.7k
Jul ’20
Reply to includeAllNetworks - Can't establish tunnel when includeAllNetworks is set
If you are using a local DNS server that cannot be accessed due to all traffic going through the tunnel then this would explain why calls to getaddrinfo are failing. The logs in the console look like traffic is still trying to go over an interface that is not utun or ipsec related though. I'm wondering if you are getting this because of a routing change for the VPN's virtual interface and this traffic is not respecting that change. If you remove includeAllNetworks and restart the VPN, does this resolve the errors in the log below? Not that this is a solution to your problem, I'm just trying to work through why this traffic is going around the tunnel interfaces if you instructed it not to. No mDNSKeepalive for interface en8/IOSkywalkLegacyEthernetInterface kr 0xE00002C0 NetWakeInterface: en8 <private> no WOMP uDNSCheckCurrentQuestion: host unreachable error for DNS server <private> for question failed to send packet on InterfaceID 0x5 en8/4 to <private>:53 skt 74 error -1 errno 6
Jul ’20
Reply to When mobile data is switched on WhatsApp bypass VPN
IncludeAllNetworks support is in iOS14 (in the current beta). Here is the behavior summary once VPN is enabled with IncludeAllNetworks set to true:
- all traffic will be dropped if tunnel is not up
- once tunnel is up, all traffic will be policed by traffic policies to go over tunnel
- if VPN is enabled manually (via UI), tunnel will be re-established, in case it came down, automatically
This IncludeAllNetworks will solve the WhatsApp issue that you mentioned.
Jun ’20
Reply to When mobile data is switched on WhatsApp bypass VPN
For a programmatically set VPN, setting this property of NEVPNProtocol, which is available after iOS 14, to true could fix this issue: var includeAllNetworks: Bool { get set } https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks We could see on this page https://developer.apple.com/documentation/devicemanagement/vpn/vpn that includeAllNetworks is available for iOS 4.0+ and macOS 10.7+. But in this document https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf includeAllNetworks doesn't exist yet.
Jun ’20
includeAllNetworks - can't connect the VPN
I've implemented a custom VPN app for macOS (Packet Tunnel Provider). I've added the flag 'includeAllNetworks' to the protocol configuration. For some reason, there are multiple times where the initial connection to the VPN fails. I'm using sockets, the getaddrinfo func, and libcurl. But when this flag is set, it seems that there's no internet access, even before the first connection of the VPN. The weird thing is that sometimes the VPN connects without a problem. Without this flag the VPN always connects without a problem. Are there any limitations I should know about regarding using this flag?
Replies: 1, Boosts: 0, Views: 511
Jun ’20
Reply to Configure IKEv2 VPN with always-on
For AlwaysON VPN, to lock down the VPN, the iOS device is supervised and the AlwaysON VPN profile will be marked as non-removable by the user. There is no UI option for the user to turn off the VPN to allow traffic to pass. With VPN IncludeAllNetworks, you can put the device in supervised mode and also mark the profile as non-removable. But the VPN UI will allow the user to turn the VPN on/off, allowing users to bypass the VPN. Sounds like you need an option to disallow the user from being able to turn off the VPN via the UI. Please file a radar for the request.
Jun ’20
Reply to Configure IKEv2 VPN with always-on
Thanks to both of you for the answers! And regarding 'includeAllNetworks' - it sounds similar to always-on, but I want to force the user to always use the VPN, or he won't have traffic, but without giving him the option to disable this behaviour (so he won't be able to uncheck the on-demand for example). Is it possible? This way it will behave just like always-on when the user is not allowed to stop automatic connections.
Jun ’20
Reply to Configure IKEv2 VPN with always-on
Currently, AlwaysON VPN is only supported on supervised iOS devices. It is configuration profile based only, and is limited to the built-in IKEv2 provider. There is no app-based customization support. It sounds like you want to have your own app with your own custom SSL provider, but with the alwaysOn-VPN-like behavior (forcing all traffic onto tunnel to avoid traffic leakage). On iOS 14, check out the new key, includeAllNetworks, in the NEVPNProtocol.h file. If VPN is enabled and this includeAllNetworks is set, VPN will make sure all traffic must be tunneled. If tunnel is not up yet, all traffic will be dropped. If tunnel is enabled manually, this key will continuously keep the tunnel up. If tunnel is onDemand, then tunnel will be brought up by onDemand. https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks
Jun ’20
Reply to Network system extension failing to load
Hi Matt, I was able to fix the IPC issues. Now I can see it is saving the configuration correctly. But next my expectation was to get the callback on the App proxy provider (i.e. AppProxyProvider), but I am not getting the callback. Looks like it is not able to get into the network system extension. (Network preference, extension status showing as Connecting...) Any thoughts please?
(
{
    localizedDescription = MyExtension
    enabled = YES
    protocolConfiguration = {
        serverAddress = <23-char-str>
        disconnectOnSleep = NO
        includeAllNetworks = NO
        excludeLocalNetworks = NO
        providerBundleIdentifier = com.sample.extension
    }
    onDemandEnabled = NO
}
)
Extension info.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>$(DEVELOPMENT_LANGUAGE)</string>
<key>CFBundleDisplayName</key>
<string>FPNetwor
Jun ’20