I've implemented a custom VPN app for macOS (using Packet Tunnel Provider). I set includeAllNetworks at the protocolConfiguration. When this field is set, I can't connect and I can't send traffic even at the extension. Even simple calls at the extension, like getaddrinfo or curl, fail. If I'm unsetting this variable (includeAllNetworks = false) then I can connect without a problem. In addition I can see those lines at the Xcode Console:
Connection 2: encountered error(1:53)
Connection 3: encountered error(1:53)
Connection 1: encountered error(1:53)
And those lines at the Console:
No mDNS_Keepalive for interface en8/IOSkywalkLegacyEthernetInterface kr 0xE00002C0
NetWakeInterface: en8 <private> no WOMP
uDNS_CheckCurrentQuestion: host unreachable error for DNS server <private> for question failed to send packet on InterfaceID 0x5 en8/4 to <private>:53 skt 74 error -1 errno 65 (No route to host)
I work on an iOS VPN app, and we're having some problems with the interaction between MMS and the includeAllNetworks flag. When the includeAllNetworks flag is on, MMS sending fails. I believe this is because iOS is trying to go outside the VPN tunnel and over cellular and is using the cellular network's default DNS lookup for the MMS server (in a sample case we've been using for testing, mms.msg.eng.t-mobile.com). (Logs seem to show the phone dropping back to cellular even when it has a strong WiFi connection.) I believe iOS also chooses the cellular connection when making the request where the MMS packets are sent. And thus with includeAllNetworks active, iOS does not permit these packets through, causing the MMS send to fail. Does this explanation above seem accurate, and seem like why MMS isn't working with the VPN active? We've been debugging via Console logs, and can see the DNS request fail, but have limited insight into the lower level parts of the networking stack. Does includeAllNetworks
Is it possible to have both 'includeAllNetworks' and split-tunnel simultaneously? I want to enable a split tunnel so only some of the traffic will reach the tunnel, but at the same time, to make sure that the above traffic will always reach the tunnel - even if it's coming from some low-level networking API or even if the traffic started before creating the tunnel. Setting the 'includeAllNetworks' flag will help with the above cases, but then I'll get all the traffic via the tunnel without consideration in the split tunnel configuration. (Details: System-extension, PacketTunnelProvider)
I've been looking at adding includeAllNetworks to our Network Extension VPN (Packet Tunnel Provider). We do some authentication in the app and then start the VPN. All connections in the VPN extension are done by IP address, so there is no name resolution required. The connection setup in the VPN extension involves some HTTP GETs & responses. I'm seeing a couple of problems. It looks like includeAllNetworks has to be set on the VPN configuration when it's defined. Is that correct? When I try setting it at other points, either in the NEPacketTunnelProvider protocolConfiguration or in the NEVPNManager protocol configuration, it has no effect. The protocol itself appears to be inaccessible. When I set it in the NEVPNManager's protocolConfiguration before I start the connection it shows includeAllNetworks as set, but when I start the connection the nesessionmanager debug output shows that it's not set in the protocol and it's not in effect. Is there any way to set this on-the-fly?
Hi, I would like to enable the includeAllNetworks setting in a personal VPN product. If a transparent proxy of another macOS security product (i.e. Avast Security, Cisco AnyConnect) is enabled, the VPN session fails to connect with an error message:
nesessionmanager: Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession[...] due to Enterprise VPN session NESMTransparentProxySession[...] (status 3)
nesessionmanager: [com.apple.networkextension:] NESMIKEv2VPNSession[Primary Tunnel:...]: Rejected start command from AVG Secure VPN[3332]
The startVPNTunnel method however doesn't return any error. The product needs to wait until its internal connection timer expires, call stopVPNTunnel and then the NEVPNStatus changes from disconnected to disconnecting followed by disconnected. Is there a way to programmatically detect the error or transparent proxy presence?
I've implemented a custom VPN app for macOS (Packet Tunnel Provider). I've added to the protocol configuration the flag 'includeAllNetworks'. For some reason, there are multiple times where the initial connection to the VPN fails. I'm using sockets, the getaddrinfo func, and libcurl. But when this flag is set, it seems that there's no internet access, even before the first connection of the VPN. The weird thing is that sometimes the VPN connects without a problem. Without this flag the VPN always connects without a problem. Are there any limitations I should know regarding using this flag?
Hi, I saw that almost each OS version, on iOS and macOS, handles changing includeAllNetworks while the tunnel is running differently. On some the entire OS reports no-net, while others, especially the latest versions, handle this fine. Can includeAllNetworks be changed while the tunnel is running, or must the tunnel be stopped and restarted with the new value? e.g. the tunnel is started with it set to false, but later it is changed to true in the VPN profile. And on the same note, regarding setTunnelNetworkSettings, can this be called multiple times while the tunnel is running? For example if the VPN server IP changes. Because what I've seen is that each call to setTunnelNetworkSettings after the VPN connected results in at least DNS leaks, because the routing table is recreated. Let me know if it is easier to track to create separate questions. Thanks
Hi all, I'm working on deploying a VPN for users of our enterprise app, using the built-in IKEv2 provider (configured either by a configuration profile or an app). I'm struggling to get the user experience right and was curious to hear if the behaviors I'm observing have been seen by other developers. The main behavior I am observing is that the client tends to randomly disconnect, and it does not attempt to reconnect. This is particularly problematic when paired with the includeAllNetworks option.
Paired with includeAllNetworks:
- The device does not attempt to reconnect the tunnel
- Once the tunnel disconnects, onDemandRules don't seem to evaluate. Even if a NEOnDemandRuleConnect rule matches the current network, the connection does not reestablish.
- All network traffic remains blocked on both WiFi and Cellular (rendering any network-dependent app unusable) until the user intervenes and toggles the connection in the Settings app
This seems like a problematic user experience and I would be surpr
As described in a few threads here, it is not possible to set IncludeAllNetworks to true on NEVPNProtocolIKEv2 if there are any Enterprise VPNs with NEVPNProtocolIKEv2 enabled, even if they are not used at that moment. The problem I faced is that the system does not have any other VPN configs listed in System Preferences - Network, but the connection still can't be established, with the error: Failed to register Personal IncludeAllNetworks VPN Session NESMIKEv2VPNSession due to Enterprise VPN session NESMVPNSession. Is there any other place in the system where VPN configs can be found?
Hello, We are facing what we believe is a compatibility issue with two networking APIs. If the Network Extension VPN configuration has the includeAllNetworks flag enabled and the NEHotspotHelper is registered, the user has an internet connection but it is blocked, and the user will get internet back only after restarting the device. The VPN configuration is as below while connecting to the VPN:
{
localizedDescription = WLVPN WireGuard Configuration
enabled = YES
protocolConfiguration = {
serverAddress = <18-char-str>
passwordReference = {length = 20, bytes = 0x67656e70ed0d05c06b1b4896bf4fef2031e1a92d}
disconnectOnSleep = NO
includeAllNetworks = YES
excludeLocalNetworks = YES
excludeCellularServices = YES
excludeAPNs = YES
excludeDeviceCommunication = YES
enforceRoutes = NO
providerBundleIdentifier = com.wlvpn.ios.consumervpn.network-extension
}
onDemandEnabled = NO
onDemandRules = ()
}
After running the code shown below. Regardless of whether the VPN is connected or not, the user needs to restart his devic
When setting up a packet tunnel with a profile that has includeAllNetworks set to true, we seemingly cannot send any traffic inside the tunnel using any kind of an API. We've tried using BSD sockets, as we ping a host only reachable within the tunnel to establish whether we have connectivity - this does not work. When using NWConnection from the Network framework and specifying the required interface via virtualInterface from the packet tunnel, the connection state never reaches ready. Our interim solution is to, as ridiculous as it sounds, include a whole userspace networking stack so we can produce valid TCP packets just to send into our own tunnel. We require a TCP connection within our own tunnel to do some configuration during tunnel setup. Is there no better solution?
Hi, I have a problem with the VPN profile on macOS 13 with some custom VPN protocol. I've run the VPN application when I had macOS 12.x. The application worked fine and created the system configuration. Then I updated the OS to 13. After the update I'm not able to connect to the VPN when includeAllNetworks=true. The defaultPath is always unsatisfied, so the tunnel is not able to connect to the VPN server. The system routes seem to be ok using netstat and route. If the VPN is started with includeAllNetworks=false it works. In the logs I've seen that when includeAllNetworks=true, nesessionmanager prints the following errors:
error 08:01:59.652919+0100 nesessionmanager -[NESMVPNSession setDefaultDropAll]: VPN addLocalNetworksExceptionWithOrder failed for Control priority
error 08:01:59.653105+0100 nesessionmanager VPN-includeAllNetworks evaluateConfiguration failed
error 08:01:59.653479+0100 nesessionmanager -[NESMVPNSession setDefaultDropAll]: VPN addLocalNetworksExceptionWithOrder failed for Hig
I am trying to set the includeAllNetworks flag right now and I see some weird behaviors from the macOS system:
default 13:32:50.825941+0800 ***** newStatus = Connecting...
default 13:32:51.816353+0800 ***** newStatus = Disconnected
default 13:32:52.222371+0800 ***** newStatus = Connected
The app which is observing the VPN status gets notified with the disconnected status between connecting and connected. And in some cases I find that the app will never get the connected notification after disconnected. In that case the tunnel interface and all tunnel network settings are well set. But our UI logic will just handle the disconnected case. If I just clear the includeAllNetworks flag, then everything is fine.
default 14:13:50.075947+0800 ***** newStatus = Connecting...
default 14:13:50.829195+0800 ***** newStatus = Connected
The test environment is macOS 14.0 and I am using the Network Extension framework for the status KVO. So I am just wondering if this is expected behavior or not. If this is expected, then is there any
^^ correction in the includeAllNetworks's link We have not enabled includeAllNetworks, and also as per doc, it is disabled/false by default. I also tried setting it false explicitly but no luck.
Finally we could resolve the MDM profile network-broken issue (MDM profile having a VPN payload) by setting IncludeAllNetworks to 0.
IncludeAllNetworks 0