NEPacketTunnelProvider route traffic

Hi,


I've been attempting to create an app that can read in user traffic and then route it normally.


Essentially, I've been using NEPacketTunnelProvider with a test linux server as a VPN, and have been routing traffic through that. I can successfully perform traffic routing with this client/server setup.


Now what I want is to perform this without the server.


I've been successful with performing DNS requests and getting back responses, and I've confirmed this using Wireshark. What I don't understand is why there are no subsequent requests leading to an HTTP/s request being generated and getting passed into the TunnelProvider. Instead, more DNS requests are being fired as if the client never got the response.


I'm passing back the response data into the packetFlow object, with IP and UDP headers that I construct manually since the UDPSession object strips those headers off, and I'm matching the data as much as I can with how it would be had I still had the linux server. The only aspects I can't replicate would be the TTL and packet ID, but they shouldn't have any significant effect so I generate them randomly.


Despite the IP and port information being correct, the client phone never seems to process the response packets. This never happens when using the client/server structure for the VPN. I don't understand what difference is preventing the phone from reading those response packets.
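The post above describes hand-building IPv4 and UDP headers around a DNS response before handing it back to the packet flow. The following is an added example (not the original poster's code, and written in Python rather than Swift so it can be run anywhere) of what that construction has to get right for a receiving IP stack to accept the datagram: a correct IPv4 header checksum, a UDP checksum computed over the pseudo-header (or zero, which means "not computed" over IPv4), consistent length fields, and source/destination addresses and ports swapped relative to the query. The DNS query packet, the addresses (10.0.0.2, 8.8.8.8) and the answer address are all constructed for the example; on iOS the bytes returned by `reply_packet` are what would be passed to `packetFlow.writePackets(_:withProtocols:)` with `AF_INET`.

```python
import socket
import struct


def _ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~_ones_complement_sum(data)) & 0xFFFF


def build_ipv4_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                   payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Wrap payload in a UDP header and an IPv4 header with both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    # UDP checksum covers a pseudo-header (addresses, zero, protocol 17, length) plus the datagram.
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    udp_no_ck = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    udp_ck = checksum(pseudo + udp_no_ck + payload) or 0xFFFF  # RFC 768: computed zero is sent as all ones
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, udp_ck)
    # IPv4 header: version 4 / IHL 5, DF set, no options; checksum computed with the field zeroed.
    ip_no_ck = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ident, 0x4000, ttl, 17, 0, src, dst)
    ip_hdr = ip_no_ck[:10] + struct.pack("!H", checksum(ip_no_ck)) + ip_no_ck[12:]
    return ip_hdr + udp_hdr + payload


def verify_ipv4_udp(packet: bytes) -> dict:
    """Parse an IPv4/UDP datagram and validate it the way a receiving stack would."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    udp = packet[ihl:total_len]
    src_port, dst_port, udp_len, udp_ck = struct.unpack("!HHHH", udp[:8])
    pseudo = packet[12:20] + struct.pack("!BBH", 0, proto, udp_len)
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "protocol": proto,
        "total_length": total_len,
        # A valid header sums to 0xFFFF when the checksum field itself is included.
        "ip_checksum_ok": _ones_complement_sum(packet[:ihl]) == 0xFFFF,
        "src_port": src_port,
        "dst_port": dst_port,
        # Zero means "no checksum" over IPv4 and is accepted; anything else must verify.
        "udp_checksum_ok": udp_ck == 0 or _ones_complement_sum(pseudo + udp) == 0xFFFF,
        "payload": udp[8:udp_len],
    }


def dns_a_query(txid: int, name: str) -> bytes:
    """Constructed sample query: standard recursive A lookup for name."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def dns_a_response(query: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Answer a single-question A query: same ID, QR/RD/RA set, question echoed, one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    pos = 12
    while query[pos] != 0:          # walk the QNAME labels
        pos += query[pos] + 1
    pos += 5                        # terminating zero + QTYPE + QCLASS
    question = query[12:pos]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Name pointer to offset 12 (the question), type A, class IN, TTL, RDLENGTH 4, address.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def reply_packet(query_packet: bytes, answer_ip: str) -> bytes:
    """Given the IPv4/UDP packet the phone emitted, build the packet a resolver would send back."""
    q = verify_ipv4_udp(query_packet)
    if q["protocol"] != 17 or q["dst_port"] != 53:
        raise ValueError("not a DNS query over UDP")
    dns = dns_a_response(q["payload"], answer_ip)
    # Swap addresses and ports so the reply appears to come from the resolver that was asked.
    return build_ipv4_udp(q["dst"], q["src"], q["dst_port"], q["src_port"], dns)


if __name__ == "__main__":
    query = build_ipv4_udp("10.0.0.2", "8.8.8.8", 53210, 53, dns_a_query(0x1234, "example.com"))
    print(reply_packet(query, "93.184.216.34").hex())
```

`verify_ipv4_udp` is worth running against the packets written back to the tunnel: a response whose IP header checksum does not validate, or whose total length disagrees with the bytes handed over, is dropped by the stack before any socket sees it, with nothing visible in Wireshark to explain why.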

I don’t understand your goals here. How can you create a VPN tunnel without a VPN server?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I think what the original poster means is that they want to essentially emulate the VPN server, presumably for testing purposes—by generating the same (or equivalent) network traffic that would have been generated by the external server.

That's right NotMyName, thanks.


I want to perform this emulation using only APIs available on iOS, and without a need to create any logic outside of it. As you said eskimo, it wouldn't be an actual VPN tunnel in this case; not unless I were to somehow create a server/proxy on the iPhone and use a tunneling protocol through that.


For now I want to try this emulation, but I've only been successful in a fragment of its implementation. And I'd want to retain access to user traffic which is why I used the TunnelProvider APIs.

I want to perform this emulation using only APIs available on iOS, and without a need to create any logic outside of it.

Understood. Alas, this isn’t something that I’m going to support. The packet tunnel provider architecture was designed to support… well… packet tunnels, and trying to use it for other things puts you well outside of its design parameters.

Sorry.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I would still be using it as a packet tunnel. It's just that routing logic would remain in the phone so a user would never have to worry about their traffic data being obtained by some vendor's external servers.


If it's still not acceptable even with that in mind, then how about constructing a server/proxy on the phone that the tunnel provider can route to, and have that server/proxy handle routing instead? I thought this might be another viable option with something along the lines of AppProxyProvider.

I would still be using it as a packet tunnel. It's just that routing logic would remain in the phone so a user would never have to worry about their traffic data being obtained by some vendor's external servers.

I’m very confused by this. If it’s a tunnel, it must tunnel to something.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"