Network connectivity while VPN is connecting

Question

roee84 OP

Created Feb ’20

Replies 5

Boosts 0

Views 1.9k

Participants 3

I've implemented a VPN app with Packet Tunnel Provider for iOS/macOS.

When I'm trying to connect, and the VPN is at connecting state, all network connectivity is blocked.

But from the documentation of startTunnelWithOptions, it seems that the OS shouldn't block the connectivity until I call to the startTunnelWithOptions' completion block

When the Packet Tunnel Provider executes the completionHandler block with a nil error parameter,
it signals to the system that it is ready to begin handling network data.

What I want is to allow some URLs to be accessible even at the connection state, or ot another words - to exclude some routes even before I have the tunnel. Is it possible?

Boost

Answer 1

Systems Engineer OP

Apple

Feb ’20

Accepted Answer

I would expect that the network traffic is operational on the system until the VPN is connected and the default route can attempt to route the traffic.

One possibility is that the onDemandRule is delaying traffic on the system while attempting to establish the VPN tunnel. Test this with the onDemandRule disabled and this should provide you with a path to investigate further. If you see traffic active while the tunnel is established then you know the onDemandRule was delaying traffic.

Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

0

Answer 2

roee84 OP

Feb ’20

I just checked it, and it's correct.

If onDemand is disabled, there is traffic when the tunnel is established.

If onDemand is enabled, there isn't any trafic when the tunnel is established, even if I'm starting the tunnel myself, without waiting for the onDemandRule to trigger the VPN.

So thanks for the answer.

Should I open a bug for this? Or is it somehow the expected behavior?

0

Answer 3

Systems Engineer OP

Apple

Feb ’20

No problem. Glad to help out.

I would expect that this is working as intended. However, for further documentation, or to cover any possible edge case missed here it is always good to open up a bug anyways to provide further insight into these situations.

Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

0

Answer 4

DTS Engineer OP

Apple

Feb ’20

Or is it somehow the expected behavior?

Probably this.

Matt and I chatted about your question recently and we came up with scenario we’d like to outline. Imagine you’re volunteering as a sysadmin for the Waffle Varnish Cooperative™, who has a public web site

www.waffle-varnish.org

and a CRM system at

crm.waffle-varnish.org

. The latter is only available to staff over a VPN. You want to set up VPN On Demand so that when a staff member enters

crm.waffle-varnish.org

into a browser, it starts the VPN. In this case, the browser’s outgoing connection must be placed on hold until the VPN comes up. If not, the browser will fail to connect because

crm.waffle-varnish.org

isn’t available on the public Internet. The user will have to manually retry. This is clearly suboptimal.

Now think about what happens if you set up VPN On Demand too ‘wide’, for example, to cover all of

waffle-varnish.org

. Now the staff member’s connections to the public web site will be held up waiting for VPN On Demand, even though that’s not necessary.

Now, if VPN On Demand is holding up unrelated connections, that would definitely be bugworthy. But if it’s holding up connections that match the on demand rules, that’s the correct behaviour.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 5

roee84 OP

Feb ’20

Great, sounds now very reasonable to behave this way.

Thanks for both of you for the quick and helpful replies!

0