Hi,
I've built a basic NEPacketTunnelProvider that can successfully pass traffic from an iOS client to my VPN concentrator. I'm also able to configure the VPN tunnel to only route traffic to particular IPs or domains, just like I can with the built-in VPNs.
My question, though, is how I can inspect a packet from the packetFlow and then decide not to put that packet on my VPN tunnel. My core example is that I'd like to be able to identify latency- and bandwidth-sensitive traffic (like streaming video) and not pass this over the VPN, so that the user gets the best experience.
One solution I thought of was to dynamically update the excluded IPs and then drop the packets and have the client attempt to reconnect. This has two problems. The first is that some clients give up too easily. The second, and more concerning, is that the exclusion list will grow without bounds unless I carefully manage it. This seems error prone.
My second attempt was to try to use a raw socket, but, as other posters have discovered, the extension is not running as root and thus does not have permissions to create a raw socket.
So, my question: Is there a recommended way for the NEPacketTunnelProvider to choose to put some packets out the local interface (bond0) instead of the VPN tunnel?
Thanks,
-J
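As an added example that is not part of the original post, here is how the first approach the poster describes could be kept bounded inside a NEPacketTunnelProvider subclass: the provider reads the IPv4 destination of each packet from packetFlow, drops packets for destinations it decides to bypass, caps the exclusion list, and reasserts the tunnel settings through setTunnelNetworkSettings so those hosts are routed over the physical interface. Packets written back with packetFlow.writePackets are delivered to the local TCP/IP stack as inbound tunnel traffic rather than sent out of the physical interface, which is why route exclusion is the mechanism shown here. The class name, the tunnel and concentrator addresses, the cap of 64, and the shouldBypass and forwardToConcentrator hooks are assumptions for illustration, not anything from the post.

```swift
import Foundation
import NetworkExtension

final class BypassingTunnelProvider: NEPacketTunnelProvider {
    private var bypassed: [String] = []        // oldest first; evicted when full
    private let maxBypassed = 64               // assumed cap, tune per deployment
    private let concentrator = "203.0.113.10"  // placeholder, not a real address
    /// IPv4 destination of a packet as delivered by packetFlow (no link-layer header).
    static func ipv4Destination(_ p: Data) -> String? {
        guard p.count >= 20, p[p.startIndex] >> 4 == 4 else { return nil }
        let dst = p[(p.startIndex + 16) ..< (p.startIndex + 20)]
        return dst.map { String($0) }.joined(separator: ".")
    }
    /// Assumed policy hook: replace with your own latency/bandwidth classifier.
    func shouldBypass(destination: String, ipProtocol: Int) -> Bool { return false }
    /// Assumed transport hook: write these packets to your concentrator connection.
    func forwardToConcentrator(_ packets: [Data], protocols: [NSNumber]) {}

    /// Start this once startTunnel(options:completionHandler:) has succeeded.
    func readLoop() {
        packetFlow.readPackets { [weak self] packets, protos in
            guard let self = self else { return }
            var keep: [Data] = [], keepProtos: [NSNumber] = []
            for (packet, proto) in zip(packets, protos) {
                if let dst = Self.ipv4Destination(packet),
                   self.shouldBypass(destination: dst, ipProtocol: proto.intValue) {
                    self.exclude(dst)     // packet is dropped; the client retries
                } else {
                    keep.append(packet); keepProtos.append(proto)
                }
            }
            self.forwardToConcentrator(keep, protocols: keepProtos)
            self.readLoop()
        }
    }
    /// Add a host route to excludedRoutes and reassert settings; the list is capped.
    private func exclude(_ dst: String) {
        guard !bypassed.contains(dst) else { return }
        if bypassed.count >= maxBypassed { bypassed.removeFirst() }
        bypassed.append(dst)
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: concentrator)
        let v4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
        v4.includedRoutes = [NEIPv4Route.default()]
        v4.excludedRoutes = bypassed.map { NEIPv4Route(destinationAddress: $0, subnetMask: "255.255.255.255") }
        settings.ipv4Settings = v4
        setTunnelNetworkSettings(settings) { error in
            if let error = error { NSLog("route update failed: \(error.localizedDescription)") }
        }
    }
}
```

Evicting the oldest entry means a bypassed host can fall back onto the tunnel later, so a time-based or per-flow expiry may suit a real classifier better than the simple FIFO shown.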