Private Relay interferes with NetworkExtension, breaks port 80 traffic

I have a VPN app that uses a tunnel to route traffic, and I'm finding that port 80 traffic cannot be routed when Private Relay is enabled. Oddly, it's just port 80 traffic. HTTP traffic over 8080 or other ports still works fine.

Specifically, connecting the socket using the connect() function for a port 80 address always returns the same error "No route to host".

According to the Packet Tunnel Provider documentation (https://developer.apple.com/documentation/networkextension/packet_tunnel_provider?language=objc):

When a VPN configuration is active, connections use the VPN instead of iCloud Private Relay. Network Extension providers also don’t use iCloud Private Relay.

This is not the behavior that we are seeing. As soon as I disable Private Relay on the device, the port 80 traffic flows correctly and there are no more errors. We already tried excluding the Private Relay servers from the tunnel, but that didn't have any impact on this issue. Is there anything else we could try to work around this?

So far we've tested with iOS 15 beta versions through beta 4. Also tested on developer versions as well as public beta.

  • Through beta 5 now, same result.


Replies

Seeing this as well, and with iOS 15 GM.

However, we discovered that the "no route to host" error is only occurring with sockets, i.e. not with NWTCPConnection. Unfortunately, there are reasons we need to use sockets directly (e.g. setting socket options, binding to the network interface, etc.), so this is not a viable solution.

Can someone at Apple provide guidance on what we can do about this?

  • Yes, this is exactly what I'm seeing. I filed a Feedback report and worked with Apple to provide a packet trace and sysdiagnose logs. The report still says that there are no other similar reports filed. I think it would help if you file a report as well.


Still going back and forth on this issue. This does work perfectly fine as long as Private Relay isn't enabled.

For now, our alternate plan if we can't get this resolved is to tell our customers to turn off Private Relay. We'll add it to our help articles, customer service troubleshooting steps, chatbot, etc.

  • I'm seeing the very same issue with macOS Monterey (12.1), e.g. "curl -o/dev/null -v http://speedtest.tele2.net/1GB.zip" seems to be failing on the command line, as well as on Firefox and Chrome when Private Relay is enabled, but works on Safari.

    Still in beta.. works like beta. :)


Just re-tested as of iOS 15.3.1 and this issue doesn't appear to be there anymore for iOS.