Exclude Apps from NetworkExtension VPN by Bundle ID

I know it's already possible to inclusively establish a VPN connection with NETunnelPacketProvider by instantiating an NEAppRule for each of the processes I want included in the network connection, and setting that list as the appRules property (documented here). I'd like to know if there's a way to include all apps/processes by default, and only specify the processes that I'd like to exclude from the VPN connection.
I'd like to know if there's a way to include all apps/processes by default, and only specify the processes that I'd like to exclude from the VPN connection.
Not exactly, but there are a few related options on the table here:

- Per-App VPN with MDM. This will align your tunnel with only the apps that you wish to trigger the tunnel for and only allow that traffic through the tunnel by process. This is very similar to what is covered in NEAppRule's above.
- Creating a split tunnel for only the traffic you want to secure with your packet tunnel. This is similar to option one but is done via destination IP instead of process. This option also does not require MDM.
- If this is macOS then you could use a NETransparentProxyProvider and proxy all traffic on the system and then, when you see traffic you do not wish to proxy via bundle id, just hand it off to the system by returning false from handleNewFlow.

When using a NEPacketTunnelProvider, if the traffic gets to the tunnel, our APIs assume that you will send it out over the network and that is why it's best to create a split tunnel situation or a Per-App VPN configuration so that your unwanted traffic never reaches the tunnel.
Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
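The following Swift is a worked example added here; it is not code from the question, from the reply above, or from Apple. It shows the second and third options side by side: a packet-tunnel settings builder that only routes the listed destinations (and only the listed DNS domains) into the tunnel, and a NETransparentProxyProvider that claims every outbound flow on macOS and returns false from handleNewFlow for flows whose signing identifier is on an exclusion list, relaying the rest over a plain TCP connection. The names makeSplitTunnelSettings, ExclusionProxyProvider and the com.example bundle IDs are invented for the example; the NetworkExtension and Network calls are real APIs. It assumes a system extension with the network extension entitlement on macOS 11 or later for the proxy part.

```swift
import NetworkExtension
import Network

// Option 2, split tunnel: only `securedNetworks` are routed into the packet tunnel, so
// traffic from any app to other destinations never reaches the tunnel at all.
// Only IPv4 routes are set here; with no ipv6Settings, IPv6 keeps the system default
// route, so hosts that are also reachable over IPv6 need matching IPv6 routes.
func makeSplitTunnelSettings(tunnelServer: String,
                             tunnelAddress: String,
                             securedNetworks: [(address: String, mask: String)],
                             tunnelDNS: [String],
                             tunnelDomains: [String]) -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: tunnelServer)
    let ipv4 = NEIPv4Settings(addresses: [tunnelAddress], subnetMasks: ["255.255.255.255"])
    // Deliberately no NEIPv4Route.default(): that would pull everything into the tunnel.
    ipv4.includedRoutes = securedNetworks.map {
        NEIPv4Route(destinationAddress: $0.address, subnetMask: $0.mask)
    }
    settings.ipv4Settings = ipv4
    // Split DNS to match the split routes: only names under tunnelDomains are resolved by
    // the tunnel's resolvers, so internal names do not leak to the public resolver.
    let dns = NEDNSSettings(servers: tunnelDNS)
    dns.matchDomains = tunnelDomains
    settings.dnsSettings = dns
    return settings
}

// Option 3, macOS only: claim all outbound flows, then hand excluded apps back to the system.
class ExclusionProxyProvider: NETransparentProxyProvider {
    // Example exclusion list; a real provider would load it from its configuration.
    let excludedBundleIDs: Set<String> = ["com.example.videoconf", "com.example.backup"]
    private let queue = DispatchQueue(label: "exclusion-proxy")

    override func startProxy(options: [String: Any]?, completionHandler: @escaping (Error?) -> Void) {
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        // Match every outbound flow regardless of destination or protocol.
        settings.includedNetworkRules = [
            NENetworkRule(remoteNetwork: nil, remotePrefix: 0, localNetwork: nil, localPrefix: 0,
                          protocol: .any, direction: .outbound)
        ]
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }

    // The signing identifier comes from the process's code signature (the bundle ID for an
    // app). An empty identifier means an unsigned process, which is never bypassed.
    func shouldBypass(signingIdentifier: String) -> Bool {
        return !signingIdentifier.isEmpty && excludedBundleIDs.contains(signingIdentifier)
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        if shouldBypass(signingIdentifier: flow.metaData.sourceAppSigningIdentifier) {
            return false   // not ours: the system delivers this flow directly
        }
        // This example relays TCP only; UDP flows are declined and therefore also go direct.
        guard let tcp = flow as? NEAppProxyTCPFlow,
              let endpoint = tcp.remoteEndpoint as? NWHostEndpoint,
              let port = NWEndpoint.Port(endpoint.port) else { return false }
        relay(tcp, to: NWConnection(host: NWEndpoint.Host(endpoint.hostname), port: port, using: .tcp))
        return true
    }

    private func relay(_ tcp: NEAppProxyTCPFlow, to remote: NWConnection) {
        remote.stateUpdateHandler = { [weak self] state in
            switch state {
            case .ready:
                tcp.open(withLocalEndpoint: nil) { error in
                    guard error == nil else { remote.cancel(); return }
                    self?.pumpAppToRemote(tcp, remote)
                    self?.pumpRemoteToApp(remote, tcp)
                }
            case .failed, .cancelled:
                tcp.closeReadWithError(nil)
                tcp.closeWriteWithError(nil)
            default:
                break
            }
        }
        remote.start(queue: queue)
    }

    private func pumpAppToRemote(_ tcp: NEAppProxyTCPFlow, _ remote: NWConnection) {
        tcp.readData { data, error in
            guard let data = data, error == nil, !data.isEmpty else {
                // The app finished writing: half-close the remote side.
                remote.send(content: nil, contentContext: .finalMessage, isComplete: true, completion: .idempotent)
                return
            }
            remote.send(content: data, completion: .contentProcessed { sendError in
                if sendError != nil { tcp.closeReadWithError(sendError); return }
                self.pumpAppToRemote(tcp, remote)
            })
        }
    }

    private func pumpRemoteToApp(_ remote: NWConnection, _ tcp: NEAppProxyTCPFlow) {
        remote.receive(minimumIncompleteLength: 1, maximumLength: 65536) { data, _, isComplete, error in
            if let data = data, !data.isEmpty {
                tcp.write(data) { writeError in
                    if writeError != nil { remote.cancel(); return }
                    if isComplete { tcp.closeWriteWithError(nil) } else { self.pumpRemoteToApp(remote, tcp) }
                }
            } else if isComplete || error != nil {
                tcp.closeWriteWithError(nil)
            }
        }
    }
}
```

Two points worth keeping in mind with the proxy variant. First, the exclusion check keys on what the process's code signature claims as its identifier, so it is a policy convenience rather than an authentication of the app; if a bypass must be limited to a particular vendor's binary, verify the signature (for example its Team ID) from flow.metaData.sourceAppAuditToken before returning false. Second, returning true commits the provider to carrying the flow: every flow it accepts but never opens or relays simply hangs for the app, which is why the example declines anything it cannot relay instead of accepting it.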