Why does binding INADDR_ANY in a Network Extension not allow other apps to connect to it using localhost?

Hi,

I have an extension using NEPacketTunnelProvider. I need to bind both the LAN address and localhost so that other apps can connect to it and transfer data.

I found that if I bind INADDR_LOOPBACK, other apps on the phone can connect to it using localhost (127.0.0.1).

If I bind INADDR_ANY, other apps on the phone can connect to it using the LAN address but not localhost (127.0.0.1).

My question is: why can other apps on the phone not connect using localhost (127.0.0.1) when I bind INADDR_ANY?

Thank you.

NEPacketTunnelNetworkSettings:

  1. Exclude route: 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32, 239.255.255.250/32, fc00::/7, fe80::/10, ff02::c/128, ff05::c/128, ff08::c/128, ff0e::c/128
  2. Include route: [NEIPv4Route defaultRoute]
  3. NEProxySettings with HTTPEnabled and HTTPSEnabled to localhost (a http server)
  4. NEProxySettings exception list: 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32, localhost, *.local, captive.apple.com
  5. NEProxySettings excludeSimpleHostnames: YES
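The settings listed above, written out as an added Swift example (not the poster's code). It assumes a tunnel address of 10.8.0.2/24, a remote address of 203.0.113.1 and a local proxy listener on 127.0.0.1:8080, all constructed for illustration; only the IPv4 excluded routes are shown, the IPv6 ones would go into NEIPv6Settings.excludedRoutes the same way.

```swift
import NetworkExtension

// Hypothetical helper that builds the NEPacketTunnelNetworkSettings described
// in the question. Addresses and the proxy port are constructed assumptions.
func makeTunnelSettings(proxyPort: Int = 8080) -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.1")

    let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
    // 2. Include route: everything is sent into the tunnel by default.
    ipv4.includedRoutes = [NEIPv4Route.default()]
    // 1. Exclude route: RFC 1918, loopback, link-local, broadcast and SSDP
    //    multicast stay on the physical interface instead of entering the tunnel.
    let excluded: [(String, String)] = [
        ("192.168.0.0",     "255.255.0.0"),
        ("127.0.0.0",       "255.0.0.0"),
        ("169.254.0.0",     "255.255.0.0"),
        ("10.0.0.0",        "255.0.0.0"),
        ("172.16.0.0",      "255.240.0.0"),
        ("255.255.255.255", "255.255.255.255"),
        ("239.255.255.250", "255.255.255.255"),
    ]
    ipv4.excludedRoutes = excluded.map { NEIPv4Route(destinationAddress: $0.0, subnetMask: $0.1) }
    settings.ipv4Settings = ipv4

    // 3. HTTP and HTTPS proxy pointing at the extension's own listener on localhost.
    let proxy = NEProxySettings()
    let server = NEProxyServer(address: "127.0.0.1", port: proxyPort)
    proxy.httpEnabled = true
    proxy.httpServer = server
    proxy.httpsEnabled = true
    proxy.httpsServer = server
    // 4. Exception list: destinations matched here bypass the proxy entirely.
    proxy.exceptionList = [
        "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
        "172.16.0.0/12", "255.255.255.255/32", "localhost", "*.local",
        "captive.apple.com",
    ]
    // 5. Single-label hostnames (no dot in the name) also bypass the proxy.
    proxy.excludeSimpleHostnames = true
    settings.proxySettings = proxy

    return settings
}
```

These settings are what the provider hands to `setTunnelNetworkSettings(_:completionHandler:)`; note that the 127.0.0.0/8 exclusion and the `localhost` proxy exception only affect routing and proxy selection for traffic leaving apps, not which addresses a listener inside the extension can be reached on.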

Replies

How are your NEPacketTunnelNetworkSettings configured and why do you need other apps on the device to connect to localhost?

  • Thanks. I added the NEPacketTunnelNetworkSettings to my post. I allow other apps to connect to my port on localhost in order to force the app's traffic to the server (if the app allows setting a proxy).


I allow other apps to connect to my port on localhost in order to force the app's traffic to the server.

Instead of doing this, why not just claim the destination IP of the route in question, or go full per-app VPN, and that way you do not have to run a localhost listener in your app. See TN3120: Expected use cases for Network Extension packet tunnel providers.

  • It's just normal VPN software, nothing to do with MDM, and I do not know the software or the destination IP: lots of apps allow setting the proxy in-app, but I do not know which one the user is using. My question is why the Network Extension runtime is different from the normal world. Thanks.


You essentially have a few options here. Go full-tunnel VPN, in which you could claim all the routes on your system by hand, or go with the includeAllNetworks flag on NETunnelProviderProtocol. Or you could go with per-app VPN and claim traffic for specific apps. Having apps connect to a listener so that you can route their traffic through the VPN is not the way to go here.