I'm implementing a VPN using the Network Extension Framework.
I've recently noticed that our VPN was sometimes reporting as connected, but when I checked my IP address it would be my public one. This was a drastic change of behavior that didn't seem to be associated with any specific change we have made recently.
Originally I was trying to debug this issue in our App, but then I noticed that another VPN I'm using that's directly set up through System Settings in macOS (Ventura 13.5), and that is not running any of our code, is showing the same behavior.
In this case the VPN was set up through System Settings as an IKEv2 VPN, so there's no 3rd party vendor code running - just macOS doing its thing.
Both times I had this issue, the only thing that would fix it was rebooting the computer.
When checking netstat -nr -f inet, I noticed that the order of the default routes changed when the issue got resolved:
- When the VPN was connected but being ignored, the topmost route was en0, and the second route was ipsec.
- When the VPN was connected and working fine, the topmost route was ipsec, and the second route was en0.
The same routing difference was visible for our own VPN network extension.
Any thoughts about how I can debug this further?
Given that this is not affecting only our VPN, but is also affecting an unrelated VPN managed by macOS, it feels like it may be a macOS bug, but I'm not sure how to validate that.
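Added example (not part of the original post and not Apple's code): a small shell check that reads `netstat -nr -f inet` text and reports which interface holds the topmost default route, so the en0-before-ipsec ordering described above can be detected without waiting for an IP check. The function names, the `ipsec0` interface name and both sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample tables below are constructed, not captured output.

# Print the Netif of every IPv4 default route, in table order.
# stdin: text in the format of `netstat -nr -f inet`.
default_route_ifs() {
    awk '
        $1 == "Destination" {            # header row: locate the Netif column
            for (i = 1; i <= NF; i++) if ($i == "Netif") col = i
            next
        }
        $1 == "default" && col { print $col }
    '
}

# Exit 0 if the topmost default route uses an interface starting with $1.
vpn_is_primary() {
    [ -n "$1" ] || return 2
    first=$(default_route_ifs | sed -n 1p)
    case "$first" in
        "$1"*) return 0 ;;
        *)     return 1 ;;
    esac
}

sample_broken() { cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
default            link#20            UCSIg          ipsec0
127                127.0.0.1          UCS               lo0
EOF
}

sample_working() { cat <<'EOF'
Internet:
Destination        Gateway            Flags           Netif Expire
default            link#20            UCSg           ipsec0
default            192.168.1.1        UGScIg            en0
127                127.0.0.1          UCS               lo0
EOF
}

for s in sample_broken sample_working; do
    if $s | vpn_is_primary ipsec; then echo "$s: VPN route is first"
    else echo "$s: first default route is $($s | default_route_ifs | sed -n 1p)"; fi
done
```

On a live system, `netstat -nr -f inet | vpn_is_primary ipsec` can be run on a timer while the VPN reports connected, logging a timestamp whenever it returns non-zero, to pin down when the route order flips.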