How to configure PacketTunnelProvider settings

Hello!

If I set only the remote address, then the packet tunnel provider does not intercept packets at all. The Internet works.

If I add ipv4Settings, then the packet tunnel provider catches some packets. If I open something on the web beforehand and quickly start the packet tunnel provider, it sees leftover packets. The Internet does not work.

If I set DNS settings, then the tunnel starts receiving DNS queries for "apple.com" and "icloud.com". I guess that's not right. The Internet does not work.

How do I set everything right?

=============

My settings:

import NetworkExtension

// `address` is the VPN server's address, defined elsewhere in the provider
let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: address)

// Tunnel interface gets a single host address
settings.ipv4Settings = NEIPv4Settings(addresses: ["172.16.200.10"], subnetMasks: ["255.255.255.255"])
// Claim the default route (full tunnel) ...
settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]
// ... but keep private (RFC 1918) networks outside the tunnel
settings.ipv4Settings?.excludedRoutes = [
    NEIPv4Route(destinationAddress: "192.168.0.0", subnetMask: "255.255.0.0"),
    NEIPv4Route(destinationAddress: "10.0.0.0", subnetMask: "255.0.0.0"),
    NEIPv4Route(destinationAddress: "172.16.0.0", subnetMask: "255.240.0.0")
]

// Resolver used inside the tunnel; [""] makes it the primary resolver for all queries
settings.dnsSettings = NEDNSSettings(servers: ["8.8.8.8", "8.8.4.4"])
settings.dnsSettings?.matchDomains = [""]
settings.mtu = 1400

  • I hope the additions about the Internet are helpful. I know that even if the packet tunnel provider starts gathering packets, I will need a working VPN server to access the web.


Replies

Maybe I should set something up for my NETunnelProviderManager, besides the basic options?

How do I set everything right?

It depends on what your actual goals are, and you’ve not given us any info on that front. What are you trying to do with your packet tunnel provider?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Develop VPN as a pet project

OK, that’s perhaps a too high-level description of your goals (-:

I’m looking for information about what packets you want to be routed through your VPN. Are you creating a split tunnel? Or a full tunnel? And you talked a lot about DNS, so I’m curious if you’re trying to do something special with that?

ps If you’re struggling to answer these questions, I recommend that you read TN3120 Expected use cases for Network Extension packet tunnel providers.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Do use a packet tunnel provider to secure network access while on an insecure network. For example, use NEPacketTunnelProvider to implement an iOS or macOS VPN client that tunnels network traffic through a public VPN service that provides access to the wider internet. Common techniques used to achieve this functionality include creating a full tunnel VPN that routes all traffic to the remote VPN server that then forwards the traffic to its final destination.

I guess that's what I am looking for: transfer (all allowed?) packets safely, using a full tunnel.

Actually, there's nothing special with DNS. It’s just that for a long time I couldn’t understand why the packet tunnel provider doesn’t see packets at all, and when I accidentally set the DNS settings, I was able to get at least some progress. That's why I mentioned it a lot.


Transfer … packets safely, using full tunnel.

To a VPN server that’s available on the public Internet?

Note that there are two ways to achieve a full tunnel:

  • Claim the default route.

  • Do that and also set includeAllNetworks.

The latter is tricky [1], and I recommend that you not attempt it until you’ve got more experience with this stuff.

Actually, there's nothing special with DNS.

From our perspective there’s a bunch of stuff special about DNS. If you’re building a VPN product, I recommend that you avoid trying to make assumptions about DNS because those are likely to break.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] For example, it can break the network interface required to talk to Xcode. See TN3158 Resolving Xcode 15 device connection issues.

To a VPN server that’s available on the public Internet?

Yes

=====================

Actually, there's nothing special with DNS.

From our perspective there’s a bunch of stuff special about DNS. If you’re building a VPN product, I recommend that you avoid trying to make assumptions about DNS because those are likely to break.

I am sorry, that's not what I meant. I tried describing why I mentioned DNS a lot. I did not try to downplay DNS.

=====================

What about split tunneling? How do I configure the packet tunnel provider if I want to allow users to access the VPN resources while using their own local Internet connection for web traffic?

If I want to allow users to access the VPN resources while using their own local Internet connection for web traffic

Standard practice for that case is for your provider to list the networks ‘behind’ the VPN in the includedRoutes property. Typically the VPN protocol lets the client get the list of networks from the server, so you don’t have to hard code that in your client.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
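The two configurations discussed in this thread side by side, as an added example that is not code from the original posts or from Apple: a full tunnel that claims the default route (the first of the two approaches above, without includeAllNetworks), and a split tunnel that lists only the networks "behind" the VPN in includedRoutes. The helper names (TunnelMode, makeTunnelSettings), the addresses, and the route list are assumptions; in a real client the routes and resolver would come from the VPN handshake with the server rather than being hard-coded.

```swift
import NetworkExtension

// Hypothetical helper types, not part of Network Extension.
enum TunnelMode {
    /// Full tunnel: claim the default route so all traffic enters the provider.
    case full
    /// Split tunnel: only the listed networks (typically sent by the server) are routed in.
    case split(routes: [NEIPv4Route])
}

/// Builds the network settings handed to setTunnelNetworkSettings(_:completionHandler:).
/// - remoteAddress:  the VPN server the tunnel talks to
/// - tunnelAddress:  the client's address on the tunnel interface
/// - dnsServers:     resolvers reachable through the tunnel
/// - internalDomains: for split mode, domains whose queries should use those resolvers
func makeTunnelSettings(remoteAddress: String,
                        tunnelAddress: String,
                        mode: TunnelMode,
                        dnsServers: [String],
                        internalDomains: [String] = []) -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: remoteAddress)

    let ipv4 = NEIPv4Settings(addresses: [tunnelAddress], subnetMasks: ["255.255.255.255"])
    switch mode {
    case .full:
        // Everything goes through the tunnel; the server then forwards to the real destination.
        ipv4.includedRoutes = [NEIPv4Route.default()]
    case .split(let routes):
        // Only traffic for the VPN's own networks is captured; the rest stays on the local path.
        ipv4.includedRoutes = routes
    }
    settings.ipv4Settings = ipv4

    let dns = NEDNSSettings(servers: dnsServers)
    switch mode {
    case .full:
        // An empty match domain makes the tunnel's resolver primary for all queries.
        dns.matchDomains = [""]
    case .split:
        // Only queries for the internal domains are sent to the tunnel's resolver.
        dns.matchDomains = internalDomains
    }
    settings.dnsSettings = dns
    settings.mtu = 1400
    return settings
}

class PacketTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Constructed sample values; a real client learns these from the server.
        let serverRoutes = [
            NEIPv4Route(destinationAddress: "10.8.0.0", subnetMask: "255.255.0.0")
        ]
        let settings = makeTunnelSettings(remoteAddress: "203.0.113.1",   // TEST-NET-3 placeholder
                                          tunnelAddress: "10.8.0.2",
                                          mode: .split(routes: serverRoutes),
                                          dnsServers: ["10.8.0.1"],
                                          internalDomains: ["corp.example"])

        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // Settings applied: packets matching includedRoutes now arrive on packetFlow.
            self.readLoop()
            completionHandler(nil)
        }
    }

    /// Reads captured packets; forwarding them to the server is the VPN protocol's job.
    private func readLoop() {
        packetFlow.readPackets { packets, protocols in
            for (packet, proto) in zip(packets, protocols) {
                // proto is AF_INET / AF_INET6 as an NSNumber; hand packet to the transport here.
                _ = (packet, proto)
            }
            self.readLoop()
        }
    }
}
```

Switching the mode argument to `.full` reproduces the original poster's situation: the default route is claimed, so the provider sees all traffic and nothing works until the server side actually forwards it. In split mode, traffic outside `serverRoutes` never enters the provider, which is why the local Internet connection keeps working even if the server is down.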