VPN: excludedRoutes IPs are going via virtual adapter

[iOS 17] We are trying to configure the Tunnel Provider configuration below, and we are saving it in the NETunnelProviderManager preferences before calling startTunnelWithOptions:

    tunnelProvider.protocolConfiguration.includeAllNetworks = YES;
    tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO;
    tunnelProvider.protocolConfiguration.enforceRoutes = NO;

We are adding an IP to excludedRoutes that belongs to the server address [10.97.6.244]. Please refer to the network settings for the VPN below:

    IPv4Settings = {
    configMethod = manual
    addresses = (
        10.97.4.188,
    )
    subnetMasks = (
        255.255.255.255,
    )
    includedRoutes = (
        {
            destinationAddress = 0.0.0.0
            destinationSubnetMask = 0.0.0.0
        },
    )
    excludedRoutes = (
        {
            destinationAddress = 10.97.6.244
            destinationSubnetMask = 255.255.255.255
        },
    )
    overridePrimary = NO
    }

Issue: when we try to access the server address, it gets tunneled; because of that, a few of our APIs return failures and we are unable to connect to the VPN.

Expected results: excludedRoutes IPs should go via the physical interface.

STEPS TO REPRODUCE

  1. Configure the VPN packet tunnel provider configuration as mentioned above and add some IPs to excludedRoutes
  2. Save the configuration to the NETunnelProviderManager preferences using “saveToPreferencesWithCompletionHandler”
  3. Try to connect to the VPN
  4. excludedRoutes are tunneled via the virtual adapter

Replies

The relationship between includeAllNetworks and the routing properties (includedRoutes and excludedRoutes) is complex. Our expectation is that a full tunnel, one that sets includeAllNetworks, would not also set the routing properties. That’s the case that we fully support.

If you also set enforceRoutes then the system might do what you want, that is, honour the routing properties even though you’ve set includeAllNetworks. However, I discussed your situation with the folks who work on this stuff and they tell me that this isn’t an option that we officially support. It might work, it might not.

Try this out and reply back here with the results. I’m curious.

Also, if this configuration is important to you then I recommend that you file a bug report with details about your use case. Please post your bug number, just for the record.

You should do this even if the setup currently works. In that case we’ll use your bug as an indicator that folks are relying on this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
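The two configurations discussed above, as an added example written for this thread rather than code from the original post or from Apple. It builds the provider-side NEPacketTunnelNetworkSettings from the post and the app-side NETunnelProviderManager configuration in two shapes: the full tunnel the reply calls fully supported (includeAllNetworks with no routing properties), and the experiment the reply suggests (enforceRoutes set alongside includeAllNetworks, with the server's /32 in excludedRoutes). The bundle identifier, the TunnelShape enum and the helper names are assumptions; the addresses are the ones in the post. Each excluded route is a deliberate hole in a full tunnel, so keep the list to the /32s that genuinely must bypass the VPN and confirm on the device which shape is actually in effect.

```objc
// Added example (not code from the original post or from Apple). Shows the two
// configuration shapes from the thread. Bundle identifier, enum and helper names
// are assumptions for illustration; addresses come from the post.
@import NetworkExtension;

typedef NS_ENUM(NSInteger, TunnelShape) {
    TunnelShapeSupportedFullTunnel,   // includeAllNetworks, no routing properties
    TunnelShapeExperimentalExcludes,  // includeAllNetworks + enforceRoutes + excludedRoutes
};

static NSString * const kTunnelServer  = @"10.97.6.244";  // server address from the post
static NSString * const kClientAddress = @"10.97.4.188";  // client address from the post

// Provider side: build the settings that startTunnelWithOptions:completionHandler:
// passes to setTunnelNetworkSettings:completionHandler:.
static NEPacketTunnelNetworkSettings *MakeNetworkSettings(TunnelShape shape) {
    NEPacketTunnelNetworkSettings *settings =
        [[NEPacketTunnelNetworkSettings alloc] initWithTunnelRemoteAddress:kTunnelServer];

    NEIPv4Settings *ipv4 =
        [[NEIPv4Settings alloc] initWithAddresses:@[kClientAddress]
                                      subnetMasks:@[@"255.255.255.255"]];
    // 0.0.0.0/0 through the tunnel, as in the post.
    ipv4.includedRoutes = @[[NEIPv4Route defaultRoute]];

    if (shape == TunnelShapeExperimentalExcludes) {
        // A /32 hole for the server. Per the reply above, combining this with
        // includeAllNetworks is not an officially supported configuration.
        ipv4.excludedRoutes = @[[[NEIPv4Route alloc] initWithDestinationAddress:kTunnelServer
                                                                      subnetMask:@"255.255.255.255"]];
    }
    settings.IPv4Settings = ipv4;
    return settings;
}

// App side: the NETunnelProviderManager configuration that must be saved to
// preferences before the tunnel is started.
static void ConfigureAndStart(TunnelShape shape, void (^completion)(NSError * _Nullable)) {
    [NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:
     ^(NSArray<NETunnelProviderManager *> * _Nullable managers, NSError * _Nullable loadError) {
        if (loadError) { completion(loadError); return; }

        NETunnelProviderManager *manager =
            managers.firstObject ?: [[NETunnelProviderManager alloc] init];

        NETunnelProviderProtocol *proto = [[NETunnelProviderProtocol alloc] init];
        proto.providerBundleIdentifier = @"com.example.app.PacketTunnel";  // assumption
        proto.serverAddress = kTunnelServer;
        proto.includeAllNetworks = YES;   // full tunnel: all traffic must use the VPN
        proto.excludeLocalNetworks = NO;
        // The supported shape leaves enforceRoutes at its default (NO) and sets no
        // routing properties; the experiment from the reply turns it on.
        proto.enforceRoutes = (shape == TunnelShapeExperimentalExcludes);

        manager.protocolConfiguration = proto;
        manager.localizedDescription = @"Example full tunnel";
        manager.enabled = YES;

        [manager saveToPreferencesWithCompletionHandler:^(NSError * _Nullable saveError) {
            if (saveError) { completion(saveError); return; }
            // Reload so manager.connection reflects the configuration just saved.
            [manager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable reloadError) {
                if (reloadError) { completion(reloadError); return; }
                NSError *startError = nil;
                [manager.connection startVPNTunnelWithOptions:nil andReturnError:&startError];
                completion(startError);
            }];
        }];
    }];
}
```

MakeNetworkSettings runs inside the packet tunnel extension and ConfigureAndStart in the containing app; both must be given the same TunnelShape for the test to be meaningful. Whether the experimental shape honours excludedRoutes is, per the reply, not guaranteed, so try both shapes on the target iOS version and record which path the server traffic actually takes before relying on it.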

Please refer to this

That seems like a different issue to me. Specifically, in this case you’re setting includeAllNetworks, and in that other thread you’re not.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"