NEPacketTunnel Provider Leaking Traffic

We are using an NEPacketTunnelProvider for our custom VPN solution, and in doing so we set NEPacketTunnelNetworkSettings with IPv4 and IPv6 default routes. We then set DNS:

 networkSettings.dnsSettings?.matchDomains = [""]

However, apps like FaceTime still go around the VPN.

Once you call setTunnelNetworkSettings, is there no way to ask the system to return the currently saved configuration?

While testing, I've also tried turning off IPv6 on my home network and on cell data to force all traffic onto my IPv4 default routes.

I've seen FaceTime work in one session, relaunched the app, and never again.

Note: includeAllNetworks does work, but comes with a lot of downsides too. Our goal is to securely and redundantly help with video calls, streaming apps, etc.

Answered by DTS Engineer in 790238022

If you’re concerned about ‘leaking’ traffic then your best path forward is to set includeAllNetworks. You can find more on this in Routing your VPN network traffic.

IMPORTANT It’s likely that you’ll want to exclude some traffic, otherwise you can break things like Xcode debugging!

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
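To make the two halves of this exchange concrete, here is an added example (not the poster's code and not Apple sample code) of the configuration under discussion: a provider that claims the IPv4 and IPv6 default routes and sets matchDomains = [""], as in the question, and the container-app side that turns on includeAllNetworks with the exclusions the answer alludes to. The tunnel addresses, the server name and the bundle identifier are placeholders, and the packet read loop is left out.

```swift
import NetworkExtension

// Added example, not the poster's code. Addresses, the bundle identifier and the
// server name are placeholders.

final class PacketTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // tunnelRemoteAddress is the tunnel server; NE installs a host route for it
        // on the physical interface so the tunnel's own packets are not routed
        // back into the tunnel.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.1")

        // Claim the IPv4 and IPv6 default routes, as in the question. This only
        // captures traffic that would have used the default route.
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
        ipv4.includedRoutes = [NEIPv4Route.default()]
        settings.ipv4Settings = ipv4

        let ipv6 = NEIPv6Settings(addresses: ["fd00:1234::2"], networkPrefixLengths: [64])
        ipv6.includedRoutes = [NEIPv6Route.default()]
        settings.ipv6Settings = ipv6

        // An empty string in matchDomains means every domain resolves through the
        // tunnel's DNS servers.
        let dns = NEDNSSettings(servers: ["10.8.0.1"])
        dns.matchDomains = [""]
        settings.dnsSettings = dns
        settings.mtu = 1280

        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // Start the packetFlow read loop here before reporting success.
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}

/// Container-app side. The leak protection the answer recommends lives on the
/// protocol configuration (NEVPNProtocol), not on NEPacketTunnelNetworkSettings.
func saveTunnelConfiguration(completion: @escaping (Error?) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }
        let manager = managers?.first ?? NETunnelProviderManager()

        let proto = NETunnelProviderProtocol()
        proto.providerBundleIdentifier = "com.example.vpn.tunnel"   // placeholder
        proto.serverAddress = "vpn.example.com"                      // placeholder

        // Block anything that would otherwise bypass the tunnel, instead of
        // relying on the default route alone.
        proto.includeAllNetworks = true
        // Exclusions: keep local-network traffic off the tunnel so things like
        // wireless Xcode debugging keep working.
        proto.excludeLocalNetworks = true
        if #available(iOS 16.4, macOS 13.3, *) {
            proto.excludeCellularServices = true  // carrier services such as VoLTE
            proto.excludeAPNs = true              // push notification traffic
        }

        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example VPN"
        manager.isEnabled = true
        manager.saveToPreferences(completionHandler: completion)
    }
}
```

Which exclusions are right depends on the product; the point is that includeAllNetworks and its exclude* siblings are set on the saved protocol configuration, so toggling them means saving preferences again, not just calling setTunnelNetworkSettings with different routes.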

I'm encountering issues with using includeAllNetworks where NECP is denying adapter usage, among other problems. Are you aware of any specific reasons why setting default routes wouldn't direct traffic through the tunnel?

Additionally, it seems that with includeAllNetworks, enforcing routes may not function as expected. Any insights or guidance you could provide on these matters would be greatly appreciated.

One of the biggest issues is that if you set includeAllNetworks, then attempt to bind to a cellular adapter via sockets, or use NWConnection with Wi-Fi prohibited and cellular required while you are on a Wi-Fi network, NECP will deny the cellular use. The bind itself will succeed, but traffic is then routed over the default route anyway.

Ideally, with includeAllNetworks, we would like to bind to each adapter and decide when each should be used. Is this expected with includeAllNetworks?

Are you aware of any specific reasons why setting default routes wouldn't direct traffic through the tunnel?

Claiming the default route only affects traffic that relies on the default route. If the traffic has an explicit route, the system honours that. There are two common cases for this:

  • If the traffic is to an address on a local network.

  • If the connection is bound to a specific interface.

Ideally, with includeAllNetworks, we would like to bind to each adapter and decide when each should be used.

I don’t understand this. When you say “we would like to bind”, is the “we” referring to your packet tunnel provider?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
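The two cases in the answer above fall out of ordinary longest-prefix routing. As an added illustration (not Apple's routing code and not from the thread), the following model builds a small IPv4 routing table of the kind `netstat -rn` would show while a packet tunnel holds the default route, then looks up a few destinations. The table contents are constructed; interface-scoped routes (the "I" flag in `netstat -rn`) are modelled as routes consulted only for connections bound to that interface. includeAllNetworks, which is enforced by NECP policy rather than by the routing table, is deliberately not modelled.

```swift
import Foundation

// Added example, not from the thread or from Apple. The routing table below is
// constructed to illustrate the two bypass cases in the answer.

struct IPv4Prefix {
    let network: UInt32
    let length: Int

    init?(_ cidr: String) {
        let parts = cidr.split(separator: "/")
        guard parts.count == 2,
              let addr = IPv4Prefix.parse(String(parts[0])),
              let len = Int(parts[1]), (0...32).contains(len) else { return nil }
        length = len
        network = addr & IPv4Prefix.mask(len)
    }

    static func parse(_ dotted: String) -> UInt32? {
        let octets = dotted.split(separator: ".").compactMap { UInt8($0) }
        guard octets.count == 4 else { return nil }
        return octets.reduce(UInt32(0)) { ($0 << 8) | UInt32($1) }
    }

    static func mask(_ len: Int) -> UInt32 {
        len == 0 ? 0 : ~UInt32(0) << UInt32(32 - len)
    }

    func contains(_ addr: UInt32) -> Bool {
        addr & IPv4Prefix.mask(length) == network
    }
}

struct Route {
    let prefix: IPv4Prefix
    let interface: String
    /// Scoped routes are consulted only for connections bound to that interface.
    let scoped: Bool
}

struct RoutingTable {
    var routes: [Route]

    /// Longest-prefix match. Unbound traffic uses the unscoped routes, which is
    /// where the tunnel's 0.0.0.0/0 lives; a connection bound to an interface
    /// sees only that interface's routes, including its own scoped default.
    func lookup(_ dotted: String, boundTo interface: String? = nil) -> Route? {
        guard let addr = IPv4Prefix.parse(dotted) else { return nil }
        let candidates: [Route]
        if let iface = interface {
            candidates = routes.filter { $0.interface == iface }
        } else {
            candidates = routes.filter { !$0.scoped }
        }
        return candidates
            .filter { $0.prefix.contains(addr) }
            .max { $0.prefix.length < $1.prefix.length }
    }
}

let table = RoutingTable(routes: [
    // The tunnel claimed the default route.
    Route(prefix: IPv4Prefix("0.0.0.0/0")!, interface: "utun3", scoped: false),
    // Wi-Fi keeps its own default route, but only for connections scoped to it.
    Route(prefix: IPv4Prefix("0.0.0.0/0")!, interface: "en0", scoped: true),
    // Connected route for the local subnet: more specific than /0, so it wins.
    Route(prefix: IPv4Prefix("192.168.1.0/24")!, interface: "en0", scoped: false),
    // Host route NE installs for the tunnel server to prevent a VPN loop.
    Route(prefix: IPv4Prefix("203.0.113.1/32")!, interface: "en0", scoped: false),
])

func explain(_ dest: String, boundTo iface: String? = nil) -> String {
    let scope = iface.map { " bound to \($0)" } ?? ""
    guard let route = table.lookup(dest, boundTo: iface) else {
        return "\(dest)\(scope): no route"
    }
    let via = route.prefix.length == 0 ? "default route" : "explicit /\(route.prefix.length) route"
    return "\(dest)\(scope) -> \(route.interface) (\(via))"
}

print(explain("8.8.8.8"))                  // utun3: carried by the tunnel
print(explain("192.168.1.20"))             // en0: local-network traffic bypasses the tunnel
print(explain("203.0.113.1"))              // en0: the tunnel server itself, by design
print(explain("8.8.8.8", boundTo: "en0"))  // en0: a scoped connection ignores the tunnel's default
```

The first three lookups are the unscoped case: only the 8.8.8.8 packet depends on the default route, so only it is captured, while the /24 connected route and the /32 host route win on prefix length. The last lookup is the bound-connection case: once a socket is scoped to en0 the tunnel's default route is never consulted, which is exactly the traffic includeAllNetworks exists to stop.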

Yes, inside the packet tunnel provider we use sockets to bind to an interface. This is used for faster failover, avoiding bad networks, and aggregating for speed. With includeAllNetworks set on, we can successfully bind to pdp_ip0 when en0 is active; however, when attempting to use that socket, traffic gets routed through the default en0 interface. You can test it out by binding to pdp_ip0 with includeAllNetworks on and sending a ping to ifconfig; it will return the default interface's IP.

Ah, OK, thanks for the explanation.

That behaviour doesn’t come as a huge surprise, in that NE applies specific NECP rules to your packet tunnel provider in order to prevent VPN loops [1]. However, I can see why it’d be annoying.

I don’t see any way around this, other than to not set includeAllNetworks but that creates its own problems. My only advice is that you file a bug about the poor interaction between includeAllNetworks and scoped network connections.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] You’re probably familiar with this but, if not, see A Peek Behind the NECP Curtain.