On demand rules and Split tunnel

I'm guessing it's this one - "Should the wake function be called because of the on-demand rule?" But if so, each request to APNs will wake the VPN from sleep. Is there any way to prevent it, and still start the VPN for any other traffic?

Bump.

Is there any way to create on-demand rules, so that any traffic initiated by the user would trigger the VPN, but any other traffic won't?

Sorry I didn’t reply earlier. I made a note to reply but somehow I missed it. Weird.

Anyway, back to your question:

What is the expected behavior here?

VPN On Demand and packet routing are separate subsystems. The former makes its decisions independent of the latter [1]. So I’d expect to see the first behaviour:

Should the wake function be called because of the on-demand rule?

What are you actually seeing?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] A key feature of VPN On Demand is that:

• You can specify that certain domains are on the other side of the tunnel

• And those domains can have custom DNS servers

This supports the common case of enterprises where only an internal DNS server knows about internal names. So a connection to www.corp.example.com is able to trigger VPN On Demand, which brings up the tunnel, which adds a DNS server for the corp.example.com domain, which is able to resolve www.corp.example.com and thus allow the connection. Meanwhile, external folks talk to an external DNS server that knows nothing of the corp.example.com domain.

So VPN On Demand has to make its decision before it knows the destination IP address of a connection.

Sorry I didn’t reply earlier. I made a note to reply but somehow I missed it. Weird.

NP, and thanks for the detailed reply!

So I’d expect to see the first behaviour

Okay, but let me rephrase a bit my question: This is what I was trying to get to:

Is there any way to create on-demand rules, so that any traffic initiated by the user would trigger the VPN, but any other traffic won't?:

And more specifically: Let's say that it's a night time, so both the Mac and the user went to sleep.. I noticed that during this 8 hours sleep, the VPN awakes multiple times, so I'm guessing it's related to APNs traffic. I would like that such traffic won't need to wake the VPN, and so I'll prevent a multiple wake-sleep events.

Is something like that is possible with the above On-Demand rules I described earlier?

Is something like that is possible with the above On-Demand rules I described earlier?

I don’t think so.

I’ve not seen complaints about this from iOS developers, but that’s not super surprising. Both platforms have their own complexities when it comes to networking, and sometimes the ducks just don’t line up [1].

At the routing layer we recently introduced excludeAPNs that can help with issues like this, but I’m not aware of anything like that at the on-demand layer. My suggestion is that you file an enhancement request for that. Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] For an example of this, see this thread.

Enhancement number:

FB16475536