On demand rules and Split tunnel

I've implemented a custom system extension VPN for macOS using Packet Tunnel Provider. The VPN is configured with on-demand, and a rule to always connect whenever there's traffic:

onDemandRules = [NEOnDemandRuleConnect()]

As for the tunnel's settings (at the Packet Tunnel Provider), I've configured a split tunnel, so some routes are excluded from the tunnel.

Now I have the following scenario:

  • The VPN is connected
  • The Mac enters sleep
    • The sleep() function is called (at my Packet Tunnel Provider)
  • The Mac briefly awakes to check emails/push notifications/etc. This traffic is excluded from the tunnel.

What is the expected behavior here? Should the wake function be called because of the on-demand rule? Or should the VPN remain asleep because this traffic is excluded from the tunnel?

Answered by DTS Engineer in 824034022
I'm guessing it's this one - "Should the wake function be called because of the on-demand rule?" But if so, each request to APNs will wake the VPN from sleep. Is there any way to prevent it, and still start the VPN for any other traffic?

Bump.

Is there any way to create on-demand rules, so that any traffic initiated by the user would trigger the VPN, but any other traffic won't?

Sorry I didn’t reply earlier. I made a note to reply but somehow I missed it. Weird.

Anyway, back to your question:

Written by roee84 in 773251021
What is the expected behavior here?

VPN On Demand and packet routing are separate subsystems. The former makes its decisions independent of the latter [1]. So I’d expect to see the first behaviour:

Written by roee84 in 773251021
Should the wake function be called because of the on-demand rule?

What are you actually seeing?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] A key feature of VPN On Demand is that:

  • You can specify that certain domains are on the other side of the tunnel

  • And those domains can have custom DNS servers

This supports the common case of enterprises where only an internal DNS server knows about internal names. So a connection to www.corp.example.com is able to trigger VPN On Demand, which brings up the tunnel, which adds a DNS server for the corp.example.com domain, which is able to resolve www.corp.example.com and thus allow the connection. Meanwhile, external folks talk to an external DNS server that knows nothing of the corp.example.com domain.

So VPN On Demand has to make its decision before it knows the destination IP address of a connection.

Sorry I didn’t reply earlier. I made a note to reply but somehow I missed it. Weird.

NP, and thanks for the detailed reply!

So I’d expect to see the first behaviour

Okay, but let me rephrase my question a bit. This is what I was trying to get at:

Is there any way to create on-demand rules, so that any traffic initiated by the user would trigger the VPN, but any other traffic won't?

And more specifically: let's say that it's night time, so both the Mac and the user have gone to sleep. I noticed that during this 8-hour sleep, the VPN wakes multiple times, so I'm guessing it's related to APNs traffic. I would like such traffic not to need to wake the VPN, so that I can prevent multiple wake-sleep events.

Is something like that possible with the On-Demand rules I described earlier?

Accepted Answer
Written by roee84 in 823874022
Is something like that possible with the On-Demand rules I described earlier?

I don’t think so.

I’ve not seen complaints about this from iOS developers, but that’s not super surprising. Both platforms have their own complexities when it comes to networking, and sometimes the ducks just don’t line up [1].

At the routing layer we recently introduced excludeAPNs that can help with issues like this, but I’m not aware of anything like that at the on-demand layer. My suggestion is that you file an enhancement request for that. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] For an example of this, see this thread.
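The two layers Quinn describes, side by side, as an added example that is not code from the thread or from Apple: the On Demand rules (decided by the system before the destination IP is known, including the domain-triggered case from the earlier footnote) and the split-tunnel routing settings applied inside the Packet Tunnel Provider (where the excludeAPNs knob from this answer lives). The corporate domain, the 10.0.0.53 resolver, the probe URL, the address ranges and the tunnel addresses are all constructed values; excludeAPNs is assumed to be a Bool on NEIPv4Settings (macOS 13.3 / iOS 16.4 and later), so check the SDK header for your deployment target.

```swift
import NetworkExtension

// --- Layer 1: VPN On Demand, evaluated by the system before any DNS lookup or routing ---
//
// Builds a rule set for a NETunnelProviderManager. Assumed configuration, not the poster's:
// connect when a connection targets a name inside the corporate domain (the footnote's
// www.corp.example.com case), and otherwise fall back to the thread's own rule,
// "connect whenever there is traffic" (NEOnDemandRuleConnect).
func makeOnDemandRules(corpDomain: String) -> [NEOnDemandRule] {
    // The domain match is done on the hostname, which is why On Demand can decide
    // before the destination IP address is known.
    let corpRule = NEEvaluateConnectionRule(matchDomains: [corpDomain], andAction: .connectIfNeeded)
    // Try the internal resolver first; if it cannot answer, bring the tunnel up.
    corpRule.useDNSServers = ["10.0.0.53"]                                // constructed
    corpRule.probeURL = URL(string: "https://probe.corp.example.com/ok")  // constructed

    let evaluate = NEOnDemandRuleEvaluateConnection()
    evaluate.connectionRules = [corpRule]
    evaluate.interfaceTypeMatch = .any

    // Everything not matched above: connect on traffic, exactly as in the original post.
    // Note that this rule does not look at routes, so traffic that the provider will later
    // exclude from the tunnel (APNs included) still satisfies it and can wake the provider.
    let connect = NEOnDemandRuleConnect()
    connect.interfaceTypeMatch = .any

    return [evaluate, connect]
}

func installOnDemand(on manager: NETunnelProviderManager, corpDomain: String) {
    manager.onDemandRules = makeOnDemandRules(corpDomain: corpDomain)
    manager.isOnDemandEnabled = true
    manager.saveToPreferences { error in
        if let error = error {
            print("saveToPreferences failed: \(error)")
        }
    }
}

// --- Layer 2: packet routing, decided inside the Packet Tunnel Provider ---
//
// Split-tunnel settings handed to setTunnelNetworkSettings(_:completionHandler:).
// Routes in excludedRoutes bypass the tunnel; excludeAPNs keeps push traffic out of it.
// Neither setting is consulted by On Demand: the two layers decide independently.
func makeSplitTunnelSettings(tunnelRemoteAddress: String,
                             tunnelLocalAddress: String,
                             corpDomain: String) -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: tunnelRemoteAddress)

    let ipv4 = NEIPv4Settings(addresses: [tunnelLocalAddress], subnetMasks: ["255.255.255.0"])
    // Default route through the tunnel ...
    ipv4.includedRoutes = [NEIPv4Route.default()]
    // ... except a constructed LAN range, which stays on the physical interface.
    ipv4.excludedRoutes = [NEIPv4Route(destinationAddress: "192.168.0.0", subnetMask: "255.255.0.0")]
    // Routing-layer APNs exclusion from the accepted answer (assumed property name and type).
    ipv4.excludeAPNs = true
    settings.ipv4Settings = ipv4

    // Tunnel-side resolver for the corporate domain only; other names keep the host's DNS.
    let dns = NEDNSSettings(servers: ["10.0.0.53"])   // constructed internal resolver
    dns.matchDomains = [corpDomain]
    settings.dnsSettings = dns

    return settings
}
```

The point the code is meant to make visible is the one in the answer above: setting excludeAPNs (or adding an entry to excludedRoutes) changes where packets go once the tunnel is up, but the NEOnDemandRuleConnect rule has already fired by then, so this configuration keeps APNs traffic out of the tunnel without stopping that traffic from waking the provider. Only a change at the On Demand layer, which is what the enhancement request asks for, could do the latter.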

Enhancement number:

FB16475536
