I am learning about layer 3 VPN implementations for MacOS, and am slowly making my way through docs and tutorials. I noticed that part of creating an instance of NETunnelProviderManager on the app side of the project requires the specification of protocolConfiguration via an instance of NETunnelProviderProtocol. One of the arguments for this class is serverAddress, which to my understanding, tells the OS where to route traffic towards at the end of the day.
My question: many VPNs these days allow the option to specify the location for which you want your traffic to be routed through. I imagine this would necessitate changing this serverAddress field in the backend. However, setting this option (on a commercially available VPN) doesn't typically prompt the OS notification that you get when initially installing a VPN configuration for the first time. How is this functionality achieved? I could see one possible solution being that most VPN providers route through a main service beforehand (so the first IP in the chain never has to change), though I could see this being problematic for a number of other reasons.
Assuming you have a valid NETunnelProviderManager object called manager, is this valid?
self.manager?.protocolConfiguration?.serverAddress = "somewhereElse"
Even if it compiles, will the traffic be properly re-routed?
My understanding of the flow right now is that in order to "lock in" a new configuration, or modify it, you need to call manager.saveToPreferences, which triggers the OS notification I mentioned earlier.
It is absolutely possible to change a provider’s protocol configuration on the fly. In the container app:
- Find the relevant configuration manager.
- Apply your changes to it.
- Save it.
This won’t trigger a user confirmation prompt because it’s modifying an existing configuration, not installing a new one.
You don’t even have to stop and start the tunnel for those changes to take effect. Instead, in the provider, use KVO to watch for changes to your protocolConfiguration property.
Having said that, I don’t think that this:
implies this:
The VPN ingress server isn’t necessarily related to the VPN outgress address. The app’s back end could be forwarding stuff internally.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
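The load, modify, save sequence on the app side and the KVO watch in the provider, written out as an added Swift example; this is not code from the thread or from Apple, it assumes the app owns exactly one tunnel configuration, and reconnect(to:) is a hypothetical transport-specific helper.

```swift
import NetworkExtension

enum TunnelConfigError: Error { case noManager, notTunnelProtocol }

// Container app side: re-point the existing tunnel configuration at a new
// ingress server. Editing a saved manager, not creating one, is what avoids
// a second user-consent prompt.
func switchIngressServer(to newServer: String,
                         completion: @escaping (Error?) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, error in
        if let error = error { return completion(error) }
        // Assumption: this app owns exactly one tunnel configuration.
        guard let manager = managers?.first else {
            return completion(TunnelConfigError.noManager)
        }
        // Reload right before saving so a stale copy is never written back.
        manager.loadFromPreferences { error in
            if let error = error { return completion(error) }
            guard let proto = manager.protocolConfiguration as? NETunnelProviderProtocol else {
                return completion(TunnelConfigError.notTunnelProtocol)
            }
            proto.serverAddress = newServer
            manager.protocolConfiguration = proto
            manager.saveToPreferences(completionHandler: completion)
        }
    }
}

// Provider side: observe protocolConfiguration with KVO so a saved change is
// applied without stopping and restarting the tunnel.
final class PacketTunnelProvider: NEPacketTunnelProvider {
    private var configObservation: NSKeyValueObservation?   // invalidated on deinit
    private var currentServer: String?

    override func startTunnel(options: [String: Any]? = nil,
                              completionHandler: @escaping (Error?) -> Void) {
        currentServer = protocolConfiguration.serverAddress
        configObservation = observe(\.protocolConfiguration, options: [.new]) { provider, _ in
            let newServer = provider.protocolConfiguration.serverAddress
            // Only redial when the ingress host actually changed.
            guard newServer != provider.currentServer else { return }
            provider.currentServer = newServer
            provider.reconnect(to: newServer)
        }
        // Dial `currentServer`, apply tunnel network settings, then report success.
        completionHandler(nil)
    }

    // Hypothetical helper: tear down the current transport and dial `server`.
    private func reconnect(to server: String?) { /* transport-specific */ }
}
```

The ingress host saved here is only where the tunnel connects; as the answer notes, where the back end egresses traffic is a separate matter.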