I've implemented a custom system extension VPN for macOS using Packet Tunnel Provider. The VPN is configured with on-demand, and a rule to always connect whenever there's traffic:
onDemandRules = [NEOnDemandRuleConnect()]
As expected, if the VPN isn't active, all traffic gets blocked until it is ready.
Not expected: In the following scenario, there is some 'traffic leak':
- Use only WiFi (not wired cable)
- Connect the VPN
- Disable the WiFi and wait for the VPN to disconnect
- Enable the WiFi
- Some packets are routed outside the VPN, and aren't being blocked
- Some moments after, all traffic will be blocked, and the VPN will start the 'connecting' process.
Is the above scenario a 'known' issue? Can it be a race condition in the OS, where some packets can be sent after the network is brought back before the VPN process starts? Is there any way to fix this problem?
P.S: I'm not using flags such as 'capture all network'