OnDemand VPN connection stuck in NO INTERNET

Question

Created 3w

Replies 14

Boosts 0

Participants 3

We create custom VPN tunnel by overriding PacketTunnelProvider on MacOS. Normal VPN connection works seamlessly. But if we enable onDemand rules on VPN manager, intemittently during tunnel creation via OnDemand, internet goes away on machine leading to a connection stuck state.

Why does internet goes away during tunnel creation?

Boost

Answer 1

DTS Engineer OP

Apple

3w

How is your provided packaged? As an app extension? Or a system extension?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

disinghal OP

2w

App Extension

0

Answer 3

DTS Engineer OP

Apple

2w

OK. Thanks for confirming.

When you see this, is there only one user involved? That is:

You’ve log in via the GUI.
And are working with networking, including your VPN.
Without logging out.
Or fast user switching to a different user.

Is that right?

This matters because appex packaging only really works in the context of a single user, so if you add other users into the mix things get complicated.

Also, you wrote:

internet goes away on machine leading to a connection stuck state.

Can you clarify what this means? I see two possibilities:

Networking goes away for other apps on the system but the system doesn’t start your packet tunnel provider.
Alternatively, the system starts your packet tunnel provider and it attempts to connect to your VPN server and that connection acts like there’s no Internet.

Is it either of these? Or something else?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 4

disinghal OP

2w

Single User
Machine has internet -> onDemand Enabled-> calls startTunnel() -> but before even we call setTunnelNetworkSettings(), internet goes away on machine

So I am guessing some network settings are changing on machine in between leading to traffic going over incorrect interface.

0

Answer 5

disinghal OP

2w

Happening only when onDemand is enabled (Not at all when we manually call startTunnel and setup VPN tunnel settings).

0

Answer 6

DTS Engineer OP

Apple

2w

Happening only when onDemand is enabled

OK. Then what does your on-demand setup look like?

before even we call setTunnelNetworkSettings(), internet goes away on machine

Does that mean your packet tunnel provider is able to open a network connection to the VPN server? That seems like it should be the case — most VPN clients have to contact the VPN server to get the settings they need to order to call setTunnelNetworkSettings() — but I just want to be clear.

And if that’s the case, then does the packet tunnel provider’s connect to the VPN server tear when the “internet goes away”? Or is it just that the Internet goes away for other app’s running on the Mac?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 7

disinghal OP

2w

let rule = NEOnDemandRuleConnect() rule.interfaceTypeMatch = .any manager.onDemandRules = [rule] manager.isOnDemandEnabled = true manager.isEnabled = true manager.saveToPreferences {}

Yes, we need to contact VPN server and some other endpoints to get the configuration. But https requests are timing out because device is loosing internet connectivity (All apps + device)

0

Answer 8

disinghal OP

2w

It stays in NO_INTERNET state until on-demand is disabled

0

Answer 9

DTS Engineer OP

Apple

2w

But https requests are timing out because device is loosing internet connectivity

Are you issuing these HTTP requests from within your packet tunnel provider process?

What API are you using? URLSession? Or something else?

And what’s this NO_INTERNET state? That’s not something I’d recognise from Apple code. Is this being returned by a library that you’re using?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 10

disinghal OP

2w

Yes, from within Packet tunnel provider process.
URLSession
No state as such. Device loses internet connectivity

0

Answer 11

DTS Engineer OP

Apple

2w

Thanks for those answers.

1. Yes, from within Packet tunnel provider process.

OK. I’d expect that to work.

2. URLSession

If you use a low-level API to make a connection to your server, does that go through?

Specifically, I’d like you to try using Network framework for this, meaning NWConnection in Swift or nw_connection_t in C-based languages.

Note that this is just a diagnostic test, not a suggested fix. The advantage of testing this with Network framework rather than URLSession is that it’s much simpler. URLSession adds a lot of value on top of Network framework, but that also means it has a lot of additional scope for failure.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 12

disinghal OP

4d

Why we are landing into no internet only during OnDemand connections? Is that a bug in Apple's ondDemand flow?
Any known / documented bugs with URLSession?

0

Answer 13

DTS Engineer OP

Apple

2d

Did you run the NWConnection diagnostic test I suggested in my previous post? What was the result?

Again, this test is a important because it allows us to distinguish between two cases:

Networking in your provider is blocked completely.
Networking in your provider is fine in general but there’s an issue specific to URLSession.

Knowing this is both useful as a diagnostic and, at least in the second case, raises the potential for a workaround.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 14

Arnine45 OP

2d

1.1.1.1 1.0.0.1

0