OnDemand VPN connection stuck in NO INTERNET

We create a custom VPN tunnel by overriding PacketTunnelProvider on macOS. A normal VPN connection works seamlessly. But if we enable on-demand rules on the VPN manager, intermittently during tunnel creation via on-demand, the internet goes away on the machine, leading to a connection stuck state.

Why does the internet go away during tunnel creation?


OK. In that case I don’t see any way to make this work )-:

When you set an on-demand rule, connections that match that rule are held until the demand is satisfied. This makes sense when you think about the intended use case for on-demand rules, namely, a split VPN. Typically this pans out as follows:

  1. There’s a site that’s only available on the organisation’s intranet.
  2. The device manager deploys an on-demand VPN configuration to access that intranet.
  3. The user runs an app that connects to that site.
  4. The system treats that as demand and starts the VPN connection.
  5. And holds the app’s connection until the VPN connection is established.
  6. Once that’s done, it releases the app’s connection, which then connects to the site over the VPN.

This yields an obvious chicken’n’egg problem when the VPN provider relies on a connection that also matches the on-demand rule. The system can avoid this problem if the provider does it directly, from within its own process. This is the same sort of logic that NECP uses to avoid VPN loops. But if the provider’s connection somehow depends on some other unrelated process, tracking that dependency is hard and AFAIK there’s no facility within the system to do it.

You could file a bug about this, requesting that we tweak the system to understand this dependency. However, that’s unlikely to be an easy fix.

Note If you do file a bug:

  • Enable relevant debugging on a test machine (definitely VPN (Network Extension) but I think that Single Sign-On also makes sense).
  • Attach a sysdiagnose log taken from a machine in this stuck state.
  • Please post your bug number, just for the record.

As to what you can do about this right now, you need to find a way to break this dependency loop. For example:

  • You might limit the scope of your on-demand rules.
  • Or change how you authenticate these requests.
  • Or switch to per-app VPN, targeting a specific list of apps that doesn’t include your SSO app.

Just as an FYI, extremely wide on-demand VPN rules are a common source of problems. I often see them deployed when folks are trying to use a packet tunnel provider for something that isn’t VPN. TN3120 Expected use cases for Network Extension packet tunnel providers has a general discussion of that issue.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

URL Session is calling a public endpoint.

Right, but you’ve set up your on-demand rules to say that everything generates demand.

It’d be interesting to see what happens if you configure your on-demand rules to only generate demand when you load a URL that’s behind the VPN. I suspect it’ll work consistently, but if you find that’s not the case then that’d be an interesting datapoint.

It happens intermittently.

Fair enough. But that doesn’t really contradict the position I explained above. You’ve set yourself up for failure and you only fail in some cases. That’s a win, right? (-:

Seriously though, I don’t think I’m going to be able to help you further here. You are clearly exploring the limits of what’s possible. If you want to make the case that this should work, I recommend that you do that directly in a bug report.

If you do file a bug, please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

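Added example, not code from either participant in this thread: the two rule sets the answers contrast, side by side. The first is the overly broad configuration Quinn describes (a bare Connect rule, so every outbound connection, including the provider’s own connection to the public VPN server, counts as demand and can be held). The second is the narrowing suggested in both answers: only connections to the intranet site generate demand, so a URLSession call to a public endpoint is never held. The intranet domain, provider bundle identifier and server address are placeholders, not values from the thread.

```swift
import NetworkExtension

// Assumptions for this example (not from the thread): the intranet host that
// is only reachable over the tunnel, the packet tunnel extension's bundle ID,
// and the public VPN server the provider dials.
let intranetDomains = ["intranet.example.com"]
let providerBundleID = "com.example.app.tunnel"
let vpnServer = "vpn.example.com"

/// The configuration the thread warns about: a Connect rule on every interface
/// type. Every new connection on the machine is treated as demand and is held
/// until the tunnel is up, including connections the tunnel (or an SSO helper
/// it depends on) needs in order to come up. That is the dependency loop.
func overlyBroadOnDemandRules() -> [NEOnDemandRule] {
    let connectEverything = NEOnDemandRuleConnect()
    connectEverything.interfaceTypeMatch = .any
    return [connectEverything]
}

/// The scoped alternative: an EvaluateConnection rule whose connection rules
/// name only the intranet site as demand. Connections to the VPN server are
/// explicitly never demand, and hosts that match no connection rule are not
/// treated as demand either, so the provider's control connection and
/// URLSession calls to public endpoints proceed immediately.
func scopedOnDemandRules() -> [NEOnDemandRule] {
    let evaluate = NEOnDemandRuleEvaluateConnection()
    evaluate.interfaceTypeMatch = .any
    evaluate.connectionRules = [
        NEEvaluateConnectionRule(matchDomains: intranetDomains, andAction: .connectIfNeeded),
        NEEvaluateConnectionRule(matchDomains: [vpnServer], andAction: .neverConnect),
    ]
    return [evaluate]
}

/// Installs the scoped rules on a tunnel provider manager and enables on demand.
func configureOnDemand(_ manager: NETunnelProviderManager) {
    let proto = NETunnelProviderProtocol()
    proto.providerBundleIdentifier = providerBundleID
    proto.serverAddress = vpnServer
    manager.protocolConfiguration = proto
    manager.localizedDescription = "Scoped on-demand VPN (example)"
    manager.onDemandRules = scopedOnDemandRules()   // not overlyBroadOnDemandRules()
    manager.isOnDemandEnabled = true
    manager.isEnabled = true
    manager.saveToPreferences { error in
        if let error = error {
            print("saveToPreferences failed: \(error)")
        }
    }
}

// Reuse an existing configuration for this app if there is one, else create it.
NETunnelProviderManager.loadAllFromPreferences { managers, error in
    guard error == nil else {
        print("loadAllFromPreferences failed: \(error!)")
        return
    }
    configureOnDemand(managers?.first ?? NETunnelProviderManager())
}
```

Rules are evaluated in order and the first rule whose interface match succeeds wins, so a single EvaluateConnection rule on `.any` is the whole policy; add further domains to `intranetDomains` rather than appending a second Connect rule, which would reintroduce the broad behaviour. The per-app VPN option from the first answer is not shown because it is deployed through device management rather than this API.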