VPN: Internet inaccessible and include routes traffic is dropped

When enforceRoutes = YES is set on a split tunnel VPN configuration containing only excluded routes, all traffic matching the included routes is silently dropped — no packets reach the VPN tunnel. Only the excluded routes route correctly via the physical adapter.

Setting enforceRoutes = NO with an identical configuration restores full connectivity immediately, confirming the issue is specific to the combination of enforceRoutes = YES and a non-empty excludedRoutes.

This has been verified on iPadOS 26.

Test Environment

  • Device: iPad Pro 4th gen
  • OS Version: iPadOS 26.0
  • VPN Type: NEPacketTunnelProvider

VPN Configuration (NEPacketTunnelNetworkSettings)


tunnelRemoteAddress = 103.135.123.108
DNSSettings = {
    protocol = cleartext
    server   = (10.34.250.51)
}

IPv4Settings = {
    configMethod  = manual
    addresses     = (10.34.247.235)
    subnetMasks   = (255.255.255.255)
    includedRoutes = (
        {
            destinationAddress    = 0.0.0.0
            destinationSubnetMask = 0.0.0.0
        }
    )
    excludedRoutes = (
        {
            destinationAddress    = 10.168.10.182
            destinationSubnetMask = 255.255.255.255
        }
    )
    overridePrimary = NO
}
MTU = 1400

enforceRoutes = YES
includeAllNetworks = NO

Reproduction Steps

  1. Configure NEPacketTunnelProvider with the settings above
  2. Set protocolConfiguration.enforceRoutes = YES
  3. Set protocolConfiguration.includeAllNetworks = NO
  4. Establish VPN connection and wait for Connected status
  5. Attempt to access any internet resource

Observed Behavior

  • Excluded route (10.168.10.182) correctly routes via physical adapter — confirmed in Wireshark
  • Included routes (0.0.0.0/0) — zero packets visible in Wireshark on any interface, traffic completely dropped
  • Internet fully inaccessible — no DNS responses, no TCP connections established

Setting enforceRoutes = NO with an identical route configuration and all other settings unchanged restores full internet connectivity immediately. No other change is made.

enforceRoutes does not apply to default routes as split-tunnel VPNs are only intended to route a specific set of routes over the tunnel. Including the default route expresses an intention to route all traffic over the VPN, making this a full-tunnel VPN. We advise using includeAllNetworks to enforce routing for full-tunnel VPNs, but includeAllNetworks does not respect excludedRoutes. I recommend evaluating if the routes you wish to exclude can be covered by one of the existing exceptions to includeAllNetworks: excludeAPNs, excludeLocalNetworks, and excludeCellularServices.

For more information on this topic, I recommend reading the Routing your VPN network traffic article.
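
An added example (not part of the original posts and not Apple sample code): a Swift pre-flight check that flags the two combinations described in the reply above before the tunnel settings are applied. The helper name `routingConflicts` is hypothetical, and the sample values are constructed from the settings posted in the question.

```swift
import NetworkExtension

// Added example; `routingConflicts` is a hypothetical helper, not an Apple API.
// It flags the two route/enforcement combinations described in the reply above.
@available(iOS 14.2, macOS 11.0, *)
func routingConflicts(proto: NEVPNProtocol, ipv4: NEIPv4Settings) -> [String] {
    var findings: [String] = []
    let included = ipv4.includedRoutes ?? []
    let excluded = ipv4.excludedRoutes ?? []

    // A default route is 0.0.0.0 with mask 0.0.0.0, as in the posted settings.
    let hasDefaultRoute = included.contains {
        $0.destinationAddress == "0.0.0.0" && $0.destinationSubnetMask == "0.0.0.0"
    }

    if proto.enforceRoutes && hasDefaultRoute {
        findings.append("enforceRoutes is set but includedRoutes contains the default route; "
            + "per the reply, enforceRoutes does not apply to default routes.")
    }
    if proto.includeAllNetworks && !excluded.isEmpty {
        let list = excluded.map { "\($0.destinationAddress)/\($0.destinationSubnetMask)" }
        findings.append("includeAllNetworks is set; per the reply, excludedRoutes is "
            + "not respected: " + list.joined(separator: ", "))
    }
    return findings
}

// Constructed sample mirroring the settings posted in the question.
if #available(iOS 14.2, macOS 11.0, *) {
    let proto = NETunnelProviderProtocol()
    proto.enforceRoutes = true
    proto.includeAllNetworks = false

    let ipv4 = NEIPv4Settings(addresses: ["10.34.247.235"],
                              subnetMasks: ["255.255.255.255"])
    ipv4.includedRoutes = [NEIPv4Route(destinationAddress: "0.0.0.0",
                                       subnetMask: "0.0.0.0")]
    ipv4.excludedRoutes = [NEIPv4Route(destinationAddress: "10.168.10.182",
                                       subnetMask: "255.255.255.255")]

    // Log every finding so the conflict is visible before the tunnel starts.
    routingConflicts(proto: proto, ipv4: ipv4).forEach { print("WARNING: \($0)") }
}
```

Running the check in the provider before calling `setTunnelNetworkSettings` surfaces the conflict in logs instead of as dropped traffic after connect.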
