@eskimo Thanks!
The docs aren't clear on this (at least to me) - but you're saying I can just call flow.readData { data, error in ... } once after the flow is opened - and it'll automatically invoke that block each time the flow has data? Or you're saying that I need to call flow.readData { data, error in ... } in a loop but that it just won't block (so I could potentially iterate over an array of flows calling readData() on each one in a loop without worrying about any of them blocking)?
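An added Swift sketch of the callback-driven read cycle the question is about (not code from the original post or from Apple); it assumes the conventional pattern in which each readData call delivers at most one chunk and is re-issued from its own completion handler, and the FlowReader type and the forward closure are hypothetical.

```swift
import NetworkExtension

// Added illustration: one non-blocking read cycle per NEAppProxyTCPFlow.
// readData(completionHandler:) never blocks the caller; the "loop" is
// re-issuing the read from inside the completion handler.
final class FlowReader {
    private let flow: NEAppProxyTCPFlow
    // Hypothetical sink for data read from the app (e.g. the VPN side).
    private let forward: (Data) -> Void

    init(flow: NEAppProxyTCPFlow, forward: @escaping (Data) -> Void) {
        self.flow = flow
        self.forward = forward
    }

    /// Called once after the flow has been opened successfully.
    func start() {
        readNext()
    }

    private func readNext() {
        flow.readData { [weak self] data, error in
            guard let self = self else { return }
            if let error = error {
                // Read failed: close both directions and stop the cycle.
                self.flow.closeReadWithError(error)
                self.flow.closeWriteWithError(error)
                return
            }
            guard let data = data, !data.isEmpty else {
                // A zero-length read signals EOF from the app side.
                self.flow.closeReadWithError(nil)
                return
            }
            self.forward(data)
            self.readNext() // schedule the next chunk; still non-blocking
        }
    }
}

// Assumed usage inside an NEAppProxyProvider subclass: every accepted
// flow gets its own reader, so many flows are serviced concurrently
// without any of them blocking the others.
// override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
//     guard let tcp = flow as? NEAppProxyTCPFlow else { return false }
//     tcp.open(withLocalEndpoint: nil) { error in
//         guard error == nil else { return }
//         FlowReader(flow: tcp, forward: { _ in }).start()
//     }
//     return true
// }
```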
@eskimo thanks for your reply. I watched that video, but I still have many questions. In particular the 'per-app VPN' functionality LOOKS as if it's suitable, but reading your comments on another thread: https://developer.apple.com/forums/thread/87484
You seem to imply that it is NOT suitable as: "On macOS it can only be deployed via a configuration profile (which is typically deployed via MDM but you could do that manually)" - whereas we need the user to be able to add/remove arbitrary apps from the split tunnel according to their needs.
Just to state clearly again what it is I'm trying to do: We have a VPN product that is cross-platform and implements openvpn and wireguard VPN using standard cross-platform approaches (that is, we do not use any apple-specific APIs for creating/maintaining the vpn connection).
We need to allow the user to add/remove apps from the 'split tunnel' - at run time - that is, these apps are not known ahead of time or hard-coded.
The apps in the split tunnel need to be able to either bind to the VPN (in the case the VPN does not have the default route) or bypass the VPN (in the case the VPN *does* have the default route).
Your comments on that linked thread, albeit 2 years old, are very worrying, as you give advice to another user who is attempting to do something similar to write a, now inaccessible, NKE to achieve what he wants.
I hope now I've explained more clearly what I'm trying to achieve; is it possible to achieve what I want using the Network Extension APIs? I will note that on linux this is trivial to achieve, and on Windows (via WFP) this is trivial also --- but with the deprecation of NKEs, it's now worrying that the APIs are not sufficient.
Thanks again in advance!
@Systems Engineer Thanks for your reply! However, looking at the docs for NEPacketTunnelProvider this is the wrong kind of split tunneling. The docs indicate it allows splitting traffic based on destination IP, which can already be achieved via the routing table and is not quite what I want.
I need to be able to split traffic based on the PID of a process (or the executable path of a process). That is, based on the PID (or executable path) of an arbitrary process I want to be able to have its traffic either bypass the VPN or force its traffic through the VPN - this should be possible whether or not the VPN endpoint has the default route.
Note that we are not currently using apple APIs to set up our VPN - we are just using a standard openvpn/wireguard setup and use the routing table directly to control routes - but with the NKE to make routing exceptions for specific apps (apps that bypass the vpn or apps that are forced on the vpn).