Post marked as solved with 8 replies, 1,083 views
Hi there,
I'm exploring the possibilities of intercepting VPN traffic with NEFilterPacketProvider on macOS. After running a few tests it looks like NEFilterPacketProvider can intercept packets on virtual interfaces with Raw IP link-layer only. These interfaces are created by built-in IKEv2/IPsec personal VPN or by third-party VPN clients based on NEPacketTunnelProvider (e.g. ProtonVPN). I could see that tcpdump recognizes the data link type of these interfaces as Raw IP:
# tcpdump -L -i utun2
Data link types for utun2 (use option -y to set):
RAW (Raw IP)
Other virtual interfaces I tested in Catalina 10.15.7 don't seem to be available for interception. For instance, an interface with BSD loopback link-layer created by PulseSecure VPN:
# tcpdump -L -i utun3
Data link types for utun3 (use option -y to set):
NULL (BSD loopback)
or an interface with PPP link-layer created by the built-in L2TP/IPsec personal VPN:
# tcpdump -L -i ppp0
Data link types for ppp0 (use option -y to set):
PPP (PPP)
I reviewed Apple Developer Documentation but didn't find any clues about which data link-layer types NEFilterPacketProvider should support.
I think it is a severe limitation if NEFilterPacketProvider is able to monitor only virtual interfaces with Raw IP link-layer. How could we use it reliably if a user might accidentally/intentionally bypass it by the very simple installation of the built-in L2TP/IPsec VPN client?
A workaround suggestion would be much appreciated.
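An added helper (not part of the original post or of any Apple API) that parses the `tcpdump -L` output quoted above and reports which interfaces lack the RAW (Raw IP) link type, the only one the post observed NEFilterPacketProvider intercepting. The embedded sample is constructed from the three outputs in the post; `collect_live` and its interface list are an assumption for gathering real output on a macOS host.

```python
import re
import subprocess
from typing import Dict, Iterable, List

# Constructed sample: the three `tcpdump -L` outputs from the post, concatenated
# as they would be if collected one interface after another.
SAMPLE = """\
Data link types for utun2 (use option -y to set):
RAW (Raw IP)
Data link types for utun3 (use option -y to set):
NULL (BSD loopback)
Data link types for ppp0 (use option -y to set):
PPP (PPP)
"""

HEADER = re.compile(r"^Data link types for (\S+) \(use option -y to set\):")
DLT = re.compile(r"^\s*(\S+) \((.*)\)\s*$")

def parse_tcpdump_l(text: str) -> Dict[str, List[str]]:
    """Map interface name -> DLT names, one block per interface in the output."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = DLT.match(line)
        if m and current is not None:
            result[current].append(m.group(1))
    return result

def coverage_report(dlts: Dict[str, List[str]]) -> Dict[str, bool]:
    """True where RAW (Raw IP) is offered; False marks a likely filtering gap
    (NULL/BSD loopback, PPP) per the post's observations on Catalina 10.15.7."""
    return {ifname: "RAW" in types for ifname, types in dlts.items()}

def collect_live(interfaces: Iterable[str]) -> str:
    """Assumed helper: run `tcpdump -L -i <if>` for each interface (needs root
    and tcpdump on macOS); tcpdump prints this listing on stderr, so merge both."""
    out = []
    for ifname in interfaces:
        r = subprocess.run(["tcpdump", "-L", "-i", ifname],
                           capture_output=True, text=True)
        out.append(r.stdout + r.stderr)
    return "".join(out)

if __name__ == "__main__":
    for ifname, ok in coverage_report(parse_tcpdump_l(SAMPLE)).items():
        print(f"{ifname}: {'filterable' if ok else 'NOT filterable (gap)'}")
```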