Post marked as solved
Hi there,

I'm exploring the possibilities of intercepting VPN traffic with NEFilterPacketProvider on macOS. After running a few tests, it looks like NEFilterPacketProvider can intercept packets on virtual interfaces with Raw IP link-layer only. These interfaces are created by the built-in IKEv2/IPsec personal VPN or by third-party VPN clients based on NEPacketTunnelProvider (e.g. ProtonVPN). I could see that tcpdump recognizes the data link type of these interfaces as Raw IP:

    # tcpdump -L -i utun2
    Data link types for utun2 (use option -y to set):
      RAW (Raw IP)

Other virtual interfaces I tested in Catalina 10.15.7 don't seem to be available for interception. For instance, an interface with BSD loopback link-layer created by PulseSecure VPN:

    # tcpdump -L -i utun3
    Data link types for utun3 (use option -y to set):
      NULL (BSD loopback)

or an interface with PPP link-layer created by the built-in L2TP/IPsec personal VPN:

    # tcpdump -L -i ppp0
    Data link types for ppp0 (use option -y to set):
      PPP (PPP)

I reviewed the Apple Developer Documentation but didn't find any clues about which data link-layer types NEFilterPacketProvider should support.

I think it is a severe limitation if NEFilterPacketProvider is able to monitor only virtual interfaces with Raw IP link-layer. How could we use it reliably if a user might accidentally/intentionally bypass it by a very simple installation of the built-in L2TP/IPsec VPN client?

A workaround suggestion would be much appreciated.
Posted by dad4kid.
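An added example, not part of the original post: a shell helper that classifies an interface by the data link types `tcpdump -L` reports, so an endpoint audit can flag tunnel interfaces whose link type is not Raw IP, the only type the post reports NEFilterPacketProvider intercepting. The function names, the verdict strings and the choice to audit only `utun*` and `ppp*` interfaces are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify an interface from `tcpdump -L` output.
# Verdicts follow the post's test results, not documented Apple behaviour.

# $1: interface name; stdin: output of `tcpdump -L -i <ifname>`.
# Prints "<ifname> <comma-separated DLT names> <verdict>".
classify_iface() {
    # Only lines after the header that look like "NAME (description)" count,
    # so tcpdump error text is never mistaken for a link type.
    dlts=$(awk '/^Data link types for / { seen = 1; next }
                seen && $1 ~ /^[A-Z0-9_]+$/ && $2 ~ /^\(/ { print $1 }' |
           paste -sd, -)
    case ",$dlts," in
        ,,)      verdict=unknown ;;     # no link types listed (error, no device)
        *,RAW,*) verdict=raw-ip ;;      # type the post saw being intercepted
        *)       verdict=not-raw-ip ;;  # e.g. NULL or PPP in the post's tests
    esac
    printf '%s %s %s\n' "$1" "${dlts:-none}" "$verdict"
}

# Live audit on macOS (run as root): walk the tunnel-style interfaces.
audit_live() {
    for ifc in $(ifconfig -l); do
        case $ifc in
            utun*|ppp*) tcpdump -L -i "$ifc" 2>&1 | classify_iface "$ifc" ;;
        esac
    done
}

# Offline demo using the three outputs quoted in the post.
demo() {
    printf 'Data link types for utun2 (use option -y to set):\n  RAW (Raw IP)\n' |
        classify_iface utun2
    printf 'Data link types for utun3 (use option -y to set):\n  NULL (BSD loopback)\n' |
        classify_iface utun3
    printf 'Data link types for ppp0 (use option -y to set):\n  PPP (PPP)\n' |
        classify_iface ppp0
}

case "${1:-}" in
    --live) audit_live ;;
    --demo) demo ;;
esac
```

Any interface reported as `not-raw-ip` is a candidate for the coverage gap described in the post and is worth alerting on from a separate monitoring path.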