Wonderful! Thanks this works great.
Thanks! Just tried the loadFileRepresentation method but in the completionHandler I am getting the following error:
Error copying file type com.apple.quicktime-movie. Error: Error Domain=NSItemProviderErrorDomain Code=-1000 "Cannot load representation of type com.apple.quicktime-movie" UserInfo={NSLocalizedDescription=Cannot load representation of type com.apple.quicktime-movie, NSUnderlyingError=0x600002153450 {Error Domain=NSItemProviderErrorDomain Code=-1 "Cannot copy file at URL file:///Users/filip/Library/Developer/CoreSimulator/Devices/7197B12A-3B5C-467E-99DD-B9A5C8DC7211/data/Containers/Shared/AppGroup/44298F88-8E9E-49E8-BCA3-E68877DC0BFC/File%20Provider%20Storage/3C2BCCBC-4474-491B-90C2-93DF848AADF5.mov." UserInfo={NSLocalizedDescription=Cannot copy file at URL file:///Users/filip/Library/Developer/CoreSimulator/Devices/7197B12A-3B5C-467E-99DD-B9A5C8DC7211/data/Containers/Shared/AppGroup/44298F88-8E9E-49E8-BCA3-E68877DC0BFC/File%20Provider%20Storage/3C2BCCBC-4474-491B-90C2-93DF848AADF5.mov., NSUnderlyingError=0x6000021534e0 {Error Domain=NSItemProviderErrorDomain Code=-1 "Cannot create a temporary file. Error: Undefined error: 0" UserInfo={NSLocalizedDescription=Cannot create a temporary file. Error: Undefined error: 0}}}}} Looks like it is indeed a bug?
So in the end I managed to make some progress. Getting all the IP4 routes and setting them manually seems to help.
But I discovered that Facebook Messenger is somehow bypassing my VPN. This is the only app that seems to do this. But even if I completely stop the traffic going through (just for the test), then nothing obviously works, but sending messages with Messenger works fine.
How is this possible?
Another point I discovered is that if I include the NEIPv4Route.default() then this alone causes Signal and WhatsApp to not work. 🤔
RE: my recent post. So actually the reason for Messenger circumventing the tunnel is that it somehow falls back to cellular data. It did not occur to me to investigate this option.
Yes, but I tried it with the cellular data turned off. So even if Messenger were to bind to this interface, it should not go through?
Found the enforceRoutes configuration property - https://developer.apple.com/documentation/networkextension/nevpnprotocol/3689459-enforceroutes
A Boolean value that indicates whether route rules for this tunnel take precedence over any locally defined routes.
Which kind of sounds like something I need, but setting it to true does nothing regarding Messenger.
Apologies for talking to myself there 🤪 but I made an interesting discovery. If I use the includeAllNetworks configuration - https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks, then this finally seems to rein in Messenger and does not let it around the tunnel.
That is great but it has the side-effect of once again breaking Signal, WhatsApp and probably other similar apps. I checked Signal debug logs and found that it cannot find a server by hostname, which suggested a DNS issue. So I re-added the DNS configuration, added these IPs to the excludedRoutes and now Signal works but only one way. I can send messages, they are delivered, but I cannot receive messages.
I still think that the fact that Messenger can just go around the tunnel is the main issue.
Hi,
From what I understand it appears this is not possible to set on-the-fly and it can be configured only when installing the profile.
In my testing includeAllNetworks behaves quite similarly to setting includedRoutes on the IPv4Settings to NEIPv4Route.default(). This could possibly be set when starting the tunnel, so you would need to stop and start again to toggle this.
Thanks for the clarifications. I am more than happy to not touch DNS.
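As an added example (not the poster's code, and not taken from Apple's documentation), here is the app-side piece the posts above are circling around: includeAllNetworks and enforceRoutes live on the protocol configuration of the NETunnelProviderManager, so they are fixed when the profile is saved rather than when the tunnel starts, and the same save/reload path is where a configuration that another VPN app's profile has disabled gets re-enabled. The provider bundle identifier, server address and description are assumed placeholders.

```swift
import NetworkExtension

// Assumed identifiers for illustration only.
let providerBundleID = "com.example.app.PacketTunnel"
let serverAddress    = "vpn.example.com"

/// Saves (or updates) our tunnel configuration with the given includeAllNetworks value.
/// includeAllNetworks / enforceRoutes are properties of NEVPNProtocol, which
/// NETunnelProviderProtocol inherits, so toggling them means saving a new
/// configuration and restarting the tunnel; they cannot be changed on a live tunnel.
func installOrUpdateTunnel(includeAllNetworks: Bool,
                           completion: @escaping (Result<NETunnelProviderManager, Error>) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, loadError in
        if let loadError = loadError { completion(.failure(loadError)); return }

        // Reuse our own manager if the profile is already installed, otherwise create one.
        let manager = managers?.first {
            ($0.protocolConfiguration as? NETunnelProviderProtocol)?.providerBundleIdentifier == providerBundleID
        } ?? NETunnelProviderManager()

        let proto = NETunnelProviderProtocol()
        proto.providerBundleIdentifier = providerBundleID
        proto.serverAddress = serverAddress
        proto.includeAllNetworks = includeAllNetworks   // all traffic must use the tunnel, no per-app fallback
        proto.enforceRoutes = true                      // tunnel routes win over locally defined routes
        proto.disconnectOnSleep = false

        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example tunnel"   // assumed name shown in Settings > VPN
        // Only one VPN configuration is enabled at a time; if the user selected another
        // app's profile, ours is disabled and startVPNTunnel fails until this is set again.
        manager.isEnabled = true

        manager.saveToPreferences { saveError in
            if let saveError = saveError { completion(.failure(saveError)); return }
            // Reload after saving so the in-memory object matches what was persisted.
            manager.loadFromPreferences { reloadError in
                if let reloadError = reloadError { completion(.failure(reloadError)); return }
                completion(.success(manager))
            }
        }
    }
}

/// Usage: re-save with the new flag value, then start. If a tunnel is already running,
/// stop it and wait for NEVPNStatus.disconnected before calling this.
func applyAndStart(includeAllNetworks: Bool) {
    installOrUpdateTunnel(includeAllNetworks: includeAllNetworks) { result in
        switch result {
        case .failure(let error):
            print("configuration failed: \(error)")
        case .success(let manager):
            do { try manager.connection.startVPNTunnel() }
            catch { print("start failed: \(error)") }
        }
    }
}
```

The flags set here apply system-wide at save time; the per-tunnel route list (includedRoutes, excludedRoutes, DNS) is still supplied by the provider extension when it calls setTunnelNetworkSettings.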
I tried using this crazy code to get all the routes:
```swift
import Foundation   // brings in Darwin: getifaddrs, getnameinfo, IFF_* flags

// The original snippet did not show this type; it is the (ip, netmask) pair the function returns.
struct NetInfo {
    let ip: String
    let netmask: String
}

/// Returns the numeric address and netmask of every interface that is up, running and not loopback.
/// (Originally a `class func` inside the poster's helper class.)
func getIFAddresses() -> [NetInfo] {
    var addresses = [NetInfo]()
    var ifaddr: UnsafeMutablePointer<ifaddrs>? = nil
    if getifaddrs(&ifaddr) == 0 {
        var ptr = ifaddr
        while let iface = ptr {
            let flags = Int32(iface.pointee.ifa_flags)
            // Keep interfaces that are UP and RUNNING, drop LOOPBACK.
            if (flags & (IFF_UP | IFF_RUNNING | IFF_LOOPBACK)) == (IFF_UP | IFF_RUNNING),
               let addr = iface.pointee.ifa_addr,
               addr.pointee.sa_family == UInt8(AF_INET) || addr.pointee.sa_family == UInt8(AF_INET6) {
                var hostname = [CChar](repeating: 0, count: Int(NI_MAXHOST))
                if getnameinfo(addr, socklen_t(addr.pointee.sa_len),
                               &hostname, socklen_t(hostname.count),
                               nil, 0, NI_NUMERICHOST) == 0,
                   let address = String(validatingUTF8: hostname) {
                    var netmaskName = [CChar](repeating: 0, count: Int(NI_MAXHOST))
                    // ifa_netmask can be nil for some address families; guard it instead of force-unwrapping.
                    if let net = iface.pointee.ifa_netmask,
                       getnameinfo(net, socklen_t(net.pointee.sa_len),
                                   &netmaskName, socklen_t(netmaskName.count),
                                   nil, 0, NI_NUMERICHOST) == 0,
                       let netmask = String(validatingUTF8: netmaskName) {
                        addresses.append(NetInfo(ip: address, netmask: netmask))
                    }
                }
            }
            ptr = iface.pointee.ifa_next
        }
        freeifaddrs(ifaddr)
    }
    return addresses
}
```
Which seemed to work.
Does the ordering of includedRoutes matter? Since I tried to claim all routes the above code returned (for IPv4 anyway) and then also the default() route, which seemed to break a few apps.
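Added example (not the poster's code): turning the (ip, netmask) pairs from a function like the one above into NEIPv4Route entries for the provider's NEPacketTunnelNetworkSettings. NEIPv4Route takes a network address, so the host bits have to be masked off first; IPv6 entries are skipped here. The tunnel addresses, the DNS list and the MTU are assumed placeholders. The kernel routing table selects routes by longest prefix match, so the position of an entry in includedRoutes does not decide which route wins; the default route is simply appended last when everything should be claimed.

```swift
import NetworkExtension
import Darwin

// Same shape as the value type returned by getIFAddresses() above (assumed name).
struct NetInfo {
    let ip: String
    let netmask: String
}

/// Network address for an IPv4 host/mask pair, e.g. 192.168.1.42 + 255.255.255.0 -> 192.168.1.0.
/// Returns nil for anything inet_pton(AF_INET) cannot parse, which drops IPv6 entries.
func ipv4NetworkAddress(ip: String, netmask: String) -> String? {
    var addr = in_addr(), mask = in_addr()
    guard inet_pton(AF_INET, ip, &addr) == 1, inet_pton(AF_INET, netmask, &mask) == 1 else { return nil }
    // s_addr is already in network byte order on both sides, so a plain AND is correct.
    var network = in_addr(s_addr: addr.s_addr & mask.s_addr)
    var buf = [CChar](repeating: 0, count: Int(INET_ADDRSTRLEN))
    guard inet_ntop(AF_INET, &network, &buf, socklen_t(buf.count)) != nil else { return nil }
    return String(cString: buf)
}

/// One route per local IPv4 network, plus the default route at the end when claimAll is set.
func includedIPv4Routes(from infos: [NetInfo], claimAll: Bool) -> [NEIPv4Route] {
    var routes: [NEIPv4Route] = []
    for info in infos {
        guard let network = ipv4NetworkAddress(ip: info.ip, netmask: info.netmask) else { continue }
        routes.append(NEIPv4Route(destinationAddress: network, subnetMask: info.netmask))
    }
    if claimAll { routes.append(NEIPv4Route.default()) }
    return routes
}

/// Builds the settings the provider passes to setTunnelNetworkSettings(_:completionHandler:).
func makeTunnelSettings(localNetworks: [NetInfo], dnsServers: [String]) -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "10.0.0.1")          // assumed
    let ipv4 = NEIPv4Settings(addresses: ["10.0.0.2"], subnetMasks: ["255.255.255.0"])     // assumed
    ipv4.includedRoutes = includedIPv4Routes(from: localNetworks, claimAll: true)
    // Host routes for the resolvers keep DNS reachable outside the tunnel, as described above.
    ipv4.excludedRoutes = dnsServers.map { NEIPv4Route(destinationAddress: $0, subnetMask: "255.255.255.255") }
    settings.ipv4Settings = ipv4
    settings.dnsSettings = NEDNSSettings(servers: dnsServers)
    settings.mtu = 1400                                                                    // assumed
    return settings
}

// Usage with constructed sample data (not captured from a device):
let sample = [NetInfo(ip: "192.168.1.42", netmask: "255.255.255.0"),
              NetInfo(ip: "fe80::1", netmask: "ffff:ffff:ffff:ffff::")]   // IPv6 entry is skipped
let example = makeTunnelSettings(localNetworks: sample, dnsServers: ["1.1.1.1"])
```

With the sample above, includedRoutes contains 192.168.1.0/255.255.255.0 followed by the default route, and excludedRoutes contains the single host route for 1.1.1.1.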
Is it possible that this is not getting called? I had a couple of os_logs there and nothing in the console.
Yes, this works fine when it is the first install or user hasn't used any other VPN app.
The issue happens when my profile has been installed and user has other VPN app which makes its VPN profile the active one.
Yea, sorry. This is indeed an iOS app.
I have tried the loadFromPreferences(completionHandler:) method, which works fine (without errors), but when I try to start the tunnel again I get the same error about the configuration being disabled.
I understand that only one VPN configuration may be active at any given point, but this happens when other VPNs aren't running, just that their profile is selected in the Settings > VPN section.
Console.app shows just this when trying to start the tunnel:
Received an IPC establish request
Cannot establish IPC with 2500 because IPC is already in the process of being established
startVPNTunnel can be passed options, but I couldn't find anything in the docs. Maybe here I could somehow specify to re-enable the configuration?
Previously I also tried to re-install the entire profile, but that did not solve this problem.
Thanks, I will do more checking for these two processes.
As far as I know these apps that I am manually enabling/selecting in the VPN Settings should be the same category as my app is. The difference is that when my app is selected, these other apps are able to start their tunnels just fine, while mine shows the error mentioned.
So I created a test app and requests from it behave as expected. If the domain is set via matchDomains it gets "routed" to my VPN.
But the Instagram example does not work like this. The app uses i.instagram.com and graph.instagram.com - but even if I try to add them to matchDomains it doesn't work. When matchDomains is [""] - then Instagram and other apps get "routed" to my VPN.
I am using the NEProxySettings as part of the NEPacketTunnelNetworkSettings so I can set my local proxy server as the destination for connections.
The reason for my matchDomains experiments is that I need to reduce battery consumption and since there are predefined domains that my VPN needs to handle (and can ignore the rest), I am trying to use this settings to use the tunnel only for connections when really necessary.
So I did more testing and so far what I found is that the matchDomains actually seems to work correctly, but not for instagram.com as I already mentioned. I really have no idea why this domain does not work, since I can see the connections in the debug console. From the apps I tried Twitter for example with twitter.com as match and it worked fine for website and app.
I also tried subdomains like api.example.com and it works as expected.
Is this possibly worth a TSI report? But I don't think there is anything else configuration-wise that I could try?
Well, my use case is a bit different and it is not intended as a traditional VPN. It is closer to tools like Charles Proxy or Proxyman.
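Added example (not the poster's code) of the NEProxySettings part of a packet tunnel's network settings as described above: a local proxy listening in the extension and a matchDomains list so only connections to the listed domains are sent to it. The second function expresses the same host rule as a PAC script, which NEProxySettings also accepts through proxyAutoConfigurationJavaScript; it is offered as the other API route for per-host decisions, not as a fix for the instagram.com behaviour reported above. Addresses, port and domains are assumed placeholders.

```swift
import NetworkExtension

/// Tunnel settings that intercept only the given domains via a local proxy.
/// An empty-string entry in matchDomains matches every domain (the "everything" case above).
func makeProxyTunnelSettings(interceptDomains: [String], proxyPort: Int = 8888) -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "127.0.0.1")        // assumed
    let ipv4 = NEIPv4Settings(addresses: ["10.0.0.2"], subnetMasks: ["255.255.255.0"])     // assumed
    // A small route keeps the interface up; the proxy settings, not the routes, decide what is intercepted.
    ipv4.includedRoutes = [NEIPv4Route(destinationAddress: "10.0.0.0", subnetMask: "255.255.255.0")]
    settings.ipv4Settings = ipv4

    let proxy = NEProxySettings()
    proxy.httpEnabled = true
    proxy.httpServer = NEProxyServer(address: "127.0.0.1", port: proxyPort)   // local proxy in the extension
    proxy.httpsEnabled = true
    proxy.httpsServer = NEProxyServer(address: "127.0.0.1", port: proxyPort)
    proxy.excludeSimpleHostnames = true
    proxy.matchDomains = interceptDomains   // e.g. ["twitter.com", "api.example.com"], subdomains included
    settings.proxySettings = proxy
    return settings
}

/// PAC equivalent of the matchDomains list: exact host or any subdomain goes to the proxy,
/// everything else is DIRECT. Assign the result to NEProxySettings.proxyAutoConfigurationJavaScript
/// together with autoProxyConfigurationEnabled = true.
func pacScript(for domains: [String], proxyPort: Int = 8888) -> String {
    let tests = domains
        .map { "host === \"\($0)\" || dnsDomainIs(host, \".\($0)\")" }
        .joined(separator: " || ")
    return """
    function FindProxyForURL(url, host) {
        if (\(tests)) { return "PROXY 127.0.0.1:\(proxyPort)"; }
        return "DIRECT";
    }
    """
}

// Usage with constructed values:
let intercepting = makeProxyTunnelSettings(interceptDomains: ["twitter.com", "api.example.com"])
let pac = pacScript(for: ["twitter.com", "api.example.com"])
```

The `host === "x" || dnsDomainIs(host, ".x")` pair avoids the classic PAC mistake where `dnsDomainIs(host, "example.com")` also matches `notexample.com`.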