I already asked about this flag here - https://developer.apple.com/forums/thread/653116?login=true&page=1#622394022
but I just saw this thread, so I'll try to ask it here as well:
Regarding the first point - "all traffic will be dropped if tunnel is not up":
I've set this flag, saved the VPN profile, and now I want to create the tunnel. The problem is that all the traffic is blocked, so I can't create my tunnel if I have no traffic. All my getaddrinfo calls fail, and all the traffic from my extension fails even though I still haven't called the completionHandler of the startTunnel function.
How can I solve it?
It's not only about restarting a tunnel that existed before; it also happens when creating it for the first time. Even if I simulate a new user - just creating a profile with includeAllNetworks = true and starting the VPN for the first time - I have the above problem.
Doing the same thing with includeAllNetworks = false, there's no problem at all.
Removing the profile also works.
It's just this flag which causes the problem - all the traffic in the extension gets blocked, even if it's the first time I'm trying to create the tunnel.
Is it possible that I must use createUDPSessionThroughTunnel at the extension for this case?
In addition, it sounds reasonable that traffic coming from the extension should not be blocked.
No, no custom NEDNSSettings.
I think the basic question is: why is the traffic blocked before there's even a tunnel?
Another comment:
I didn't call the completionHandler of startTunnel in the extension, so I would expect traffic to still pass outside the tunnel until the tunnel is established.
Removing 'includeAllNetworks' and restarting the VPN resolves all the errors. There are no logs like 'host unreachable error for DNS server'.
Setting 'includeAllNetworks' and restarting the VPN will print those logs.
I'm not using a local DNS server; I'm just calling getaddrinfo, which is supposed to query public DNS servers.
More details:
The problem is that I can't connect at all: in order to connect I need to get responses from getaddrinfo, but as I said, getaddrinfo fails. I also tried libcurl, which also failed.
I've set includeAllNetworks and tried to connect: my extension uses some C code to establish the connection using BSD sockets and "low-level" code. I'm not using high-level functions like 'createUDPSessionThroughTunnelToEndpoint' in the extension.
Since I can't connect I don't have the tunnel: I create the tunnel only after I've found the server's IP, so how can the traffic go only via a tunnel which doesn't exist yet?
P.S. sorry for the delay.
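As an added illustration of the sequence described in this post (it is not the poster's code and not Apple sample code), the Swift sketch below shows the two halves involved: the host app saving a profile with includeAllNetworks set, and a packet tunnel provider whose startTunnel resolves the server name with plain getaddrinfo, as the post describes, before any tunnel settings are applied and before completionHandler is called. The bundle identifier, server name, tunnel addresses and DNS server are placeholder values.

```swift
import NetworkExtension
import Darwin

// --- Host app side: save a profile with the flag under discussion. ---
// "com.example.vpn.tunnel" and "vpn.example.com" are placeholder values.
func saveProfile(includeAllNetworks: Bool, completion: @escaping (Error?) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }
        let manager = managers?.first ?? NETunnelProviderManager()
        let proto = NETunnelProviderProtocol()
        proto.providerBundleIdentifier = "com.example.vpn.tunnel"  // placeholder
        proto.serverAddress = "vpn.example.com"                     // placeholder
        proto.includeAllNetworks = includeAllNetworks               // the flag from the thread
        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example VPN"
        manager.isEnabled = true
        manager.saveToPreferences(completionHandler: completion)
    }
}

// --- Extension side: resolve first, build the tunnel second. ---
// Plain getaddrinfo, as in the post, rather than createUDPSessionThroughTunnel.
func resolveIPv4(_ host: String) -> String? {
    var hints = addrinfo()
    hints.ai_family = AF_INET
    hints.ai_socktype = SOCK_STREAM
    var result: UnsafeMutablePointer<addrinfo>?
    guard getaddrinfo(host, nil, &hints, &result) == 0, let info = result else {
        return nil   // the call the poster reports failing with includeAllNetworks = true
    }
    defer { freeaddrinfo(info) }
    var buffer = [CChar](repeating: 0, count: Int(NI_MAXHOST))
    let rc = getnameinfo(info.pointee.ai_addr, info.pointee.ai_addrlen,
                         &buffer, socklen_t(buffer.count), nil, 0, NI_NUMERICHOST)
    return rc == 0 ? String(cString: buffer) : nil
}

class PacketTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        let serverHost = protocolConfiguration.serverAddress ?? "vpn.example.com"  // placeholder

        // Step 1: DNS lookup. No tunnel exists yet and completionHandler has not been called.
        guard let serverIP = resolveIPv4(serverHost) else {
            completionHandler(NEVPNError(.connectionFailed))
            return
        }

        // Step 2 (not shown here): open the control/data channel to serverIP with BSD sockets.

        // Step 3: only now does the tunnel get its settings. Placeholder addresses and DNS server.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: serverIP)
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
        ipv4.includedRoutes = [NEIPv4Route.default()]   // full tunnel; a narrower list is a split tunnel
        settings.ipv4Settings = ipv4
        settings.dnsSettings = NEDNSSettings(servers: ["10.8.0.1"])
        setTunnelNetworkSettings(settings) { error in
            // Step 4: signal the system; before this point the tunnel is not up.
            completionHandler(error)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```

The point of the ordering is that every network call in step 1 and step 2 runs while the provider has not yet reported a tunnel, which is exactly the window the thread asks about; toggling the includeAllNetworks argument of saveProfile is the reproduction the poster describes.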
Bumping this old thread.
Now this issue happened to one of my users. Failed saving to keychain with error: -25291.
I just asked them to restart their Mac, I'll report back with the results.
But if it reproduces, can I ask them to run sysdiagnose on their Mac, or is that just for developers? What else can I do? They already sent me their Console logs.
And a related question: if in the extension I configured a split tunnel (only some routes in includedRoutes), how does it work with includeAllNetworks, which is supposed to send all traffic through the tunnel?
(I wanted to fix some typos, but I can't edit questions on the new forums)
Thanks for the answer, I've submitted a feedback - FB7772323
Thanks for all the detailed answers!
And 'one more thing' ;) - the above questions I asked are relevant both for iOS and macOS
Thanks for both of you for the answers!
And regarding 'includeAllNetworks': it sounds similar to always-on, but I want to force the user to always use the VPN, or he won't have traffic, without giving him the option to disable this behaviour (so he won't be able to uncheck on-demand, for example). Is it possible? This way it would behave just like always-on when the user is not allowed to stop automatic connections.
Great, now that I know it should reconnect after restarting the device, I'll spend more time investigating this. Thanks!