Packet Tunnel and emails

I've implemented a VPN app with Packet Tunnel Provider for iOS.

I did the following test:

- I configured a VPN with an on-demand rule to always connect

- I connected the VPN.

- My server would accept my user one time only, so trying to connect a second time will fail

- I let the iPhone enter sleep mode, to get the tunnel disconnected. When it wakes up and tries to reconnect, it won't succeed, but it will keep trying because of the on-demand rules. This will leave the device without network access.

- After something like 15 min, I sent a mail from my Mac to my user on the iPhone.

- I woke my iPhone


What happened is that the iPhone didn't have network access (the tunnel was down, but everything was routed to it, as expected) and it tried to connect to the VPN and failed. But the iPhone still received the mail somehow, even though it didn't have an internet connection.


How is it possible? Are emails excluded from the tunnel?

Almost all the traffic should pass via the tunnel since I included the default route for IPv4.


To my knowledge there are no email exclusions for the tunnel.

| How is it possible? Are emails excluded from the tunnel?


You mentioned that everything was routed to the tunnel as expected, the VPN failed to connect, but you received the mail anyway. My question is, do you have any on-demand connection rules specifically around email or a domain that your email may be associated with that trigger this on demand connection for mail rather than other traffic?

| What happened is that the iPhone didn't have network access (the tunnel was down, but
| everything was routed to it, as expected) and it tried to connect to the VPN and failed. But
| the iPhone still received the mail somehow, even though it didn't have an internet connection.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

The onDemandRules contains only one rule, an NEOnDemandRuleConnect, without any conditions to match, so it always applies:

// A single connect rule with no match conditions: it matches every network attempt
let onDemandRuleConnect = NEOnDemandRuleConnect()
myVpn.onDemandRules = [onDemandRuleConnect]


This is the description of the NEOnDemandRuleConnect class:

When rules of this class match, the VPN connection is started whenever an application running on the system
opens a network connection. Network connectivity will be blocked until the VPN is connected.



So whenever there's traffic, the VPN should try to connect, but as I said above, it will fail. So AFAIK, all the traffic should be blocked, including the incoming email.


I have a guess that might explain it, but I don't know if it's true:

If the emails are pushed to the device from the mail server (as opposed to being fetched by the iPhone), and according to the above description, "the VPN connection is started whenever an application running on the system opens a network connection", maybe it's not considered to be opening a network connection?

In this case the general onDemandRule that you have set for the VPN does not guarantee that any application's traffic will go through the VPN. Configuring a per-app VPN would allow you to associate the network traffic for an app to a VPN. This is why you are seeing the mail traffic come through even though your VPN may not be connected.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Thanks for the reply, but it's kind of surprising. I checked the documentation now, and this is probably the relevant part (which I never noticed before, taken from https://developer.apple.com/documentation/networkextension/netunnelprovidermanager):

The Per-App VPN app rules serve as both routing rules and VPN On Demand rules. 
This is in contrast to IP destination-based routing, where the VPN On Demand rules are configured separately
from the routing rules. When the onDemandEnabled property is set to true and an app that matches the
Per-App VPN rules attempts to communicate over the network, the VPN will be started automatically.


So can you explain what will happen in the above case, where the VPN is not per-app and I set the onDemandRules to "always connect"?

Which traffic will start the VPN? And once the VPN is enabled, if I understand correctly not all the app's traffic is guaranteed to go through the VPN, is that correct (the mail app didn't trigger the VPN to start, but if the VPN was already running, would the mail go via the VPN or bypass it)?

And final question - Is it related to onDemand at all? If I set the VPN to be not per app and not onDemand, and I start the VPN, then it's the same scenario where not all traffic must go through it?



P.S - I can't use the per-app because not all of my users have MDM system.

The only way to configure Per-App VPN is by enrolling the device in a Mobile Device Management (MDM) system,
and then linking apps that are managed by the MDM system with a VPN configuration created 
from a com.apple.vpn.managed.applayer configuration profile payload

The onDemandRule will attempt to connect the VPN, but it will do so using the default route, or destination IP address.

| So can you explain what will happen in the above case, where the VPN is not per-app and
| I set the onDemandRules to "always connect"?


For a personal VPN (not per-app or always-on) that is configured and whose tunnel connection is started, it is not the case that network traffic triggers the VPN like per-app would.

| Which traffic will start the VPN?

| And once the VPN is enabled, if I understand correctly
| not all the app's traffic is guaranteed to go through the VPN,


In a personal VPN configuration the mail app did not trigger the VPN to start. If the VPN was already running then the default route would attempt to route this traffic.

| is that correct (the mail app didn't trigger the VPN to start, but if the VPN was already
| running, would the mail go via the VPN or bypass it)?


If you set the VPN to per-app and then initiated a network connection, the VPN will kick on at that point, if it is not already on when the process comes alive. The reason I had asked more about your onDemandRules is because I wanted to learn more about the type of VPN you had configured and the rules that were configured with it.

| And final question - Is it related to onDemand at all? If I set the VPN to be not per

| app and not onDemand, and I start the VPN, then it's the same scenario where not all

| traffic must go through it?



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

First, thanks for the detailed answer!


But as for my VPN, this is an enterprise VPN (and not a personal VPN), it was created with NETunnelProviderManager, and this is the documentation for the NETunnelProviderManager class:

VPN configurations created using NETunnelProviderManager are classified as regular enterprise VPN configurations
(as opposed to the Personal VPN configurations created by NEVPNManager).


Also, it's not a per-app VPN (so it can't be always-on), but it's an enterprise VPN, with onDemandRules to try connecting whenever there's traffic.

Accepted Answer (answered by Systems Engineer in 404805022)

Ah, this makes sense. The Enterprise VPN and Personal VPN work in a very similar way in how they are activated. For example, I mentioned that a personal VPN is configured and started. The onDemandRule will attempt to keep the VPN connected using the default route, but the VPN is not started based on network activity. This is very similar to how an Enterprise VPN would work. The difference between the two is that the Enterprise VPN takes precedence on the system over a Personal VPN and only one Enterprise VPN can be running at a time.


Going back to your original question, in an Enterprise VPN configuration the mail app did not trigger the VPN to start. If the VPN was already running then the default route would attempt to route this traffic.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Thanks for all the help (and also for the patience 🙂)
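An added example, not code from the thread or from Apple, that puts the two halves of the configuration discussed above side by side: the app side, saving a NETunnelProviderManager (enterprise VPN) with the single NEOnDemandRuleConnect from the original post, and the extension side, a NEPacketTunnelProvider claiming the IPv4 default route. It also shows the setting this thread predates: on iOS 14.2 and later, NEVPNProtocol.includeAllNetworks asks the system to route all traffic to the tunnel and drop what cannot use it, which is the fail-closed behaviour the original test expected from on-demand alone. The provider bundle identifier, server name and tunnel addresses are placeholders; the availability check is an assumption about the deployment target.

```swift
import NetworkExtension

// --- App side: save the enterprise VPN configuration and start it once. ---
// Placeholders (not from the thread): bundle id, server, addresses.
func saveAndStartVPN(completion: @escaping (Error?) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, loadError in
        if let loadError = loadError { completion(loadError); return }
        // Reuse a previously saved configuration instead of creating duplicates.
        let manager = managers?.first ?? NETunnelProviderManager()

        let proto = NETunnelProviderProtocol()
        proto.providerBundleIdentifier = "com.example.vpn.PacketTunnel" // placeholder
        proto.serverAddress = "vpn.example.com"                          // placeholder

        // iOS 14.2+: make the tunnel fail closed. Without this, on-demand only
        // decides *when to start* the VPN; a failed start leaves the device on
        // its normal network, which is what the thread observed with Mail.
        if #available(iOS 14.2, *) {
            proto.includeAllNetworks = true
            proto.excludeLocalNetworks = true // keep printers/AirPlay on the LAN reachable
        }
        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example VPN"

        // The original post's rule: one connect rule, no match conditions,
        // so it matches every network attempt on every interface type.
        let connectRule = NEOnDemandRuleConnect()
        connectRule.interfaceTypeMatch = .any
        manager.onDemandRules = [connectRule]
        manager.isOnDemandEnabled = true
        manager.isEnabled = true

        manager.saveToPreferences { saveError in
            if let saveError = saveError { completion(saveError); return }
            // Reload before starting: the saved object must be refreshed from
            // preferences before connection.startVPNTunnel() will accept it.
            manager.loadFromPreferences { reloadError in
                if let reloadError = reloadError { completion(reloadError); return }
                do {
                    try manager.connection.startVPNTunnel()
                    completion(nil)
                } catch {
                    completion(error)
                }
            }
        }
    }
}

// --- Extension side: the packet tunnel provider takes the IPv4 default route. ---
class PacketTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: Any]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Addresses are constructed for the example (RFC 5737 / RFC 1918 ranges).
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.1")
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
        ipv4.includedRoutes = [NEIPv4Route.default()] // "almost all traffic" goes to the tunnel
        settings.ipv4Settings = ipv4
        settings.dnsSettings = NEDNSSettings(servers: ["10.8.0.1"]) // resolver inside the tunnel
        settings.mtu = 1400

        setTunnelNetworkSettings(settings) { error in
            if let error = error { completionHandler(error); return }
            // A real provider authenticates to the server here and then starts
            // the packet loop with self.packetFlow.readPackets { ... }.
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```

The routing half is what the original post already had; the accepted answer explains why it was not enough: the default route exists only while the tunnel is up, and on-demand does not hold traffic back while it retries. If the tunnel has to be fail-closed without MDM and per-app VPN, includeAllNetworks is the first-party option; on earlier systems there is no supported way to get that guarantee from an on-demand NETunnelProviderManager configuration.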
