Network connectivity while VPN is connecting

I would expect that the network traffic is operational on the system until the VPN is connected and the default route can attempt to route the traffic.

One possibility is that the onDemandRule is delaying traffic on the system while attempting to establish the VPN tunnel. Test this with the onDemandRule disabled and this should provide you with a path to investigate further. If you see traffic active while the tunnel is established then you know the onDemandRule was delaying traffic.

Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

I just checked it, and it's correct.

If onDemand is disabled, there is traffic when the tunnel is established.

If onDemand is enabled, there isn't any trafic when the tunnel is established, even if I'm starting the tunnel myself, without waiting for the onDemandRule to trigger the VPN.

So thanks for the answer.

Should I open a bug for this? Or is it somehow the expected behavior?

No problem. Glad to help out.

I would expect that this is working as intended. However, for further documentation, or to cover any possible edge case missed here it is always good to open up a bug anyways to provide further insight into these situations.

Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Or is it somehow the expected behavior?

Probably this.

Matt and I chatted about your question recently and we came up with scenario we’d like to outline. Imagine you’re volunteering as a sysadmin for the Waffle Varnish Cooperative™, who has a public web site

www.waffle-varnish.org

and a CRM system at

crm.waffle-varnish.org

. The latter is only available to staff over a VPN. You want to set up VPN On Demand so that when a staff member enters

crm.waffle-varnish.org

into a browser, it starts the VPN. In this case, the browser’s outgoing connection must be placed on hold until the VPN comes up. If not, the browser will fail to connect because

crm.waffle-varnish.org

isn’t available on the public Internet. The user will have to manually retry. This is clearly suboptimal.

Now think about what happens if you set up VPN On Demand too ‘wide’, for example, to cover all of

waffle-varnish.org

. Now the staff member’s connections to the public web site will be held up waiting for VPN On Demand, even though that’s not necessary.

Now, if VPN On Demand is holding up unrelated connections, that would definitely be bugworthy. But if it’s holding up connections that match the on demand rules, that’s the correct behaviour.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Great, sounds now very reasonable to behave this way.

Thanks for both of you for the quick and helpful replies!