Packet Tunnel Provider - local networks

I've implemented VPN apps (for iOS and for macOS) with Packet Tunnel Provider.

The includedRoutes contains all the IPv4 default routes:

newSettings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]

My question is regarding local networks:

If I'm not using split tunnel (not including/excluding any other route), what happens to traffic to the local network? By local network I mean the network the device is connected to without the client.

I expected that all traffic should go to the tunnel, but I see that I'm able to access resources on my local network even when the tunnel is up.


In addition to that, I checked the new flag, includeAllNetworks, which is relevant only to macOS:

If this flag is set, I can't access the local network when the VPN is up.


So the question is how to configure if the user is able or unable to access resources on his local tunnel.

Maybe using the above flag is the answer? And if it is the answer, then what about iOS?

Edit: When includeAllNetworks is set, sometimes I don't have traffic at all, and I see some errors at the Console, not sure if it's related.

If you are seeing local access to resources over IPv4, is this network traffic not passing through the packet tunnel? If this traffic is not passing through the tunnel, are you sure it is over IPv4 and not IPv6?

| I expected that all traffic should go to the tunnel, but I see that I'm able to access resources on my local network even when the tunnel is up.


Which are you looking to configure? Are you looking for all traffic over IPv4 to go through the tunnel, no matter what it's accessing?

| So the question is how to configure if the user is able or unable to access resources on his local tunnel.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

I think that this traffic isn't passing through the tunnel - all the traffic for the tunnel is sent outside, so the tunnel shouldn't have access to the local resources.


And for example, let's say I have something like this:

This is my local network:

net 192.168.1.122 netmask 0xffffff00 broadcast 192.168.1.255

And when I'm starting the VPN I set this

ipv4Settings = NEIPv4Settings(addresses: ["10.41.50.8"], subnetMasks: ["255.255.255.255"]) // addresses and masks are String arrays

so the TUN interface has IPv4 address 10.41.50.8 with a netmask 255.255.255.255.

If all traffic goes via the tunnel, the tunnel shouldn't have access to the resources on my LAN.




Are you looking for all traffic over IPv4 to go through the tunnel, no matter what it's accessing?

First I want to know how it is supposed to work - should all traffic go via the tunnel, or should traffic for the LAN not reach it at all?

Then, I would like to know how to configure it, so every customer can choose what he wants (as for now I told them to use split tunnel; I'm not sure if it's correct or if there are any other ways).


And the final part - the reason I asked is because I got a question from a customer. He has the following configuration:

iOS device (iPad) IP: 172.16.0.x/12

Local resource 172.27.252.12

Remote resource 172.27.252.12

Customer is seeing traffic sent to the local resource and not to the remote resource when the VPN is connected.
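Why the local resource wins in this scenario follows from ordinary longest-prefix-match route selection: 172.27.252.12 lies inside 172.16.0.0/12, the subnet the iPad is directly connected to, and a /12 connected route is more specific than the 0.0.0.0/0 route that NEIPv4Route.default() installs via the tunnel. The Swift below is an added illustration, not code from this thread or from Apple; it models only those two routes (the Wi-Fi default route is left out as a simplification, since the tunnel's default route takes precedence over it once the tunnel is up), and the interface names "en0" and "utun" and the extra 172.27.252.0/24 route are constructed for the example. With the plain full-tunnel table the lookup for 172.27.252.12 picks en0, while 8.8.8.8 goes to utun; once the tunnel also claims 172.27.252.0/24, the lookup for 172.27.252.12 picks utun.

```swift
// Added illustration of longest-prefix-match route selection (not from the thread).
// Interface names "en0" and "utun" and the 172.27.252.0/24 route are constructed.

struct Route {
    let network: String   // dotted-quad network address
    let prefix: Int       // prefix length 0...32
    let via: String       // interface the route points at
}

/// Parse a dotted quad into a 32-bit integer; nil on malformed input.
func ipv4ToInt(_ text: String) -> UInt32? {
    let octets = text.split(separator: ".", omittingEmptySubsequences: false)
        .compactMap { UInt8($0) }
    guard octets.count == 4 else { return nil }
    return octets.reduce(UInt32(0)) { ($0 << 8) | UInt32($1) }
}

/// Netmask for a prefix length; a /0 mask is all zeros.
func netmask(prefix: Int) -> UInt32 {
    guard prefix > 0 else { return 0 }
    return UInt32.max << UInt32(32 - prefix)
}

/// Pick the matching route with the longest prefix (the most specific route wins).
func bestRoute(for destination: String, in table: [Route]) -> Route? {
    guard let dst = ipv4ToInt(destination) else { return nil }
    var best: Route? = nil
    for route in table {
        guard let net = ipv4ToInt(route.network) else { continue }
        let mask = netmask(prefix: route.prefix)
        guard (dst & mask) == (net & mask) else { continue }
        if let current = best, route.prefix <= current.prefix { continue }
        best = route
    }
    return best
}

// The customer's iPad: 172.16.0.x/12 on Wi-Fi plus a full-tunnel VPN that
// claims NEIPv4Route.default().
let fullTunnel = [
    Route(network: "172.16.0.0", prefix: 12, via: "en0"),   // connected subnet
    Route(network: "0.0.0.0",    prefix: 0,  via: "utun"),  // NEIPv4Route.default()
]

// Same table, plus a more specific route for the remote resource's /24 claimed
// by the tunnel (constructed for the example).
let withSpecificRoute = fullTunnel + [
    Route(network: "172.27.252.0", prefix: 24, via: "utun"),
]

let resource = "172.27.252.12"
print(resource, "->", bestRoute(for: resource, in: fullTunnel)?.via ?? "no route")
print(resource, "->", bestRoute(for: resource, in: withSpecificRoute)?.via ?? "no route")
print("8.8.8.8 ->", bestRoute(for: "8.8.8.8", in: fullTunnel)?.via ?? "no route")
```

The practical consequence for a provider is that claiming the default route alone never overrides routes the device already has for its own subnet; a tunnel that must win for an overlapping private range has to claim a route at least as specific as the connected one, or the app has to ask the system to claim everything with includeAllNetworks.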

How it's supposed to work will be based on your NEIPv4Settings and your NEIPv4Routes

| First I want to know how it is supposed to work - should all traffic go via the tunnel, or should traffic for the LAN not reach it at all?


To claim all traffic you would probably want to go back to your first example to run a full tunnel with NEIPv4Route.default(). For running a split tunnel and claiming only part of the traffic you could go with a similar configuration to what you have.

let ipv4Settings = NEIPv4Settings(addresses: ["x.x.x.x"], subnetMasks: ["255.255.255.255"])
// Claim only the x.x.x.x/24 network; everything else stays on the physical interface.
ipv4Settings.includedRoutes = [ NEIPv4Route(destinationAddress: "x.x.x.x", subnetMask: "255.255.255.0") ]

let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "x.x.x.x")
settings.ipv4Settings = ipv4Settings


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com
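The two configurations side by side, as an added example that is neither Matt's code nor Apple sample code: the first function builds full-tunnel settings that claim the default route and additionally list the remote 172.27.252.0/24 so that the tunnel's route is at least as specific as a connected subnet of the same range; the second builds split-tunnel settings that claim only the networks passed in and keep the 192.168.1.0/24 LAN explicitly outside the tunnel. The third function shows where includeAllNetworks and excludeLocalNetworks actually live: on the NETunnelProviderProtocol that the containing app saves with its manager, not on the provider's NEPacketTunnelNetworkSettings. The prefixes, the DNS server, the bundle identifier and the OS versions in the availability check are placeholders or recollections chosen for the example and should be checked against the NetworkExtension documentation for your deployment target.

```swift
import NetworkExtension

// Added example (not from the thread). Prefixes, the DNS server and the bundle
// identifier below are placeholders for illustration.

/// Full tunnel: claim the default route. A connected subnet such as 172.16.0.0/12
/// is more specific than 0.0.0.0/0, so remote networks that may overlap the LAN
/// are listed too, making the tunnel's route at least as specific.
func makeFullTunnelSettings(serverAddress: String, tunnelAddress: String)
    -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: serverAddress)
    let ipv4 = NEIPv4Settings(addresses: [tunnelAddress], subnetMasks: ["255.255.255.255"])
    ipv4.includedRoutes = [
        NEIPv4Route.default(),
        NEIPv4Route(destinationAddress: "172.27.252.0", subnetMask: "255.255.255.0"),
    ]
    // ipv4Settings is nil on a fresh settings object; assign it rather than
    // optional-chaining into it, or the routes are never applied.
    settings.ipv4Settings = ipv4
    settings.dnsSettings = NEDNSSettings(servers: ["10.41.50.1"]) // placeholder resolver
    return settings
}

/// Split tunnel: claim only the listed networks and keep the 192.168.1.0/24 LAN
/// explicitly outside the tunnel.
func makeSplitTunnelSettings(serverAddress: String, tunnelAddress: String,
                             claimed: [(address: String, mask: String)])
    -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: serverAddress)
    let ipv4 = NEIPv4Settings(addresses: [tunnelAddress], subnetMasks: ["255.255.255.255"])
    ipv4.includedRoutes = claimed.map {
        NEIPv4Route(destinationAddress: $0.address, subnetMask: $0.mask)
    }
    ipv4.excludedRoutes = [
        NEIPv4Route(destinationAddress: "192.168.1.0", subnetMask: "255.255.255.0"),
    ]
    settings.ipv4Settings = ipv4
    return settings
}

/// Containing-app side: the all-or-nothing switches are NEVPNProtocol properties
/// saved with the NETunnelProviderManager, not part of NEPacketTunnelNetworkSettings.
func makeProtocolConfiguration(serverAddress: String,
                               forceAllTraffic: Bool,
                               keepLocalNetworks: Bool) -> NETunnelProviderProtocol {
    let proto = NETunnelProviderProtocol()
    proto.providerBundleIdentifier = "com.example.vpn.tunnel" // placeholder
    proto.serverAddress = serverAddress
    // Availability versions are as recalled, not taken from the thread; verify them
    // against the NEVPNProtocol documentation for your deployment target.
    if #available(iOS 14.2, macOS 10.15, *) {
        proto.includeAllNetworks = forceAllTraffic
        // Only meaningful together with includeAllNetworks.
        proto.excludeLocalNetworks = keepLocalNetworks
    }
    return proto
}

// Inside NEPacketTunnelProvider.startTunnel(options:completionHandler:) the provider
// would then call, for example:
//     let settings = makeFullTunnelSettings(serverAddress: "y.y.y.y", tunnelAddress: "10.41.50.8")
//     setTunnelNetworkSettings(settings) { error in /* report error, then complete */ }
```

A provider cannot change the two flags from inside the extension; giving each customer the choice described in the thread therefore means exposing that choice in the containing app's configuration and selecting between the full-tunnel and split-tunnel settings accordingly.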

So this is basically what I've asked, because it's not working that way. This is my code:

let newSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "y.y.y.y")
let ipv4Settings = NEIPv4Settings(addresses: ["x.x.x.x"], subnetMasks: ["255.255.255.255"])
// ipv4Settings is nil on a fresh NEPacketTunnelNetworkSettings; it has to be assigned
// first, otherwise the optional chain on the following line silently does nothing.
newSettings.ipv4Settings = ipv4Settings
newSettings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]



And as you said it should claim all traffic, but for some reason it isn't: as in the other example I wrote above, the user is able to access resources on his LAN but can't access the 'remote' resource.

Interesting. I suspect something is capturing the local traffic for a specified interface before it is sent to the default route. Also, if the includeAllNetworks or excludeLocalNetworks flags are set, this could impact the situation as well. To figure out more on what is happening I would recommend opening a TSI so I can take a closer look at your entire configuration. If you do open a TSI, please attach a sample project that reproduces your scenario.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com
