When mobile data is switched on WhatsApp bypass VPN

Recently I met with a weird VPN bypassing problem which seems related to the mobile data network.


I wrote an application that created a personal VPN with protocol IPsec(IKEv2) and it connected to a VPN server. On the VPN server side do some traffic filter job.

With packet capture on the iOS mobile phone could see

  1. When there was only a Wi-Fi network connected all packets were in the IPsec VPN tunnel(could tell it by the packets' source IP and destination IP). Block the WhatsApp traffic on the VPN server-side and it worked well. WhatsApp showed connecting and after on messages were blocked;
  2. Switched on mobile data and ran WhatsApp could see WhatsApp traffic was in the VPN tunnel which was connected under the Wi-Fi network. But after a few seconds(around 30 secs) could see WhatsApp traffic was sent out via mobile data network which was 4G network there;
  3. If only mobile data network is switched on and Wi-Fi network switched off then could see after trying connecting for a few seconds(around 30 secs) the WhatsApp traffic bypassed VPN and it was not blocked.

In summary, I was trying to block the WhatsApp traffic on the VPN server side, but somehow once mobile data was enabled on the iOS device then there will be VPN bypassing issue and WhatsApp can not be blocked.


And with more tests ( on iOS 12.4.5 / 13.4.1 / 13.5.1 ), I found that

  1. With or without WLAN Assist the results are the same;
  2. Enterprise VPN written with Network Extension has the same problem;
  3. I also tried similar software like Slack but didn't found the same issue.


I have no idea how WhatsApp bypass VPN when its traffic was blocked. Is it a bug of the iOS VPN?

Answered by jeffreyc in 616252022
For programmingly set VPN set this property which is available after iOS 14
var includeAllNetworks: Bool { get set }
https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks
of NEVPNProtocol to be true could fix this issue.

We could see on this page
https://developer.apple.com/documentation/devicemanagement/vpn/vpn
that includeAllNetworks is available for iOS 4.0+ and macOS 10.7+.
But in this document
https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
includeAllNetworks doesn't exist yet.


Accepted Answer
For programmingly set VPN set this property which is available after iOS 14
var includeAllNetworks: Bool { get set }
https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks
of NEVPNProtocol to be true could fix this issue.

We could see on this page
https://developer.apple.com/documentation/devicemanagement/vpn/vpn
that includeAllNetworks is available for iOS 4.0+ and macOS 10.7+.
But in this document
https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
includeAllNetworks doesn't exist yet.


IncludeAllNetworks support is in iOS14 (in the current beta). Here is the behavior summary once VPN is enabled with IncludeAllNetworks set to true:
  • all traffic will be dropped if tunnel is not up

  • once tunnel is up, all traffic will be policed by traffic policies to go over tunnel

  • if VPN is enabled manually (via UI), tunnel will be re-established, in case it came down, automatically

This IncludeAllNetworks will solve the WhatsApp issue that you mentioned.

I already asked about this flag here - https://developer.apple.com/forums/thread/653116?login=true&page=1#622394022
but I just saw this thread so I'll try to ask it also here:
Regarding the first point - "all traffic will be dropped if tunnel is not up":
I've set this flag, saved the VPN profile, and not I want to create the tunnel. The problem is that all the traffic is blocked, so I can't create my tunnel if I have no traffic. All my getaddrinfo calls fails, and all the traffic from my extension fails even that I still didn't call completionHandler for the startTunnel function.
How can I solve it?
When mobile data is switched on WhatsApp bypass VPN
 
 
Q