How to redirect a flow originated from the extension app through the tunInterface.

Hi,

We are working on an app for macOS where we are using NetworkExtension and NEPacketTunnelProvider.

We would like to originate a connection from that app using boost::asio and redirect the flow through the tun interface of NEPacketTunnelProvider so that we can force the connection to go through our tunnel.
Currently we observe that this connection is not going through the extension's tunInterface.
Please let me know if it's possible and how?

Options:
1) Do we need to use createTCPConnectionThroughTunnel and not boost::asio?
2) Or use a TCP proxy at the app layer?

Answered by vk04 in 621321022

Or can we change the routing table before loading the extension to achieve this?
Instead of trying to force a connection through an interface I would take a look at why your Packet Tunnel Provider is not handling the connection. It sounds like there may be more than one extension on the system laying claim to the connection. This would be my first investigation point. From there your Provider will utilize the current virtual interface that was created for it to route the connection. In this case it very well could be a utun{n} interface and no forcing would be needed.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Accepted Answer
Thanks Matt for the response,
I am running my extension app on a clean VM; I believe there is no other provider running on it.
Just wanted to understand: if the connection is being initiated by the extension, will it get routed to the tun device by default?
What we thought is that this connection will respect the routing table which is there before loading the extension, so it wouldn't get routed to the tun device.
We want to send a packet through the tun device, but send it from within our extension itself.

Thanks for your help.

If your extension is creating the connection using something like NWTCPConnection then the connection will go through the virtual interface created for the Network Extension.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
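The following is an added example, not code from the thread or from Apple: it shows the pattern Matt describes, opening a TCP connection from inside an NEPacketTunnelProvider subclass with createTCPConnectionThroughTunnel so the traffic leaves via the provider's own utun rather than the pre-existing routing table. It assumes the provider has already applied its tunnel network settings, and the host name, port and the "PING" probe payload are placeholders chosen for illustration.

```swift
// Added example (not from the thread): open a TCP connection from within a
// NEPacketTunnelProvider so that it traverses the provider's virtual interface.
// Assumed: setTunnelNetworkSettings(...) has already completed, and the remote
// endpoint is reachable through the tunnel. Host/port/payload are placeholders.
import NetworkExtension

final class PacketTunnelProvider: NEPacketTunnelProvider {

    private var tunnelConnection: NWTCPConnection?
    private var stateObserver: NSKeyValueObservation?

    /// Opens a TCP connection that is routed through the tunnel's virtual
    /// interface instead of the system routing table that existed before the
    /// extension loaded.
    func openConnectionThroughTunnel(host: String, port: String) {
        let endpoint = NWHostEndpoint(hostname: host, port: port)

        // createTCPConnectionThroughTunnel is a method of the provider object,
        // which is why this helper lives inside the NEPacketTunnelProvider subclass.
        let connection = createTCPConnectionThroughTunnel(
            to: endpoint,
            enableTLS: false,
            tlsParameters: nil,
            delegate: nil
        )
        tunnelConnection = connection

        // NWTCPConnection reports its lifecycle through KVO on `state`;
        // connectivity changes and waiting/retry are handled by the framework.
        stateObserver = connection.observe(\.state, options: [.new]) { [weak self] conn, _ in
            switch conn.state {
            case .connected:
                NSLog("tunnel connection to %@:%@ established", host, port)
                self?.sendProbe(on: conn)
            case .waiting:
                NSLog("tunnel connection waiting for connectivity")
            case .disconnected, .cancelled:
                NSLog("tunnel connection ended (error: %@)",
                      conn.error?.localizedDescription ?? "none")
                self?.stateObserver = nil
                self?.tunnelConnection = nil
            default:
                break
            }
        }
    }

    /// Writes a placeholder request and reads back whatever the peer returns,
    /// then tears the connection down.
    private func sendProbe(on connection: NWTCPConnection) {
        let payload = "PING\n".data(using: .utf8)!   // constructed placeholder payload
        connection.write(payload) { error in
            if let error = error {
                NSLog("write failed: %@", error.localizedDescription)
                connection.cancel()
                return
            }
            connection.readMinimumLength(1, maximumLength: 4096) { data, error in
                if let data = data {
                    NSLog("read %d bytes through the tunnel", data.count)
                } else {
                    NSLog("read ended: %@", error?.localizedDescription ?? "EOF")
                }
                connection.cancel()
            }
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        // Cancel any connection we own before the tunnel goes away.
        tunnelConnection?.cancel()
        completionHandler()
    }
}
```

Call openConnectionThroughTunnel(host:port:) from the provider once the tunnel settings have been applied; because the connection is created by the provider itself, the packets show up on the tunnel's utun interface, which is the behaviour vk04 later confirms in this thread.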
Thanks Matt for your response,
We tested creating the connection through createTCPConnectionThroughTunnel (which returns NWTCPConnection) and I see packets coming through the tun device. But currently we are porting our app from a kernel extension to a network extension, and we have common code for Windows and Mac that creates connections using BSD sockets. So is it possible to create the connection through a BSD socket and have the connection go through the extension's tun device?
Now I see why you asked about trying to force the traffic through a specific interface. For the BSD interfaces you can attempt to set up sockets that route through the virtual interface, but this seems problematic in a dynamic environment such as Network Extensions. All the issues that plague sockets in a normal app, i.e., connectivity changes, sleep and wake lifecycles, and loss recovery, need to be handled by your socket code for the Network Extension life cycle, whereas NWTCPConnection handles all of this for you.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Thanks Matt for your response. As we were able to originate a connection through "createTCPConnectionThroughTunnel" and got packets through the tun device, we will use this API.
What we have understood is that the "createTCPConnectionThroughTunnel" API has to be used inside the class NEPacketTunnelProvider. Is there any other API which can be used to create a connection outside the class NEPacketTunnelProvider?

Thanks
vk

outside class NEPacketTunnelProvider

Do you mean from the host app, with a similar API such as NWConnection or nw_connection_t?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com