Network Extension - split tunnels + matchDomains

Is it possible to somehow implement split tunneling according to domains and not only via IP?
The Packet Tunnel Provider is at the IP layer, so it's probably not possible, but what about Per-App VPN?
I found this description -
https://developer.apple.com/documentation/networkextension/neapprule/1406488-matchdomains


Declaration
var matchDomains: [Any]? { get set }
Discussion
If this property is set to a nonempty array, then only connections to destinations in the domains specified in the array will use the VPN.

So is it possible for Per App VPN to split traffic according to domains?


Answered by ForumsContributor
If the requirement for the split tunnel is to have a set of domains in a specific app go through the Per-App VPN, then yes, this is technically possible. As you pointed out, that is what NEAppRule attempts to do with a Per-App VPN:

```swift
var appRules = [NEAppRule]()
let appRule = NEAppRule(signingIdentifier: "com.apple.Safari", designatedRequirement: "...")
appRule.matchDomains = ["example.com"]
appRules.append(appRule)
perAppManager.appRules = appRules
```


The rules above would activate your tunnel if Safari was started and example.com was requested.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
But once this rule above has activated the tunnel and the VPN is up, what will happen when the request URL is somethingelse.net? Will this go via the VPN?
In other words: once the tunnel is up, will it get all the traffic from that app, or just the traffic matching the rules?
Accepted Answer
When example.com activates the tunnel in Safari, I suspect that after the tunnel is activated, what is handled by the tunnel comes down to the NEAppRules configured, as well as the tunnel addresses, routing, and DNS settings configured for the NETunnelNetworkSettings.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
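As an added illustration of the point in the accepted answer (this is example code written for this page, not code from the thread or from Apple), the following shows the tunnel-side half of the configuration: once the tunnel is up, what it carries is decided by the routes and DNS settings the provider hands to `setTunnelNetworkSettings(_:completionHandler:)`, not by the domain names in the app rule. The addresses (10.8.0.0/24, 10.8.0.1, 203.0.113.1) and the `example.com` domain are constructed sample values, and `SplitTunnelProvider` is a hypothetical subclass name.

```swift
import NetworkExtension

/// Hypothetical packet tunnel provider that only claims the 10.8.0.0/24
/// corporate range and DNS for example.com; everything else stays off-tunnel.
final class SplitTunnelProvider: NEPacketTunnelProvider {

    /// Builds the network settings that decide what the running tunnel carries.
    /// Routing here is IP-based: a domain can only be "split" by routing the
    /// addresses its names resolve to, so the DNS match list and the included
    /// routes have to agree with each other.
    static func makeSplitTunnelSettings() -> NEPacketTunnelNetworkSettings {
        // Constructed sample: address of the VPN server as seen from the device.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.1")

        // Constructed sample: tunnel interface address and mask.
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])

        // Only this prefix is routed into the tunnel. Packets to any other
        // destination never reach packetFlow, regardless of the app rule.
        ipv4.includedRoutes = [
            NEIPv4Route(destinationAddress: "10.8.0.0", subnetMask: "255.255.255.0")
        ]
        // Explicitly keep the default route off the tunnel. Replace this with
        // `includedRoutes = [NEIPv4Route.default()]` for a full tunnel, in which
        // case every packet from the app goes through the VPN once it is up.
        ipv4.excludedRoutes = [NEIPv4Route.default()]
        settings.ipv4Settings = ipv4

        // DNS split: only queries for example.com (and its subdomains) are sent
        // to the tunnel resolver; other names use the system resolver.
        let dns = NEDNSSettings(servers: ["10.8.0.1"])   // constructed sample resolver
        dns.matchDomains = ["example.com"]
        dns.matchDomainsNoSearch = true
        settings.dnsSettings = dns

        return settings
    }

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        let settings = SplitTunnelProvider.makeSplitTunnelSettings()
        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // Tunnel is up: from here on the OS hands us only packets whose
            // destination falls inside includedRoutes. Traffic to
            // somethingelse.net from the same app stays on the physical interface.
            self.readAndForwardPackets()
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    /// Placeholder read loop; a real provider would encrypt and forward packets.
    private func readAndForwardPackets() {
        packetFlow.readPackets { packets, protocols in
            // ... forward `packets` to the VPN server ...
            self.readAndForwardPackets()
        }
    }
}
```

The practical consequence for the question above: an `NEAppRule` with `matchDomains` decides when the Per-App tunnel is brought up for that app, while `includedRoutes`/`excludedRoutes` and `NEDNSSettings.matchDomains` decide which of the app's packets and queries the tunnel then sees. If the provider installs a default route, the whole app is tunneled once any matching domain triggers it; if it installs only specific prefixes, the rest of the app's traffic bypasses the VPN, which is worth checking when the goal is to prevent leakage rather than just to reach internal hosts.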