Do includedRoutes and excludedRoutes work with per-app NEPacketTunnelProvider?

Hello,

I'd like to know if the ipv4Settings includedRoutes/excludedRoutes work with per-app VPNs. They work as expected for device wide VPN profiles, but they appear to have no effect when configured on per-app VPNs. Are these properties supported on per-app VPNs?

Thank you.
I am not aware of any reason NEIPv4Settings would not work in a Per-App VPN context. I can imagine a situation where you have instructed the system to use a Packet Tunnel for a specific app and then you are trying to exclude routes on that app for the Packet Tunnel to handle, if this is what you mean?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Hi Matt,

Yes. I'm using our Packet Tunnel Provider with MDM to assign the VPN to specific apps. We want to have some traffic in that app go over the VPN, and other traffic go directly to the internet. I have tried setting includedRoutes and/or excludedRoutes but all traffic is going over the VPN. Using the same routes with device wide VPN works.

Thanks

Using the same routes with device wide VPN works.

Right, for a device wide Packet Tunnel this makes sense.

It sounds like there are some logical routing issues here based on multiple Per-App VPN settings that are trying to route traffic to different places. What I would recommend is starting with one working set of rules and then start adding new rules and Per-App settings until you get to a place where things break down. This should give you insight into what the issue is.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Hi Matt,

This is what I tried:
1) Device wide VPN with no includedRoutes or excludedRoutes set. All traffic goes over the VPN as expected.
2) Device wide VPN with a single IP address in includedRoutes. Only traffic for that single IP address goes over the VPN as expected.
3) Per-app VPN with no includedRoutes or excludedRoutes set. All traffic for the targeted app goes over the VPN as expected.
4) Per-app VPN with a single IP address in includedRoutes. All traffic for the targeted app goes over the VPN. This is not expected.

Thanks.

Hi neiljac,

Did you find an answer to your question? I am also seeing the issue where includedRoutes and matchDomains are not being honoured in the case of a Packet Tunnel Per-App assigned to the Chrome app. It works fine when I am using a device wide Packet Tunnel.

Hi Matt,

Could you let us know if this is expected and the includedRoutes and matchDomains are ignored when we are using packet tunnel per-app mode? Could you please share some docs on this? Any leads would be appreciated.

Thanks, Shyam

@Shyam

Could you let us know if this is expected and the includedRoutes and matchDomains are ignored when we are using packet tunnel per-app mode?

Revisiting my original answer here, data is routed to a VPN in either one of two ways: by destination IP or on a per-app basis. So it would make sense that setting up includedRoutes and matchDomains does not work when you have set up an MDM profile to direct app traffic to your VPN if your tunnel has been configured to serve on a per-app basis.

Regarding:

Could you please share some docs on this? Any leads would be appreciated.

Here are the docs I am referencing.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
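For readers who want to see where the settings discussed in this thread are actually applied, here is an added Swift example (not code from the thread, from Apple, or from the poster's product): a hypothetical NEPacketTunnelProvider subclass that builds its NEPacketTunnelNetworkSettings either as a full tunnel (configurations 1 and 3 in neiljac's list) or with a single host in includedRoutes (configurations 2 and 4), plus a matchDomains DNS rule. All addresses, masks, the domain and the MTU are constructed sample values. Per Matt's explanation, when the profile assigns traffic on a per-app basis these route and domain rules are not consulted, so the app's whole traffic enters the tunnel regardless of what is set here; the routes only take effect for a device wide configuration.

```swift
import NetworkExtension

// Hypothetical provider for illustration; the class name is an assumption.
final class ExamplePacketTunnelProvider: NEPacketTunnelProvider {

    // Builds the tunnel network settings.
    // splitTunnel == false: default route into the tunnel (configurations 1 and 3).
    // splitTunnel == true : only one host is routed into the tunnel (configurations 2 and 4).
    func makeNetworkSettings(splitTunnel: Bool) -> NEPacketTunnelNetworkSettings {
        // Sample VPN server address (constructed).
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.1")

        // Sample address assigned to the tunnel interface (constructed).
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])

        if splitTunnel {
            // Only traffic to this single host should use the tunnel.
            // Honoured for a device wide VPN; ignored for a per-app assignment.
            ipv4.includedRoutes = [
                NEIPv4Route(destinationAddress: "198.51.100.10", subnetMask: "255.255.255.255")
            ]
        } else {
            // Everything uses the tunnel ...
            ipv4.includedRoutes = [NEIPv4Route.default()]
            // ... except the local LAN (sample range, constructed). Same caveat:
            // a per-app assignment does not apply this exclusion.
            ipv4.excludedRoutes = [
                NEIPv4Route(destinationAddress: "192.168.0.0", subnetMask: "255.255.0.0")
            ]
        }
        settings.ipv4Settings = ipv4

        // Tunnel-side resolver (constructed); matchDomains limits which queries
        // go to it. Like includedRoutes, this is not honoured in per-app mode.
        let dns = NEDNSSettings(servers: ["10.8.0.1"])
        dns.matchDomains = ["corp.example"]
        settings.dnsSettings = dns

        settings.mtu = 1400
        return settings
    }

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        let settings = makeNetworkSettings(splitTunnel: true)
        // Hand the routes, DNS rules and MTU to the system.
        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // Tunnel is up: packets arrive via self.packetFlow.readPackets and
            // would be forwarded to the VPN server (transport omitted).
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```

The practical consequence for a defender is the one Matt states: with a per-app profile the decision of what enters the tunnel is made by the app assignment, not by these routes, so do not rely on excludedRoutes to keep part of an assigned app's traffic out of the tunnel; use a device wide configuration if destination-based split tunnelling is the requirement.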

Thanks @meaton for sharing the details.
