does all (app) traffic go through the VPN for Per-App VPN?

Hi

I am wondering if all application data will be routed to (through) the VPN for apps that are managed and set to use Per-App VPN?

We have a packet tunnel VPN, and saw in another thread that destination IP VPN can be bypassed if the app binds to a specific network interface. Is the same true for apps connected to a Per-App VPN?

What happens to the app(s) traffic if we only capture IPv4 packets (e.g. only set IPv4 settings with default route)? Do the IPv6 packets go outside the VPN?
A lot of great questions here. In general, a Per-App VPN will attempt to route traffic for a managed app.

We have a packet tunnel VPN, and saw in another thread that destination IP VPN can be bypassed if the app binds to a specific network interface. Is the same true for apps connected to a Per-App VPN?

I suspect that doing this with a Per-App VPN would cause network issues on a connection, or just force the connection through the specified tun interface for the Per-App VPN. To know for sure, test it out. You should be able to see this if you ran a test from the macOS side.

What happens to the app(s) traffic if we only capture IPv4 packets (e.g. only set IPv4 settings with default route)? Does the IPv6 packets go outside the VPN?

If you configured a v4 route on your tunnel then this will be used. Are you explicitly trying to connect to a v6 route via address and not hostname and seeing a routing issue?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Accepted Answer
Thanks for your reply.

I cannot test binding on the macOS side since it is an iOS/iPadOS only app (what I know of, until silicon I guess :) ). I guess I could bind manually in a test app though.

I tested it with and without settings for v6, and without it the app doesn't get internet (when using an IPv6-only address).
So I tested without settings for v4 as well (so we don't get any traffic at all), and then the app(s) got no internet connection at all.

So it seems that a Per-App VPN forces the traffic through, and if we don't register for packets/traffic the app(s) won't get internet.

I tested it with and without settings for v6, and without it the app doesn't get internet (when using an IPv6-only address).

So without a v6 route and using a v6-only address you do not get access to the internet. Okay, that is a good indicator of what is happening here. If you add your v6 route back to your tun interface for the Per-App VPN, I suspect that your traffic is being routed through the Per-App VPN.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Yes, it will then be routed through the VPN (logged out the INET type of the packets to verify).
So the behaviour is what can be expected: either the traffic goes through the VPN or the app(s) won't get any traffic through at all (as opposed to the destination IP mode, which lets traffic go outside the VPN if one doesn't set up the NEIPvX settings).

Thanks for your time!
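An added example, not code from this thread or from Apple's samples, of the provider-side settings the last post refers to: registering both NEIPv4Settings and NEIPv6Settings with default routes so the managed app keeps connectivity, and logging each packet's address family (as patrikk did) to verify what actually enters the tunnel. The tunnel, client and DNS addresses are placeholders; the forwarding of packets to the tunnel transport is left to the provider's own implementation.

```swift
import NetworkExtension

final class PacketTunnelProvider: NEPacketTunnelProvider {

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Placeholder tunnel server address (assumed, not from the thread).
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.1")

        // IPv4: claim the default route so all v4 traffic from the managed app enters the tunnel.
        let v4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
        v4.includedRoutes = [NEIPv4Route.default()]
        settings.ipv4Settings = v4

        // IPv6: without this, the thread found that v6 traffic from a Per-App VPN app is
        // dropped rather than leaked; register it so v6-only destinations keep working.
        let v6 = NEIPv6Settings(addresses: ["fd00:1234::2"], networkPrefixLengths: [64])
        v6.includedRoutes = [NEIPv6Route.default()]
        settings.ipv6Settings = v6

        settings.dnsSettings = NEDNSSettings(servers: ["10.8.0.1"])
        settings.mtu = 1400

        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            self.readPackets()
            completionHandler(nil)
        }
    }

    // Log the address family of each packet to confirm which traffic enters the tunnel.
    private func readPackets() {
        packetFlow.readPackets { packets, protocols in
            for (packet, proto) in zip(packets, protocols) {
                let family = proto.int32Value == AF_INET6 ? "IPv6" : "IPv4"
                NSLog("tunnel received \(family) packet, \(packet.count) bytes")
                // Forward `packet` to the tunnel transport here.
            }
            self.readPackets()
        }
    }
}
```

If the v6 settings are omitted, the log will show only IPv4 packets while v6-only destinations fail inside the managed app, which is the behaviour described above.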