Using UDP Applications over NEAppProxyProvider VPN

Hi,


We are developing NEAppProxyProvider Per-App VPN and also implemented UDP support using NWUDPSession. We could get Skype video calls to work over this VPN fine before some months but suddenly it stopped working now. This might be due to some changes in Skype latest release as we have not changes our code base since then.


Has anybody tried to test some UDP applications with NEAppProxyProvider UDP support? I would like to test it with various applicaitons but could not find such applications using UDP protocol. Also, has anybody faced issue with Skype over NEAppProxyProvider recently?


Thanks and regards!

Hi, Were you able to resolve this issue? I'm facing the same issue. I'm not able to make skype calls (audio) using NEAppProxyProvider Per-App VPN.

I see some traffic related to STUN protocol in the network trace but the call never goes through, I'm using the NWUDPSession object too. Also skype app when connected to VPN shows No Internet Connection. When there is no VPN it doesnt show that message. Please help!

I will appreciate any help/clue in this regard.


-Surender

My recommendation here is that you do your own testing of your app proxy provider’s UDP support. Create a small test app that uses UDP and see how it behaves when run over your app proxy. That way you control both sides of the equation and thus can accurately map the boundaries of your UDP support.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

We have some DNS Lookup applications working with UDP Flows and Skype was also working fine on earlier versions of iOS and macOS but not recently. We have raised radar for this issue. Looks like something is wrong with listening sockets with per-app VPN. If VPN is connected and we launch Skype it says Internet Not Connected but if Skype triggers On-Demand VPN then it says Internet Connected correctly.

I strongly suspect that this is more about that specific app than about the VPN subsystem. It’s not unusual for apps with sophisticated networking needs to have problems in less common network scenarios.

We have raised radar for this issue.

What was the bug number?

Looks like something is wrong with listening sockets with per-app VPN.

I you think that this is a problem with the VPN infrastructure then I recommend that you write a small test app that uses UDP to see if that has the same problem. If it does, you’ve cut Skype out of the mix, which will radically simplify the investigation.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 5 Jun through to Fri, 9 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/

Hi Eskimo, As per your instructions, I wrote a UDP test app and sending the receiving the UDP traffic to and from a echo server.

I'm launching 5 parallel threads each has it's own UDP socket and each sends about 50 packets. My payload size is of 5 different sizes and max it can go is upto 1400. What I have noticed is that plugin received all 250 packets but my WriteDatagram call fails for about 50 times.

[session writeDatagram:datagram completionHandler:^(NSError *error)

The erro thrown each time is Error Domain=NSPOSIXErrorDomain Code=12 "Cannot allocate memory"

Also these failures are only upstream, all teh packets that echo server sends back are recieved fine at plugin and further received fine by the test app.

The error is only coming while writing them to the endpoint above call and this is pretty consistent.


Also we have also noticed that skype displays No Internet Connection when it is made to go through tunnel.


Thanks,

Surneder

That sounds like

ENOMEM
. While it’s weird to get that when writing to a socket, it’s not unheard of. Your response to this should be the same as your response to any error when dealing with datagrams: drop the datagram. Anyone using a datagram protocol has to deal with the possibility of datagrams being lost.

It doesn’t sound like this is related to your Skype problem though.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 5 Jun through to Fri, 9 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/

>>It doesn’t sound like this is related to your Skype problem though

Eskimo, skype didn't work for us over apppropxy which lead me to write a test app to understand what's going on(read our conversation on 1st and 2nd May above).

>>Anyone using a datagram protocol has to deal with the possibility of datagrams being lost.

Yes, that is correct. But in this case the writeDatagram API itself is failing to write the datagram with a non-obvious error message. They are not getting lost somewhere over the wire. I'm not sure if that is one acceptable way of a datagram getting lost. Also on an average 50 out of 250 is a failrly large number of packet that are getting lost.

If there is anything else I can do for you to understand this issue better, i'm motivated to do it because we really want to fix this issue for skype support over tunnel.

As always, you are a great help, any pointer will help!

Regards,

Surender

They are not getting lost somewhere over the wire.

True, but probably unimportant (-: These days most link layers (notably Wi-Fi and the various WWAN protocols) provide link-layer retransmissions, so packets don’t get lost on the wire. What does happen is that packet get dropped by routers when they run out of buffer space. Which is exactly analogous to your situation.

Regardless, you should take steps to avoid runaway buffering in your provider. You do that by exert back pressure on the input flow. Keep track of the number of bytes you have queued on the output side and, if that number gets too high, suspend your reads from the input side (the NEAppProxyTCPFlow or NEAppProxyUDPFlow) until it drops to a reasonable level.

If there is anything else I can do for you to understand this issue better, i'm motivated to do it because we really want to fix this issue for skype support over tunnel.

I’m still confused by this position. Do you have any evidence that this buffering problem is related ot your Skype problem?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 5 Jun through to Fri, 9 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/

Do you have any evidence that this buffering problem is related ot your Skype problem?

No. These are two separate issues and we need to address both. We need skype to work over tunnel and in general we also need support for UDP traffic through tunnel. At this point both are not working. UDP traffic has WriteDatagram issue and skype calls don't last for more than 5 seconds.

For skype we see the initial traffic coming in the tunnel and it writes everything that it receives from the flow and just before the call drops it stops getting any packets from the end point [NWUDPSEssion setReadHandler] reads 0 continuosly.

Do you I think file a RADAR for this? are there any known issues with skype or UDP in general?

Thanks!

Do you I think file a RADAR for this? are there any known issues with skype or UDP in general?

I strongly suspect that this is a Skype-specific thing, but it’s hard to be sure without deeper investigation. You can certainly file a bug about this but I can’t promise you that it’ll get any traction.

Have you tried Skype with some per-app VPNs from other vendors? If it fails there then you know that it’s not just you.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 5 Jun through to Fri, 9 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/

Thank you Eskimo, I will try per App VPN from other vendors.

As always, you are great help, thank you very much!


-Surender

Using UDP Applications over NEAppProxyProvider VPN
 
 
Q