Exclusive (VPN or proxy) connection between app and server

Hi, reference to my past question:
https://developer.apple.com/forums/thread/675312

I examined the answer but I think this way is not for me. I read the information from the WWDC15 conference session “What’s New in Network Extension and VPN”,

Link:
https://docplayer.net/24027619-What-s-new-in-network-extension-and-vpn.html

and found a few solutions, but I am not sure they will be a good choice.

My goal is to create a connection (VPN or proxy) between the app and server on macOS.
The app gives access to web sites, and IF a web site is blocked the application enables the VPN. But if the user is using my app and, for example, an app like a torrent client, all files downloaded via torrent will also go through my VPN server. I don’t want that, therefore I need a connection only between the app and the server, because an app like torrent can kill me.

For this solution, if I understand correctly, a few ways exist:
  • NEVPNManager - not good because I can’t create an exclusive connection and all traffic from macOS will go through the server; this is a bad way.

  • NETunnelProvider (NEPacketTunnelProvider or NEAppProxyProvider) - looks good for my situation, but this is an “Enterprise solution” and I don’t fully understand what that means. I examined the question about “per-app VPN”, but that needs an MDM server (not for me), and I think “NEPacketTunnelProvider or NEAppProxyProvider” also need an MDM server? Because from WWDC15 I saw the label “Per-App VPN” for both.

If I am wrong please explain what “Enterprise solution” means in this case: do I need to create some server side or something else?
  • NEFilterProvider - not for me because this is a “content filter”; my app doesn’t filter content, the app gives access to blocked content.

From this answer:

You would have to move the proxy functionality out to the system level and either create a NEAppProxyProvider or use the System Configuration proxy settings to route traffic locally to a process so it can decide where the traffic needs to go. Both are a lot of work and do seem like a bit of overkill for this action. I would try looking into NEFilterDataProvider as a first step here.

If I understand correctly, my way is to use the SystemConfiguration proxy system, but how do I do this programmatically from the app? And in this case, all traffic from macOS will go through the server, am I right or not?

Or use the second way, to move the proxy functionality out to the system level, but how do I do this? And in this case, can I create an exclusive connection between only my app on macOS and the server? I do not fully understand this case.
First, I see that you are running on macOS, but what is your deployment target? Is it the Mac App Store or is it Developer ID?

The reason I ask the above question is in regards to:

NETunnelProvider (NEPacketTunnelProvider or NEAppProxyProvider) - looks good for my situation, but this is an “Enterprise solution” and I don’t fully understand what that means.

For Developer ID developers you can create a NEPacketTunnelProvider or NEAppProxyProvider using a Network System Extension. You can absolutely use MDM here, and MDM will make all of the distribution and deployment a lot easier, but I am not aware of this being a requirement in this environment.

Regarding:

And in this case, all traffic from macOS will go through the server, am I right or not?

Yes, you are correct. You are essentially moving the content filter action to a local daemon that your System Configuration proxy is pointing towards.

Regarding my previous suggestion:

I would try looking into NEFilterDataProvider as a first step here.

Since you are by-definition performing a Content Filter action, did you look into NEFilterDataProvider?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

I examined the NEFilterDataProvider, and if I understand this option correctly, I can filter objects from the app but not from the whole system, am I right?

From all the above information, in my case I can use the following ways:
  • (NETunnelProvider) per-app VPN with an MDM server;

  • NEPacketTunnelProvider or NEAppProxyProvider in a Network Extension for the app, but I can’t restrict the traffic that goes out from the whole system to only the app’s traffic;

  • System Configuration if I want to restrict traffic from the whole system.

Did I correctly describe what I can use in this case, or are there any other ways in the macOS system?
Please correct me if I am wrong.

Regards, Ihor.


First, I see that you are running on macOS, but what is your deployment target? Is it the Mac App Store or is it Developer ID?

At the moment I can't say, because I need to solve the problem of a connection only between the app and the server. Primarily I am oriented towards the Mac App Store of course, but if I can't solve this problem the app doesn't make sense: users will kill the server.
Accepted Answer

I examined the NEFilterDataProvider, and if I understand this option correctly, I can filter objects from the app but not from the whole system, am I right?

You should be able to do either.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
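As an added illustration of the "either" in the accepted answer (example code written for this thread, not code from the original posts or from Apple): a NEFilterDataProvider sees every socket flow on the system, so it can act system-wide, or it can restrict itself to one app by checking the flow's source signing identifier. The bundle identifier `com.example.myapp` and the `isBlocked(host:)` lookup are assumptions; note that a data provider can only allow or drop a flow, it cannot redirect the flow into a VPN.

```swift
import NetworkExtension

/// Content-filter data provider that decides per flow whether to allow it.
/// With a non-empty identifier set it only inspects flows from the named app
/// (per-app mode); with an empty set it inspects all flows (system-wide mode).
class ExclusiveAppFilterProvider: NEFilterDataProvider {

    // Assumed value: replace with your own app's signing identifier.
    let filteredSigningIdentifiers: Set<String> = ["com.example.myapp"]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // No static rules; every new flow is handed to handleNewFlow(_:).
        // The container app enables socket filtering via NEFilterManager
        // with filterSockets = true on its NEFilterProviderConfiguration.
        let settings = NEFilterSettings(rules: [], defaultAction: .filterData)
        apply(settings) { error in completionHandler(error) }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Per-app mode: flows from any other process (e.g. a torrent client)
        // are passed through untouched, so only our app's traffic is judged.
        if !filteredSigningIdentifiers.isEmpty {
            guard let app = flow.sourceAppSigningIdentifier,
                  filteredSigningIdentifiers.contains(app) else {
                return .allow()
            }
        }
        // Only socket flows carry a remote host endpoint we can reason about.
        guard let socketFlow = flow as? NEFilterSocketFlow,
              let remote = socketFlow.remoteEndpoint as? NWHostEndpoint else {
            return .allow()
        }
        return isBlocked(host: remote.hostname) ? .drop() : .allow()
    }

    /// Hypothetical policy lookup; a real provider would consult a list
    /// delivered by the container app or fetched from its own backend.
    private func isBlocked(host: String) -> Bool {
        let blockedHosts: Set<String> = ["blocked.example.invalid"]  // constructed
        return blockedHosts.contains(host)
    }
}
```

The provider must ship as a Network System Extension signed with the content-filter entitlement, which is why it answers the per-app question without any MDM involvement.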