Proxy set on IPv4 Split tunnel includedRoutes are not going via proxy

Question

BMDivya OP

Created Mar ’21

Replies 2

Boosts 0

Views 1.5k

Participants 2

Hi,

I have Split tunnel and Proxy configured in Network extension as below,

I have three IPv4 Split tunnel addresses say as x.x.x.x, y.y.y.y and z.z.z.z set as includedRoutes in IPv4Settings on NEPacketTunnelNetworkSettings.
I have configured Automatic proxy using NEProxySettings where proxy server is running at my-proxy.com:8080. My PAC file is written in such a way that when traffic matches the Split tunnel IPv4 address say as y.y.y.y (which is one of the includedRoutes) to go via proxy.

Below are the observations made,

Traffic matching these includedRoutes x.x.x.x, y.y.y.y and z.z.z.z are routed through the virtual interface used by the VPN tunnel (which is as expected).
But IPv4 address y.y.y.y (which is inside the VPN Split tunnel) which was supposed to go via proxy is not actually going via proxy.

So,

How is Proxy set on Split tunnel rule expected to work? or
How is traffic excepted to route when Proxy is set on one or many of the includedRoutes in NEPacketTunnelNetworkSettings?

I am using Safari browser for accessing resources.

Boost

Answer 1

Systems Engineer OP

Apple

Mar ’21

I have configured Automatic proxy using NEProxySettings where proxy server is running at my-proxy.com:8080

One thing you could try is setting your proxy settings in the Settings app and then reporting them in NEProxySettings. I would expect this to provide the packet with altered destination address, as this is what it does in NEAppProxyProvider. This could create a dilema for your included routes also, so be mindful of this.

Also note that I would recommend testing your PAC outside of the packet tunnel to ensure that this is routing properly before getting the packet tunnel involved.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0

Answer 2

BMDivya OP

Apr ’21

Hi Matt,

As per your suggestion, I have configured the automatic proxy PAC file URL in WIFI Settings and Split Tunnel rules in my VPN server.

In this case, the traffic y.y.y.y is going to the PROXY even before entering into the tunnel i.e., traffic y.y.y.y is not coming inside tunnel and thus ignoring the tunnelling rule. Though I achieve proxying the traffic y.y.y.y, this approach is not applicable for my use case where I want traffic y.y.y.y to reach tunnel first and then get proxied from within the tunnel.

How can I achieve this behaviour?

0