includeAllNetworks Problems.

I've been looking at adding includeAllNetworks to our Network Extension VPN (Packet Tunnel Provider).

We do some authentication in the app and then start the VPN. All connections in the VPN extension are done by IP address, so there is no name resolution required.

The connection setup in the VPN extension involves some HTTP GETS & responses. I'm seeing a couple of problems.

It looks like includeAllNetworks has to be set on the VPN configuration when it's defined. Is that correct? When I try setting it at other points, either in the NEPacketTunnelProvider protocolConfiguration or in the NEVPNManager protocol configuration it has no effect. The protocol itself appears to be inaccessible.

When I set it in the NEVPNManager's protocolConfiguration before I start the connection it shows includeAllNetworks as set, but when I start the connection the nesessionmanager debug output shows that it's not set in the protocol and it's not in effect.

Is there any way to set this on-the-fly? In our particular VPN interaction the Gateway tells the VPN client whether it wants the client to use includeAllNetworks, so we can't just hard-code it.

When I do set this in the VPN configuration I can't reach the Gateway. I see that the nesessionmanager shows it as set, but the initial URLSession call gets a .cfurlErrorNotConnectedToInternet result in didCompleteWithError. I've verified that the URI specifies an IP address, not a hostname, so for example

    https://10.0.1.10/someapi

There is no network traffic after I start the connection until the connection fails, and transitions from Connecting to Disconnecting. (well, except for things like MDNS and a couple of others that aren't blocked by the setting)
Since I'm connecting by IP address I'd expect that this would work.

In the console I see

default 13:42:57.476293-0700 VPNExtension [C10 Hostname#0a01000a:443 failed path (unsatisfied (Path was denied by NECP policy), interface: en0, ipv4)] event: null:null @4.222s

I haven't seen any good examples of VPN setup with the new flags, and the documentation is frustratingly vague. Are there any good resources for this?

Kevin

Replies

This happens when I try a connection using raw BSD socket() calls as well.

What am I missing here?

Hi,

from what I understand it appears this is not possible to set on-the-fly and it can be configured only when installing the profile.

In my testing this includeAllNetworks behaves quite similarly to setting includedRoutes on the IPv4Settings to NEIPv4Route.default(). This could possibly be set when starting the tunnel, so you would need to stop and start again to toggle this.

Hello Kevin,

It looks like includeAllNetworks has to be set on the VPN configuration when it's defined. Is that correct?

Yes.

Is there any way to set this on-the-fly? In our particular VPN interaction the Gateway tells the VPN client whether it wants the client to use includeAllNetworks, so we can't just hard-code it.

Since includeAllNetworks forces all traffic through the virtual interface, if you need to make a configuration network call that needs to go outside the tunnel then this needs to be done while the tunnel is not configured or active.

default 13:42:57.476293-0700 VPNExtension [C10 Hostname#0a01000a:443 failed path (unsatisfied (Path was denied by NECP policy), interface: en0, ipv4)] event: null:null @4.222s

Right, if possible, I would gather the network configuration information before the tunnel is started, otherwise using this flag will not work for this case.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
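
The configuration-time setting the reply above describes, as an added example that is not code from the thread or from Apple: the flag is put on the NETunnelProviderProtocol that is saved through NETunnelProviderManager, which is the object nesessionmanager reads when the tunnel starts. The bundle identifier, server address and description are placeholders.

```swift
import NetworkExtension

// Added example (not from the thread): persist a Packet Tunnel configuration
// with includeAllNetworks set on the protocol object that is saved to
// preferences. Bundle identifier, server address and name are placeholders.
func installTunnelConfiguration(includeAllNetworks: Bool,
                                completion: @escaping (Error?) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }
        // Reuse an existing configuration if one is present, else create one.
        let manager = managers?.first ?? NETunnelProviderManager()

        let proto = NETunnelProviderProtocol()
        proto.providerBundleIdentifier = "com.example.app.VPNExtension" // placeholder
        // Gateway the extension connects to, as an IP literal so no DNS is needed.
        // DTS asks whether this matches the tunnelRemoteAddress the provider uses.
        proto.serverAddress = "10.0.1.10" // placeholder
        // The flag the thread is about. It has to be on the protocol that is saved;
        // setting it on the provider's protocolConfiguration later has no effect.
        proto.includeAllNetworks = includeAllNetworks

        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example VPN" // placeholder
        manager.isEnabled = true

        manager.saveToPreferences { saveError in
            if let saveError = saveError {
                completion(saveError)
                return
            }
            // Reload so the in-memory manager reflects what was actually saved
            // before the app calls manager.connection.startVPNTunnel().
            manager.loadFromPreferences { reloadError in
                completion(reloadError)
            }
        }
    }
}
```

Because the value lives in the saved configuration, honouring a gateway that decides the flag per session means saving a new configuration and restarting the tunnel, which is the stop-and-start toggle the earlier reply in this thread describes; there is no call that changes it on a running tunnel.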

includeAllNetworks covers a lot more than setting the default route. We need the extra assurance that all traffic will be handled, and that the tunnel won't leak.

Defining it at config definition time is a pain, but I can work around that.

The main issue I see at this point is that when I define includeAllNetworks and it takes effect, I can no longer connect to the gateway, even by IP address.


Hi Matt. We're not gathering configuration information when we see the error message I included.

That's when we're trying to open the actual VPN connection to the Gateway. How are we supposed to open the socket that's going to carry the gateway traffic in this case?

That is, what Network Extension calls need to be completed before it will let us communicate with the Gateway?

Kevin



Kevin,

Regarding:

The main issue I see at this point is that when I define includeAllNetworks and it takes effect, I can no longer connect to the gateway, even by IP address.
That's when we're trying to open the actual VPN connection to the Gateway. How are we supposed to open the socket that's going to carry the gateway traffic in this case?

The VPN connection that you are trying to open, is it to the address/hostname reported in NETunnelProviderProtocol's serverAddress and set in initWithTunnelRemoteAddress for NEPacketTunnelNetworkSettings? If so, then I would open a bug report about this and please respond back here with the Feedback ID.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
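
The pairing the reply above asks Kevin to check, as an added example that is not code from the thread or from Apple: a provider that takes the gateway from the saved NETunnelProviderProtocol.serverAddress, refuses anything that is not an IPv4 literal (the thread connects by IP only), and uses that same literal both for the control connection to the gateway and for NEPacketTunnelNetworkSettings(tunnelRemoteAddress:). The provider class name, tunnel addresses, port and MTU are placeholders, and the example does not claim to resolve the NECP denial Kevin reported; it only shows the two values lining up, which is what DTS wants confirmed before a bug is filed.

```swift
import NetworkExtension
import Darwin

// Added example (not from the thread): gateway address is read once from the
// saved configuration and reused for both the control connection and the
// tunnel's remote address. Addresses, port and MTU are placeholders.
final class ExamplePacketTunnelProvider: NEPacketTunnelProvider {

    private var control: NWTCPConnection?

    /// True only for a dotted-quad IPv4 literal; hostnames are rejected so the
    /// provider never triggers a DNS lookup.
    static func isIPv4Literal(_ s: String) -> Bool {
        var addr = in_addr()
        return s.withCString { inet_pton(AF_INET, $0, &addr) == 1 }
    }

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        guard let proto = protocolConfiguration as? NETunnelProviderProtocol,
              let gateway = proto.serverAddress,
              Self.isIPv4Literal(gateway) else {
            // serverAddress missing or not an IP literal: fail instead of resolving a name.
            completionHandler(NEVPNError(.configurationInvalid))
            return
        }

        // Control connection to the gateway, created through the provider's own
        // API and aimed at exactly the serverAddress string. Port is a placeholder.
        let endpoint = NWHostEndpoint(hostname: gateway, port: "443")
        let conn = createTCPConnection(to: endpoint, enableTLS: true,
                                       tlsParameters: nil, delegate: nil)
        control = conn

        // Tunnel settings: tunnelRemoteAddress is the same literal as serverAddress.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: gateway)
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"],
                                  subnetMasks: ["255.255.255.0"]) // placeholders
        ipv4.includedRoutes = [NEIPv4Route.default()]
        settings.ipv4Settings = ipv4
        settings.mtu = 1400 // placeholder

        setTunnelNetworkSettings(settings) { error in
            // Reading from and writing to self.packetFlow would begin after this.
            completionHandler(error)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        control?.cancel()
        control = nil
        completionHandler()
    }
}
```

If the two strings differ in a real provider (for instance a hostname in serverAddress and a resolved IP in tunnelRemoteAddress), that is the first thing to reconcile; if they already match and the "Path was denied by NECP policy" failure persists with includeAllNetworks set, that is the case the reply above says should go into a Feedback report.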