Private Relay with NETransparentProxyProvider

Hello,

We have a Network Extension that implements NETransparentProxyProvider that filters TCP traffic on ports 80 and 443.

On macOS Monterey (21A5248p) with Private Relay enabled no connection from Safari is seen by our Network Extension (connections from other browsers are seen by our extension, so it's not a problem with the rules).

According to this forum post and App Proxy Provider documentation the connections should use the VPN. We also tested this with our Network Extension by inheriting from NEAppProxyProvider instead of NETransparentProxyProvider and the connections are seen by the extension.

My question is if this is the intended behaviour for NETransparentProxyProvider or if it is a bug? And if it is intended if there is a way to filter those connections while still using a Transparent Proxy?

Thank you!
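
A minimal provider for checking which applications' flows reach a transparent proxy under the rule set described in the post above (added example, not the poster's code; the class name, log subsystem and tunnel address are placeholders, and the IPv6 wildcard rule is an assumption about how the rules were written):

```swift
import NetworkExtension
import os.log

// Hypothetical provider class; the rules mirror the post (TCP, ports 80 and 443).
final class LoggingTransparentProxy: NETransparentProxyProvider {
    // Placeholder subsystem name.
    private let log = OSLog(subsystem: "com.example.proxy", category: "flows")

    override func startProxy(options: [String: Any]? = nil,
                             completionHandler: @escaping (Error?) -> Void) {
        // Placeholder address; the settings object requires one.
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        // Prefix 0 matches every destination; cover IPv4 and IPv6 for both ports.
        settings.includedNetworkRules = ["0.0.0.0", "::"].flatMap { host in
            ["80", "443"].map { port in
                NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: host, port: port),
                              prefix: 0, protocol: .TCP)
            }
        }
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // Record the originating app and destination of every TCP flow offered to us.
        if let tcp = flow as? NEAppProxyTCPFlow,
           let remote = tcp.remoteEndpoint as? NWHostEndpoint {
            os_log("flow app=%{public}@ dst=%{public}@:%{public}@", log: log, type: .info,
                   flow.metaData.sourceAppSigningIdentifier, remote.hostname, remote.port)
        }
        // Returning false declines the flow, so the system handles the connection itself.
        return false
    }
}
```

Comparing the logged signing identifiers with Private Relay on and off shows whether a given browser's flows are offered to the provider at all.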

According to this forum post and App Proxy Provider documentation the connections should use the VPN. We also tested this with our Network Extension by inheriting from NEAppProxyProvider instead of NETransparentProxyProvider and the connections are seen by the extension.

My question is if this is the intended behaviour for NETransparentProxyProvider or if it is a bug?

Thank you for reporting this. So if I am understanding you correctly, when Private Relay is turned on and NETransparentProxyProvider is running on the system, Safari connections are not seen in your NETransparentProxyProvider? However, when using NEAppProxyProvider with Private Relay, Safari connections are seen in your Proxy Provider, is that correct? If that is correct then please file a bug report on this and include a sysdiagnose. Before you take a sysdiagnose please make sure to install these macOS debug profiles on the system:

  • Net-diagnose for macOS
  • Network Diagnostics for macOS
  • VPN (Network Extension) for macOS

Once you have these debug profiles installed, please reproduce the issue and trigger a sysdiagnose and upload it to your bug. Please include the exact time and date the issue was reproduced. Once you have done this please respond back with the Feedback ID.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

So if I am understanding you correctly, when Private Relay is turned on and NETransparentProxyProvider is running on the system, Safari connections are not seen in your NETransparentProxyProvider? However, when using NEAppProxyProvider with Private Relay, Safari connections are seen in your Proxy Provider, is that correct?

Yes, this is correct.

I filed the bug report: FB9189676

A thing I forgot to mention before, but I mentioned it in the bug report is that while using NETransparentProxyProvider the connections seem to use Private Relay (my guess is that this is the reason we do not see the connections) and while using NEAppProxyProvider the connections do not use Private Relay.

I filed the bug report: FB9189676 A thing I forgot to mention before, but I mentioned it in the bug report is that while using NETransparentProxyProvider the connections seem to use Private Relay (my guess is that this is the reason we do not see the connections) and while using NEAppProxyProvider the connections do not use Private Relay.

Thank you for opening the bug report, I see it internally and have copied myself on it for more information.

Yes, I do see the note on your bug about the traffic being available in NEAppProxyProvider and not NETransparentProxyProvider while Private Relay is enabled and I suspect that is what is being investigated.

Thanks again for reporting this.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Additionally, if you want to open a TSI for this item, I will be happy to use that to allocate some time for setting up a test case for this scenario to see if there is any workaround available for NETransparentProxyProvider and Private Relay. Make sure to reference this post if you do open a TSI.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Additionally, if you want to open a TSI for this item, I will be happy to use that to allocate some time for setting up a test case for this scenario to see if there is any workaround available for NETransparentProxyProvider and Private Relay.

Considering this is just the first beta and, if it is a bug, it will probably be fixed at some point, I do not think it's necessary for now. For testing purposes we can use NEAppProxyProvider at this point.

Thank you for opening the bug report, I see it internally and have copied myself on it for more information. Yes, I do see the note on your bug about the traffic being available in NEAppProxyProvider and not NETransparentProxyProvider while Private Relay is enabled and I suspect that is what is being investigated.

If there is any more information or logs you need, let me know and I'll gladly provide them.

If there is any more information or logs you need, let me know and I'll gladly provide them.

Okay, will do.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com