How to determine if my app is communicating via VPN?

I am trying to create a flutter+swift app for iOS which could determine if there is an active VPN connection and which could determine if my app is communicating via VPN.

Currently, I am trying to check in my app, if there is any network interface like these (if there is, that would mean the VPN connection is active):

tap, tun, ppp, ipsec, ipsec0, utun1, utun2, pptp

Unfortunately, this doesn't work well. On some iOS devices, I see that there is an existing "ipsec" interface, but there is actually no VPN connection. And on some other devices, I see it working correctly (mostly iOS14+).

I read about it, and it seems that "ipsec" interface is often used for handling WiFi calls and to communicate between Apple devices. Is this right? Does it mean that it's not determinable if this interface will be set (because it can be controlled by the network provider or by the Apple ecosystem)?

I am also wondering if there is a reliable way to tell if the device has an active VPN connection, or at least tell if the given app is using a per-app VPN at the moment?

which could determine if my app is communicating via VPN.

What API are you using for your communication? This matters because your question only makes sense in the context of a specific network connection. It’s quite feasible for, in any single app, one connection to run over VPN and one connection to not.

Also, what action do you take based on this info? This matters because there are lots of things that might look like VPN but aren’t, and vice versa, and thus it’s important to understand the cost of incorrect results (both false positives and false negatives).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

So this is an enterprise app?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

At the risk of asking what may be the obvious, and given IP routing is dynamic and can change at any time, establishing a VPN (SSL/TLS/HTTPS/DTLS) within the app seems expedient, and avoids trying to finesse the already-volatile network configuration?

If the app needs to check whether it has a network path, try the path. That’s easiest. Either directly to the target host, or (if the target is also accessible externally) maybe establish a test SSL/TLS/HTTPS/DTLS communications with a known host; to a host that is only accessible to the app when operating within the target network or when some other tunnel is active into the target network.

Polling the connection state for IP routing… gets ugly.
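The "try the path" approach from the reply above, as an added example that is not part of the original thread: a one-shot TLS probe written with Apple's Network framework. The host name `internal.example.com`, the function name `probeInternalHost` and the `ProbeResult` type are assumptions made for illustration.

```swift
import Foundation
import Network

enum ProbeResult {
    case reachable(interfaces: [String])  // TLS handshake completed
    case unreachable(reason: String)      // failed or timed out
}

/// Attempts one TLS connection to a host that is only reachable through the
/// tunnel. `completion` is called exactly once, on the probe's private queue.
func probeInternalHost(_ host: String,
                       port: UInt16 = 443,
                       timeout: TimeInterval = 5,
                       completion: @escaping (ProbeResult) -> Void) {
    guard let nwPort = NWEndpoint.Port(rawValue: port) else {
        completion(.unreachable(reason: "invalid port"))
        return
    }
    let queue = DispatchQueue(label: "vpn.path.probe")
    // Default TLS parameters validate the server certificate against `host`,
    // so success means the named host answered, not merely that a port is open.
    let conn = NWConnection(host: NWEndpoint.Host(host), port: nwPort, using: .tls)
    var finished = false  // only touched on `queue`

    func finish(_ result: ProbeResult) {
        guard !finished else { return }
        finished = true
        conn.stateUpdateHandler = nil  // break the retain cycle
        conn.cancel()
        completion(result)
    }

    conn.stateUpdateHandler = { state in
        switch state {
        case .ready:
            // Interfaces of the path this particular connection is using.
            let names = conn.currentPath?.availableInterfaces
                .map { "\($0.name) (\($0.type))" } ?? []
            finish(.reachable(interfaces: names))
        case .failed(let error):
            finish(.unreachable(reason: "\(error)"))
        default:
            break  // .waiting: no usable route yet, let the timeout decide
        }
    }
    conn.start(queue: queue)
    queue.asyncAfter(deadline: .now() + timeout) {
        finish(.unreachable(reason: "timed out"))
    }
}
// Usage: probeInternalHost("internal.example.com") { print($0) }
```

The result describes this one connection at the moment of the probe; routing can change afterwards, so a caller that depends on the answer should probe again immediately before the sensitive request.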
