How to setup `matchDomains` for NEPacketTunnelProvider?

Hello,

In my use case, I want to use the matchDomains property so my VPN (NEPacketTunnelProvider) handles traffic for just some apps, not everything that happens on the device.

But setting matchDomains to anything other than [""] doesn't seem to work properly.

It works for websites in Safari but in my testing not for other apps. Let's use Instagram as an example:

let proxySettings: NEProxySettings = NEProxySettings()
proxySettings.matchDomains = ["instagram.com"]

With these settings, using the Instagram app doesn't send traffic to my VPN. However, if I set something like "theverge.com" as the domain, it gets sent to my app.

According to the docs, the matchDomains uses suffixes:

If the destination host name of a HTTP connection shares a suffix with one of these strings then the proxy settings will be used for the HTTP connection. Otherwise the proxy settings will not be used.

I also tried wildcards like *.instagram.com without much luck.

How would I go about this? Are there any internal limits on how many domains I can match like this?

Thanks

To smoke out what is happening here I would create a test app that makes a request to example.com and then also send traffic to example.com through Safari. That way you know how that request is working from the client side, which gives you a basis to debug this in your NEProxySettings. Next, why do you need to use NEProxySettings if you are running an NEPacketTunnelProvider?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

So I created a test app, and requests from it behave as expected. If the domain is set via matchDomains, it gets "routed" to my VPN.

But the Instagram example does not work like this. The app uses i.instagram.com and graph.instagram.com - but even if I try to add them to matchDomains it doesn't work. When matchDomains is [""] - then Instagram and other apps get "routed" to my VPN.

I am using the NEProxySettings as part of the NEPacketTunnelNetworkSettings so I can set my local proxy server as the destination for connections.

The reason for my matchDomains experiments is that I need to reduce battery consumption, and since there are predefined domains that my VPN needs to handle (and it can ignore the rest), I am trying to use these settings to use the tunnel only for connections where it is really necessary.
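For readers following the thread, here is an added example (not the original poster's code) of the setup being described: an NEPacketTunnelProvider whose NEPacketTunnelNetworkSettings carry an NEProxySettings pointing at a proxy inside the extension, with matchDomains limiting which HTTP(S) connections are steered there. The class name, the proxy address and port, and the domain list are assumptions; matchDomains is a suffix match and only affects connections that honour the system proxy configuration.

```swift
import NetworkExtension

// Hypothetical provider subclass; all addresses, ports and domains below are
// constructed sample values, not taken from the thread.
final class InterceptingTunnelProvider: NEPacketTunnelProvider {

    // Suffix list: "example.com" also covers "api.example.com".
    // Every other destination bypasses the proxy and the tunnel entirely.
    private let interceptedDomains = ["example.com", "api.example.net"]

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "127.0.0.1")

        // Minimal utun address so the tunnel comes up. No includedRoutes are set,
        // so non-matched traffic is not pulled into the tunnel (keeps battery cost down).
        settings.ipv4Settings = NEIPv4Settings(addresses: ["10.0.0.2"],
                                               subnetMasks: ["255.255.255.0"])

        // Assumption: the extension runs its own HTTP proxy listener on this socket.
        let localProxy = NEProxyServer(address: "127.0.0.1", port: 8080)
        let proxy = NEProxySettings()
        proxy.httpEnabled = true
        proxy.httpServer = localProxy
        proxy.httpsEnabled = true
        proxy.httpsServer = localProxy

        // Scope the proxy to the domains we actually need to see. Connections that
        // ignore system proxy settings (their own socket stack) will not arrive here.
        proxy.matchDomains = interceptedDomains
        proxy.excludeSimpleHostnames = true
        settings.proxySettings = proxy

        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // Start the local proxy listener before reporting success.
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        // Tear down the proxy listener here.
        completionHandler()
    }
}
```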

So I created a test app, and requests from it behave as expected. If the domain is set via matchDomains, it gets "routed" to my VPN.

That is good news. If you see this with other hostnames, then this may be worth a bug report.

Regarding:

I am using the NEProxySettings as part of the NEPacketTunnelNetworkSettings so I can set my local proxy server as the destination for connections.

Why do you need to use NEProxySettings to set the destination of your connections? You should be in control of the network transport on your tunnel. What is the actual goal of your NEPacketTunnelProvider? Is it to authenticate and access a secure network?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

So I did more testing, and so far what I found is that matchDomains actually seems to work correctly, but not for instagram.com, as I already mentioned. I really have no idea why this domain does not work, since I can see the connections in the debug console. Of the apps I tried, Twitter for example with twitter.com as the match worked fine for both the website and the app.

I also tried subdomains like api.example.com and it works as expected.

Is this possibly worth a TSI report? But I don't think there is anything else configuration-wise that I could try?

Well, my use case is a bit different, and it is not intended as a traditional VPN. It is closer to tools like Charles Proxy or Proxyman.

So I did more testing, and so far what I found is that matchDomains actually seems to work correctly, but not for instagram.com, as I already mentioned. I really have no idea why this domain does not work, since I can see the connections in the debug console. Of the apps I tried, Twitter for example with twitter.com as the match worked fine for both the website and the app.

This is what I expected, actually. Although I will not comment on what I believe is happening here, I would urge you to consider what would make a network request through a proxy fail to reach the proxy.

Regarding:

Is this possibly worth a TSI report?

Usually I would say, yes. However, it does look like you are using a Packet Tunnel for an unsupported case:

Well, my use case is a bit different, and it is not intended as a traditional VPN. It is closer to tools like Charles Proxy or Proxyman.

So, if you have any code level questions that are not related to your proxy or VPN, then yes, open a TSI and DTS can help further.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

This is what I expected, actually. Although I will not comment on what I believe is happening here, I would urge you to consider what would make a network request through a proxy fail to reach the proxy.

I totally respect that you don't wish to comment, but I think I perhaps did not describe the issue correctly: the problem is not that the connection is failing, but rather that it doesn't arrive at the tunnel at all.

To summarize my observed behavior based on matchDomains settings:

matchDomains = [""]

Matches all connections, including the Instagram app - as expected.

matchDomains = ["twitter.com"]

Matches the Twitter website and app (specifically the 3rd party client Tweetbot) - as expected.

matchDomains = ["instagram.com"]

Matches only the Instagram website, not its app - this feels to me like incorrect behavior, since I am handling all Instagram connections in the tunnel when I match all domains.

the problem is not that the connection is failing, but rather that it doesn't arrive at the tunnel at all.

matchDomains = ["instagram.com"] Matches only the Instagram website, not its app - this feels to me like incorrect behavior, since I am handling all Instagram connections in the tunnel when I match all domains.

If the connections are not actually failing, and are getting to the packet tunnel when you remove the NEProxySettings, then I would double check the domain with a device specific proxy, like the one in Instruments. If you are certain you are working with the correct domain then I would open a Bug Report. Please respond back with the Feedback ID if you need to open a bug report.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

@meaton filed the feedback: FB9414046. Honestly I don't have much experience with this, so if something is missing or needs clarification I am happy to update the feedback.

Thanks.

@meaton filed the feedback: FB9414046

Thank you. I see that your bug made it to the right place.

Regarding:

Honestly I don't have much experience with this, so if something is missing or needs clarification

Your bug report looks like. I also added an internal note to reference this thread.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com