Multiple Simultaneous VPN Tunnels Connections in macOS

We are developing a split tunnel based VPN application (PacketTunnel) for macOS using NetworkExtension and SystemExtension. We are currently assessing whether there could be any problems or limitations with multiple VPN tunnels (from different apps) running simultaneously that could cause any traffic routing conflict or any other problems. So here are the scenarios that we have questions about?

  1. Is it possible to have multiple NEPacketTunnelProvider based tunnels running at the same time which are created by different applications?
  2. Is it possible to have one NEPacketTunnelProvider based VPN and one kext based VPN tunnel running at the same time? We are planning on supporting from macOS Catalina.
  3. Assuming answer to first question is, yes, what would be the behaviour if there is include route overlap between two NEPacketTunnelProvider based VPN tunnels?
  4. Assuming answer to second question is, yes, what would be the behaviour if there is include route overlap between our NEPacketTunnelProvider based VPN tunnel and other kext based VPN tunnel?
  5. Is there a way to create custom VPN tunnel or utun interface, from an app, apart from suing NetworkExtension or kext, in macOS? Could that cause a route overlap or conflict with our NetworkExtension tunnel when running simultaneously?
  6. Is there a way to find out tunnel address, match domains and include routes of other VPN tunnels or utun interfaces created by other applications? This may help us use different include routes than existing tunnels and avoid route overlap.
  7. Is there a way to create a VPN profile using NETunnelProviderManager which is not visible in System Preferences -> Network Preferences like NETransparentProxyManager which are not visible since Big Sur?

Thanks in advance for your response.

Up vote post of dispatchMain Down vote post of dispatchMain
1.1k views
Posted by
dispatchMain
Reply
Add a Comment

Accepted Reply

Is there a way to create custom VPN tunnel or utun interface, from an app, apart from using NetworkExtension or KEXT, in macOS?

This is something you will need to research on your own. This is not something I would recommend or provide help with either as it is way off the beaten path of what is considered to be supported.

Regarding:

Is there a way to find out tunnel address, match domains and include routes of other VPN tunnels or utun interfaces created by other applications (kext or NE or any other way)? This may help us do some tricks with include routes and avoid route overlap. netstat -rn seems to be one way to get some of this information. Is there any better way?

On macOS, yes, there is. Have a look at the SCDynamicStore APIs for rounding up this related information. It may not give you everything, but it should give you a good amount of information about other system configurations. (Note that this is not available on iOS. I realize that you are not targeting macOS, but others targeting iOS do ask this question)

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Post marked as solved
Add a Comment

Replies

Is it possible to have multiple NEPacketTunnelProvider based tunnels running at the same time which are created by different applications?

For NEPacketTunnelProvider, No. If you start NEPacketTunnelProvider A and then start NEPacketTunnelProvider B, then NEPacketTunnelProvider A will stop because you can only have one Enterprise VPN running on the system at one time.

Regarding:

Is it possible to have one NEPacketTunnelProvider based VPN and one kext based VPN tunnel running at the same time? We are planning on supporting from macOS Catalina.

Kext based VPNs are not a recommended path. You should be adopting the Network Extension frameworks, even in Catalina.

Regarding:

Is there a way to create custom VPN tunnel or utun interface, from an app, apart from suing NetworkExtension or kext, in macOS? Could that cause a route overlap or conflict with our NetworkExtension tunnel when running simultaneously?

See my answer to the previous question; the only recommended paths here are through the Network Extension framework.

Regarding:

Is there a way to create a VPN profile using NETunnelProviderManager which is not visible in System Preferences -> Network Preferences like NETransparentProxyManager which are not visible since Big Sur?

Not that I am aware of.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

Thanks for your response Matt.

Regarding

Is it possible to have one NEPacketTunnelProvider based VPN and one kext based VPN tunnel running at the same time? We are planning on supporting from macOS Catalina.

and

Is there a way to create custom VPN tunnel or utun interface, from an app, apart from suing NetworkExtension or kext, in macOS? Could that cause a route overlap or conflict with our NetworkExtension tunnel when running simultaneously?

We have no plans of using kext for our VPN tunnel. These questions are in context of our VPN using NetworkExtension and some other simultaneous VPN using kext. Since we can not control other VPN providers, we are trying to assess whether their kext based VPNs could be a challenge for our NetworkExtension base VPN tunnel.

Can you please answer these two questions with in this context as well as below question?

Assuming answer to second question is, yes, what would be the behaviour if there is include route overlap between our NEPacketTunnelProvider based VPN tunnel and other kext based VPN tunnel?

Posted by
dispatchMain
Up vote reply of dispatchMain Down vote reply of dispatchMain
Add a Comment

Assuming answer to second question is, yes, what would be the behaviour if there is include route overlap between our NEPacketTunnelProvider based VPN tunnel and other kext based VPN tunnel?

I am assuming that if there is route overlap on the system between a NKE and a Network Extension VPN on Catalina, that the second VPN that tried to claim the conflicting route would just fail entirely. Note that this is for Catalina only and would not apply to Big Sur or Monterey as NKE's are not allowed to run here. For Big Sur and Monterey the rules that apply to Network Extension VPNs would apply.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

Thanks for the response, Matt. We may have to change support from Big Sur and above to avoid conflict with KEXT based VPNs.

Last two queries:

  1. Is there a way to create custom VPN tunnel or utun interface, from an app, apart from using NetworkExtension or KEXT, in macOS?
  2. Is there a way to find out tunnel address, match domains and include routes of other VPN tunnels or utun interfaces created by other applications (kext or NE or any other way)? This may help us do some tricks with include routes and avoid route overlap. netstat -rn seems to be one way to get some of this information. Is there any better way?
Posted by
dispatchMain
Up vote reply of dispatchMain Down vote reply of dispatchMain
Add a Comment

Is there a way to create custom VPN tunnel or utun interface, from an app, apart from using NetworkExtension or KEXT, in macOS?

This is something you will need to research on your own. This is not something I would recommend or provide help with either as it is way off the beaten path of what is considered to be supported.

Regarding:

Is there a way to find out tunnel address, match domains and include routes of other VPN tunnels or utun interfaces created by other applications (kext or NE or any other way)? This may help us do some tricks with include routes and avoid route overlap. netstat -rn seems to be one way to get some of this information. Is there any better way?

On macOS, yes, there is. Have a look at the SCDynamicStore APIs for rounding up this related information. It may not give you everything, but it should give you a good amount of information about other system configurations. (Note that this is not available on iOS. I realize that you are not targeting macOS, but others targeting iOS do ask this question)

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Post marked as solved
Add a Comment