Packet Tunnel Provider + split tunnel + Proxy

Hi, I've developed a custom VPN app for macOS (system extension, Packet Tunnel Provider), and I have the following problem:

  1. I'm connected via Ethernet only (not Wi-Fi). I configured HTTP and HTTPS proxies on the Ethernet interface.
  2. I'm connecting to my VPN:
  • If I'm using a 'full tunnel' - the traffic won't pass to the Ethernet proxies, this is expected
  • If I'm using a split tunnel - even the routes included on the tunnel will reach the Ethernet proxies, this is not expected.

Am I right that this behavior is not expected? How can I fix this issue?

If I'm using a 'full tunnel' - the traffic won't pass to the Ethernet proxies, this is expected If I'm using a split tunnel - even the routes included on the tunnel will reach the Ethernet proxies, this is not expected.

It sounds like if the full tunnel traffic is not sending the proxy traffic then the split tunnel would not send it either, but is there anything else different about how this traffic is configured that would cause a difference here between split and full tunnel?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

No, this is the only difference. If I'm setting

newSettings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]

The traffic won't reach the Ethernet proxies.

Setting includedRoutes to some specific routes will behave differently - all routes (+ the routes included at the tunnel) will be sent to Ethernet proxies.

Setting includedRoutes to some specific routes will behave differently - all routes (+ the routes included at the tunnel) will be sent to Ethernet proxies.

Okay, the odd part here is that traffic not even claimed by the tunnel seems to be getting sent to the proxy. Is the proxy set at the tunnel level or at the system level via System Preferences? If the proxy settings are set at the System Preferences level then what is happening sounds reasonable.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

The proxy is set at the system level via System Preferences. Why does traffic that is claimed by the tunnel get sent to this proxy? (On a 'full tunnel', the traffic won't reach this proxy.)

Why does traffic that is claimed by the tunnel get sent to this proxy?

Does this traffic also match the proxy rules? If so, that would be one reason.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Does this traffic also match the proxy rules?

Yes, the proxy should handle all traffic. However, it seems like inconsistent behavior - on a full tunnel, traffic won't reach the proxy (and the traffic matches the proxy rules), and on a split tunnel, all traffic will reach the proxy, even the "claimed" traffic. Isn't it a bug? Any way to bypass this without changing the proxy settings?

Any way to bypass this without changing the proxy settings?

I suspect the immediate way is to run your traffic through a proxy on the other side of the tunnel, but that may not be an option.

Regarding:

Isn't it a bug?

Hard to say because if the full tunnel case uses something like includeAllNetworks in the NETunnelProviderProtocol then I would say, no this is not a bug. However, if this behavior has changed between versions, then yes, I would open a bug report.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
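To make the two configurations discussed in this thread concrete, here is an added example (not code from the original poster or from Apple) of how a Packet Tunnel Provider builds its NEPacketTunnelNetworkSettings for a full tunnel versus a split tunnel, and how a proxy can be set at the tunnel level, which is the "proxy on the other side of the tunnel" option raised above. The addresses, subnet masks, the proxy host and port, the matchDomains entry and the ExamplePacketTunnelProvider class name are all assumptions constructed for the example; the NetworkExtension API calls (NEIPv4Settings, NEIPv4Route, NEProxySettings, NEProxyServer, setTunnelNetworkSettings) are the real ones.

```swift
import NetworkExtension

// Constructed example values (documentation/private ranges), not from the thread.
let tunnelRemoteAddress = "203.0.113.1"      // VPN server address
let tunnelLocalAddress  = "10.8.0.2"
let tunnelSubnetMask    = "255.255.255.0"
let insideProxyHost     = "10.8.0.10"        // proxy reachable only through the tunnel (assumption)
let insideProxyPort     = 3128

enum TunnelMode {
    case full
    case split(routes: [NEIPv4Route])
}

/// Builds the network settings for either a full tunnel (default route) or a
/// split tunnel (explicit included routes). When `proxyInsideTunnel` is true,
/// a tunnel-level NEProxySettings is attached so that claimed traffic is
/// proxied on the far side of the tunnel instead of by the system-level proxy
/// configured on the Ethernet interface in System Preferences.
func makeTunnelSettings(mode: TunnelMode, proxyInsideTunnel: Bool) -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: tunnelRemoteAddress)

    let ipv4 = NEIPv4Settings(addresses: [tunnelLocalAddress], subnetMasks: [tunnelSubnetMask])
    switch mode {
    case .full:
        // Default route: the tunnel claims all IPv4 traffic.
        ipv4.includedRoutes = [NEIPv4Route.default()]
    case .split(let routes):
        // Only the listed prefixes are claimed; everything else stays on Ethernet.
        ipv4.includedRoutes = routes
        // Keep the VPN server itself reachable outside the tunnel.
        ipv4.excludedRoutes = [NEIPv4Route(destinationAddress: tunnelRemoteAddress,
                                           subnetMask: "255.255.255.255")]
    }
    settings.ipv4Settings = ipv4
    settings.mtu = 1400

    if proxyInsideTunnel {
        let proxy = NEProxySettings()
        proxy.httpEnabled = true
        proxy.httpServer = NEProxyServer(address: insideProxyHost, port: insideProxyPort)
        proxy.httpsEnabled = true
        proxy.httpsServer = NEProxyServer(address: insideProxyHost, port: insideProxyPort)
        // Restrict the tunnel proxy to the tunnel's own domains (assumed domain).
        proxy.matchDomains = ["corp.example"]
        settings.proxySettings = proxy
    }
    return settings
}

/// Hypothetical provider subclass showing where the settings are applied.
final class ExamplePacketTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Constructed split-tunnel prefixes for the example.
        let claimed = [
            NEIPv4Route(destinationAddress: "10.20.0.0", subnetMask: "255.255.0.0"),
            NEIPv4Route(destinationAddress: "192.0.2.0", subnetMask: "255.255.255.0"),
        ]
        let settings = makeTunnelSettings(mode: .split(routes: claimed), proxyInsideTunnel: true)
        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // Begin reading packets from self.packetFlow here.
            completionHandler(nil)
        }
    }
}
```

Switching the call to `.full` reproduces the `includedRoutes = [NEIPv4Route.default()]` case from the thread; with `proxyInsideTunnel` set to false the settings carry no proxy at all and the system-level proxy from System Preferences remains the only one in play, which is the situation the original poster describes.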