Should the per-app VPN new app rules be active only after tunnel reload?

Hi!

My VPN application has a system extension with NEPacketTunnelProvider inside.

In the VPN application I configure the VPN with .forPerAppVPN() tunnel provider manager.

Next, I'm setting the appRules field of this tunnel provider with my app rules dynamically during my app run.

This is important for us, that we should have an ability to update the app rules dynamically, so we can't just hardcode all apps once.

The problem I met is it seems that I have to do reload (disable - enable) the tunnel for new app rules to be active. To see, why is this a problem, consider, please, such scenario:

1. Add some streaming app into profile, and then run it. It begins its streaming business.
2. Add some other app into profile, and then run it. Currently, to force the traffic of this second application to go through the VPN, I have to disable and enable profile, which will cause connection lost in my first streaming app. The reconnection in that streaming app is up to the app itself: it could be quick or could be not.

What I'm doing now, is:

1. Assigning the new app rules array to the appRules member of the tunnel provider
2. Calling saveToPreferences for this tunnel provider
3. In the completion callback of saveToPreferences, I'm calling stopTunnel, and then startTunnel.

This works, but it causes pure behavior I described with streaming apps. If I remove the step 3 - only the traffic of the first app will be redirected to the tunnel.

So, the questions I have are:

1. Is it expected, that I have to perform disable-enable sequence to activate new app rules for my VPN tunnel?
2. If (1) is true, are there any recommended ways to provide my users stable experience without disconnection in the scenario I've described?
3. If (1) is false, how should I trigger the appRules update for inner VPN system?