LAN traffic with NEPacketTunnelProvider

Our app uses NEPacketTunnelProvider to provide a VPN service. We add IP 0.0.0.0 with subnetMask 0.0.0.0 to the IPv4Settings includedRoutes (we want all traffic to pass through the VPN). But we found that LAN traffic is not hijacked by the VPN. After we add a route like 192.168.3.33 mask 255.255.255.255 to the IPv4Settings includedRoutes, where 192.168.3.33 is a host on the LAN, the VPN can hijack the traffic to 192.168.3.33. But the traffic could not be sent to the host successfully.

So, could you tell me whether it is by design that LAN traffic won't be hijacked by the VPN? If we want to hijack LAN traffic and send it normally, is that possible?

When the traffic is sent to the host, the traffic seems to be hijacked by the VPN again, so it cannot be sent normally. Is there a way to avoid this?


What platform are you testing on?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

What platform are you testing on?

iOS

I’m confused by your goal here. If an app creates a connection to a peer that’s directly connected to the local Wi-Fi, why does your VPN need to get involved?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I’m confused by your goal here. If an app creates a connection to a peer that’s directly connected to the local Wi-Fi, why does your VPN need to get involved?

Because our APP not only provides a VPN service to users, but also provides a safe access environment. So we need access control for the device. So we don't want any traffic from the device to bypass our VPN and go straight out.

Because our APP not only provides a VPN service to users, but also provides a safe access environment.

OK, so you see, this is why Matt wrote TN3120 Expected use cases for Network Extension packet tunnel providers. When you try to use a packet tunnel provider as a content filter, you will run into all sorts of weird and wonderful problems. This is just one example of such problems.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

OK, so you see, this is why Matt wrote TN3120 Expected use cases for Network Extension packet tunnel providers. When you try to use a packet tunnel provider as a content filter, you will run into all sorts of weird and wonderful problems. This is just one example of such problems.

Thanks. I understand, so if we want both VPN and traffic control, we must use a different provider to achieve it.
