I work on an iOS VPN app, and we're having some problems with the interaction between MMS and the includeAllNetworks flag. When the includeAllNetworks flag is on, MMS sending fails.
I believe this is because iOS is trying to go outside the VPN tunnel and over cellular and is using the cellular network's default DNS lookup for the MMS server (in a sample case we've been using for testing, mms.msg.eng.t-mobile.com). (Logs seem to show the phone dropping back to cellular even when it has a strong WiFi connection.) I believe iOS also chooses the cellular connection when making the request where the MMS packets are sent. And thus with includeAllNetworks active, iOS does not permit these packets through, causing the MMS send to fail.
- Does this explanation above seem accurate, and seem like why MMS isn't working with the VPN active? We've been debugging via Console logs, and can see the DNS request fail, but have limited insight into the lower level parts of the networking stack.
- Does includeAllNetworks override any IP addresses in the excludedRoutes array, effectively neutering excludedRoutes when it is active? It seems like it does, but I haven't been able to find any documentation saying so.
- If so, is there any way to allow MMS to go outside the VPN while otherwise keeping includeAllNetworks active? We want to keep MMS working*, but prevent any other traffic leaks. We can't figure out a way to do this without turning off includeAllNetworks.
* While this is more philosophical, it seems like MMS going outside the tunnel isn't a giant security concern. Presumably the cell provider knows the phone's IP address already, and SMS messages already go clear over the wire.
For anyone stumbling upon this thread, this is now fixed as of iOS 16.4: https://developer.apple.com/documentation/networkextension/nevpnprotocol/4140517-excludecellularservices
This defaults to true, so things should just start working now.