VPN, includeAllNetworks, and MMS

I work on an iOS VPN app, and we're having some problems with the interaction between MMS and the includeAllNetworks flag. When the includeAllNetworks flag is on, MMS sending fails.

I believe this is because iOS is trying to go outside the VPN tunnel and over cellular and is using the cellular network's default DNS lookup for the MMS server (in a sample case we've been using for testing, mms.msg.eng.t-mobile.com). (Logs seem to show the phone dropping back to cellular even when it has a strong WiFi connection.) I believe iOS also chooses the cellular connection when making the request where the MMS packets are sent. And thus with includeAllNetworks active, iOS does not permit these packets through, causing the MMS send to fail.

  1. Does this explanation above seem accurate, and seem like why MMS isn't working with the VPN active? We've been debugging via Console logs, and can see the DNS request fail, but have limited insight into the lower level parts of the networking stack.
  2. Does includeAllNetworks override any IP addresses in the excludedRoutes array, effectively neutering excludedRoutes when it is active? It seems like it does, but I haven't been able to find any documentation saying so.
  3. If so, is there any way to allow MMS to go outside the VPN while otherwise keeping includeAllNetworks active? We want to keep MMS working*, but prevent any other traffic leaks. We can't figure out a way to do this without turning off includeAllNetworks.

* While this is more philosophical, it seems like MMS going outside the tunnel isn't a giant security concern. Presumably the cell provider knows the phone's IP address already, and SMS messages already go clear over the wire.

Answered by mattch in 750480022

For anyone stumbling upon this thread, this is now fixed as of iOS 16.4: https://developer.apple.com/documentation/networkextension/nevpnprotocol/4140517-excludecellularservices

This defaults to true, so things should just start working now.
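As an added illustration (not code from the thread, from mattch, or from Apple), this is how the flags discussed here fit together in a packet-tunnel protocol configuration on iOS 16.4 or later; the server address, bundle identifier and helper names are assumptions:

```swift
import NetworkExtension

// Hypothetical helper: build a tunnel configuration that keeps includeAllNetworks
// (fail closed) while still letting carrier services such as MMS use the cellular path.
func makeTunnelProtocol(serverAddress: String, extensionBundleID: String) -> NETunnelProviderProtocol {
    let proto = NETunnelProviderProtocol()
    proto.serverAddress = serverAddress                 // assumed value, e.g. "vpn.example.com"
    proto.providerBundleIdentifier = extensionBundleID  // assumed: your packet-tunnel extension

    // All traffic goes through the tunnel; if the tunnel is unavailable the system
    // drops traffic instead of leaking it to the physical interface.
    proto.includeAllNetworks = true

    // Only meaningful when includeAllNetworks is set. false keeps LAN traffic inside the
    // policy too; set true only if local-network access (printers, AirPlay) must keep working.
    proto.excludeLocalNetworks = false

    if #available(iOS 16.4, *) {
        // Carve-out for cellular carrier services (MMS in the thread's case). The API
        // defaults to true, but set it explicitly so the intent is visible in review.
        proto.excludeCellularServices = true
    }
    // On iOS < 16.4 there is no equivalent: includeAllNetworks and working MMS are mutually exclusive.
    return proto
}

// Hypothetical installer: save the configuration so the system applies it.
func installTunnel(_ proto: NETunnelProviderProtocol, completion: @escaping (Error?) -> Void) {
    let manager = NETunnelProviderManager()
    manager.localizedDescription = "Example VPN"
    manager.protocolConfiguration = proto
    manager.isEnabled = true
    manager.saveToPreferences { error in
        completion(error)
    }
}
```

After saving, a tunnel started with this configuration blocks all non-tunnel traffic except the cellular services the 16.4 carve-out allows, which is the behaviour the accepted answer describes.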

The fact that MMS fails when you set includeAllNetworks doesn’t surprise me. You’ve specifically told the system that you want all network traffic, which is at odds with standard cellco practice of requiring that MMS be delivered over the cellco’s network.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I understand the philosophy behind that, but the user (and developer) experience seems subpar:

macOS and iPadOS (on a WiFi iPad): If you set includeAllNetworks, you can ensure all the user's traffic goes through the VPN tunnel, with no loss of functionality.

iOS: If you set includeAllNetworks, you can ensure all the user's traffic goes through the VPN tunnel, but MMS will not work. Your choice is either "let MMS work, but don't guarantee the remaining traffic goes through the tunnel" or "kill the user's MMS functionality".

MMS is currently treated differently by iOS when there is a WiFi connection, as seen in the logs - it diverts MMS traffic to the cellular network. Given how cell companies require MMS to be delivered, it doesn't seem out-of-line that it would also be treated differently by iOS if a VPN is active. And even if this wasn't the default, adding a flag to allow MMS to go outside a VPN seems really, really helpful here. (We already have an optional excludeLocalNetworks flag that only matters when includeAllNetworks is active. Perhaps an additional excludeMMS as well?)

While I can dream of a flag to allow MMS through, do you know of a way to allow MMS to go outside the VPN while otherwise keeping similar functionality to includeAllNetworks ("if... the tunnel is unavailable, the system drops all network traffic")?

While I can dream of a flag to allow MMS through

I recommend that you do more than just dream.

do you know of a way to allow MMS to go outside the VPN while otherwise keeping similar functionality to includeAllNetworks

No.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
