Need to redirect some traffic to Physical adapter from tun interface.

In NEPacketTunnelProvider, we have a full tunnel and, once we receive the packets, we want to redirect some of the traffic back to the physical adapter from the tun interface.

We tried sending traffic outside the tunnel, but it redirects back to the tunnel interface.

Is there a way we can redirect traffic back to physical adapter from tun interface?

Answered by DTS Engineer in 741916022

I’m not 100% sure I understand your question here. It sounds like:

  • You have a packet tunnel provider in destination IP mode (that is, not per-app VPN).

  • You’ve configured the routing table to claim a wide range of destination IP addresses.

  • The system is thus routing you packets to those IP addresses.

  • Under some circumstances you want to tell the system “Oh wait, no, don’t send this to me, send it directly.”

Is that right?

If so, there’s no good way to do this with a packet tunnel provider.

Most folks who find themselves in this situation do so because they’re using a packet tunnel provider for something other than VPN [1]. You may want to explore other NE provider types, such as a content filter or a transparent proxy.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] So much so that Matt wrote TN3120 Expected use cases for Network Extension packet tunnel providers.

Is that right?

Yes, I want to achieve something similar.

You may want to explore other NE provider types, such as a content filter or a transparent proxy.

Actually, I need an IP packet for my use case. I looked into a transparent proxy, but it provides TCP or UDP streams (data packets), which I believe are layer 4 packets. I also looked into content filtering using NEFilterPacketProvider, but I'm not sure how I would process the packets and write them back to the interface. Do you have any suggestions to achieve this using a content filter?

Actually, I need an IP packet for my use case

Well, that complicates things.

I looked into a transparent proxy but it provides TCP or UDP streams (data packets) which I believe are layer 4 packets.

Correct.

Other than TCP or UDP, what IP traffic are you trying to manipulate?

looked into content filtering using NEFilterPacketProvider

That’s not going to work. A packet filter can only allow or deny a packet [1]; it can’t modify it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, it can defer it, but it’ll eventually have to allow or deny it.

what IP traffic are you trying to manipulate?

I'm not sure if I understand this correctly. My requirement is to intercept the whole system traffic and dynamically decide whether to discard the traffic or send it to the server. For this, a transparent app proxy looks like the best option, where I can filter both FQDN and IP address, but it provides the data stream whereas we need IP packets.

Is there a way we can convert layer 4 packet to layer 3?

Accepted Answer

My requirement is to intercept the whole system traffic and dynamically decide whether to discard the traffic or send it to the server.

OK, then a filter — packet or otherwise — is not going to help because it can only allow or deny traffic.

Is there a way we can convert layer 4 packet to layer 3?

No. Well, yes, but it’s a bunch of code. I’ve seen folks embed an entire TCP/IP stack in their provider (for example, lwIP) but that’s not a lot of fun.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
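Added illustration, not code from this thread or from Apple: the part of the requirement that does fit a packet tunnel provider, deciding per IP packet whether to discard it or forward it to the server, operates on the raw packets that `packetFlow` delivers once the provider's routes claim the traffic. The header summary, the `decide` policy function, the blocked-address list and `sendToServer` are assumptions made for the example; applying tunnel settings and the transport to the VPN server are left out. What it does not do, because the thread says it cannot be done, is hand a packet back to the physical interface.

```swift
import Foundation
import NetworkExtension

// Example only. Policy is applied to raw IP packets, which is what a packet
// tunnel provider in destination-IP mode receives; a filter provider could
// only allow or deny them, and a transparent proxy would see L4 flows instead.

enum PacketDecision {
    case discard          // drop silently; the system sees no reply
    case forwardToServer  // hand the packet to the tunnel transport
}

/// Minimal view of an IP header: version, transport protocol, destination.
struct IPHeaderSummary {
    let version: Int
    let proto: UInt8
    let destination: String
}

/// Parses only the fields a policy lookup needs; nil for malformed packets.
func summarizeIPPacket(_ packet: Data) -> IPHeaderSummary? {
    guard let first = packet.first else { return nil }
    let base = packet.startIndex
    switch Int(first >> 4) {
    case 4:
        guard packet.count >= 20 else { return nil }
        let proto = packet[base + 9]
        let dst = packet[(base + 16)..<(base + 20)]
        return IPHeaderSummary(version: 4, proto: proto,
                               destination: dst.map { String($0) }.joined(separator: "."))
    case 6:
        guard packet.count >= 40 else { return nil }
        let nextHeader = packet[base + 6]
        let dst = packet[(base + 24)..<(base + 40)]
        // Uncompressed hex groups are enough for an exact-match policy table.
        var groups: [String] = []
        var i = dst.startIndex
        while i < dst.endIndex {
            groups.append(String(format: "%02x%02x", dst[i], dst[i + 1]))
            i += 2
        }
        return IPHeaderSummary(version: 6, proto: nextHeader,
                               destination: groups.joined(separator: ":"))
    default:
        return nil
    }
}

/// Hypothetical policy: in a real provider the table comes from the app's configuration.
func decide(_ packet: Data, blockedDestinations: Set<String>) -> PacketDecision {
    guard let hdr = summarizeIPPacket(packet) else { return .discard }  // malformed: drop
    return blockedDestinations.contains(hdr.destination) ? .discard : .forwardToServer
}

final class ExamplePacketTunnelProvider: NEPacketTunnelProvider {
    // Constructed placeholder (TEST-NET-2 address); load the real list from configuration.
    private let blocked: Set<String> = ["198.51.100.7"]

    /// Call once from startTunnel, after setTunnelNetworkSettings has completed.
    func startReadLoop() {
        packetFlow.readPackets { [weak self] packets, protocols in
            guard let self = self else { return }
            for (packet, _) in zip(packets, protocols) {
                switch decide(packet, blockedDestinations: self.blocked) {
                case .discard:
                    continue
                case .forwardToServer:
                    self.sendToServer(packet)
                }
            }
            self.startReadLoop()  // readPackets delivers one batch per call; re-arm
        }
    }

    private func sendToServer(_ packet: Data) {
        // Hypothetical: write the raw IP packet to the tunnel transport (for example
        // an NWConnection to the VPN server). Replies from the server are handed back
        // to the system with packetFlow.writePackets(_:withProtocols:).
    }
}
```

Anything the policy forwards goes to the server and nowhere else; a destination the provider's routes claim but that should really bypass the tunnel has to be excluded at the routing level (the excluded routes in the tunnel settings), not per packet after the fact.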
