Is there a way to exclude traffic generated by VPN Controller App from packet-tunnel provider running in ip-destination mode?

Our Packet Tunnel Provider is configured to run in IP-destination mode on iOS. We have enabled On Demand with an NEOnDemandRuleConnect rule.

Currently, with the above setup, the system blocks network connections until the VPN is connected.

Is there a way to instruct the system not to block any network traffic generated by the VPN Controller App if On Demand is enabled with NEOnDemandRuleConnect and the VPN status is anything except "Connected"?

We have a requirement to make calls to remote APIs from the VPN Controller when the VPN is not connected, and at the same time we don't want to trigger the VPN connection due to the above-mentioned On Demand rule.

Is there a way to instruct the system not to block any network traffic generated by the VPN Controller App if On Demand is enabled with NEOnDemandRuleConnect and the VPN status is anything except "Connected"?

I suspect you want to gather some information to provide to your VPN to aid in tunnel connection, and that is why you want to make a network call before the tunnel is connected. If I am correct, and you are running a NEPacketTunnelProvider, are you able to fetch those resources inside the provider?

For example, something like:

override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) {

    // Add your code here to fetch your VPN based resources

    self.queue.async {
        let settings = self.makeSettings(settings: yourFetchedSettings)
        self.setTunnelNetworkSettings(settings) { errorQ in
            // Hand the outcome back to the system; a non-nil error fails the tunnel start
            // instead of silently reporting success.
            completionHandler(errorQ)
        }
    }
}

And I know you mentioned that your tunnel has restricted all access to the network until it's connected, so presumably you are using the includeAllNetworks flag and so you'd have to remove that flag to make the above approach work, but this may be one option.
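A fuller sketch of the approach suggested above, added here as an illustration and not code from the answer above or from Apple: the provider fetches its settings from inside the extension during startTunnel, builds IP-destination (split-tunnel) settings from them, and propagates any error to the completion handler. The settings URL, the JSON shape and the makeSettings helper are assumptions.

```swift
import NetworkExtension

/// Assumed shape of the settings document the tunnel server serves (constructed for this example).
struct TunnelSettings: Decodable {
    struct Route: Decodable { let destination: String; let mask: String }
    let tunnelRemoteAddress: String
    let clientAddress: String
    let subnetMask: String
    let includedRoutes: [Route]   // only these destinations are sent through the tunnel
}

final class PacketTunnelProvider: NEPacketTunnelProvider {
    // Placeholder; in the real flow this URL is handed over by the tunnel server after the TLS handshake.
    private let settingsURL = URL(string: "https://settings.example.invalid/tunnel")!

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Fetch from inside the extension rather than from the container app.
        URLSession.shared.dataTask(with: settingsURL) { data, _, error in
            if let error = error { completionHandler(error); return }
            guard let data = data,
                  let fetched = try? JSONDecoder().decode(TunnelSettings.self, from: data) else {
                completionHandler(NEVPNError(.configurationInvalid)); return
            }
            // Apply the settings; a non-nil error here fails the tunnel start.
            self.setTunnelNetworkSettings(self.makeSettings(fetched)) { error in
                completionHandler(error)
            }
        }.resume()
    }

    /// Builds IP-destination settings: traffic to includedRoutes goes through the tunnel, the rest does not.
    private func makeSettings(_ s: TunnelSettings) -> NEPacketTunnelNetworkSettings {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: s.tunnelRemoteAddress)
        let ipv4 = NEIPv4Settings(addresses: [s.clientAddress], subnetMasks: [s.subnetMask])
        ipv4.includedRoutes = s.includedRoutes.map {
            NEIPv4Route(destinationAddress: $0.destination, subnetMask: $0.mask)
        }
        settings.ipv4Settings = ipv4
        return settings
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```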

I suspect you want to gather some information to provide to your VPN to aid in tunnel connection, and that is why you want to make a network call before the tunnel is connected.

You understood it correctly. Let me explain it again in more detail. As part of establishing the VPN connection, just after a successful SSL handshake with the Tunnel Server, the Tunnel Server provides one URL. The Packet Tunnel extension passes this URL to the VPN Controller App, and using this URL the Controller App fetches some settings (user auth required). Since network connectivity is blocked until the VPN is connected, we are unable to make a call to the URL provided by the Tunnel Server, and we have to make this call to fetch some settings which are required in order to establish the VPN connection (before we return completionHandler(nil)).

Are you able to fetch those resources inside the provider?

As I mentioned above, unfortunately no. Since network connectivity is blocked until the VPN is connected, we are unable to fetch the required resources inside the provider.

So presumably you are using the includeAllNetworks flag and so you'd have to remove that flag to make the above approach work, but this may be one option.

We have not enabled includeAllNetworks, and also as per the doc, it is disabled/false by default. I also tried setting it to false explicitly, but no luck.

