NEPacketTunnelProvider: determine destination DNS and IP. How?

Hello!

Right now I'm developing an NE extension. I need to determine the DNS name (meaning I need to know where this packet needs to be delivered by domain name) and the IP from the packet itself. How to do it with NEPacketTunnelProvider?

I need to solve this issue: if the destination domain name equals domain1.com, then forward it to forwarder1.com; if the destination domain name equals domain2.com, then forward it to forwarder2.com; and so on.

Is it in this class https://developer.apple.com/documentation/networkextension/nepacket ? Or should it be done with NEFilterProvider?

Need to determine DNS … and IP from the packet itself. How to do it with NEPacketTunnelProvider?

You can get the IP address by parsing the packet itself.

There’s no way for a packet tunnel provider to recover the DNS name that was used. In fact, there’s no guarantee that there was a DNS name used. Folks can happily connect to an IP address.

Is it in this class [NEPacket]?

No.

When operating in destination IP mode, NEPacket doesn’t buy you much. It’s only really useful in source IP mode, a form of per-app VPN, where the metadata property is populated. However, per-app VPN has significant deployment restrictions. See TN3134 Network Extension provider deployment.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Is it possible not to use per-app VPN if I need to determine only the IP? Is it possible to determine the IP in the "general" version of NE that uses NEPacketTunnelProvider?

The global idea of all of this is not to send all traffic to the VPN. Only selected IP addresses need to be sent to the VPN, and the rest via the standard network. Is it possible on macOS and iOS with NEPacketTunnelProvider? Therefore I somehow need to determine the IP, and if the IP is in the list send it to the VPN; if it is not in the list, send it to the normal network.

Is it possible somehow to get the raw IP packet and parse the packet itself, like it is described in this schema?

Is it possible not to use per-app VPN if I need to determine only the IP?

Sure. Parse the IP packet.

The global idea of all of this is not to send all traffic to the VPN.

This is where things get tricky. While you can determine the destination IP address by parsing the packet, once the packet has made it to your packet tunnel provider then you are committed to sending it over the tunnel. There’s no way your provider can look at the packet and say “Oh, I don’t want to handle this, send via the normal mechanism.”

Rather, you must configure your tunnel’s network settings such that you only get the packets you’re prepared to handle. You do this using NEPacketTunnelNetworkSettings, and specifically the includedRoutes and excludedRoutes properties of the NEIPv4Settings and NEIPv6Settings.

My experience is that most folks who run into problems like this do so because they’re not building a VPN. Rather, they’re trying to use a packet tunnel provider to build some other type of product, like a content filter. We don’t support that, per TN3120 Expected use cases for Network Extension packet tunnel providers.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
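The two points above, parsing the destination IP out of the raw packet and the fact that every packet read from the flow is already committed to the tunnel, as an added example that is not code from the thread or from Apple. `Destination`, `destinationAddress(of:)` and `logDestinations()` are names chosen here; the packet layout is standard IPv4/IPv6 header layout.

```swift
import Foundation
import NetworkExtension

/// Destination recovered from a raw IP packet handed to the provider.
enum Destination: Equatable {
    case ipv4(String)
    case ipv6(String)
}

/// Packets from packetFlow.readPackets carry no link-layer framing, so byte 0 is
/// the IP version/IHL field. Only the fixed header is inspected; a DNS name is
/// not recoverable here, as the reply above explains.
func destinationAddress(of packet: Data) -> Destination? {
    let b = [UInt8](packet)                        // copy to a 0-indexed array
    guard let first = b.first else { return nil }
    switch first >> 4 {
    case 4 where b.count >= 20:
        // IPv4: destination address is header bytes 16...19
        return .ipv4(b[16...19].map { String($0) }.joined(separator: "."))
    case 6 where b.count >= 40:
        // IPv6: destination address is header bytes 24...39, shown as 8 hex groups
        var groups: [String] = []
        for i in stride(from: 24, to: 40, by: 2) {
            groups.append(String(UInt16(b[i]) << 8 | UInt16(b[i + 1]), radix: 16))
        }
        return .ipv6(groups.joined(separator: ":"))
    default:
        return nil                                 // truncated, or not an IP packet
    }
}

extension NEPacketTunnelProvider {
    /// Read loop: log each destination, then keep reading. Every packet that arrives
    /// here was routed into the tunnel by includedRoutes and must be handled by the
    /// provider; there is no way to hand it back to the normal network path.
    func logDestinations() {
        packetFlow.readPackets { packets, _ in
            for packet in packets {
                if let dst = destinationAddress(of: packet) {
                    NSLog("tunnel packet for \(dst)")
                }
            }
            self.logDestinations()
        }
    }
}
```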

Is it correct that if only IPs from a list are needed, I need to set something like "exclude all" in excludedRoutes and add only the list of IPs to includedRoutes? And there will be functionality that allows me to handle in the VPN only the IPs from the list?

"Exclude all" came into my brain by analogy with firewall rules, where you prohibit everything and open only what is allowed. For this issue, allow everything to pass via the standard network and forward only the list to the TUN interface. And every packet that comes to TUN must be passed through NEPacketTunnelProvider. Is it correct?

Rather, they’re trying to use a packet tunnel provider to build some other type of product, like a content filter.

Is it correct that you are advising to use another type of extension - NEFilterDataProvider?

If yes, what kind of limitations are there for NEFilterDataProvider? Especially for deployment and publication in the App Store.

If NEFilterDataProvider is used, could packets be parsed and handled there, not just forwarded? For example, additionally encrypted and sent back to the network according to a rule. Could it be done with NEFilterAction?

Is it correct that you are advising to use another type of extension

That depends on your specific requirements, and you haven’t really posted a lot of details about what those are.

Having said that, it does seem like you want to modify traffic, and that’s not something that a content filter can do.

what kind of limitations are there for NEFilterDataProvider?

See TN3134 Network Extension provider deployment.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello! Look below for the details you mentioned:

That depends on your specific requirements, and you haven’t really posted a lot of details about what those are.

One of the possible cases:

The company requires customers or employees to use a VPN for accessing resources. But the company doesn't want to care about all of the internet traffic that goes from them (at least because of money; they don't want to pay for all of the traffic from users). The company just wants only specified resources to pass through the VPN, and everything else to pass through the default network. The list of these resources needs to be defined somehow in the VPN application and be available for publishing in the App Store without restrictions.

For now I'm seeking a solution to make a kind of Selective VPN that allows me to define a list of resources that pass through the VPN and ignore all other traffic.

The company requires customers or employees to use a VPN for accessing resources.

Most VPN deployments solve this by knowing what IP networks are ‘inside’ the VPN. On startup the packet tunnel provider determines that list of IP networks — either it has a hard-coded list or it gets the list from the VPN server itself — and claims those routes via the includedRoutes property.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
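What claiming only the ‘inside’ networks via includedRoutes looks like in a provider, as an added example that is not code from the thread or from Apple. `insideNetworks`, `selectiveTunnelSettings`, `SelectiveTunnelProvider`, every address and the `corp.example` zone are placeholders chosen here; the NetworkExtension types and properties are the real ones named in the replies.

```swift
import NetworkExtension

/// Networks that live "inside" the VPN. Constructed placeholders: a real provider
/// hard-codes this list or fetches it from the VPN server at startup.
let insideNetworks: [(address: String, mask: String)] = [
    ("10.20.0.0", "255.255.0.0"),      // placeholder corporate range
    ("192.0.2.0", "255.255.255.0"),    // placeholder partner subnet
]

/// Builds settings that claim only insideNetworks. No default route is added, so all
/// other destinations keep using the normal network and the provider never sees them.
func selectiveTunnelSettings(remoteAddress: String, tunnelAddress: String,
                             dnsServer: String) -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: remoteAddress)

    let ipv4 = NEIPv4Settings(addresses: [tunnelAddress], subnetMasks: ["255.255.255.255"])
    // includedRoutes is the allow-list. Do not add NEIPv4Route.default() here.
    ipv4.includedRoutes = insideNetworks.map {
        NEIPv4Route(destinationAddress: $0.address, subnetMask: $0.mask)
    }
    // excludedRoutes only carves holes out of includedRoutes; with a narrow
    // includedRoutes list there is nothing to exclude, so it stays empty.
    settings.ipv4Settings = ipv4

    // Names under matchDomains resolve through the tunnel's resolver, which must
    // itself sit inside an included route (the sample 10.20.0.53 is in 10.20.0.0/16).
    let dns = NEDNSSettings(servers: [dnsServer])
    dns.matchDomains = ["corp.example"]   // placeholder internal zone
    settings.dnsSettings = dns
    return settings
}

final class SelectiveTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Addresses are placeholders; real values come from the VPN server handshake.
        let settings = selectiveTunnelSettings(remoteAddress: "203.0.113.10",
                                               tunnelAddress: "10.99.0.2",
                                               dnsServer: "10.20.0.53")
        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // From here on, packetFlow.readPackets only delivers packets whose
            // destination matches insideNetworks; start the read loop here.
            completionHandler(nil)
        }
    }
}
```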
