Change includeAllNetworks from NetworkExtension while tunnel is running

Hi,

I saw that almost every OS version, on iOS and macOS, handles changing includeAllNetworks while the tunnel is running differently. On some the entire OS reports no-net, while others, especially the latest versions, handle this fine.

Can includeAllNetworks be changed while the tunnel is running, or must the tunnel be stopped and restarted with the new value? E.g. the tunnel is started with it set to false, but later it is changed to true in the VPN profile.

And on the same note, regarding setTunnelNetworkSettings, can this be called multiple times while the tunnel is running? For example if the VPN server IP changes. Because from what I've seen, each call to setTunnelNetworkSettings after the VPN has connected results in at least DNS leaks, because the routing table is recreated.

Let me know if it is easier to track if I create separate questions.

Thanks

… while others, especially the latest versions, handle this fine.

Can includeAllNetworks be changed while the tunnel is running

Given that this is working on the latest system, that sounds like a bug that we fixed.


And on the same note, regarding [setTunnelNetworkSettings(_:completionHandler:)], can this be called multiple times while the tunnel is running?

That’s expected to work.

what I've seen, each call to [setTunnelNetworkSettings(_:completionHandler:)] after the VPN has connected results in at least DNS leaks, because the routing table is recreated.

I don’t understand what you mean by “DNS leak”.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Regarding includeAllNetworks, if we reproduce this on e.g. iOS 14 or 15, what do you recommend? Does it make sense to create a ticket for it, or will those versions not get fixed?


DNS leak = DNS query requests that don't go through the tunnel.

From what I've seen, when setTunnelNetworkSettings(_:completionHandler:) is called, from the call point until almost when its completion block is executed, the route to utun is deleted from the system and then recreated. Because of this, requests made in this short time will not be able to go through the tunnel and will mostly escape on e.g. en0. At the same time, mDNS will fire lots of DNS queries at every network configuration change, and some of the requests will manage to go around the tunnel until the route is recreated.

does it make sense to create a ticket for [iOS 14 and 15]

Probably not. In recent years Apple has started shipping updates for older OS versions, but my experience is that they are very focused on security issues.

DNS query requests that don't go through the tunnel.

Ah, thanks for the explanation.

So, calling setTunnelNetworkSettings(_:completionHandler:) works just fine in general, but it produces a window where you don’t get the security you need. It’s definitely worth filing a bug about this. Or is that an enhancement request? (-: I’m in two minds on that front but, either way, it needs to go into Radar.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
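As an added illustration of the two API points discussed in this thread (not code from either poster, and not Apple sample code), here is a minimal packet tunnel provider that pins both the default route and DNS to the tunnel, and that re-applies the settings when the server address changes. The addresses, bundle identifier and MTU are constructed placeholders.

```swift
import NetworkExtension

final class PacketTunnelProvider: NEPacketTunnelProvider {

    // Full-tunnel settings: default route and all DNS resolution go via utun.
    // Addresses are placeholders (RFC 5737 documentation range, private range).
    private func makeSettings(remoteAddress: String) -> NEPacketTunnelNetworkSettings {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: remoteAddress)

        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
        ipv4.includedRoutes = [NEIPv4Route.default()]
        settings.ipv4Settings = ipv4

        let dns = NEDNSSettings(servers: ["10.8.0.1"])
        dns.matchDomains = [""]            // empty string = match every domain
        settings.dnsSettings = dns

        settings.mtu = 1400
        return settings
    }

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        setTunnelNetworkSettings(makeSettings(remoteAddress: "203.0.113.10")) { error in
            if let error = error { completionHandler(error); return }
            // Start the packetFlow read loop here, then report success.
            completionHandler(nil)
        }
    }

    // Re-applies settings for a new server address while the tunnel is up.
    // As described above, the utun route is torn down and recreated between
    // this call and its completion, so traffic issued in that window can
    // leave on the physical interface; `reasserting` at least tells the
    // system (and the UI) that the tunnel is mid-reconfiguration.
    func updateRemoteAddress(_ newAddress: String,
                             completion: @escaping (Error?) -> Void) {
        reasserting = true
        setTunnelNetworkSettings(makeSettings(remoteAddress: newAddress)) { error in
            self.reasserting = false
            completion(error)
        }
    }
}

// App side: includeAllNetworks lives on the protocol configuration, which is
// why the thread asks whether a change there takes effect on a running tunnel.
func makeManager() -> NETunnelProviderManager {
    let manager = NETunnelProviderManager()
    let proto = NETunnelProviderProtocol()
    proto.providerBundleIdentifier = "com.example.vpn.tunnel"   // placeholder
    proto.serverAddress = "203.0.113.10"                        // placeholder
    proto.includeAllNetworks = true
    manager.protocolConfiguration = proto
    return manager
}
```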
