Excluding a single application from full tunnel packet tunnel.

We have a Developer ID signed VPN application using both NEPacketTunnelProvider and NEAppProxyProvider packaged as a single system extension.

The requirement is for the application to implement a full tunnel VPN (has default route 0.0.0.0 on the utun interface) with the exception of another specific Developer ID signed application which needs its connections to bypass the tunnel.

Originally, we attempted to use NETransparentProxyProvider to bypass the tunnel (for the single application), with the idea being to intercept the flows for the desired application in the transparent proxy and proxy these flows via a new NWConnection forced via the direct interface to bypass the tunnel. The problem we ran into was that the NEPacketTunnelProvider always gets the packets before the NETransparentProxyProvider even though the proxy is started before the packet tunnel.

So the next attempt was to use NEAppProxyProvider with an NEAppRule set to capture flows for the specific application of interest. The good news is that we get the application flows prior to the packet tunnel, but the problem is that the NEAppRule only seems to work for App Store signed applications, for example Safari. For Developer ID signed applications (for example Chrome), flows are actually blocked when an NEAppRule is added to the proxy configuration. This seems like a bug to me. The system log will show some messages about the HTTP flow being blocked by policy. For the Safari case, when the NEAppRule is added we can see socket redirect policies added (system log). In the Developer ID signed apps there appears to be an error when the OS is checking the app's certificate.

What is the recommended way to implement our app's requirement? We have a full packet tunnel with the exception of a single, Developer ID signed, application.
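The second attempt described above (an NEAppProxyProvider configuration whose NEAppRule targets one Developer ID signed app) looks roughly like the following. This is an added example, not code from the thread; the provider bundle ID, the target app's signing identifier and the designated requirement are placeholders. The real designated requirement for the target app can be read with `codesign -dr - /path/to/App.app`, and the thread reports that with such a rule in place the Developer ID app's flows were blocked rather than proxied.

```swift
import NetworkExtension

// Added example, not code from the thread: saves an NEAppProxyProvider
// configuration whose appRules match exactly one Developer ID signed app.
enum AppProxyBypassConfig {
    // Assumed bundle ID of the system extension hosting NEAppProxyProvider.
    static let providerBundleID = "com.example.vpn.systemextension"

    // Assumed CFBundleIdentifier of the app whose flows should bypass the tunnel.
    static let targetSigningID = "com.example.bypassapp"

    // Assumed designated requirement in the shape codesign prints for a
    // Developer ID signed app; TEAMID0000 stands in for the real Team ID.
    static let targetDesignatedRequirement =
        "identifier \"com.example.bypassapp\" and anchor apple generic " +
        "and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ " +
        "and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ " +
        "and certificate leaf[subject.OU] = TEAMID0000"

    // One rule: only the bypassed app is routed into the app proxy. Everything
    // else is left for the packet tunnel to claim.
    static func makeRules() -> [NEAppRule] {
        let rule = NEAppRule(signingIdentifier: targetSigningID,
                             designatedRequirement: targetDesignatedRequirement)
        return [rule]
    }

    // Loads (or creates) the app proxy manager, attaches the rule and saves it.
    static func save(completion: @escaping (Error?) -> Void) {
        NEAppProxyProviderManager.loadAllFromPreferences { managers, loadError in
            if let loadError = loadError {
                completion(loadError)
                return
            }
            let manager = managers?.first ?? NEAppProxyProviderManager()

            let proto = NETunnelProviderProtocol()
            proto.providerBundleIdentifier = providerBundleID
            // serverAddress must be non-empty for the configuration to save;
            // the value is an assumption and is not used by a local app proxy.
            proto.serverAddress = "bypass-proxy"

            manager.protocolConfiguration = proto
            manager.localizedDescription = "Per-app tunnel bypass"
            manager.appRules = makeRules()
            manager.isEnabled = true

            manager.saveToPreferences { saveError in
                completion(saveError)
            }
        }
    }
}
```

When diagnosing the "blocked by policy" behaviour the thread mentions, the first check is that the designated requirement string passed to NEAppRule matches what `codesign -dr -` prints for the installed binary byte for byte; a requirement that does not evaluate true for the running process leaves the flow matched by the rule but not deliverable to the proxy.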

The problem we ran into was that the NEPacketTunnelProvider always gets the packets before the NETransparentProxyProvider even though the proxy is started before the packet tunnel. What is the recommended way to implement our app's requirement? We have a full packet tunnel with the exception of a single, Developer ID signed, application.

As you have alluded to in your post, your packet tunnel will always get your traffic first because it sounds like your policies are overlapping. For example, if you have a packet tunnel that is claiming all traffic on the system and then you have a transparent proxy that is claiming specific network rules, then your packet tunnel will pick up the traffic first because its policies were installed first. If you absolutely need two providers, then I would only try to claim the specific destination IP addresses for the addresses that need to run through the packet tunnel and then pick up the rest with your proxy.

Problem is we need the packet tunnel to claim all IP traffic (IP based VPN) except for a single application which we need to bypass the VPN. Do you know why the app proxy works for App Store apps but not Developer ID apps? Is that a bug or by design?

Problem is we need the packet tunnel to claim all IP traffic (IP based VPN) except for a single application which we need to bypass the VPN.

Have you looked at excludedRoutes property to set on your settings? That way this excluded traffic can traverse the main physical interface?

Regarding:

Do you know why the app proxy works for App Store apps but not Developer ID apps? Is that a bug or by design?

Not sure what's happening here. I would try to just use one provider here if possible.
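The excludedRoutes suggestion in the reply above, shown as an added example rather than code from the thread. It builds the NEPacketTunnelNetworkSettings for a full tunnel (default route on the utun interface) and carves out an exception with excludedRoutes; all addresses are placeholders. Note that excludedRoutes is matched on the destination prefix of each packet, not on the sending process, which is why it cannot by itself express "bypass for one application".

```swift
import NetworkExtension

// Added example, not code from the thread: full-tunnel settings for a
// NEPacketTunnelProvider with a destination-based exception via excludedRoutes.
final class ExampleTunnelProvider: NEPacketTunnelProvider {

    // Constructed placeholder addresses used only to illustrate the API shape.
    private let tunnelServerAddress = "203.0.113.10"   // assumed VPN server (TEST-NET-3)
    private let tunnelClientAddress = "10.8.0.2"       // assumed address assigned by the server
    private let tunnelResolver = "10.8.0.1"            // assumed DNS resolver inside the tunnel

    // Assumed destination networks that must stay on the physical interface.
    private let bypassedIPv4Networks: [(address: String, mask: String)] = [
        ("198.51.100.0", "255.255.255.0")
    ]

    func makeNetworkSettings() -> NEPacketTunnelNetworkSettings {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: tunnelServerAddress)

        let ipv4 = NEIPv4Settings(addresses: [tunnelClientAddress],
                                  subnetMasks: ["255.255.255.0"])
        // 0.0.0.0/0 on the utun interface: this is what makes it a full tunnel.
        ipv4.includedRoutes = [NEIPv4Route.default()]
        // Exceptions are destination prefixes; packets to these networks are
        // routed over the physical interface regardless of which app sent them.
        ipv4.excludedRoutes = bypassedIPv4Networks.map {
            NEIPv4Route(destinationAddress: $0.address, subnetMask: $0.mask)
        }
        settings.ipv4Settings = ipv4

        // Claim IPv6 as well so the tunnel is full for both address families.
        let ipv6 = NEIPv6Settings(addresses: ["fd00:db8::2"],      // assumed ULA address
                                  networkPrefixLengths: [64])
        ipv6.includedRoutes = [NEIPv6Route.default()]
        settings.ipv6Settings = ipv6

        settings.dnsSettings = NEDNSSettings(servers: [tunnelResolver])
        settings.mtu = 1400
        return settings
    }

    override func startTunnel(options: [String: Any]?,
                              completionHandler: @escaping (Error?) -> Void) {
        setTunnelNetworkSettings(makeNetworkSettings()) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // Settings are applied; from here the provider reads from packetFlow
            // and forwards packets to the server.
            completionHandler(nil)
        }
    }
}
```

After the settings are applied, `netstat -rn` on the Mac shows the default route on the utun interface and a more specific entry for each excluded prefix pointing at the physical interface, which is the quickest way to confirm the exception took effect.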

When you say "I would try to just use one provider here if possible"

I meant try to either use a NEPacketTunnelProvider or NETransparentProxyProvider for your solution.

Problem is it doesn't seem possible to use just one of these providers. Any suggestion on how to have a full tunnel VPN but exclude flows from a single application from the tunnel?

@meaton @mkilburn we have a similar use case to allow network traffic only for our application. Could you suggest if we can achieve it with any of our APIs?

https://developer.apple.com/forums/thread/742962
