VPN: excludedRoutes IPs are going via virtual adapter

App & System Services Core OS
Shweta-mittal19 OP
Created Apr ’24
Replies 3
Boosts 0
Views 580
Participants 2

[iOS 17] We are trying to configure below Tunnel Provider configuration and we are saving it in NETunnelProviderManager preferences before calling startTunnelWithOptions

tunnelProvider.protocolConfiguration.includeAllNetworks = YES;

tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO;

tunnelProvider.protocolConfiguration.enforceRoutes = NO;

We are adding an IP in the excludeRoutes which belongs to server address[10.97.6.244]. Please refer the below network settings for VPN

    IPv4Settings = {
    configMethod = manual
    addresses = (
        10.97.4.188,
    )
    subnetMasks = (
        255.255.255.255,
    )
    includedRoutes = (
        {
            destinationAddress = 0.0.0.0
            destinationSubnetMask = 0.0.0.0
        },
    )
    excludedRoutes = (
        {
            destinationAddress = 10.97.6.244
            destinationSubnetMask = 255.255.255.255
        },
    )
    overridePrimary = NO
}

Issue: when we are trying to access server address, it's getting tunneled because of that few of our APIs are sending failure and we are unable to connect to VPN.

Expected Results : excludedRoutes IPs should go via physical interface.

STEPS TO REPRODUCE

  1. Configure VPN packet tunnel provider config as mentioned above and add some IPs in excludeRoutes
  2. Save the configuration to NETunnelProviderManager preferences using “saveToPreferencesWithCompletionHandler”
  3. Try to connect to VPN
  4. excludeRoutes are tunneled via VA
Replies  3
Boosts  0
Views  580
Participants  2
DTS Engineer OP
Apple
Apr ’24

The relationship between includeAllNetworks and the routing properties (includedRoutes and excludedRoutes) is complex. Our expectation is that a full tunnel, one that that sets includeAllNetworks, would not also set the routing properties. That’s the case that we fully support.

If you also set enforceRoutes then they system might do what you want, that is, honour the routing properties even though you’ve set includeAllNetworks. However, I discussed your situation with the folks who work on this stuff and they tell me that this isn’t an option that we officially support. It might work, it might not.

Try this out and reply back here with the results. I’m curious.

Also, if this configuration is important to you then I recommend that you file a bug report with details about your use case. Please post your bug number, just for the record.

You should do this even if the setup currently works. In that case we’ll use your bug as an indicator that folks are relying on this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Shweta-mittal19 OP
Apr ’24

Hi @eskimo , Please refer this https://developer.apple.com/forums/thread/747963?login=true&page=1#784413022

0
DTS Engineer OP
Apple
Apr ’24

Please refer this

That seems like a different issue to me. Specifically, in this case you’re setting includeAllNetworks and that other thread you’re not.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
VPN: excludedRoutes IPs are going via virtual adapter
First post date Last post date
 
 
Q