I've come to the conclusion that TPP and UDP are just utterly wonky together.
This is my relevant code:
let host = NWHostEndpoint(hostname: "", port: "0")
let udpRule = NENetworkRule(destinationNetwork: host, prefix: 0, protocol: .UDP)
let tcpRule = NENetworkRule(destinationNetwork: host, prefix: 0, protocol: .TCP)
let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress:"127.0.0.1")
/*
* These three lines are a hack and experiment
*/
let quicHost_1 = NWHostEndpoint(hostname: "", port: "80")
let quicHost_2 = NWHostEndpoint(hostname: "", port: "443")
let quicRule_1 = NENetworkRule(destinationNetwork: quicHost_1, prefix: 0, protocol: .UDP)
let quicRule_2 = NENetworkRule(destinationNetwork: quicHost_2, prefix: 0, protocol: .UDP)
settings.includedNetworkRules = [quicRule_1, quicRule_2, tcpRule]
settings.excludedNetworkRules = nil
- Directing UDP through a TPP breaks FaceTime, AirDrop, and a bunch of VPNs
- Despite the documentation implication that you can't do DNS control with a TPP ("A port string of 53 is not allowed. Use Destination Domain-based rules to match DNS traffic."), if I opt into UDP (
settings.includedNetworkRules = [udpRule, tcpRule]), then I see traffic to port 53, and can do things with it. - If I use a wild-card network rule (the code above), then the TPP does not seem to get any UDP flows at all.
- If I use a wild-card exclusion rule (using
NWHostEndpoint(hostname: "", port: "53")), then everything starts breaking. - If I use
NENetworkRule(destinationHost: host, protocol: .UDP), it complains because the prefix must be 32 or less.
I've filed feedbacks, and engaged with eskimo (really, thank you), and looked at previous threads, so mostly this is begging: has anyone gotten this to work as expected? I no longer think I'm being obviously wrong with my code, but I would be super delighted to find out I've missed some tricks or angles.