Will turning on a network filter cut off VPNs?

Hi, I developed a system extension that uses the content filter providers of the network extension. When I am using a VPN and turn on the network extension, the VPN is disconnected. Can this problem be avoided? How can I prevent the VPN from disconnecting?

Answered by DTS Engineer in 813192022
which should belong to B.

OK. That makes things tricky. DTS stopped supporting legacy ad hoc VPN techniques back when Apple introduced NE support on the Mac. That means I only have limited experience with them. However, the experience I do have suggests they use a variety of different techniques, meaning it’s hard to predict exactly how they’ll interact with other NE providers.

is it true that when I turn on the network filter, the tcp connection that already exists with the ip will not be cut off by the NEFilterActionFilterData rule behind it.

No. As a general rule, starting an NE filter will close any existing network connections regardless of how the filter is configured. That gives the filter the opportunity to inspect the replacement connections.

Not all filters want this but, sadly, there’s no way to opt out. We have a bug on file requesting an API for that (r. 99402484).

The wrinkle here is VPN. I think that this closing of connections wouldn’t apply to an NE packet tunnel provider because it exists ‘lower’ in the networking stack. However, I haven’t ever tested that. And in this case it doesn’t really matter because the VPN isn’t using NE anyway.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

What type of VPN? Is this using one of the built-in VPN transports? Or a custom VPN transport from a third-party developer?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I can't see it in the network settings of the computer preferences. It is built into the app and can be used after logging into the app. I added the following code to allow the VPN-related domain name and IP before defining the filtering rules. After testing, I found that it did not cause the VPN to disconnect. Why is this? When I add the following rules and start the network filter, will the connection to the VPN domain name in the rule not be cut off?

// Allow rule for the VPN endpoint, placed first.
NWHostEndpoint *remoteEndpoint1 = [NWHostEndpoint endpointWithHostname:@".vpn..com" port:@"443"];
NENetworkRule *allownetworkRule1 = [[NENetworkRule alloc] initWithRemoteNetwork:remoteEndpoint1 remotePrefix:32 localNetwork:nil localPrefix:0 protocol:NENetworkRuleProtocolAny direction:NETrafficDirectionOutbound];
NEFilterRule *allowfilterRule1 = [[NEFilterRule alloc] initWithNetworkRule:allownetworkRule1 action:NEFilterActionAllow];

// Catch-all rule: every other outbound flow goes to filterData.
NENetworkRule *networkRule = [[NENetworkRule alloc] initWithRemoteNetwork:nil remotePrefix:0 localNetwork:nil localPrefix:0 protocol:NENetworkRuleProtocolAny direction:NETrafficDirectionOutbound];
NEFilterRule *filterRule = [[NEFilterRule alloc] initWithNetworkRule:networkRule action:NEFilterActionFilterData];

NEFilterSettings *filterSettings = [[NEFilterSettings alloc] initWithRules:@[allowfilterRule1, filterRule] defaultAction:NEFilterActionAllow];
I can't see it in the network settings of the computer preferences. It is built into the app and can be used after logging into the app.

Which app? An app from some other third-party developer?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, it is an app developed by a third party.

I used the above code configuration to avoid being unable to access websites that can only be reached through the VPN after turning on the network filter. I observed the VPN connection through the “netstat -an | grep tcp” command line. At first I did not add allowfilterRule1 before the filterRule in the configuration. After turning on the network filter, I observed through "netstat -an | grep tcp" that my VPN connection disappeared.

However, when configuring the rules as (filterSettings = [[NEFilterSettings alloc] initWithRules:@[allowfilterRule1, filterRule] defaultAction:NEFilterActionAllow];), I added allowfilterRule1 before filterRule. I turned on the network filter and observed through "netstat -an | grep tcp" that my VPN connection was still there, and its status was "ESTABLISHED".

Does NEFilterSettings filter in the order of the configured rules? If NEFilterActionAllow is configured to allow my VPN network rule, will my VPN network connection not be cut off? From my tests so far, this is the case.
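To show where a rule list like the one above lives inside a provider, here is an added example in Swift; it is not code from this thread, the VPN host and port are placeholders, and the rules are matched in array order (first match wins), which is why the specific allow rule precedes the catch-all filterData rule.

```swift
import NetworkExtension
import os

// Added example, not the poster's code. Rule order only affects how *new*
// flows are classified; per the DTS answer, enabling the filter still closes
// pre-existing connections regardless of these rules.
class FilterDataProvider: NEFilterDataProvider {
    // Placeholder VPN endpoint; substitute the real host and port.
    let vpnHost = "vpn.example.com"
    let vpnPort = "443"

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // 1. Specific allow rule: flows to the VPN endpoint bypass inspection.
        let vpnEndpoint = NWHostEndpoint(hostname: vpnHost, port: vpnPort)
        let vpnNetwork = NENetworkRule(remoteNetwork: vpnEndpoint, remotePrefix: 32,
                                       localNetwork: nil, localPrefix: 0,
                                       protocol: .any, direction: .outbound)
        let allowVPN = NEFilterRule(networkRule: vpnNetwork, action: .allow)

        // 2. Catch-all: every other outbound flow is handed to handleNewFlow.
        let anyOutbound = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                        localNetwork: nil, localPrefix: 0,
                                        protocol: .any, direction: .outbound)
        let inspectRest = NEFilterRule(networkRule: anyOutbound, action: .filterData)

        // The first matching rule wins, so the narrow allow rule must come
        // before the broad filterData rule; swapping them sends VPN flows here.
        let settings = NEFilterSettings(rules: [allowVPN, inspectRest], defaultAction: .allow)
        apply(settings) { error in
            if let error = error {
                os_log("apply failed: %{public}@", String(describing: error))
            }
            completionHandler(error)
        }
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Only flows matched by the filterData rule arrive here, which is why the
        // VPN's own connection no longer appears in the provider's log.
        if let socketFlow = flow as? NEFilterSocketFlow,
           let remote = socketFlow.remoteEndpoint as? NWHostEndpoint {
            os_log("new flow to %{public}@:%{public}@", remote.hostname, remote.port)
        }
        return .allow()
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```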

I’m presuming this is on macOS. Lemme know if that’s wrong.

The challenge on macOS is that there are two ways for an app to have a built-in VPN that doesn’t show up in System Settings:

  • The VPN can literally be built into the app, that is, it only applies to network connections made by that app (A).

  • The app can create a VPN using legacy ad hoc techniques, that is, not using the Network Extension infrastructure (B).

This matters because I’d expect case A to be affected by your filter but not case B.

When you install this VPN app, does it request privilege escalation? If it does, that suggests case B.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, it is a macOS device, which should belong to B. After its app is turned on, it can access specific addresses like a browser or other apps. However, I did not receive a permission-escalation prompt when installing it, because mine is a supervised device and I don’t know whether some permission profiles have been issued to allow its installation. However, after the software is turned on, the automatic proxy configuration is turned on and a PAC file connection is configured.

After adding the whitelist, I first turned on my network filter and then logged into the VPN app. Because the whitelist has been set, I printed all intercepted traffic information through the network filter, and I no longer see the TCP connection of my VPN in the log printed by the network filter. Is it because I configured its whitelist (NEFilterActionAllow) beforehand?

In fact, what I most want to know is this: when I configure the network rules to allow a certain IP with NEFilterActionAllow and put that rule at the front, is it true that when I turn on the network filter, the TCP connection that already exists to that IP will not be cut off by the NEFilterActionFilterData rule behind it?

