Hi, I developed a system extension that uses the content filter provider of the Network Extension framework. When I am using a VPN and turn on the network extension, the VPN is disconnected. Can this problem be avoided? How can I prevent the VPN from disconnecting?
Will turning on a network filter cut off VPNs?
What type of VPN? Is this using one of the built-in VPN transports? Or a custom VPN transport from a third-party developer?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
I can't see it in the network settings of the computer's preferences. It is built into the app and can be used after logging into the app. I added the following code to allow the VPN-related domain name and IP before defining the filtering rules. After testing, I found that it would not cause the VPN to disconnect. Why is this? When the following rules are added and the network filter is started, will the connection to the VPN domain name in the rule not be cut off?
#import <NetworkExtension/NetworkExtension.h>

// Allow rule for the VPN server endpoint (hostname redacted in the post) on port 443.
NWHostEndpoint *remoteEndpoint1 = [NWHostEndpoint endpointWithHostname:@".vpn..com" port:@"443"];
NENetworkRule *allownetworkRule1 = [[NENetworkRule alloc] initWithRemoteNetwork:remoteEndpoint1 remotePrefix:32 localNetwork:nil localPrefix:0 protocol:NENetworkRuleProtocolAny direction:NETrafficDirectionOutbound];
NEFilterRule *allowfilterRule1 = [[NEFilterRule alloc] initWithNetworkRule:allownetworkRule1 action:NEFilterActionAllow];

// Catch-all rule: every other outbound flow is handed to the filter data provider.
NENetworkRule *networkRule = [[NENetworkRule alloc] initWithRemoteNetwork:nil remotePrefix:0 localNetwork:nil localPrefix:0 protocol:NENetworkRuleProtocolAny direction:NETrafficDirectionOutbound];
NEFilterRule *filterRule = [[NEFilterRule alloc] initWithNetworkRule:networkRule action:NEFilterActionFilterData];

// The allow rule is listed before the catch-all rule; flows matching neither fall back to defaultAction.
NEFilterSettings *filterSettings = [[NEFilterSettings alloc] initWithRules:@[allowfilterRule1, filterRule] defaultAction:NEFilterActionAllow];
I can't see it in the network settings of the computer preferences. It is built into the app and can be used after logging into the app.
Which app? An app from some other third-party developer?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Yes, it is developed by a third party.
I used the above configuration to avoid being unable to access websites that can only be reached through the VPN after turning on the network filter. I observed the VPN connection with "netstat -an | grep tcp". Before I added allowfilterRule1 ahead of the filterRule in the configuration, I observed after turning on the network filter that my VPN connection had disappeared from "netstat -an | grep tcp".
However, when I configured the rules as (filterSettings = [[NEFilterSettings alloc] initWithRules:@[allowfilterRule1, filterRule] defaultAction:NEFilterActionAllow];), with allowfilterRule1 placed before filterRule, I turned on the network filter and observed through "netstat -an | grep tcp" that my VPN connection was still there, with status "ESTABLISHED".
Does NEFilterSettings evaluate the rules in the order they are configured? If NEFilterActionAllow is configured for my VPN network rule, will my VPN network connection not be cut off? From my tests so far, this is the case.
I’m presuming this is on macOS. Lemme know if that’s wrong.
The challenge on macOS is that there are two ways for an app to have a built-in VPN that doesn't show up in System Settings:
- The VPN can literally be built in to the app, that is, it only applies to network connections made by that app (A).
- The app can create a VPN using legacy ad hoc techniques, that is, not using the Network Extension infrastructure (B).
This matters because I’d expect case A to be affected by your filter but not case B.
When you install this VPN app, does it request privilege escalation? If it does, that suggests case B.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
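The rule-ordering question raised above, shown in a complete content filter provider. This is an added example, not the original poster's code and not Apple sample code. It assumes a placeholder VPN server hostname (vpn.example.com, which you would replace with the real endpoint), that the VPN app talks to that host on port 443, and that this class is the principal class of the filter system extension. NEFilterSettings evaluates its rules array in order and applies the action of the first rule that matches a flow, so the allow rule for the VPN endpoint must precede the catch-all filterData rule; defaultAction only applies to flows no rule matched. Note that this only helps for traffic the Network Extension framework sees; a VPN built with legacy ad hoc techniques (case B above) is not affected by the filter in the first place.

```objective-c
// Added example: a NEFilterDataProvider that keeps the VPN control connection
// out of the filter by ordering an allow rule ahead of the catch-all rule.
// Assumptions: placeholder hostname vpn.example.com on port 443; this class
// is the filter extension's principal class.
#import <NetworkExtension/NetworkExtension.h>

@interface OrderedFilterDataProvider : NEFilterDataProvider
@end

@implementation OrderedFilterDataProvider

// Builds the rule set. Rules are evaluated in order, first match wins.
+ (NEFilterSettings *)filterSettingsAllowingVPNHost:(NSString *)vpnHost {
    NSMutableArray<NEFilterRule *> *rules = [NSMutableArray array];

    // 1. Allow outbound flows to the VPN server so they never reach handleNewFlow:.
    //    Assumption: the VPN uses port 443; add one rule per port it really uses.
    NWHostEndpoint *vpnEndpoint = [NWHostEndpoint endpointWithHostname:vpnHost port:@"443"];
    NENetworkRule *vpnNetworkRule = [[NENetworkRule alloc]
        initWithRemoteNetwork:vpnEndpoint
                 remotePrefix:32
                 localNetwork:nil
                  localPrefix:0
                     protocol:NENetworkRuleProtocolAny
                    direction:NETrafficDirectionOutbound];
    [rules addObject:[[NEFilterRule alloc] initWithNetworkRule:vpnNetworkRule
                                                        action:NEFilterActionAllow]];

    // 2. Catch-all: every other outbound flow is sent to the data provider.
    NENetworkRule *anyOutbound = [[NENetworkRule alloc]
        initWithRemoteNetwork:nil
                 remotePrefix:0
                 localNetwork:nil
                  localPrefix:0
                     protocol:NENetworkRuleProtocolAny
                    direction:NETrafficDirectionOutbound];
    [rules addObject:[[NEFilterRule alloc] initWithNetworkRule:anyOutbound
                                                        action:NEFilterActionFilterData]];

    // Flows matching neither rule (e.g. inbound) are allowed by default.
    return [[NEFilterSettings alloc] initWithRules:rules defaultAction:NEFilterActionAllow];
}

- (void)startFilterWithCompletionHandler:(void (^)(NSError * _Nullable error))completionHandler {
    NEFilterSettings *settings =
        [[self class] filterSettingsAllowingVPNHost:@"vpn.example.com"]; // placeholder host
    [self applySettings:settings completionHandler:^(NSError * _Nullable error) {
        if (error != nil) {
            NSLog(@"applySettings: failed: %@", error);
        }
        completionHandler(error);
    }];
}

- (void)stopFilterWithReason:(NEProviderStopReason)reason
           completionHandler:(void (^)(void))completionHandler {
    completionHandler();
}

// Only flows matched by the filterData rule arrive here; the VPN flows do not.
- (NEFilterNewFlowVerdict *)handleNewFlow:(NEFilterFlow *)flow {
    return [NEFilterNewFlowVerdict allowVerdict];
}

@end
```

If the VPN's flows still disappear with this ordering, the rule is not matching them: check with "netstat -an | grep tcp" which remote addresses and ports the VPN app actually connects to, and add allow rules for each of them ahead of the catch-all.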