What is the behavior when there are multiple apps implementing NETunnelProvider class of APIs

I want to understand what is the behavior that iOS supports if there are multiple apps that implement NEFilterManager class of APIs. In general, multiple apps implementing Network Extension frameworks.


Q1. Which app gets the priority for filtering decisions?

Q2. If one app allows website A but the other app disallows website A, how would the OS decide?

Q3. If there are multiple apps implementing NETunnelProviderManager with default route, who will get the utun packets?

Q4. Why is NEAppProxyProvider allowed only for managed apps? Is there any particular reason for this?


Any help would be greatly appreciated.

Accepted Reply

Q1. Which app gets the priority for filtering decisions?

Q2. If one app allows website A but the other app disallows website A, how would the OS decide?

This is actually covered by the documentation, but you have to read between the lines a little. Specifically, the NEFilterManager Class Reference has this to say about the enabled property.

Setting this property to true and saving the configuration will disable all other network content filters on the system …

Thus, it’s not possible to have multiple filter providers active simultaneously, and thus the situations you described can’t crop up.

Q3. If there are multiple apps implementing NETunnelProviderManager with default route, who will get the utun packets?

This is also covered by the documentation, this time in the NETunnelProviderManager Class Reference.

VPN configurations created using NETunnelProviderManager are classified as regular enterprise VPN configurations (as opposed to the Personal VPN configurations created by NEVPNManager). Only one enterprise VPN configuration can be enabled on the system at a time. If both a Personal VPN and an enterprise VPN are active on the system simultaneously, the enterprise VPN takes precedence, meaning that if the routes for the two VPNs conflict then the routes for the enterprise VPN will take precedence. The Personal VPN will remain active and connected while the enterprise VPN is active and connected, and any traffic that is routed to the Personal VPN and is not routed to the enterprise VPN will continue to traverse the Personal VPN.

So you can’t have two tunnel providers active simultaneously, which obviates your specific question, and the relationship between Personal VPN and regular VPN is clearly defined.

Q4. Why is NEAppProxyProvider allowed only for managed apps? Is there any particular reason for this?

We’ve never specifically given a reason but, in terms of practicality, the per-app VPN infrastructure needs to be able to accurately identify an app and that’s done via the MDM infrastructure.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

… who read the documentation closely today (-:
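The host-app side of what the reply describes, as an added example that is not code from this thread or from Apple's sample projects. It uses only the NEFilterManager and NEFilterProviderConfiguration calls discussed above; the description string and the vendorConfiguration key are placeholders. Two practical caveats: the app needs the Network Extension entitlement with the content-filter-provider capability, and on iOS a content filter only runs on a supervised device, so on an unsupervised phone the configuration can be saved but the filter will not take effect.

```swift
import NetworkExtension

/// Added example, not code from the thread. Turns on this app's content
/// filter. Per the NEFilterManager documentation quoted above, saving with
/// isEnabled == true disables every other content filter on the device, so
/// there is never a second active filter to arbitrate against.
enum ContentFilterSetup {

    /// Load the stored configuration, enable the filter, and save it back.
    static func enable(completion: @escaping (Error?) -> Void) {
        let manager = NEFilterManager.shared()

        // The docs require a load before a save; never save an unloaded manager.
        manager.loadFromPreferences { loadError in
            if let loadError = loadError {
                completion(loadError)
                return
            }

            // Describe what the filter sees. On iOS the NEFilterDataProvider
            // extension is located inside this app's bundle by the system.
            let config = NEFilterProviderConfiguration()
            config.filterSockets = true            // inspect flows at the socket level
            config.vendorConfiguration = [         // opaque dictionary handed to the extension
                "policyVersion": "1"               // placeholder key/value
            ]

            manager.providerConfiguration = config
            manager.localizedDescription = "Example Content Filter"   // placeholder

            // The exclusive step: with isEnabled == true, saving disables any
            // other installed content filter. There is no priority order.
            manager.isEnabled = true
            manager.saveToPreferences { saveError in
                completion(saveError)
            }
        }
    }

    /// Report whether this app's filter is the active one. Because filters are
    /// exclusive, `false` means either no filter is active or another app's is;
    /// there is no API to enumerate other apps' filter configurations.
    static func isActive(completion: @escaping (Bool) -> Void) {
        let manager = NEFilterManager.shared()
        manager.loadFromPreferences { error in
            completion(error == nil && manager.isEnabled)
        }
    }
}
```

A useful consequence for anyone writing the filter extension: the data provider never needs to consider what a second filter would have decided, because the moment another app saves an enabled configuration, this app's filter is switched off rather than stacked behind it.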

Replies

Thanks a lot Eskimo.


I have one more question on NETunnelProviderManager:


Is there a way to configure protocol-specific routes? For example, if I only want to handle TCP/IPv4 traffic, and not UDP/IPv4 or ICMP, through my VPN tunnel, how can I configure the routes?

Is there a way to configure protocol-specific routes? For example, if I only want to handle TCP/IPv4 traffic, and not UDP/IPv4 or ICMP, through my VPN tunnel, how can I configure the routes?

I don’t think that’s possible right now (I’m not even sure it’s possible within the kernel’s routing architecture). I recommend you file an enhancement request describing your use case. Please post your bug number, just for the record.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
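What IP-level routing looks like from inside a packet tunnel provider, as an added example that is not the thread's code or Apple's SimpleTunnel sample. It illustrates why the protocol-specific route asked about above has nowhere to go: NEIPv4Route carries only a destination address and mask, and the transport protocol first becomes visible inside the provider, after the packet has already been routed into the utun interface, where the only choices are forward or drop. The addresses, MTU and forwardToServer are placeholders.

```swift
import NetworkExtension

/// Added example, not the thread's or Apple's sample code. Routes are IP
/// prefixes; TCP, UDP and ICMP to the same destination all take the same route.
class ExamplePacketTunnelProvider: NEPacketTunnelProvider {

    // Per-protocol packet counters, just to make the point observable.
    private(set) var seenByProtocol: [UInt8: Int] = [:]

    override func startTunnel(options: [String : NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Placeholder addresses (TEST-NET-3 for the server, a private range for the tunnel).
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.1")
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])

        // Default route: every destination. NEIPv4Route has a destination and a mask, nothing else.
        ipv4.includedRoutes = [NEIPv4Route.default()]
        // The only way to keep traffic out is by prefix, e.g. the VPN server itself and the local LAN.
        ipv4.excludedRoutes = [
            NEIPv4Route(destinationAddress: "203.0.113.1", subnetMask: "255.255.255.255"),
            NEIPv4Route(destinationAddress: "192.168.0.0", subnetMask: "255.255.0.0"),
        ]
        settings.ipv4Settings = ipv4
        settings.mtu = 1400   // placeholder

        setTunnelNetworkSettings(settings) { error in
            if error == nil { self.readLoop() }
            completionHandler(error)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    /// Packets arrive here already routed into utun. This is the first point at
    /// which the transport protocol is visible, so "TCP only" can only be
    /// enforced by forwarding some packets and dropping the rest.
    private func readLoop() {
        packetFlow.readPackets { packets, families in
            for (packet, family) in zip(packets, families) {
                guard family.int32Value == AF_INET, packet.count >= 20 else { continue }
                let proto = packet[packet.startIndex + 9]   // IPv4 header: protocol field at byte 9
                self.seenByProtocol[proto, default: 0] += 1
                switch proto {
                case 6:          // TCP
                    self.forwardToServer(packet)
                case 17, 1:      // UDP, ICMP: cannot be handed back to the native stack,
                    break        // so a TCP-only tunnel has to drop them here
                default:
                    break
                }
            }
            self.readLoop()
        }
    }

    private func forwardToServer(_ packet: Data) {
        // Placeholder: encapsulate and send over the provider's own connection
        // to the VPN server. Unrelated to the routing point being shown.
    }
}
```

The practical reading of the answer above is that the route table is the only lever, and it is all-or-nothing per prefix: once a default route pulls a destination into the tunnel, the UDP and ICMP packets to it arrive in the provider too, and dropping them there breaks DNS and ping for the apps that sent them rather than routing them natively.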

Hi Eskimo,


Could I use NEAppProxyExtension in my app, even if my solution is not related to MDM or an enterprise solution?


Thanks,

Chang

Hi Eskimo ,

I am looking to implement Per-App VPN with the help of NEPacketTunnelProvider and have requested the entitlement; meanwhile I am looking into the sample app for the NetworkExtension framework given by Apple. Currently I am going through the following classes for implementing Per-App VPN with NEPacketTunnelProvider:

1. PacketTunnel folder classes

2. SimpleTunnelServices folder classes


So are these all I have to look at? Am I going in the right direction? Or do I have to deal with the tunnel_server classes in the Xcode project also?

Thanks!

Am I going in the right direction?

More or less.

So are these all I have to look at?

Two things:

  • You’ll want to look at SimpleTunnel, for code related to the host app.
  • If you’re implementing Per-App VPN, you’ll want AppProxy instead of PacketTunnel.

Or do I have to deal with the tunnel_server classes in the Xcode project also?

That is only relevant if you’re implementing your own VPN server. It’s necessary for the sample code because the sample code needs to be able to talk to something, and real world VPN servers introduce a whole world of other complexities.

So, if you have a VPN server you’re already talking to, you can ignore tunnel_server.

ps If you have follow-up questions about VPN, you should start a new thread. That’s better than mixing your question in with a question that’s already been answered.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I don’t understand this statement:

>> If you’re implementing Per-App VPN, you’ll want AppProxy instead of PacketTunnel.

The documentation states NETunnelProvider has routingMethod property DestinationIP or SourceApplication.

Since NEPacketTunnelProvider inherits from NETunnelProvider, the routing method should be SourceApplication when a per-app VPN profile is installed. Please help me understand why per-app VPN does not work with NEPacketTunnelProvider.


PacketTunnel works at the IP level, so there is no way to distinguish which app the packet comes from.
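The app proxy side of that contrast, as an added example that is not from the thread or from Apple's SimpleTunnel AppProxy target. An NEAppProxyProvider receives each TCP or UDP connection as a flow whose metadata carries the originating app's signing identifier, which is exactly what a packet tunnel's raw IP packets lack, and that identifier is what a per-app policy keys on. The allow-list values, the choice to connect straight to the destination instead of to a VPN server, and the decision to handle only TCP are assumptions for illustration; NWTCPConnection and createTCPConnection match the thread's era and are deprecated in newer SDKs.

```swift
import NetworkExtension

/// Added example, not code from the thread. A per-app VPN provider sees the
/// source app of every flow; a packet tunnel only ever sees IP headers.
class ExampleAppProxyProvider: NEAppProxyProvider {

    // Placeholder policy: managed apps allowed through this proxy. On iOS the
    // signing identifier is "<Team ID>.<bundle ID>" (values below are made up).
    private let allowedApps: Set<String> = [
        "ABCDE12345.com.example.managed-mail",
        "ABCDE12345.com.example.managed-crm",
    ]
    private var observations: [NSKeyValueObservation] = []

    override func startProxy(options: [String : Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        completionHandler(nil)
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        observations.removeAll()
        completionHandler()
    }

    /// Called once per new connection from a managed app.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // This is the per-app identity a packet tunnel never gets.
        let app = flow.metaData.sourceAppSigningIdentifier
        guard Self.shouldProxy(app: app, allowed: allowedApps) else {
            return false   // decline: this provider does not take the flow
        }
        if let tcp = flow as? NEAppProxyTCPFlow {
            proxy(tcp)
            return true
        }
        return false       // UDP flows are not handled in this example
    }

    /// Pure policy decision, kept separate so it can be unit tested.
    static func shouldProxy(app: String, allowed: Set<String>) -> Bool {
        return allowed.contains(app)
    }

    // MARK: TCP relay

    private func proxy(_ flow: NEAppProxyTCPFlow) {
        guard let remote = flow.remoteEndpoint as? NWHostEndpoint else {
            flow.closeReadWithError(nil)
            flow.closeWriteWithError(nil)
            return
        }
        // Assumption: connect straight to the destination. A real per-app VPN
        // would open a connection to its VPN server and encapsulate instead.
        let conn = createTCPConnection(to: remote, enableTLS: false, tlsParameters: nil, delegate: nil)
        let token = conn.observe(\.state, options: [.initial, .new]) { [weak self] conn, _ in
            guard let self = self else { return }
            switch conn.state {
            case .connected:
                // Only open the app-side flow once the upstream side is usable.
                flow.open(withLocalEndpoint: nil) { error in
                    guard error == nil else { conn.cancel(); return }
                    self.pump(flow, to: conn)
                    self.pump(conn, to: flow)
                }
            case .disconnected, .cancelled:
                flow.closeReadWithError(conn.error)
                flow.closeWriteWithError(conn.error)
            default:
                break
            }
        }
        observations.append(token)
    }

    private func pump(_ flow: NEAppProxyTCPFlow, to conn: NWTCPConnection) {
        flow.readData { data, error in
            // Empty data with no error means the app closed its write side.
            guard let data = data, error == nil, !data.isEmpty else {
                conn.cancel()
                return
            }
            conn.write(data) { writeError in
                if writeError == nil { self.pump(flow, to: conn) } else { conn.cancel() }
            }
        }
    }

    private func pump(_ conn: NWTCPConnection, to flow: NEAppProxyTCPFlow) {
        conn.readMinimumLength(1, maximumLength: 16 * 1024) { data, error in
            guard let data = data, error == nil else {
                flow.closeWriteWithError(error)
                return
            }
            flow.write(data) { writeError in
                if writeError == nil { self.pump(conn, to: flow) } else { conn.cancel() }
            }
        }
    }
}
```

The security-relevant difference is in handleNewFlow: the provider is told which signed app opened the connection before any bytes move, so policy can be enforced per app rather than inferred from destination addresses. That identity comes from the system, which is also why, as the accepted reply notes, the per-app VPN machinery is tied to MDM-managed apps.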