FQDN based split tunnelling

Hi,


Is it possible to achieve FQDN-based split tunnelling on iOS using a packet tunnel?


I'm thinking of capturing DNS responses and updating the tunnel network settings (include / exclude routes) at runtime. Would this solution work?


Thanks.

Replies

There’s no direct support for this. Your proposed solution is unlikely to work because of virtual hosting: It’s not uncommon for two DNS names to map to the same IP address. It’s possible you could implement this using the app proxy infrastructure — where, at least in the connect-by-name case, the proxy gets the DNS name of the connection — but you have to accept the deployment limitations on per-app VPN.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
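As an added example that is not part of the original thread: a Python prototype of the proposal above (derive /32 include routes from observed DNS answers) that also surfaces the virtual-hosting problem Quinn describes. The DNS responses, names and addresses are constructed here for illustration; on iOS the addresses collected in `included` would become `NEIPv4Route` entries in `NEPacketTunnelNetworkSettings.includedRoutes` passed to `setTunnelNetworkSettings(_:completionHandler:)`, which this prototype does not call.

```python
import struct
from typing import Dict, List, Set, Tuple

# --- minimal RFC 1035 wire-format helpers (A records only) -------------------

def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset past it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end

def a_records(response: bytes) -> Dict[str, List[str]]:
    """Return {owner name: [IPv4, ...]} for A records in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", response, 0)
    if flags & 0x8000 == 0:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = _read_name(response, off)
        off += 4                                      # QTYPE + QCLASS
    out: Dict[str, List[str]] = {}
    for _ in range(an):
        name, off = _read_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", response, off)
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A / IN
            out.setdefault(name, []).append(".".join(str(b) for b in rdata))
    return out

def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_response(qname: str, answers: List[Tuple[str, str]]) -> bytes:
    """Construct a response (constructed test data, not a captured packet)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    body = b""
    for owner, ip in answers:
        name = b"\xC0\x0C" if owner == qname else _encode_name(owner)  # 0x0C = question name
        body += name + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + body

# --- the split-tunnel policy derived from observed answers -------------------

class DnsDrivenRoutes:
    """Collects /32 route decisions from DNS answers for a set of tunnelled FQDNs."""
    def __init__(self, tunnel_names: Set[str]):
        self.tunnel_names = tunnel_names
        self.included: Set[str] = set()   # would become NEIPv4Route(/32) include routes
        self.bypassed: Set[str] = set()   # addresses that should stay off the tunnel
        self.names_for: Dict[str, Set[str]] = {}

    def observe(self, response: bytes) -> None:
        for name, ips in a_records(response).items():
            target = self.included if name in self.tunnel_names else self.bypassed
            for ip in ips:
                target.add(ip)
                self.names_for.setdefault(ip, set()).add(name)

    def ambiguous_addresses(self) -> Dict[str, Set[str]]:
        """Addresses no IP route can decide: returned for both a tunnelled and a
        non-tunnelled name (virtual hosting on one front end)."""
        return {ip: n for ip, n in self.names_for.items()
                if ip in self.included and ip in self.bypassed}

def demo() -> Dict[str, Set[str]]:
    policy = DnsDrivenRoutes({"intranet.example"})
    # constructed scenario: two hostnames share one front-end address
    policy.observe(build_response("intranet.example", [("intranet.example", "198.51.100.10")]))
    policy.observe(build_response("public.example", [("public.example", "198.51.100.10")]))
    policy.observe(build_response("other.example", [("other.example", "203.0.113.7")]))
    return policy.ambiguous_addresses()

if __name__ == "__main__":
    print(demo())
```

The `demo()` result is the failure mode in one line: a /32 include route for 198.51.100.10 sends `public.example` traffic through the tunnel as well, and there is no IP-layer information that could separate the two. A CNAME chain makes it worse, since the A records' owner name is the canonical name rather than the FQDN the user typed.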

Thank you for the quick reply.

I'm afraid we cannot use the app proxy here, as we need the whole device's traffic.

@eskimo,


Regarding virtual hosting: I've done a simple POC to test this behaviour, but it seems that as soon as I update the include routes and set the tunnel network settings, it disrupts the existing TCP connections.


Is it possible to update the tunnel routes once the VPN is up?

Is it possible to update the tunnel routes once the VPN is up?

Yes, you’ve already confirmed that (-: I believe you’re actually asking whether it’s possible to do this without disrupting existing TCP connections. I can’t see why not, as long as your changes don’t affect the source address or routing of those connections. Still, if that’s not how things work already, there’s nowt you can do about it, other than to file a bug report.

If you do file a bug report, make sure to explain the bigger picture context for this problem. Oh, and please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I started an upload in one app and updated the routes (which does not affect the existing upload's IP addresses). I can see the upload freezes sometimes.


Behaviour is intermittent. I'll file a bug report and update the ticket number here. Thanks.