Local internet tunnel means my WAN/LAN internet connection
OK, thanks for clarifying that.
[FYI, labelling your default Internet connection as a “tunnel” is kinda weird. Normally we reserve the word “tunnel” for situations where you have network traffic nested within other network traffic, as is typically done by VPN.]
Yes the app is for the general users.
This is going to be a challenge. There are two basic approaches for implementing per-app VPN on the Mac:
NKEs were officially deprecated in macOS 10.15, and I recommend that you avoid going down that path.
On the NE front, there are four standard ways to create per-app VPN:
An NE app proxy provider app extension
An NE packet tunnel provider app extension in per-app VPN mode
The system extension variants of the above
Note: If you’re not familiar with how these parts fit together, I strongly encourage you to watch WWDC 2019 Session 714 Network Extensions for the Modern Mac, which is a great overview of these technologies.
The drawback to all of these is configuration. Per-app VPN is, by design, restricted for use in managed environments. On iOS the target apps must be installed via MDM. This restriction is not as tight on macOS, but there’s still no API to configure which apps run over which VPN configurations. Rather, this mapping is set up via a configuration profile using the com.apple.vpn.managed.appmapping payload, and that’s not a great user experience.
You may be able to make some headway using a NE transparent proxy system extension and then looking at each flow’s metadata [1] to decide whether to route it via your VPN or not. Honestly, I’m not sure whether that will work because I’m not sure whether the metadata is available in the transparent proxy case.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
[1] The metaData property of the NEAppProxyFlow class, which is the base class for both NEAppProxyTCPFlow and NEAppProxyUDPFlow.