Content Filter Providers & L2TP VPN

Hi,


We offer web content filtering functionality in our app using the NEFilterDataProvider and NEFilterControlProvider APIs.

The functionality is well tested and has worked as expected so far.


Currently, we are encountering a problem that I could not find a solution for online or in the Apple documentation:


  • As soon as the content filtering is activated, it is not possible to connect to an L2TP VPN on the same device.
  • As soon as the content filtering is deactivated, it is possible to connect to the same L2TP VPN on the same device.
  • The VPN connection is configured directly in the iOS system settings (General -> VPN -> Add VPN Configuration) and not via a 3rd party app.
  • We only filter browser flows and not socket flows.


Is there any reason why the content filtering might hinder the VPN connection being established successfully?


Thanks in advance & Kind regards

Accepted Reply

In iOS 13.5 there were known issues with Content Filters. I am currently tracking 6 bugs for this topic with the majority being resolved in iOS 13.6. The main issues associated with these bugs were that handleNewFlow and handleRemediation did not work properly, but these bugs were mainly associated with filtering web traffic and using Web Content Filter profiles. This could have been what you are seeing and also explain why it is resolved in iOS 13.6.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Replies

Is there any reason why the content filtering might hinder the VPN connection being established successfully?

Not that I can think of. If you (temporarily) replace your content filtering code with no-op code (just return .allow() to all new flow requests in your data provider), do you still see the problem?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

> If you (temporarily) replace your content filtering code with no-op code (just return .allow() to all new flow requests in your data provider), do you still see the problem?


Yes, I still see the problem, even after returning an allow verdict in every method of my data provider.


The only way I can connect again to the VPN is by removing the configuration profile that contains the "Web Content Filter".


After removing the configuration profile, I can see that the "-stopFilterWithReason:completionHandler:" method of my data provider is called. From this point on, the VPN connection can be established successfully.

Yes, I still see the problem, even after returning an allow verdict in every method of my data provider.

OK, I’m going to label that as a bug. Please file it as such, and post your bug number, just for the record. Make sure to

  • Include a sysdiagnose log taken shortly after you notice the problem

  • Before doing this, install the Network Diagnostics for iOS profile from our Bug Reporting > Profiles and Logs page

  • Also the VPN (Network Extension) for iOS profile

It would also help if you included a project containing that cut down version of your filter, one that resolves every flow with .allow().

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
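A cut-down data provider of the kind requested in the replies above, added here as an example; it is not code from the thread or from the original poster's app. Every flow is resolved with .allow(), and the flow type is written to the unified log so a sysdiagnose taken afterwards shows what the provider saw around the time the VPN attempt fails. The class name and log subsystem are assumptions.

```swift
import NetworkExtension
import os.log

// Hypothetical no-op filter: allows everything, only records what it was asked about.
final class NoOpFilterDataProvider: NEFilterDataProvider {

    // Subsystem name is an assumption; pick one matching the extension's bundle id.
    private let log = OSLog(subsystem: "com.example.filter", category: "noop")

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        os_log("no-op filter started", log: log, type: .info)
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        // The thread reports this callback firing once the profile is removed;
        // logging the reason makes that moment visible in the sysdiagnose.
        os_log("no-op filter stopped, reason=%d", log: log, type: .info, reason.rawValue)
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Record which kind of flow reached the provider, then let it through untouched.
        if let browser = flow as? NEFilterBrowserFlow {
            os_log("browser flow %{public}@", log: log, type: .debug,
                   browser.url?.absoluteString ?? "<no url>")
        } else if let socket = flow as? NEFilterSocketFlow {
            os_log("socket flow to %{public}@", log: log, type: .debug,
                   socket.remoteEndpoint?.description ?? "<no endpoint>")
        }
        return .allow()
    }

    // Data callbacks are only reached for flows the provider asked to inspect;
    // none are here, but every verdict is kept consistent with "allow everything".
    override func handleInboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int,
                                    readBytes: Data) -> NEFilterDataVerdict {
        return .allow()
    }

    override func handleOutboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int,
                                     readBytes: Data) -> NEFilterDataVerdict {
        return .allow()
    }

    override func handleRemediation(for flow: NEFilterFlow) -> NEFilterRemediationVerdict {
        return .allow()
    }
}
```

If the VPN still fails to connect with this provider installed, the verdict logic is ruled out and the remaining variable is the presence of the filter configuration itself, which is the point of the bisection Quinn describes.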

Hello,

It looks like this issue has been fixed with iOS 13.6.

Can you confirm this? Has there been an internal bug report that led to a fix with iOS 13.6?

Thanks & Kind regards.
Thank you for the quick reply!