Filter content through VPN

Hi,

I created an iOS VPN client using the IPSec protocol (written in Swift 4.0).

Is there any way to drop a few packets / URLs based on a rule I build?

Replies

Are you using a built-in VPN transport? Or a custom transport that you created via the Network Extension packet tunnel provider mechanism?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I've created a VPN using NEVPNManager with IPSec as protocol configuration (like below).

import NetworkExtension

let vpnManager = NEVPNManager.shared()
let ipSec = NEVPNProtocolIPSec()
ipSec.username = "xxxx@gmail.com"
ipSec.authenticationMethod = .sharedSecret
ipSec.useExtendedAuthentication = true
ipSec.serverAddress = "xxxx.xxxx.xxxx.xxxx"
// The protocol configuration must be attached to the manager before saving,
// and loadFromPreferences must have completed first or the save is rejected.
vpnManager.protocolConfiguration = ipSec
vpnManager.isEnabled = true
vpnManager.saveToPreferences { error in
    if let error = error { print("saveToPreferences failed: \(error)") }
}


Can you help me to understand what a built-in VPN transport is?
Also, how do I filter the data?



What is the difference between VPN Configurations and Personal VPN in Settings -> VPN?

I've installed some apps which have a VPN and do filtering. Now, in VPN Configurations, if I tap on the VPN it shows the details. In that I've seen the "Server" value as 127.xx.xx.x. It means it has an internal VPN running.
Can you let me know how to do it?

Can you help me to understand what a built-in VPN transport is?

A VPN transport is the subsystem responsible for managing a VPN connection. VPN transports fall into two groups:

  • Built-in VPN transports are those built in to the system, including IKEv2, IPsec, and the legacy L2TP.

  • Custom VPN transports are those implemented by third-parties. These include:

    • Network Extension providers, which are the currently supported way for a third-party developer to create a custom VPN transport.

    • Legacy VPN plug-ins, which are old, scary, and deprecated!

I've created a VPN using NEVPNManager with IPSec as protocol configuration.

Your use of NEVPNProtocolIPSec indicates that you’re using one of the built-in VPN transports, namely IPsec.

The built-in VPN transports do not have any explicit support for client-side filtering. Most folks in your situation would do this filtering at the VPN server.

What is the difference between VPN Configurations and Personal VPN in Settings -> VPN?

Personal VPN is the name we use for VPN configurations that were created using the NEVPNManager API and that use the built-in VPN transports.

Note Personal VPN only supports two transports, IKEv2 and IPsec. You can’t configure the legacy L2TP transport using Personal VPN.

VPN configurations can also be created by:

  • The user, using the Settings app

  • Third-party apps that implement a custom VPN transport

  • A configuration profile

The latter can target both built-in VPN transports and custom VPN transports.

Quinn “The Eskimo!”

Thanks for your reply.

I've tried to create a NETunnelProviderManager and start the VPN tunnel.

I see that we need to set the serverAddress on the NETunnelProviderManager instance.

Can you please help me to understand what this serverAddress is?

I've tried to give my external VPN server address like 172.x.x.x. It always shows connecting and never connects.

Also, I've seen for one of the applications that the server address in the iPhone VPN Configurations screen says "127.0.X.X". Can you please let me know how to create the local server address as above?



Thanks.

I've tried to create a NETunnelProviderManager and start the VPN tunnel.

I see that we need to set the serverAddress on the NETunnelProviderManager instance.

Can you please help me to understand what this serverAddress is?

The server address is typically the address of the VPN server in use. However, when you’re creating a custom VPN transport, which is the only case where NETunnelProviderManager comes into play, the exact format of the server address is not defined by the system, but is rather interpreted by the Network Extension VPN provider you’re creating.

Quinn “The Eskimo!”

Thanks for your help.

Now, I'm able to create a custom transport using the Network Extension packet tunnel provider mechanism.

I would like to know if there is any way to read the source URL from packets passing through the tunnel?

I would like to know if there is any way to read the source URL from packets passing through the tunnel?

No there is not. By the time you get down to the packet level this sort of information has been lost. Even getting one part of the URL, the server’s DNS name, is tricky:

  • For HTTP you can get this by reconstructing the TCP flow and looking at the Host header.

  • For older versions of TLS you can look at the certificate that comes back from the server.

  • For TLS 1.3 you have to rely on the SNI extension in the Client Hello.

Quinn “The Eskimo!”


WWDC runs Mon, 4 Jun through to Fri, 8 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face.
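The SNI lookup named in the last bullet of that reply, as an added example that is not code from the thread or from Apple: it walks a TLS ClientHello record byte by byte and returns the server_name, in Python rather than the tunnel's Swift because the byte layout is the same wherever the check runs. The SNI extension is also sent in TLS 1.2 ClientHellos, so the same parser serves both versions; the ClientHello it tests against is constructed by hand, not captured, and a packet tunnel would still have to reassemble the TCP stream before handing a record to it.

```python
import struct

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x00


def extract_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    try:
        # TLS record header: type(1) version(2) length(2), then handshake type(1) length(3)
        if payload[0] != TLS_HANDSHAKE or payload[5] != CLIENT_HELLO:
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        if len(payload) < 5 + rec_len:
            return None  # truncated: a real filter buffers more TCP data before deciding
        p = 9 + 2 + 32                                   # skip client_version and random
        p += 1 + payload[p]                              # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]  # cipher_suites
        p += 1 + payload[p]                              # compression_methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:                              # walk the extension list
            ext_type, ext_len = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if ext_type == EXT_SERVER_NAME:
                q = p + 2                                # skip server_name_list length
                while q + 3 <= p + ext_len:
                    name_type = payload[q]
                    name_len = struct.unpack("!H", payload[q + 1:q + 3])[0]
                    if name_type == 0:                   # host_name
                        return payload[q + 3:q + 3 + name_len].decode("ascii")
                    q += 3 + name_len
            p += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                      # malformed input, do not crash the tunnel


def build_client_hello(hostname: bytes) -> bytes:
    """Constructed TLS ClientHello (not a real capture) with an unrelated extension before SNI."""
    name = b"\x00" + struct.pack("!H", len(hostname)) + hostname
    sni_list = struct.pack("!H", len(name)) + name
    exts = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"     # supported_versions, to be skipped
    exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

A filtering rule would compare the returned name against its list and drop or pass the flow; non-TLS payloads and truncated records come back as None rather than raising, which is the behaviour you want from code sitting in the data path.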

Thanks

Is there any way to filter the content that is being passed through my tunnel?

I've seen NEFilterFlow, but can we use it for normal devices apart from supervised devices? If not is there any other way to filter the data?

I've seen NEFilterFlow, but can we use it for normal devices apart from supervised devices?

No. If you’re trying to use a tunnel provider to filter, you’ll have to build a bunch of your own infrastructure. How hard this is depends on the type of tunnel provider:

  • For an app proxy provider it’s relatively easy. App proxy providers work in terms of flows, and the TCP flow (NEAppProxyTCPFlow) gives you access to the flow of data running through the TCP connection.

    IMPORTANT App proxy providers are only supported on managed devices (except on macOS).

  • For a packet tunnel provider things get more complex. Here you don’t get a flow of data through a TCP connection, but rather a flow of packets. If you want to look at the data in the TCP connection, you will have to re-assemble those packets yourself. This is quite tricky.

Quinn “The Eskimo!”