Per-App Tunneling in VPN without profile configuration

Hi guys,


I'm going to develop a VPN app and have been investigating the API meanwhile. As far as I understand from the API, you can create per-app split tunneling only using profile configuration. But I installed ExpressVPN (macOS) and there is the ability to filter traffic per app, and there is no profile configuration added to my preferences. So it means that it is possible to implement that. Can anyone give me any guidance on how to implement per-app tunneling in a VPN connection without profile configuration?


Thanks

Replies

Per-app VPN (this includes app proxy providers and packet tunnel providers in per-app mode) can only be configured via a configuration profile (using both the com.apple.vpn.managed.applayer and com.apple.vpn.managed.appmapping payloads).

Note that iOS does not support the com.apple.vpn.managed.applayer payload, so on iOS you can only set this up via MDM.

The above assumes you’re using Network Extension (NE) providers, which is what I recommend. If you ship outside of the Mac App Store (MAS), you can’t use NE providers for your VPN (NE providers are only supported in Mac App Store apps). There are, however, a bunch of other techniques that non-MAS apps can use to implement VPN. I recommend that you steer clear of these because I’m concerned about their long-term viability (DTS has stopped providing formal support for non-NE VPN for similar reasons).

I can’t comment on other developers’ products, but if I were in your shoes I’d first check their distribution channel.

The best long-term solution for this problem would be for Apple to support per-app VPN outside of managed environments. We already have a bug on file tracking this request (r. 22708173), but I think it’s worthwhile you filing your own enhancement request describing your own specific requirements.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

They use OpenVPN.

When you parse the IP packet, you can find srcip:srcport, then use libproc https://github.com/networkextension/DarwinCore/blob/master/DarwinCore/libproc.h to find which pid uses this src:port, then find the process name or bundle ID.

Use libproc.

While I’m not going to comment on other developers’ products, I must caution you about using any PID-based approach. The issue here is that modern systems distribute work across multiple processes, and there’s no supported way to determine the relationship between those processes.

A critical example here is WKWebView. All of its networking is done in a separate process. The system keeps track of the relationship between the original process and the helper process, and ensures that per-app VPNs based on the NE provider architecture do the right thing. There is, alas, no supported way for non-NE VPNs to do this.

This, by the way, is a perfect example of why DTS has stopped supporting non-NE VPNs.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"