5 Replies
      Latest reply on May 16, 2019 5:30 AM by Meera Mohideen
      Meera Mohideen Level 1 (0 points)

        Hi,


        Is it possible to achieve FQDN based split tunnelling on iOS using packet tunnel?


        I'm thinking of capturing DNS responses and updating the tunnel network settings (include / exclude routes) at runtime. Would this solution work?


        Thanks.

        • Re: FQDN based split tunnelling
          eskimo Apple Staff (11,265 points)

          There’s no direct support for this.  Your proposed solution is unlikely to work because of virtual hosting: It’s not uncommon for two DNS names to map to the same IP address.  It’s possible you could implement this using the app proxy infrastructure — where, at least in the connect-by-name case, the proxy gets the DNS name of the connection — but you have to accept the deployment limitations on per-app VPN.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: FQDN based split tunnelling
              Meera Mohideen Level 1 (0 points)

              Thank you for the quick reply.

              I'm afraid we cannot use App proxy here as we need the whole device traffic.

              • Re: FQDN based split tunnelling
                Meera Mohideen Level 1 (0 points)

                @eskimo,


                When we are talking about virtual hosting, I've done a simple POC now to test this behaviour, but it seems that as soon as I update the include route and set tunnel network settings it disrupts the existing TCP connections.


                Is it possible to update the tunnel routes once the VPN is up?

                  • Re: FQDN based split tunnelling
                    eskimo Apple Staff (11,265 points)

                    Is it possible to update the tunnel routes once the VPN is up?

                    Yes, you’ve already confirmed that (-:  I believe you’re actually asking whether it’s possible to do this without disrupting existing TCP connections.  I can’t see why not, as long as your changes don’t affect the source address or routing of those connections.  Still, if that’s not how things work already, there’s nowt you can do about it, other than to file a bug report.

                    If you do file a bug report, make sure to explain the bigger picture context for this problem.  Oh, and please post your bug number, just for the record.

                    Share and Enjoy

                    Quinn “The Eskimo!”
                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                    let myEmail = "eskimo" + "1" + "@apple.com"
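The two technical points in the replies above, that DNS-driven routing breaks down under virtual hosting and that a route update is only safe for existing flows if it does not change their routing decision, can be checked offline before any tunnel code is written. The following is an added example, not code from the thread, from Apple or from any NetworkExtension API; it does not call the packet tunnel provider at all. The DNS answers, the hostnames and the policy set are constructed sample data, and the function names are hypothetical. It derives /32 include routes from observed A-record answers, reports addresses where an included name and a non-included name collide (the virtual hosting case), and lists which existing connections would flip between tunnel and bypass if the route set changed.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address

# Constructed sample: simplified DNS A-record answers a tunnel might observe,
# as (name, ttl, address). The last entry shares an address with the first,
# which is the virtual hosting situation described in the thread.
SAMPLE_ANSWERS = [
    ("intranet.example.test", 300, "203.0.113.10"),
    ("mail.example.test", 300, "203.0.113.11"),
    ("cdn.example.test", 60, "198.51.100.5"),
    ("public.example.test", 60, "203.0.113.10"),
]

# Constructed policy: FQDNs whose traffic should go through the tunnel.
INCLUDE_NAMES = {"intranet.example.test", "mail.example.test"}


def plan_include_routes(answers, include_names):
    """Turn observed answers into /32 include routes keyed by IP.

    Returns (routes, conflicts). A conflict is an address that must be routed
    into the tunnel because an included name resolves to it, but that also
    serves names the policy did not want tunnelled. Those names' traffic is
    pulled into the tunnel as a side effect, because routes match on IP, not
    on the FQDN that produced them.
    """
    names_by_ip = {}
    for name, _ttl, addr in answers:
        names_by_ip.setdefault(IPv4Address(addr), set()).add(name)

    routes, conflicts = set(), {}
    for ip, names in names_by_ip.items():
        if not names & include_names:
            continue  # no included name resolves here: leave it off-tunnel
        routes.add(IPv4Network(f"{ip}/32"))
        leaked = names - include_names
        if leaked:
            conflicts[str(ip)] = sorted(leaked)
    return routes, conflicts


def routed_through_tunnel(routes, remote):
    """True if the remote address falls inside any included route."""
    return any(ip_address(remote) in net for net in routes)


def connections_rerouted(old_routes, new_routes, remotes):
    """Remote addresses of existing flows whose tunnel/bypass decision would
    change if the route set moved from old_routes to new_routes. A non-empty
    result is the situation where replacing the tunnel settings can be
    expected to disturb those connections."""
    return sorted(
        r for r in remotes
        if routed_through_tunnel(old_routes, r) != routed_through_tunnel(new_routes, r)
    )


if __name__ == "__main__":
    routes, conflicts = plan_include_routes(SAMPLE_ANSWERS, INCLUDE_NAMES)
    print("include routes:", sorted(str(n) for n in routes))
    print("virtual hosting conflicts:", conflicts)
    # Existing flows (constructed) before the routes are applied.
    live = ["203.0.113.10", "198.51.100.5"]
    print("flows whose routing flips:", connections_rerouted(set(), routes, live))
```

Run as-is to see the collision on 203.0.113.10 reported, and the flow to that address listed as one whose routing decision changes when the new include route is installed; a flow to 198.51.100.5 stays off-tunnel in both states and is not listed.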