Some traffic bypassing VPN

Hello !
We are developing an application which automatically logs in to a WiFi captive portal, initiates a VPN and then should send all traffic through the VPN tunnel.
Traffic sent through the VPN is "free of charge" and traffic sent directly over the WiFi interface is "charged" to the end user.
Everything works as it should, except some traffic is still sent directly over the WiFi interface instead of the tunnel, and thus will be "charged". One example is Facebook Messenger STUN traffic. The VPN is WireGuard using the Network Extension framework.


#tcpdump -k -X -n -i rvi0 -Q "proc=Messenger"

12:03:26.722675 (en0, proc Messenger:27325, svc BE, out) IP 192.168.99.155.58168 > 157.240.20.6.3478: UDP, length 20
  0x0000:  fcec da43 1245 044b ed47 841b 0800 4500  ...C.E.K.G....E.
  0x0010:  0030 479d 0000 4011 5ce6 c0a8 639b 9df0  .0G...@.\...c...
  0x0020:  1406 e338 0d96 001c a266 0001 0000 2112  ...8.....f....!.
  0x0030:  a442 2b54 6e62 4771 2b34 6b45 594f       .B+TnbGq+4kEYO

12:03:26.749385 (en0, proc Messenger:27325, svc BE, in) IP 157.240.20.6.3478 > 192.168.99.155.58168: UDP, length 32
  0x0000:  044b ed47 841b fcec da43 1245 0800 4500  .K.G.....C.E..E.
  0x0010:  003c d407 4000 5611 7a6f 9df0 1406 c0a8  .<..@.V.zo......
  0x0020:  639b 0d96 e338 0028 f435 0101 000c 2112  c....8.(.5....!.
  0x0030:  a442 2b54 6e62 4771 2b34 6b45 594f 0001  .B+TnbGq+4kEYO..
  0x0040:  0008 0001 e338 c2cc 06fd                 .....8....

192.168.99.155 here is the WiFi interface IP address. Most other traffic correctly travels over the VPN tunnel.
Probably there is something wrong in the setup - any hints?
best regards,
Taavi Talvik
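The two frames above, decoded end to end as an added example (this is not the original poster's code; the only input is the hex dump pasted from the tcpdump output). It walks Ethernet, IPv4 and UDP, then parses the STUN header and the MAPPED-ADDRESS / XOR-MAPPED-ADDRESS attribute per RFC 5389. The output shows the request leaving en0 from 192.168.99.155 (the WiFi address) as a Binding Request, and the server answering with the reflexive address it saw the request come from, which is the public side of the WiFi path rather than anything behind the tunnel. The tunnel interface name passed to `outside_tunnel` is an assumption, since the post never names it:

```python
"""Decode the tcpdump -X frames from the post: Ethernet -> IPv4 -> UDP -> STUN (RFC 5389)."""
import ipaddress
import re
import struct

STUN_MAGIC = 0x2112A442
STUN_TYPES = {0x0001: "Binding Request", 0x0101: "Binding Success Response",
              0x0111: "Binding Error Response"}
ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS = 0x0001, 0x0020

# Constructed input: the two Messenger frames from the post, pasted verbatim
# (tcpdump summary line followed by the -X hex dump of each frame).
CAPTURE = r"""
12:03:26.722675 (en0, proc Messenger:27325, svc BE, out) IP 192.168.99.155.58168 > 157.240.20.6.3478: UDP, length 20
  0x0000:  fcec da43 1245 044b ed47 841b 0800 4500  ...C.E.K.G....E.
  0x0010:  0030 479d 0000 4011 5ce6 c0a8 639b 9df0  .0G...@.\...c...
  0x0020:  1406 e338 0d96 001c a266 0001 0000 2112  ...8.....f....!.
  0x0030:  a442 2b54 6e62 4771 2b34 6b45 594f       .B+TnbGq+4kEYO

12:03:26.749385 (en0, proc Messenger:27325, svc BE, in) IP 157.240.20.6.3478 > 192.168.99.155.58168: UDP, length 32
  0x0000:  044b ed47 841b fcec da43 1245 0800 4500  .K.G.....C.E..E.
  0x0010:  003c d407 4000 5611 7a6f 9df0 1406 c0a8  .<..@.V.zo......
  0x0020:  639b 0d96 e338 0028 f435 0101 000c 2112  c....8.(.5....!.
  0x0030:  a442 2b54 6e62 4771 2b34 6b45 594f 0001  .B+TnbGq+4kEYO..
  0x0040:  0008 0001 e338 c2cc 06fd                 .....8....
"""

SUMMARY_RE = re.compile(r"^\S+ \((\w+), proc ([^,]+), svc \w+, (in|out)\) IP ")
HEX_RE = re.compile(r"^\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{2,4} )*[0-9a-f]{2,4})")


def frames_from_dump(text):
    """Group each tcpdump summary line with its hex lines; return raw frames."""
    records = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            records.append({"iface": m[1], "proc": m[2], "dir": m[3], "hex": []})
            continue
        m = HEX_RE.match(line)
        if m and records:
            records[-1]["hex"].append(m[1].replace(" ", ""))
    for rec in records:
        rec["frame"] = bytes.fromhex("".join(rec.pop("hex")))
    return records


def parse_udp(frame):
    """Walk Ethernet II -> IPv4 -> UDP; return addresses, ports and the UDP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    src, dst = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    return str(src), sport, str(dst), dport, ip[ihl + 8:ihl + ulen]


def parse_stun(payload):
    """Parse a STUN header and pull out the (XOR-)MAPPED-ADDRESS attribute."""
    mtype, mlen, magic = struct.unpack("!HHI", payload[:8])
    txid = payload[8:20]
    if magic != STUN_MAGIC or len(payload) != 20 + mlen:
        raise ValueError("not a well-formed RFC 5389 STUN message")
    msg = {"type": STUN_TYPES.get(mtype, hex(mtype)), "txid": txid.hex(), "mapped": None}
    off = 20
    while off < 20 + mlen:
        atype, alen = struct.unpack("!HH", payload[off:off + 4])
        val = payload[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            family, port = val[1], struct.unpack("!H", val[2:4])[0]
            addr = val[4:8] if family == 0x01 else val[4:20]
            if atype == ATTR_XOR_MAPPED_ADDRESS:   # undo XOR with cookie (+ txid for IPv6)
                port ^= STUN_MAGIC >> 16
                addr = bytes(a ^ b for a, b in zip(addr, struct.pack("!I", STUN_MAGIC) + txid))
            msg["mapped"] = (str(ipaddress.ip_address(addr)), port)
    return msg


def analyze(text):
    """Decode every frame in a tcpdump -X dump into one flat record."""
    out = []
    for rec in frames_from_dump(text):
        src, sport, dst, dport, payload = parse_udp(rec.pop("frame"))
        rec.update(src=src, sport=sport, dst=dst, dport=dport, stun=parse_stun(payload))
        out.append(rec)
    return out


def outside_tunnel(records, tunnel_iface):
    """Records seen on an interface other than the VPN tunnel. tunnel_iface is
    an assumed caller-supplied name (e.g. the utunN the extension created)."""
    return [r for r in records if r["iface"] != tunnel_iface]


if __name__ == "__main__":
    for r in analyze(CAPTURE):
        print(f"{r['iface']} {r['dir']:3} {r['proc']}: {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']}  {r['stun']['type']}  mapped={r['stun']['mapped']}")
```

Running it against a capture from a working setup should show the same proc's STUN traffic on the tunnel interface with the tunnel's source address, and the server reflecting the VPN egress address instead; any record `outside_tunnel` returns is a flow that was bound past the tunnel.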

Replies

Did some more study of this issue. Studied more tcpdumps etc.


Actually Facebook Messenger sends traffic to all active interfaces in iOS. It even sends traffic out through Cellular when mobile data is disabled in settings.


Hypothesis is that Facebook Messenger actually searches for all active interfaces/addresses in the iOS system, then binds sockets to all addresses/interfaces, and then sends data out through all those interfaces. Thus, using scoped routing, it is able to bypass the VPN and/or default route.


Like described in https://forums.developer.apple.com/thread/76711#226101

Is there any way at all to change this behaviour? Without supervision/MDM?
Or are applications really capable of bypassing the VPN/routing table at will?
Or am I doing something seriously wrong?

I can’t speak to the behaviour of specific third-party clients, but I will say that it’s perfectly feasible for clients to force traffic to run over a specific interface.

As to what you can do about this, my recommendation is that you look at the `includeAllNetworks` and `excludeLocalNetworks` properties we added to `NEVPNProtocol` in iOS 13 beta.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello !
We did check with the built-in IPsec profiles also, with no customizations whatsoever.
Behaviour was similar, in that Facebook Messenger was able to send out packets using the IP address of the underlying WiFi interface (and 4G). Even created a .mobileconfig profile which included `OverridePrimary=1`.
Still the same behaviour on 12.3.1.
Will try your suggestion with `includeAllNetworks` on iOS 13 beta.
Btw. do you have deeper documentation on behaviour than on
https://developer.apple.com/documentation/networkextension/nevpnprotocol/3143658-excludelocalnetworks?language=objc
best regards,
taavi

> Even created a .mobileconfig profile which included `OverridePrimary=1`.

The `OverridePrimary` flag makes that VPN interface the default route; that won't affect traffic that's been forced to run over a specific interface.

> do you have deeper documentation on behaviour [of `includeAllNetworks` and `excludeLocalNetworks`]

I’m pretty sure we discussed them during WWDC 2019 Session 714 Network Extensions for the Modern Mac.

However, that was a Mac-specific session, which caused me to take another look at those properties. I'm sad to say that they are currently macOS only.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"