SimpleTunnel: responses not routed back to the tunnel

Hi all,

There are a variety of posts scattered around about this, but I didn't find any of the suggested solutions working, nor is it clear whether anyone has managed to make this work (see the end of this post for a variety of inconclusive answers in related posts).


I am running SimpleTunnel on iOS and I am able to route web traffic via the tunnel to my Mac, where tunnel_server runs. While browsing in Safari, I can see the DNS queries reaching the server end of the tunnel on utun2, leaving the Mac's Wi-Fi interface en0 towards the Wi-Fi router, and the DNS response coming back from the router, but I have never been able to get the response back into the tunnel and to the client (therefore the iPhone cannot display any web content).


Configuration: iPhone and Mac sitting in the same home Wi-Fi network, which communicates with the internet via the NetGear router.


NetGear router IP: 10.0.0.1

Mac Wi-Fi adapter: en0

Mac IP: 10.0.0.11

Tunnel Virtual interface: utun2

Tunnel IP: 192.168.2.2 (as defined by the tunnel server's config.plist start address)

iPhone IP: 10.0.0.15


NAT

I have set up NAT port forwarding on the Mac. I have tried a variety of configurations there; among the ones that worked, I have settled on the following:


mc-lon-mb8633:Debug mmanni$ cat /etc/pf.anchors/simpleTunnel

nat on en0 inet from 192.168.2.0/24 to any -> en0


Config.plist

The file in tunnel_server is left as in the original project, therefore specifying only the POOL dictionary with a start address of 192.168.2.2 and an end address of 192.168.2.10.

P.S.: I have tried a few different configurations over time, including what was suggested in a related post: setting the ROOT with Netmask and Address, but I have found that the latter would stop the traffic going through the tunnel. You would get the iPhone to browse normally, but that was because we would be bypassing the tunnel altogether.


The following is the sequence of steps to reproduce my problem (assume tunnel_server is already running and assume the entry in SimpleTunnel has been created):

1) I toggle the VPN on in SimpleTunnel. The server accepts a new connection and logs:

Accepted a new connection

Tunnel received Open command

Allocated address Optional("192.168.2.2")

*** Virtual Interface setup: ("utun2", "192.168.2.2")


2) The VPN symbol appears on the iPhone.

3) I open the browser and type: www.bbc.co.uk.

4) Wireshark on utun2 shows the following entry: 192.168.2.2 10.0.0.1 DNS Standard query 0x86d1 A www.bbc.co.uk (this confirms the request is tunnelled)

5) Wireshark on en0 shows the following entries:

  • 10.0.0.11 10.0.0.1 DNS Standard query 0x61dd A www.bbc.co.uk (utun2 NATted to en0 / Mac Wi-Fi interface)
  • 10.0.0.1 10.0.0.11 DNS Standard query response 0x61dd A www.bbc.co.uk CNAME www.bbc.net.uk A 212.58.246.55 .... (NetGear responds)
  • 10.0.0.11 10.0.0.1 ICMP Destination unreachable (Port unreachable)


The last line is the one where I would have expected the DNS response to be NATted back to utun2 and returned to the client, whilst it looks like the reverse mapping doesn't know that that packet needs to be mapped back to the virtual interface. I have spent two days trying to understand what is wrong with it, and I am left now with the hope that someone who has gone through a successful setup will wander across this post and share their experience.


Related posts:

https://forums.developer.apple.com/thread/36453

https://forums.developer.apple.com/message/117304#117304

https://forums.developer.apple.com/message/78853#78853

https://forums.developer.apple.com/thread/49858
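
Added example (editor's note; this is not code from the post, from SimpleTunnel or from pf): the mechanism the last capture line depends on, modelled in Python. A `nat on en0 ... -> en0` rule is stateful: an outbound packet is rewritten only if it matches the rule, and that match is what records the state the reply is later looked up against. A reply with no matching state is handed to the Mac's own IP stack, which answers an unbound UDP port with exactly the ICMP port unreachable seen on en0. The addresses are the ones in the post; the ports, transaction IDs and payloads are constructed sample values. One check the model makes explicit: NAT rewrites addresses and ports but never the DNS transaction ID, so the utun2 query (0x86d1) and the en0 query (0x61dd) carrying different IDs is worth confirming before reasoning about the reverse mapping, since a translated copy of the same datagram would carry the same ID.

```python
"""Stateful NAT in miniature (added example; not SimpleTunnel or pf code).

Models what a pf rule such as
    nat on en0 inet from 192.168.2.0/24 to any -> en0
does on the forward path and on the reply path: an outbound packet that
matches the rule is rewritten and a state entry is recorded; a reply is
translated back only if it matches a recorded state, otherwise it goes to
the Mac's own IP stack. Addresses are the ones from the post; ports,
DNS transaction IDs and payloads are constructed sample values.
"""
from dataclasses import dataclass, replace

TUNNEL_NET = "192.168.2."   # the tunnel pool 192.168.2.0/24
MAC_EN0 = "10.0.0.11"       # translation address (en0)
ROUTER = "10.0.0.1"         # resolver the iPhone is querying through the tunnel


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    dns_id: int     # DNS transaction ID; NAT rewrites addresses/ports, never this
    payload: str


class Nat:
    """One rule: 'from TUNNEL_NET to any -> MAC_EN0', plus its state table."""

    def __init__(self, first_port=50000):
        # (proto, nat_ip, nat_port, remote_ip, remote_port) -> (orig_src, orig_sport)
        self.states = {}
        self.next_port = first_port

    def outbound(self, pkt):
        """Packet about to leave en0. Returns (packet on the wire, matched_rule)."""
        if not pkt.src.startswith(TUNNEL_NET):
            return pkt, False                     # not tunnel traffic: untouched, no state
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.states[(pkt.proto, MAC_EN0, nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=MAC_EN0, sport=nat_port), True

    def inbound(self, pkt):
        """Packet arriving on en0. Returns (packet, 'utun' or 'local')."""
        orig = self.states.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return pkt, "local"                   # no state: the Mac's own stack gets it
        return replace(pkt, dst=orig[0], dport=orig[1]), "utun"


def local_stack(pkt, bound_udp_ports=frozenset()):
    """What the Mac's stack does with a UDP datagram nobody translated back."""
    if pkt.proto == "udp" and pkt.dport not in bound_udp_ports:
        return "ICMP port unreachable"            # the third line in the en0 capture
    return "delivered to a local socket"


def reply_for(query):
    """The router's answer to a translated query, as it would appear on en0."""
    return Packet("udp", query.dst, query.dport, query.src, query.sport,
                  query.dns_id, "A www.bbc.co.uk -> 212.58.246.55")


def working_path():
    """Query created state on the way out, so the reply is mapped back to utun."""
    nat = Nat()
    query = Packet("udp", "192.168.2.2", 61234, ROUTER, 53, 0x86D1, "A www.bbc.co.uk")
    on_wire, matched = nat.outbound(query)
    back, where = nat.inbound(reply_for(on_wire))
    return {"matched": matched, "wire_src": on_wire.src, "where": where,
            "dst": back.dst, "dport": back.dport,
            "id_preserved": on_wire.dns_id == query.dns_id == back.dns_id}


def missing_state_path():
    """A reply arrives for which no state exists (rule not applied, state gone,
    or the query seen on en0 was never a translated tunnel packet)."""
    nat = Nat()
    stray = Packet("udp", ROUTER, 53, MAC_EN0, 50000, 0x61DD,
                   "A www.bbc.co.uk -> 212.58.246.55")
    back, where = nat.inbound(stray)
    return {"where": where, "dst": back.dst, "stack": local_stack(back)}


if __name__ == "__main__":
    print(working_path())
    print(missing_state_path())
```

Running it prints the two outcomes side by side: in the working path the reply is rewritten to 192.168.2.2 and routed to the utun side, in the missing-state path the same reply lands on the Mac's stack and is answered with port unreachable. On a real system the equivalent of the `states` dictionary is what `pfctl -s state` shows; if no entry for the en0 query appears there while the query is on the wire, the rule was not the thing that sent it.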


Accepted Reply

Just FYI, I discussed this issue (off-Mac routing with the SimpleTunnel VPN server) with VPN Engineering a while back and their response was simply that it’s not something we support. That’s pretty much where I left things. So, while there may be a way to make this work, I’m not able to offer any advice on that front.

This isn’t a problem for most VPN developers because they use the SimpleTunnel client and server to get something up and limping, and then immediately switch to having their client talk to their actual VPN server.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies


Thanks Eskimo, at least this tells me I shouldn't spend more time on it. As SimpleTunnel was advertised to be both the client and server component of a sample tunnelling infrastructure, I kind of took for granted that it would have served the purpose of creating an end-to-end POC. As I am still validating the technology choice at this level, I was aiming for a demonstrable demo without having to involve the backend guys to create a proper VPN server. I also made a brief attempt at building tunnel_server on Linux, where port routing is easier, but as the working branch of it is Swift 2.x, it lacks all the Swift Foundation libraries that came with Swift 3.

At this point I'll follow the advice to build my own VPN server for testing, while waiting for the open DTS incident regarding Always-On VPN to decide whether the TunnelProvider API can serve the purpose of enforced tunnelling or whether I'd better fall back onto NEVPNManager with IKEv2.