Per-App VPN through Enterprise Systemwide VPN

Hi there!


I am working with iOS Per-App VPN and Enterprise Systemwide VPN.

I have been able to set up both using Configuration Profiles and MDM.


What I would like to do is access an IPSec VPN endpoint for Per-App connections, where the endpoint exists on a network only accessible through an SSL VPN endpoint that is connected through an Enterprise VPN.


Please refer to the following diagram for further example of what I mean:

https://imgur.com/a/oGZgf


The part I am uncertain about has been marked with the dotted line.

Can the Per-App VPN connect and route through the Enterprise VPN?


Kind regards,


Jordan

Replies

You are, alas, in the wrong place. Apple Developer Forums is a place to discuss developer issues and VPN configuration is a user-level issue, albeit a very advanced one. You should ask your question over in Apple Support Communities, run by Apple Support, and specifically in the Business and Education topic areas, where you’re more likely to find folks with VPN experience. If that doesn’t work out, you can contact Apple Support formally [1].

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Normal Apple support channels will probably baulk at this question, but Apple Support offers a variety of more robust paid-for support options. I don’t work for Apple Support, and thus am not able to discuss those options in detail, but I figured you might find the following links useful:

Thanks for your response Eskimo.


We are developing a custom VPN solution with our own VPN client plugin for per-app use, but this system architecture unknown is currently the missing piece of the puzzle as to whether it is possible to develop a nested VPN solution.


Kind regards,


Jordan

So, with reference to the diagram you posted earlier, which part are you developing?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

We'll be developing a VPN client plugin, which will be configured as a 'Per-App VPN'. It will be an SSL/TLS VPN tunnel combined with our own custom crypto. Ideally we would like to set up nested VPNs, so that our App traffic is double encrypted through the systemwide VPN, configured as Always-On (preferred) or On-Demand. With respect to the diagram, the bottom left section is the part we are implementing.


Note that in the diagram I had the SSL VPN endpoint for the systemwide enterprise VPN and an IPSec endpoint for the Per-App VPN, which contradicts my paragraph above. This was just for demonstration purposes, and was to try to simplify the diagram.


Kind regards,


Jordan

I do not know if it’s possible to layer a per-app VPN on top of a system-wide VPN. Moreover, the answer may vary depending on whether you’re creating an app proxy provider or a packet tunnel provider in per-app VPN mode. My recommendation is that you open a DTS tech support incident so I can take the time to look into this for you.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks, I've submitted a DTS tech support incident regarding this.


Kind regards,


Jordan

Hi,

We are investigating a similar issue. We have a device-wide enterprise VPN using Packet Tunnel Provider. If there is another third-party VPN provider providing a per-app VPN facility, our questions are:

1. If per-app VPN is via a packet tunnel provider, will the packets go through the per-app VPN or go through the device-wide VPN?

   As per our understanding, only one Packet Tunnel Provider can be active at a time and packets will go through the VPN which is currently active... Is this understanding correct?

2. If per-app VPN is via an App Proxy Provider, will packets go through the per-app VPN or the device-wide VPN?