Thanks for being a part of WWDC25!

How did we do? We’d love to know your thoughts on this year’s conference. Take the survey here

Change includeAllNetworks from NetworkExtension while tunnel is running

App & System Services Networking
smaryus
smaryus OP
Created Jun ’23
Replies 5
Boosts 0
Views 925
Participants 3

Hi,

I saw that almost each OS version, on ios and macos, handles differently changing includeAllNetworks while the tunnel is running. On some the entire OS reports no-net, while others, specially latest versions, handle this fine.

Can includeAllNetworks be changed while the tunnel is running, or the tunnel must be stopped and restarted with the new value? e.g. the tunnel is started with it set to false, but later is changed to true into VPN profile.

And on the same note, regarding setTunnelNetworkSettings, can this be called multiple times while the tunnel is running? For example if the VPN server IP changes. Because what I've saw each call to setTunnelNetworkSettings after VPN connected results in at least DNS leaks, because the routing table is recreated.

Let me know if it is easier to track to create separate questions.

Thanks

Answered by DTS Engineer in 756086022

does it make sense to create a ticket for [iOS 14 and 15]

Probably not. In recent years Apple has started shipping updates for older OS versions but my experience is that they are very focused on security issues.

DNS query requests that doesn't go through the tunnel.

Ah, thanks for the explanation.

So, calling setTunnelNetworkSettings(_:completionHandler:) works just fine in general, but it produces a window where you don’t get the security you need. It’s definitely worth filing a bug about this. Or that an enhancement request? (-: I’m in two minds on that front but, either way, it needs to go into Radar.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies  5
Boosts  0
Views  925
Participants  3
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Jun ’23

… while others, specially latest versions, handle this fine.

Can includeAllNetworks be changed while the tunnel is running

Given that this is working on the latest system, that sounds like a bug that we fixed.

And on the same note, regarding [setTunnelNetworkSettings(_:completionHandler:)], can this be called multiple times while the tunnel is running?

That’s expected to work.

what I've saw each call to [setTunnelNetworkSettings(_:completionHandler:)] after VPN connected results in at least DNS leaks, because the routing table is recreated.

I don’t understand what you mean by “DNS leak”.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
smaryus
smaryus OP
Jun ’23

regarding includeAllNetworks, if we reproduce this on e.g. iOS 14 or 15, what do you recommend, does it make sense to create a ticket for it, or those versions will not get fixed?

DNS leak = DNS query requests that doesn't go through the tunnel.

From what I've saw when setTunnelNetworkSettings(_:completionHandler:) is called, from the call point until almost its completion block is executed, the route to utun is deleted from system and then recreated. Because of this, requests made in this short time will not be able to go thru the tunnel and will most escape on e.g. en0. In the same time mDNS will fire lots of DNS queries at every network configuration change and some of the requests will manage to go around the tunnel, until the route is recreated.

0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Jun ’23
Recommended

does it make sense to create a ticket for [iOS 14 and 15]

Probably not. In recent years Apple has started shipping updates for older OS versions but my experience is that they are very focused on security issues.

DNS query requests that doesn't go through the tunnel.

Ah, thanks for the explanation.

So, calling setTunnelNetworkSettings(_:completionHandler:) works just fine in general, but it produces a window where you don’t get the security you need. It’s definitely worth filing a bug about this. Or that an enhancement request? (-: I’m in two minds on that front but, either way, it needs to go into Radar.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
or_b
or_b OP
Mar ’25

Hi, we are facing the same issue. Every time we call setTunnelNetworkSettings(_:completionHandler:), we have a leak of requests out of the tunnel. There is any solution or workaround for this?

0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Mar ’25

I’m gonna give you the same advice I gave smaryus:

  • It’s definitely worth filing a bug about this.

  • Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Change includeAllNetworks from NetworkExtension while tunnel is running
First post date Last post date
 
 
Q