Thanks for being a part of WWDC25!

How did we do? We’d love to know your thoughts on this year’s conference. Take the survey here

iOS VPN Issue -Disconnecting VPN from Packet Tunnel Network Extension Causes Loss of Internet Connectivity

App & System Services Networking
KhothAmit
KhothAmit OP
Created Jun ’24
Replies 4
Boosts 0
Views 574
Participants 3

Feedback Ticket: FB13812251

Problem Statement: We are currently facing internet connectivity issue with our VPN application where we try to disconnect the VPN from the Packet Tunnel Network Extension using - (void)cancelTunnelWithError:(nullable NSError *)error. Which API to use to disconnect the VPN from Packet Tunnel as VPN app is not running such that device retains its internet connectivity as soon as VPN disconnects.

Configuration: We have configured PacketTunnelProvider with the following settings: (NETunnelProviderManager *)tunnelProvider.protocolConfiguration.includeAllNetworks = YES; (NETunnelProviderManager *)tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO; (NETunnelProviderManager *)tunnelProvider.protocolConfiguration.enforceRoutes = NO;

These settings are applied from the VPN app and allow us to successfully establish a VPN connection, with all traffic being routed through the tunnel as expected.We are setting above properties to address local net attack.

Issue we are facing: However, we encounter a problem when we attempt to disconnect the VPN from. When we call the following method from PacketTunnel network extension:

  • (void)cancelTunnelWithError:(nullable NSError *)error

Upon calling this method, the VPN disconnects as expected, but the device loses all internet connectivity and is unable to access any resources. This is not the desired behavior.

Observation : Interestingly, when we call the following method from the app side. The VPN disconnects and the device retains its internet connectivity. [enabledConfig.connection stopVPNTunnel];

We would like to achieve the same behavior when disconnecting the VPN from the Network Extension. So we are looking for an API that could be called from NE without causing any internet connectivity issue. Any guidance on how to resolve this issue would be greatly appreciated.

Answered by DTS Engineer in 837406022

I’ve no info to share on FB13812251, other than my usual advice:

  • You can check its status using Feedback Assistant. See my Bug Reporting: How and Why? post for details on that.

  • It’s a good idea to re-test with beta releases as we seed them.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies  4
Boosts  0
Views  574
Participants  3
Apple Staff, Systems Engineer
Systems Engineer OP
Apple
Jun ’24
Observation : Interestingly, when we call the following method from the app side. The VPN disconnects and the device retains its internet connectivity. [enabledConfig.connection stopVPNTunnel];

Right, it looks like there was a response on the radar mentioning that this is happening because includeAllNetworks is set and cancelling the tunnel from the provider side can leave the system in this state. While this is being worked out, please disconnect the VPN from the application side or through the VPN UI.

0
KhothAmit
KhothAmit OP
Jun ’24

I got this response from Apple: The behavior seen is expected with includeAllNetworks enabled. Once the VPN config is enabled, default drop is enabled, meaning traffic will be dropped unless they are tunneled. This is to prevent data leak across tunnel flaps. This sounds like exactly what is happening in your use case. If you leave the config enabled, and from your extension, you try to cancel the tunnel. This will leave the default drop enabled without tunnel, traffic will get dropped until tunnel comes back up.

Query: But Now Which API to use to disconnect the VPN on NE side so that it doesn't causes any internet connectivity issue?

0
KhothAmit
KhothAmit OP
Apr ’25

@Systems Engineer We are still facing the same internet issue on iPhone devices.

  1. Packet tunnel to crash unexpectedly.Observe that the NE process (Packet Tunnel) restarts automatically, as expected and attempts to reconnect the VPN;
  2. however, the device now lacks internet connectivity, preventing VPN reconnection.
  3. Try accessing resources using Safari or any other internet-dependent app, resulting in an error indicating the device is not connected to the internet.
0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Apr ’25
Recommended

I’ve no info to share on FB13812251, other than my usual advice:

  • You can check its status using Feedback Assistant. See my Bug Reporting: How and Why? post for details on that.

  • It’s a good idea to re-test with beta releases as we seed them.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
iOS VPN Issue -Disconnecting VPN from Packet Tunnel Network Extension Causes Loss of Internet Connectivity
First post date Last post date
 
 
Q