In-tunnel networking when `includeAllNetworks` is set.

When setting up a packet tunnel with a profile that has includeAllNetworks set to true, we seemingly cannot send any traffic inside the tunnel using any kind of an API. We've tried using BSD sockets, as we ping a host only reachable within the tunnel to establish whether we have connectivity - this does not work. When using NWConnection from the Network framework and specifying the required interface via virtualInterface from the packet tunnel, the connection state never reaches ready. Our interim solution is to, as ridiculous as it sounds, include a whole userspace networking stack so we can produce valid TCP packets just to send into our own tunnel. We require a TCP connection within our own tunnel to do some configuration during tunnel setup. Is there no better solution?

Hmmm, I would expect this to work.

Just for testing purposes, do the legacy in-provider networking APIs work?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The legacy in-provider networking APIs did not work either, with the same symptoms.

This is still iOS, right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

This is still iOS, and this has been the case since, I believe, iOS 15. It is certainly the case on iOS 16, 17 and 18, as those are the devices we have tested this behavior on recently.

Hmmm, interesting. I suspect that this is tied to the implementation of includeAllNetworks, itself introduced in iOS 14.

Anyway, I don’t see any code-level workaround here (other than to not set includeAllNetworks but I presume that you’re setting that for a good reason). My advice is that you file a bug about this. Enable additional logging per the VPN (Network Extension) for iOS/iPadOS instructions on our Bug Reporting > Profiles and Logs page.

Once you’re done, please post the bug number here. I wanna do a little more digging on this issue, but I need your bug number to start that process.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I've finally gotten around to submitting the bug report (FB16748087).

Best regards, Emīls

Sorry it’s taken so long to get back to you.

Thanks again for filing FB16748087. I discussed this with some folks internally and, yeah, as far as we can tell that’s Just A Bug™.

I checked on your bug and it’s landed in the right place. I’ve no info to share as to how things will evolve from there.

I can’t think of any good way to work around it (while I admire the dedication of your ‘embed an entire TCP/IP stack’ workaround, I’m not gonna label that as “good” :-).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
