I've implemented a custom system extension VPN for macOS using Packet Tunnel Provider. The VPN is configured with on-demand, and a rule to always connect whenever there's traffic:
onDemandRules = [NEOnDemandRuleConnect()]
As expected, if the VPN isn't active, all traffic gets blocked until it is ready.
Not expected: In the following scenario, there is some 'traffic leak':
- Use only WiFi (not wired cable)
- Connect the VPN
- Disable the WiFi and wait for the VPN to disconnect
- Enable the WiFi
- Some packets are routed outside the VPN, and aren't being blocked
- Some moments after, all traffic will be blocked, and the VPN will start the 'connecting' process.
Is the above scenario a 'known' issue? Can it be a race condition in the OS, where some packets can be sent after the network is brought back before the VPN process starts? Is there any way to fix this problem?
P.S.: I'm not using flags such as 'capture all network'
VPN On Demand wasn’t designed as a mechanism to prevent ‘leaks’. For that we have Always-on VPN. At least, we do with the built-in IKEv2 VPN transports. We don’t support that for third-party VPNs (r. 33804980).
I'm not using flags such as 'capture all network'
Is this in reference to the includeAllNetworks property? If so, then you should definitely explore that option. It is the closest to Always-on VPN that you can get with a third-party VPN.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
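As an added illustration (not code from either post in this thread), here is how a tunnel configuration that combines the questioner's on-demand rule with the includeAllNetworks property Quinn points to could look; the provider bundle identifier and server address are placeholders.

```swift
import NetworkExtension

// Added example, not from the thread. Builds a NETunnelProviderManager whose
// configuration keeps the on-demand rule from the question but also sets
// includeAllNetworks, so the system blocks traffic that would otherwise
// bypass the tunnel while it is down or reconnecting.
// Assumed placeholder values: bundle identifier and server address.
func makeEnforcedTunnelManager() -> NETunnelProviderManager {
    let proto = NETunnelProviderProtocol()
    proto.providerBundleIdentifier = "com.example.vpn.tunnel" // placeholder
    proto.serverAddress = "vpn.example.com"                   // placeholder

    // On-demand only decides *when* the tunnel is started. By itself it does
    // not hold back traffic in the window before the tunnel is up, which is
    // the leak described in the question.
    let manager = NETunnelProviderManager()
    manager.localizedDescription = "Example Tunnel"
    manager.isOnDemandEnabled = true
    manager.onDemandRules = [NEOnDemandRuleConnect()]

    // includeAllNetworks is the property referenced in the answer: the closest
    // a third-party provider gets to Always-on VPN. With it set, traffic that
    // would not go through the tunnel is dropped rather than sent in the clear.
    proto.includeAllNetworks = true
    // Be explicit about local-network traffic instead of relying on the default.
    proto.excludeLocalNetworks = false

    manager.protocolConfiguration = proto
    manager.isEnabled = true
    return manager
}

// Persist the configuration and report back whether includeAllNetworks
// survived the save (it is read back from the saved preferences, not assumed).
func saveEnforcedTunnel(completion: @escaping (Bool, Error?) -> Void) {
    let manager = makeEnforcedTunnelManager()
    manager.saveToPreferences { saveError in
        if let saveError = saveError {
            completion(false, saveError)
            return
        }
        manager.loadFromPreferences { loadError in
            let enforced = (manager.protocolConfiguration?.includeAllNetworks ?? false)
            completion(enforced, loadError)
        }
    }
}
```

The completion's Bool reports what the system actually stored; if it comes back false, check the entitlements and provider bundle identifier before assuming the leak is closed.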