Right now I have implemented a simple Packet Tunnel extension using the Network Extension APIs for iOS 11+. I want to make it an app-only VPN so that traffic from my app can be tunneled through our VPN and proxy. So, my questions are:

  1. How to stop tunneling as the user switches to other apps - One option is to use the app delegate methods -(void)applicationWillResignActive:(UIApplication *)application or -(void)applicationDidEnterBackground:(UIApplication *)application.
  2. If the user terminates the app directly by force quitting, the VPN should also get turned off - We may use -(void)applicationWillTerminate:(UIApplication *)application, but when I tried that it sometimes did not work properly.
  3. What to implement to handle the same case when the app crashes - As a workaround, I was thinking of implementing something like a ping-pong mechanism where, if the app is active, it keeps pinging or updating some shared data that is accessed by the Packet Tunnel Extension. So, in case the app stops or quits, the tunnel will learn about the inactivity of the app and stop tunneling by itself.
  4. To keep VPN tunneling active we need to update a token periodically, so is there any way to update the VPN preferences and reflect the changes immediately without restarting (stopping and starting again) the tunnel?

Please suggest proper solutions or workarounds for the above scenarios. It would be a great help to me.

Mrug

1 Answer

I don't think you can reliably achieve what you are hoping for programmatically within your application.

You could set up your VPN as a Per-App VPN and associate only your app with the VPN. This should meet most of your requirements. The restriction with this is that it can only be deployed via a Mobile Device Management (MDM) solution.

Another option could be to run the VPN as a standard VPN and have all applications tunnelled through it, but in the VPN Network Extension use NEPacketTunnelFlow::readPacketObjects(), fetch the NEFlowMetaData from the NEPacket response, and use the sourceAppUniqueIdentifier parameter to identify your app. You could then code your packet handling in the Network Extension such that data from your app could then be sent through your VPN and Proxy, and all other received packets could potentially then be forwarded to their intended recipients.

Jordan Johnson
  • The 2nd option is also limited to per-app VPNs, i.e. also requires MDM: "This metadata is only present for data flowing through per-app VPN providers, that is, app proxy providers and packet tunnel providers in per-app VPN mode". – LBC Apr 12 '20 at 23:02
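As an added example (not code from the question or the answer), here is the answer's second option in Swift: a read loop on `packetFlow` that keeps only packets whose `NEFlowMetaData` names the app and fails closed when the metadata is missing, which, as the comment above notes, is what happens outside per-app VPN mode. It assumes `readLoop()` is called from `startTunnel` after the tunnel network settings are set, that `com.example.myapp` and `sendThroughProxy` are placeholders, and it compares `sourceAppSigningIdentifier` (on iOS almost always the bundle identifier) rather than the opaque `sourceAppUniqueIdentifier` the answer names, because it can be matched against a known string.

```swift
import NetworkExtension

// Added example, not from the original post: partition packets by originating
// app inside a packet tunnel provider and fail closed when no metadata exists.
final class AppScopedTunnelProvider: NEPacketTunnelProvider {
    // Placeholder: the only app whose traffic is sent to the proxy.
    private let allowedBundleID = "com.example.myapp"

    /// True only when NEFlowMetaData is present and names the allowed app.
    /// A packet with no metadata is NOT treated as ours (fail closed).
    func isFromAllowedApp(_ packet: NEPacket) -> Bool {
        guard let meta = packet.metadata else { return false }
        return meta.sourceAppSigningIdentifier == allowedBundleID
    }

    /// Splits one batch from readPacketObjects into (ours, everything else).
    func partition(_ packets: [NEPacket]) -> (ours: [NEPacket], others: [NEPacket]) {
        var ours: [NEPacket] = []
        var others: [NEPacket] = []
        for packet in packets {
            if isFromAllowedApp(packet) { ours.append(packet) } else { others.append(packet) }
        }
        return (ours, others)
    }

    /// Re-arms itself after every batch; call once from startTunnel.
    func readLoop() {
        packetFlow.readPacketObjects { [weak self] packets in
            guard let self = self else { return }
            let split = self.partition(packets)
            self.sendThroughProxy(split.ours)
            if !split.others.isEmpty {
                // In per-app mode nothing else should arrive. Logging (not
                // forwarding) makes a misconfiguration, e.g. the profile being
                // installed as a full-device VPN, visible instead of silent.
                NSLog("Dropped %d packets without matching app metadata", split.others.count)
            }
            self.readLoop()
        }
    }

    // Placeholder for the proxy transport: hand each packet.data to it here.
    private func sendThroughProxy(_ packets: [NEPacket]) {
        for packet in packets { _ = packet.data }
    }
}
```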