
I'm porting an Android device's VPN App to iOS (using NEPacketTunnelProvider).

Android provides a mechanism to bypass VPN for some tcp/udp connections, using the following API:

class VpnService {

  // ...

  // Marks the socket so that its traffic bypasses the VPN tunnel.
  public boolean protect(int socket) { /* ... */ }
}

I don't see an equivalent API in iOS. How do I implement something equivalent for iOS?

Top-Master
  • If you want to include or exclude traffic from being received by your network extension, specifically the Packet Tunnel Provider, it is supported via include and exclude routes. The class used for this is [NEPacketTunnelNetworkSettings](https://developer.apple.com/documentation/networkextension/nepackettunnelnetworksettings). This will allow the OS to decide whether to direct certain traffic to your VPN extension or not. However, there is no way to bypass the VPN once your NE has received the traffic. You must handle traffic you receive in your NE. – dispatchMain Sep 08 '21 at 16:01
  • You need more experience with VPN; the question is about selectively excluding connections (from being routed), and not entire IP addresses at once. – Top-Master Sep 08 '21 at 17:14
  • "`once your NE has received the traffic`": the question is about excluding connections the service itself creates, and that before any traffic is made (e.g. exactly what the mentioned `protect` method does). – Top-Master Sep 08 '21 at 17:23

1 Answer


Coming from Android and knowing nothing of Apple's API (except the Swift and ObjC++ languages), I will try to point out what a normal developer would like to know.


An iOS App's life ends the moment the views are closed, hence a permanent VPN service is ONLY possible in an extension, which is a completely different target from that of your views (because iOS has no Service concept).

In addition to knowing the above, learn the fact that any connection (aka socket) created from within your extension is magically excluded (aka protected) from going through packetFlow (aka the tunnel), no matter if it's a raw socket made by C/C++ or an OOP-wrapped class in Swift 5.

Surprisingly enough, actually making your extension's socket go through the tunnel is much harder,
and you would need to use the NEPacketTunnelProvider class's methods:

- createTCPConnectionThroughTunnelToEndpoint:enableTLS:TLSParameters:delegate:

- createUDPSessionThroughTunnelToEndpoint:fromEndpoint:

Note that the above are instance methods, which is what the minus sign in ObjC means,
so they are only available in the extension context (but there is no escaping from the tunnel for App targets anyway).

See also: https://developer.apple.com/forums/thread/94430

Top-Master
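The two behaviours the answer describes, as an added Swift example that is not code from the original post: a Network-framework connection opened from the extension process bypasses packetFlow (the counterpart of Android's VpnService.protect()), while an extension-created connection only goes through the tunnel when it is made with createTCPConnectionThroughTunnel(to:enableTLS:tlsParameters:delegate:) or createUDPSessionThroughTunnel(to:from:). The host names, ports and payloads are placeholders, and the provider class is a sketch that omits startTunnel/stopTunnel wiring. Both modules are imported, so NWEndpoint is qualified to avoid the name clash between Network's enum and NetworkExtension's class.

```swift
import Foundation
import Network
import NetworkExtension

// Added example, not from the original post. Host/port/payload values are
// placeholders; startTunnel/stopTunnel are omitted for brevity.
final class ExampleTunnelProvider: NEPacketTunnelProvider {

    // KVO tokens must stay alive for as long as the connections are in use.
    private var observations: [NSKeyValueObservation] = []

    // 1. Bypassing the tunnel needs no special call: a connection opened from the
    //    extension process is not fed back into packetFlow, which is what
    //    VpnService.protect() gives you on Android. Use this for the control
    //    channel or the encrypted transport to the VPN server itself.
    func openBypassingTunnel(host: String, port: UInt16) -> NWConnection {
        let connection = NWConnection(host: Network.NWEndpoint.Host(host),
                                      port: Network.NWEndpoint.Port(rawValue: port)!,
                                      using: .tcp)
        connection.stateUpdateHandler = { state in
            switch state {
            case .ready:
                NSLog("bypass connection to \(host):\(port) is ready")
            case .failed(let error):
                NSLog("bypass connection failed: \(error)")
            default:
                break
            }
        }
        connection.start(queue: .global())
        return connection
    }

    // 2. Routing the extension's own TCP connection *through* the tunnel is only
    //    possible via the provider method named in the answer.
    func openTCPThroughTunnel(host: String, port: UInt16, payload: Data) -> NWTCPConnection {
        let endpoint = NWHostEndpoint(hostname: host, port: String(port))
        let connection = createTCPConnectionThroughTunnel(to: endpoint,
                                                          enableTLS: false,
                                                          tlsParameters: nil,
                                                          delegate: nil)
        // NWTCPConnection is KVO-compliant on `state`; send once connected.
        observations.append(connection.observe(\.state, options: [.new]) { conn, _ in
            guard conn.state == .connected else { return }
            conn.write(payload) { error in
                if let error = error { NSLog("tunnel TCP write failed: \(error)") }
            }
        })
        return connection
    }

    // 3. Same for UDP: the session's datagrams are handed to packetFlow like any
    //    other tunnelled traffic.
    func openUDPThroughTunnel(host: String, port: UInt16, datagram: Data) -> NWUDPSession {
        let endpoint = NWHostEndpoint(hostname: host, port: String(port))
        let session = createUDPSessionThroughTunnel(to: endpoint, from: nil)
        session.setReadHandler({ datagrams, error in
            if let error = error { NSLog("tunnel UDP read failed: \(error)"); return }
            NSLog("received \(datagrams?.count ?? 0) datagram(s) through the tunnel")
        }, maxDatagrams: 16)
        observations.append(session.observe(\.state, options: [.new]) { sess, _ in
            guard sess.state == .ready else { return }
            sess.writeDatagram(datagram) { error in
                if let error = error { NSLog("tunnel UDP write failed: \(error)") }
            }
        })
        return session
    }
}
```

Two caveats worth knowing before relying on this: the "bypass" behaviour in (1) is a property of the extension process, so an app-target connection cannot opt out of the tunnel this way; and Apple has since marked NWTCPConnection and NWUDPSession as deprecated in favour of the Network framework, while the two provider methods above remain the documented way to route the provider's own connection through its tunnel.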