wireguard.lists.zx2c4.com archive mirror
 help / color / mirror / Atom feed
From: Jeroen Massar <jeroen@massar.ch>
To: Juraj Hilje <juraj.hilje@gmail.com>
Cc: wireguard@lists.zx2c4.com
Subject: Re: [wireguard-apple] [iOS] Changing network fails with includeAllNetworks (Kill Switch)
Date: Wed, 22 Sep 2021 10:19:46 +0200	[thread overview]
Message-ID: <20076636-54BD-46DF-A4F2-ADD0E559C5F3@massar.ch> (raw)
In-Reply-To: <B3A4A27C-1FBF-4098-B38F-9F87F8C115B5@gmail.com>

That flag, is a MAJOR privacy improvement.

If "All" really includes "all" networks.

Before, "some" undefined traffic to Apple systems might be routed outside the VPN.

I guess this is so that Apple Private Relay is private, and other VPNs, eg wireguard, can't say "but you still route traffic elsewhere" like before, which would be an unfair advantage.


Thanks Apple Employee X who arranged getting this in! Very very much appreciated!

Greets,
 Jeroen


> On 20210921, at 12:55, Juraj Hilje <juraj.hilje@gmail.com> wrote:
> 
> If NETunnelProviderProtocol is configured with includeAllNetworks=true (Kill Switch), when network change is detected the device connectivity goes offline instead of routing VPN tunnel traffic through a new network.
> 
> Here are some logs from the moment of this event:
> 2021-09-20 12:07:26.735453: [NET] Network change detected with unsatisfied route and interface order [en0, utun4, pdp_ip0]
> 2021-09-20 12:07:26.736186: [NET] Connectivity offline, pausing backend.
> 2021-09-20 12:07:26.736732: [NET] Device closing
> 2021-09-20 12:07:26.737503: [NET] Routine: TUN reader - stopped
> 2021-09-20 12:07:26.738970: [NET] Routine: event worker - stopped
> 2021-09-20 12:07:26.739613: [NET] Routine: receive incoming v4 - stopped
> 2021-09-20 12:07:26.742070: [NET] Routine: receive incoming v6 - stopped
> 2021-09-20 12:07:26.746712: [NET] peer(eN1f…Oymc) - Stopping
> 2021-09-20 12:07:26.751550: [NET] peer(eN1f…Oymc) - Routine: sequential receiver - stopped
> 2021-09-20 12:07:26.751597: [NET] peer(eN1f…Oymc) - Routine: sequential sender - stopped
> 2021-09-20 12:07:26.753433: [NET] Device closed
> 2021-09-20 12:07:26.754097: [NET] Routine: decryption worker 5 - stopped
> 
> Tested on devices: iOS 14.8, iPadOS 15
> WireGuardKit: 79aeb0be0d0aa3f6c8bd24309aaa8dcf03216fb4
> 
> More info on includeAllNetworks option:
> https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks
> 
> Can someone confirm this issue or point to a possible workaround?
> Thanks!
> 
> Juraj H.


      parent reply	other threads:[~2021-09-22 13:29 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-21 10:55 Juraj Hilje
2021-09-22  8:08 ` Andrej Mihajlov
2021-09-22  8:55   ` Juraj Hilje
2021-09-22  8:59     ` Andrej Mihajlov
2021-09-22 13:26       ` Juraj Hilje
2021-09-28 11:03         ` Andrej Mihajlov
2021-10-19  9:54           ` Andrej Mihajlov
2021-10-19 12:22             ` Juraj Hilje
2021-09-22 14:41   ` Jeffrey Walton
2021-09-22  8:19 ` Jeroen Massar [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20076636-54BD-46DF-A4F2-ADD0E559C5F3@massar.ch \
    --to=jeroen@massar.ch \
    --cc=juraj.hilje@gmail.com \
    --cc=wireguard@lists.zx2c4.com \
    --subject='Re: [wireguard-apple] [iOS] Changing network fails with includeAllNetworks (Kill Switch)' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).