[wireguard-apple] [iOS] Changing network fails with includeAllNetworks (Kill Switch)

Jeroen Massar jeroen at massar.ch
Wed Sep 22 08:19:46 UTC 2021


That flag, is a MAJOR privacy improvement.

If "All" really includes "all" networks.

Before, "some" undefined traffic to Apple systems might be routed outside the VPN.

I guess this is so that Apple Private Relay is private, and other VPNs, eg wireguard, can't say "but you still route traffic elsewhere" like before, which would be an unfair advantage.


Thanks Apple Employee X who arranged getting this in! Very very much appreciated!

Greets,
 Jeroen


> On 20210921, at 12:55, Juraj Hilje <juraj.hilje at gmail.com> wrote:
> 
> If NETunnelProviderProtocol is configured with includeAllNetworks=true (Kill Switch), when network change is detected the device connectivity goes offline instead of routing VPN tunnel traffic through a new network.
> 
> Here are some logs from the moment of this event:
> 2021-09-20 12:07:26.735453: [NET] Network change detected with unsatisfied route and interface order [en0, utun4, pdp_ip0]
> 2021-09-20 12:07:26.736186: [NET] Connectivity offline, pausing backend.
> 2021-09-20 12:07:26.736732: [NET] Device closing
> 2021-09-20 12:07:26.737503: [NET] Routine: TUN reader - stopped
> 2021-09-20 12:07:26.738970: [NET] Routine: event worker - stopped
> 2021-09-20 12:07:26.739613: [NET] Routine: receive incoming v4 - stopped
> 2021-09-20 12:07:26.742070: [NET] Routine: receive incoming v6 - stopped
> 2021-09-20 12:07:26.746712: [NET] peer(eN1f…Oymc) - Stopping
> 2021-09-20 12:07:26.751550: [NET] peer(eN1f…Oymc) - Routine: sequential receiver - stopped
> 2021-09-20 12:07:26.751597: [NET] peer(eN1f…Oymc) - Routine: sequential sender - stopped
> 2021-09-20 12:07:26.753433: [NET] Device closed
> 2021-09-20 12:07:26.754097: [NET] Routine: decryption worker 5 - stopped
> 
> Tested on devices: iOS 14.8, iPadOS 15
> WireGuardKit: 79aeb0be0d0aa3f6c8bd24309aaa8dcf03216fb4
> 
> More info on includeAllNetworks option:
> https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks
> 
> Can someone confirm this issue or point to a possible workaround?
> Thanks!
> 
> Juraj H.



More information about the WireGuard mailing list