Reply to Need clarifications regarding some properties of NEPacketTunnelNetworkSettings
Thanks for the clarifications. I am more than happy to not touch DNS. I tried using this crazy code to get all the routes:

```swift
import Foundation

// NetInfo is the poster's own type (definition not shown): an IP string plus its netmask string.
class func getIFAddresses() -> [NetInfo] {
    var addresses = [NetInfo]()
    var ifaddr: UnsafeMutablePointer<ifaddrs>? = nil
    if getifaddrs(&ifaddr) == 0 {
        var ptr = ifaddr
        while ptr != nil {
            let flags = Int32((ptr?.pointee.ifa_flags)!)
            let addr = ptr?.pointee.ifa_addr.pointee
            // Keep interfaces that are up and running, skip loopback.
            if (flags & (IFF_UP|IFF_RUNNING|IFF_LOOPBACK)) == (IFF_UP|IFF_RUNNING) {
                if addr?.sa_family == UInt8(AF_INET) || addr?.sa_family == UInt8(AF_INET6) {
                    var hostname = [CChar](repeating: 0, count: Int(NI_MAXHOST))
                    // Pass the original sockaddr pointer, not a copied struct: a copy is
                    // only sizeof(sockaddr) bytes and truncates a sockaddr_in6.
                    if getnameinfo(ptr!.pointee.ifa_addr, socklen_t((addr?.sa_len)!), &hostname, socklen_t(hostname.count), nil, socklen_t(0), NI_NUMERICHOST) == 0 {
                        if let address = String(validatingUTF8: hostname) {
                            let net = ptr?.pointee.ifa_netmask.pointee
                            var netmaskName = [CChar](repeating: 0, count: Int(NI_MAXHOST))
                            getnameinfo(ptr!.pointee.ifa_netmask, socklen_t((net?.sa_len)!), &netmaskName, socklen_t(netmaskName.count), nil, socklen_t(0), NI_NUMERICHOST)
                            if let netmask = String(validatingUTF8: netmaskName) {
                                addresses.append(NetInfo(ip: address, netmask: netmask))
                            }
                        }
                    }
                }
            }
            ptr = ptr?.pointee.ifa_next
        }
        freeifaddrs(ifaddr)
    }
    return addresses
}
```

Which seemed to work. Does the ordering of includedRoutes matter? Since I tried to claim all routes the above code returned (for IPV4 anyway) and then also the default() route, which seemed to break a few apps.
Mar ’21
Reply to includeAllNetwork Problems.
Hi, from what I understand it appears this is not possible to set on-the-fly and it can be configured only when installing the profile. In my testing this includeAllNetworks behaves quite similarly to setting includedRoutes on the IPV4Settings to NEIPv4Route.default(). This could possibly be set when starting the tunnel, so you would need to stop and start again to toggle this.
Mar ’21
Reply to NEPacketTunnelProvider does not seem to be capturing all the traffic
Apologies for talking to myself there 🤪 but I made an interesting discovery. If I use the includeAllNetworks configuration - https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks, then this finally seems to rein in Messenger and does not let it around the tunnel. That is great but it has the side-effect of once again breaking Signal, WhatsApp and probably other similar apps. I checked Signal debug logs and found that I cannot find a server by hostname. Which suggested a DNS issue. So I re-added DNS configuration, added these IPs to the excludedRoutes and now Signal works but only one way. I can send messages, they are delivered but I cannot receive messages. I still think that the fact that Messenger can just go around the tunnel is the main issue.
Mar ’21
Reply to NEPacketTunnelProvider does not seem to be capturing all the traffic
Found the enforceRoutes configuration property - https://developer.apple.com/documentation/networkextension/nevpnprotocol/3689459-enforceroutes: "A Boolean value that indicates whether route rules for this tunnel take precedence over any locally defined routes." Which kind of sounds like something I need, but setting it to true does nothing regarding Messenger.
Mar ’21
Reply to NEPacketTunnelProvider does not seem to be capturing all the traffic
So in the end I managed to make some progress. Getting all the IP4 routes and setting them manually seems to help. But I discovered that Facebook Messenger is somehow bypassing my VPN. This is the only app that seems to do this. But even if I completely stop the traffic going through (just for the test), then nothing obviously works, but sending messages with Messenger works fine. How is this possible? Another point I discovered is that if I include the NEIPv4Route.default() then this alone causes Signal and WhatsApp to not work. 🤔
Mar ’21