Per-App VPN stuck connecting after calling startTunnelWithOptions

This issue only happens once in a while, but after calling NETunnelProviderSession startTunnelWithOptions for a Per-App VPN, the Per-App VPN will get stuck in a connecting state. In PacketTunnelProvider, logging shows that it finishes init but startTunnelWithOptions is never called. In the console logs, neagent has an extension request started: "neagent Extension request with extension <extension name> started with identifier...". However, when the issue occurs there is never a later log for "neagent [Host <extension name>]: Starting with options...".

There aren't any crashes or Jetsam events reported when it happens.

It looks like this issue can be avoided by not trying to manually connect the Per-App VPN and just letting the app trigger the connection. Is manually connecting a Per-App VPN not supported?

Is manually connecting a Per-App VPN not supported?

I don't think there is anything technically wrong with this because, as you mentioned, it's not causing a crash or issue, but the trigger for Per-App VPNs is traffic from one of the configured VPN that was set up in the configuration. From the documentation:

The Per-App VPN app rules serve as both routing rules and VPN On Demand rules. This is in contrast to IP destination-based routing, where the VPN On Demand rules are configured separately from the routing rules. When the onDemandEnabled property is set to true and an app that matches the Per-App VPN rules attempts to communicate over the network, the VPN will be started automatically.

That documentation is here: https://developer.apple.com/documentation/networkextension/netunnelprovidermanager#2110139

There is an issue although it does not occur all the time. The VPN gets stuck in a connecting state until forced to disconnect. I can't say with certainty it is caused by trying to manually connect the Per-App VPN. Should manually connecting a Per-App VPN be avoided then?

Actually I may have been able to repro by calling NETunnelProviderSession startTunnelWithOptions on a Destination IP VPN. Whether it got stuck connecting seemed to depend on the timing of when it was called. What could be causing it to get stuck in a connecting state? Is there a good way to automatically recover when it does get stuck connecting?

What could be causing it to get stuck in a connecting state? Is there a good way to automatically recover when it does get stuck connecting?

With the destination IP case, yes, there are a number of reasons that could cause this:

  1. VPN authentication issues.
  2. Poor network connectivity.
  3. A bug in your packet tunnel provider.

To diagnose or debug this, try looking at your client-side and server-side logs; this should get you started.

Regarding:

Should manually connecting a Per-App VPN be avoided then?

The Per-App VPN should kick on when traffic from the configured app is initiated so you shouldn't need to manually connect a Per-App VPN.
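
One way to recover automatically from the stuck connecting state discussed in this thread, as an added example that is not code from any poster or from Apple: a watchdog that forces a disconnect when the session stays in the connecting state too long. The class name ConnectingWatchdog and the 30-second timeout are assumptions.

```swift
import Foundation
import NetworkExtension

/// Watches one VPN connection and forces a disconnect if it stays in
/// `.connecting` longer than `timeout`. Hypothetical helper, not an Apple API.
final class ConnectingWatchdog {
    private let connection: NEVPNConnection
    private let timeout: TimeInterval   // assumed value, tune per deployment
    private var timer: DispatchSourceTimer?
    private var observer: NSObjectProtocol?

    init(connection: NEVPNConnection, timeout: TimeInterval = 30) {
        self.connection = connection
        self.timeout = timeout
        // Status changes for this connection arrive as NEVPNStatusDidChange.
        observer = NotificationCenter.default.addObserver(
            forName: .NEVPNStatusDidChange, object: connection, queue: .main
        ) { [weak self] _ in self?.statusChanged() }
        statusChanged() // cover a session that is already connecting
    }

    deinit {
        timer?.cancel()
        if let observer = observer {
            NotificationCenter.default.removeObserver(observer)
        }
    }

    private func statusChanged() {
        // Any transition resets the deadline; only .connecting arms it.
        timer?.cancel()
        timer = nil
        guard connection.status == .connecting else { return }
        let t = DispatchSource.makeTimerSource(queue: .main)
        t.schedule(deadline: .now() + timeout)
        t.setEventHandler { [weak self] in self?.timedOut() }
        t.resume()
        timer = t
    }

    private func timedOut() {
        // Re-check: the session may have progressed just before the deadline.
        guard connection.status == .connecting else { return }
        NSLog("VPN stuck in connecting for %.0f s, forcing disconnect", timeout)
        connection.stopVPNTunnel()
    }
}
```

Create it with the `connection` of the NETunnelProviderManager loaded from preferences and keep a strong reference to it. For a Per-App VPN with on-demand enabled, the watchdog only stops the session and leaves the next start to app traffic, in line with the advice above.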
