Add killswitch to prevent clearnet leaks #181

Closed
x13a opened this issue Apr 22, 2021 · 10 comments

x13a commented Apr 22, 2021

For the macOS version it will be very useful to add a killswitch. Many VPN providers have this built into their clients. The main purpose of this is to pass traffic only through the VPN and block it through clearnet, except DNS resolution for the VPN only, and local network traffic.

Member

keeshux commented Apr 22, 2021

It's already this way with on-demand. No kill switch needed.

@keeshux keeshux closed this as completed Apr 22, 2021
Author

x13a commented Apr 22, 2021

Sorry for disturbing you, but have you checked this? Because as far as I know, on-demand on iOS is not a killswitch and can leak. This is an example of an on-demand leak: ike2-2019.

Member

keeshux commented Apr 22, 2021

Which is about Apple’s IPSec, so apples and oranges here.

Have you had any leak with this app? Cause if you report an issue, you should at least prove that you had the issue.

Author

x13a commented Apr 22, 2021

OK, let's dig into this.

Using AirVPN UDP profile. Connect On-Demand is turned on.
macOS Big Sur 11.2.3. MacBook Air M1.
App Version 1.15.2 (2652)

Steps to reproduce:

  • connect to VPN
  • run tcpdump
  • close lid and wait some time for sleep
  • open and see DNS leaks while reconnecting

$ sudo tcpdump -n -i en0 udp port 53
tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:04:36.080769 IP 192.168.71.52.65504 > 8.8.8.8.53: 11764+ PTR? lb._dns-sd._udp.0.71.168.192.in-addr.arpa. (59)
22:04:36.080773 IP 192.168.71.52.56399 > 8.8.8.8.53: 44625+ A? example.org. (29)
22:04:36.080879 IP 192.168.71.52.50579 > 8.8.8.8.53: 12785+ PTR? 52.71.168.192.in-addr.arpa. (44)
22:04:36.085500 IP 192.168.71.52.64113 > 8.8.8.8.53: 47009+ A? detectportal.firefox.com. (42)
22:04:36.088780 IP 192.168.71.52.60324 > 8.8.8.8.53: 5495+ A? ipv4only.arpa. (31)
22:04:36.117102 IP 192.168.71.52.61986 > 8.8.8.8.53: 56629+ A? dns.google. (28)
22:04:36.153955 IP 8.8.8.8.53 > 192.168.71.52.50579: 12785 NXDomain 0/0/0 (44)
22:04:36.153968 IP 8.8.8.8.53 > 192.168.71.52.60324: 5495 2/0/0 A 192.0.0.170, A 192.0.0.171 (63)
22:04:36.153971 IP 8.8.8.8.53 > 192.168.71.52.65504: 11764 NXDomain 0/0/0 (59)
22:04:36.153974 IP 8.8.8.8.53 > 192.168.71.52.56399: 44625 1/0/0 A 93.184.216.34 (45)
22:04:36.153975 IP 8.8.8.8.53 > 192.168.71.52.64113: 47009 3/0/0 CNAME detectportal.prod.mozaws.net., CNAME prod.detectportal.prod.cloudops.mozgcp.net., A 34.107.221.82 (153)
22:04:36.199254 IP 8.8.8.8.53 > 192.168.71.52.61986: 56629 2/0/0 A 8.8.8.8, A 8.8.4.4 (60)
22:04:47.408576 IP 192.168.71.52.64123 > 8.8.8.8.53: 59971+ PTR? lb._dns-sd._udp.0.71.168.192.in-addr.arpa. (59)
22:04:47.408582 IP 192.168.71.52.51476 > 8.8.8.8.53: 27645+ A? api.apple-cloudkit.com. (40)
22:04:47.408582 IP 192.168.71.52.50451 > 8.8.8.8.53: 26447+ A? www.apple.com. (31)
22:04:47.408585 IP 192.168.71.52.57953 > 8.8.8.8.53: 13489+ A? time.euro.apple.com. (37)
22:04:47.408586 IP 192.168.71.52.55713 > 8.8.8.8.53: 51283+ A? 1-courier.sandbox.push.apple.com. (50)
22:04:47.408587 IP 192.168.71.52.54619 > 8.8.8.8.53: 20784+ A? 1-courier.push.apple.com. (42)
22:04:47.470218 IP 192.168.71.52.49712 > 8.8.8.8.53: 34882+ A? nl.vpn.airdns.org. (35)
22:04:47.787749 IP 192.168.71.52.58428 > 8.8.8.8.53: 58760+ Type65? mesu.apple.com. (32)
22:04:47.787894 IP 192.168.71.52.62267 > 8.8.8.8.53: 52465+ A? mesu.apple.com. (32)
22:04:47.859615 IP 8.8.8.8.53 > 192.168.71.52.58428: 58760 4/1/0 CNAME mesu-cdn.apple.com.akadns.net., CNAME mesu-cdn.origin-apple.com.akadns.net., CNAME mesu.apple.com.edgekey.net., CNAME e1329.g.akamaiedge.net. (239)
22:04:47.861362 IP 192.168.71.52.49600 > 8.8.8.8.53: 47365+ Type65? e1329.g.akamaiedge.net. (40)
22:04:47.861532 IP 192.168.71.52.54902 > 8.8.8.8.53: 31930+ A? e1329.g.akamaiedge.net. (40)
22:04:47.870108 IP 8.8.8.8.53 > 192.168.71.52.62267: 52465 5/0/0 CNAME mesu-cdn.apple.com.akadns.net., CNAME mesu-cdn.origin-apple.com.akadns.net., CNAME mesu.apple.com.edgekey.net., CNAME e1329.g.akamaiedge.net., A 23.61.197.17 (197)
22:04:47.898880 IP 8.8.8.8.53 > 192.168.71.52.49600: 47365 0/1/0 (101)
22:04:47.910030 IP 8.8.8.8.53 > 192.168.71.52.54902: 31930 1/0/0 A 23.61.197.17 (56)
22:04:47.920377 IP 192.168.71.52.57308 > 8.8.8.8.53: 1050+ A? init.itunes.apple.com. (39)
22:04:47.987076 IP 8.8.8.8.53 > 192.168.71.52.57308: 1050 4/0/0 CNAME init-cdn.itunes-apple.com.akadns.net., CNAME itunes.apple.com.edgekey.net., CNAME e673.dsce9.akamaiedge.net., A 23.54.10.254 (180)
22:04:48.238535 IP 192.168.71.52.64123 > 8.8.8.8.53: 59971+ PTR? lb._dns-sd._udp.0.71.168.192.in-addr.arpa. (59)
22:04:48.238597 IP 192.168.71.52.57953 > 8.8.8.8.53: 13489+ A? time.euro.apple.com. (37)
22:04:48.238926 IP 192.168.71.52.51476 > 8.8.8.8.53: 27645+ A? api.apple-cloudkit.com. (40)
22:04:48.239150 IP 192.168.71.52.50451 > 8.8.8.8.53: 26447+ A? www.apple.com. (31)
22:04:48.239464 IP 192.168.71.52.55713 > 8.8.8.8.53: 51283+ A? 1-courier.sandbox.push.apple.com. (50)
22:04:48.239694 IP 192.168.71.52.54619 > 8.8.8.8.53: 20784+ A? 1-courier.push.apple.com. (42)
22:04:48.273182 IP 8.8.8.8.53 > 192.168.71.52.64123: 59971 NXDomain 0/0/0 (59)
22:04:48.285454 IP 8.8.8.8.53 > 192.168.71.52.50451: 26447 4/0/0 CNAME www.apple.com.edgekey.net., CNAME www.apple.com.edgekey.net.globalredir.akadns.net., CNAME e6858.dscx.akamaiedge.net., A 95.100.177.76 (181)
22:04:48.291330 IP 8.8.8.8.53 > 192.168.71.52.55713: 51283 3/0/0 CNAME 1.courier-sandbox-push-apple.com.akadns.net., CNAME us-sandbox-courier-e4.push-apple.com.akadns.net., A 17.57.146.4 (170)
22:04:48.300150 IP 8.8.8.8.53 > 192.168.71.52.54619: 20784 4/0/0 CNAME 1.courier-push-apple.com.akadns.net., CNAME eu-north-courier-4.push-apple.com.akadns.net., A 17.57.146.117, A 17.57.146.116 (167)
22:04:48.300168 IP 8.8.8.8.53 > 192.168.71.52.57953: 13489 6/0/0 CNAME time-osx.g.aaplimg.com., A 17.253.38.125, A 17.253.54.125, A 17.253.54.251, A 17.253.54.123, A 17.253.38.253 (150)
22:04:48.317045 IP 8.8.8.8.53 > 192.168.71.52.51476: 27645 5/0/0 CNAME api.apple-cloudkit.fe.apple-dns.net., A 17.248.237.4, A 17.248.237.3, A 17.248.237.2, A 17.248.237.1 (153)
22:04:48.511358 IP 192.168.71.52.49712 > 8.8.8.8.53: 34882+ A? nl.vpn.airdns.org. (35)
22:04:48.546277 IP 8.8.8.8.53 > 192.168.71.52.49712: 34882 1/0/0 A 213.152.161.243 (51)
22:04:48.708994 IP 192.168.71.52.54807 > 8.8.8.8.53: 4957+ A? xp.apple.com. (30)
22:04:48.763524 IP 8.8.8.8.53 > 192.168.71.52.54807: 4957 4/0/0 CNAME xp.itunes-apple.com.akadns.net., CNAME xp.apple.com.edgekey.net., CNAME e17437.dscb.akamaiedge.net., A 95.100.176.87 (162)
22:04:52.899152 IP 192.168.71.52.59238 > 8.8.8.8.53: 14327+ A? example.org. (29)
22:04:52.899944 IP 192.168.71.52.63387 > 8.8.8.8.53: 17340+ PTR? lb._dns-sd._udp.0.71.168.192.in-addr.arpa. (59)
22:04:52.900834 IP 192.168.71.52.63148 > 8.8.8.8.53: 4270+ PTR? 52.71.168.192.in-addr.arpa. (44)
22:04:52.901024 IP 192.168.71.52.54464 > 8.8.8.8.53: 26715+ A? ipv4only.arpa. (31)
22:04:52.903505 IP 192.168.71.52.53285 > 8.8.8.8.53: 27066+ A? detectportal.firefox.com. (42)
22:04:52.936191 IP 8.8.8.8.53 > 192.168.71.52.59238: 14327 1/0/0 A 93.184.216.34 (45)
22:04:52.937911 IP 192.168.71.52.58901 > 8.8.8.8.53: 62570+ A? dns.google. (28)
22:04:52.948622 IP 8.8.8.8.53 > 192.168.71.52.54464: 26715 2/0/0 A 192.0.0.170, A 192.0.0.171 (63)
22:04:52.954777 IP 8.8.8.8.53 > 192.168.71.52.53285: 27066 3/0/0 CNAME detectportal.prod.mozaws.net., CNAME prod.detectportal.prod.cloudops.mozgcp.net., A 34.107.221.82 (153)
22:04:52.954791 IP 8.8.8.8.53 > 192.168.71.52.63148: 4270 NXDomain 0/0/0 (44)
22:04:52.954793 IP 8.8.8.8.53 > 192.168.71.52.63387: 17340 NXDomain 0/0/0 (59)
22:04:52.975193 IP 8.8.8.8.53 > 192.168.71.52.58901: 62570 2/0/0 A 8.8.8.8, A 8.8.4.4 (60)
22:05:45.467976 IP 192.168.71.52.61294 > 8.8.8.8.53: 36839+ A? dns.google. (28)
22:05:45.467981 IP 192.168.71.52.56458 > 8.8.8.8.53: 280+ A? example.org. (29)
22:05:45.467983 IP 192.168.71.52.54811 > 8.8.8.8.53: 4095+ A? detectportal.firefox.com. (42)
22:05:45.467985 IP 192.168.71.52.52016 > 8.8.8.8.53: 26809+ A? time.euro.apple.com. (37)
22:05:45.467987 IP 192.168.71.52.59478 > 8.8.8.8.53: 47031+ A? api.apple-cloudkit.com. (40)
22:05:45.467987 IP 192.168.71.52.54580 > 8.8.8.8.53: 60341+ A? www.apple.com. (31)
22:05:45.467989 IP 192.168.71.52.58720 > 8.8.8.8.53: 59900+ PTR? lb._dns-sd._udp.0.71.168.192.in-addr.arpa. (59)
22:05:45.467990 IP 192.168.71.52.53097 > 8.8.8.8.53: 10005+ A? api.apple-cloudkit.com. (40)
22:05:45.467991 IP 192.168.71.52.49791 > 8.8.8.8.53: 5976+ A? www.apple.com. (31)
22:05:45.467992 IP 192.168.71.52.55863 > 8.8.8.8.53: 23764+ A? 1-courier.sandbox.push.apple.com. (50)
22:05:45.467994 IP 192.168.71.52.52799 > 8.8.8.8.53: 28751+ A? 1-courier.push.apple.com. (42)
22:05:45.467995 IP 192.168.71.52.54976 > 8.8.8.8.53: 19124+ A? nl.vpn.airdns.org. (35)
22:05:45.606452 IP 8.8.8.8.53 > 192.168.71.52.54580: 60341 4/0/0 CNAME www.apple.com.edgekey.net., CNAME www.apple.com.edgekey.net.globalredir.akadns.net., CNAME e6858.dscx.akamaiedge.net., A 95.100.177.76 (181)
22:05:45.701644 IP 8.8.8.8.53 > 192.168.71.52.54976: 19124 1/0/0 A 213.152.162.98 (51)
22:05:45.810708 IP 192.168.71.52.60107 > 8.8.8.8.53: 59286+ Type65? api.apple-cloudkit.com. (40)
22:05:45.849138 IP 8.8.8.8.53 > 192.168.71.52.60107: 59286 1/1/0 CNAME api.apple-cloudkit.fe.apple-dns.net. (159)
22:05:45.851466 IP 192.168.71.52.63901 > 8.8.8.8.53: 34736+ A? api.apple-cloudkit.fe.apple-dns.net. (53)
22:05:45.851470 IP 192.168.71.52.57480 > 8.8.8.8.53: 30509+ Type65? api.apple-cloudkit.fe.apple-dns.net. (53)
22:05:45.894042 IP 8.8.8.8.53 > 192.168.71.52.57480: 30509 0/1/0 (126)
22:05:45.929818 IP 8.8.8.8.53 > 192.168.71.52.63901: 34736 4/0/0 A 17.248.237.2, A 17.248.237.4, A 17.248.237.1, A 17.248.237.3 (117)

Diagnostics

22:04:47 - Starting tunnel...
22:04:47 - App version: Passepartout 1.15.2 (2652)
22:04:47 - 	Protocols: [UDP:443]
22:04:47 - 	Cipher: AES-256-CBC
22:04:47 - 	Digest: HMAC-SHA1
22:04:47 - 	Compression framing: comp-lzo
22:04:47 - 	Compression algorithm: disabled
22:04:47 - 	Client verification: enabled
22:04:47 - 	TLS wrapping: auth
22:04:47 - 	TLS security level: 0
22:04:47 - 	Keep-alive interval: never
22:04:47 - 	Keep-alive timeout: never
22:04:47 - 	Renegotiation: never
22:04:47 - 	Server EKU verification: enabled
22:04:47 - 	Host SAN verification: disabled
22:04:47 - 	Gateway: not configured
22:04:47 - 	DNS: not configured
22:04:47 - 	MTU: default
22:04:47 - 	Debug: true
22:04:47 - 	Masks private data: true
22:04:47 - Will use DNS resolution
22:04:47 - Current SSID: '<masked>'
22:04:47 - Creating link session
22:04:47 - No endpoints available, will resort to DNS resolution
22:04:47 - DNS resolve hostname: <masked>
22:04:48 - DNS resolved addresses: <masked>
22:04:48 - Unrolled endpoints: <masked>
22:04:48 - Pick current endpoint: <masked>
22:04:48 - Will connect to <masked>:443
22:04:48 - Socket type is NEUDPSocket
22:04:48 - Socket state is preparing (endpoint: <masked> -> in progress)
22:04:48 - Socket state is ready (endpoint: <masked> -> <masked>)
22:04:48 - Starting VPN session
22:04:48 - Send hard reset
22:04:48 - Negotiation key index is 0
22:04:48 - Control: Enqueued 1 packet [0]
22:04:48 - Control: Write control packet {HARD_RESET_CLIENT_V2 | 0, sid: 8f628ee9cbc142dc, pid: 0, [0 bytes]}
22:04:48 - Send control packet (42 bytes): <REDACTED>
22:04:48 - Control: Try read packet with code HARD_RESET_SERVER_V2 and key 0
22:04:48 - Control: Read packet {HARD_RESET_SERVER_V2 | 0, sid: e07148efc947d1eb, acks: {[0], 8f628ee9cbc142dc}, pid: 0}
22:04:48 - Send ack for received packetId 0
22:04:48 - Control: Write ack packet {ACK_V1 | 0, sid: 8f628ee9cbc142dc, acks: {[0], e07148efc947d1eb}}
22:04:48 - Control: Remote sessionId is e07148efc947d1eb
22:04:48 - Start TLS handshake
22:04:48 - TLS.connect: Pulled ciphertext (293 bytes)
22:04:48 - Control: Enqueued 1 packet [1]
22:04:48 - Control: Write control packet {CONTROL_V1 | 0, sid: 8f628ee9cbc142dc, pid: 1, [293 bytes]}
22:04:48 - Send control packet (335 bytes): <REDACTED>
22:04:48 - Ack successfully written to LINK for packetId 0
22:04:48 - Control: Try read packet with code CONTROL_V1 and key 0
22:04:48 - Control: Read packet {CONTROL_V1 | 0, sid: e07148efc947d1eb, acks: {[1], 8f628ee9cbc142dc}, pid: 1, [1118 bytes]}
22:04:48 - Send ack for received packetId 1
22:04:48 - Control: Write ack packet {ACK_V1 | 0, sid: 8f628ee9cbc142dc, acks: {[1], e07148efc947d1eb}}
22:04:48 - TLS.connect: Put received ciphertext (1118 bytes)
22:04:48 - Control: Try read packet with code CONTROL_V1 and key 0
22:04:48 - Control: Read packet {CONTROL_V1 | 0, sid: e07148efc947d1eb, pid: 2, [1118 bytes]}
22:04:48 - Send ack for received packetId 2
22:04:48 - Control: Write ack packet {ACK_V1 | 0, sid: 8f628ee9cbc142dc, acks: {[2], e07148efc947d1eb}}
22:04:48 - TLS.connect: Put received ciphertext (1118 bytes)
22:04:48 - Control: Try read packet with code CONTROL_V1 and key 0
22:04:48 - Control: Read packet {CONTROL_V1 | 0, sid: e07148efc947d1eb, pid: 3, [477 bytes]}
22:04:48 - Send ack for received packetId 3
22:04:48 - Control: Write ack packet {ACK_V1 | 0, sid: 8f628ee9cbc142dc, acks: {[3], e07148efc947d1eb}}
22:04:48 - TLS.connect: Put received ciphertext (477 bytes)
22:04:48 - TLS.connect: Send pulled ciphertext (2338 bytes)
22:04:48 - Control: Enqueued 3 packets [2-4]
22:04:48 - Control: Write control packet {CONTROL_V1 | 0, sid: 8f628ee9cbc142dc, pid: 2, [1000 bytes]}
22:04:48 - Control: Write control packet {CONTROL_V1 | 0, sid: 8f628ee9cbc142dc, pid: 3, [1000 bytes]}
22:04:48 - Control: Write control packet {CONTROL_V1 | 0, sid: 8f628ee9cbc142dc, pid: 4, [338 bytes]}
22:04:48 - Send control packet (1042 bytes): <REDACTED>
22:04:48 - Send control packet (1042 bytes): <REDACTED>
22:04:48 - Send control packet (380 bytes): <REDACTED>
22:04:48 - TLS.connect: Handshake is complete
22:04:48 - TLS.auth: Local options: V4,dev-type tun,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
22:04:48 - TLS.auth: Put plaintext (396 bytes)
22:04:48 - TLS.auth: Pulled ciphertext (418 bytes)
22:04:48 - Control: Enqueued 1 packet [5]
22:04:48 - Control: Skip writing packet with packetId 2 (sent on 2021-04-22 19:04:48 +0000, 0.012037038803100586 seconds ago)
22:04:48 - Control: Skip writing packet with packetId 3 (sent on 2021-04-22 19:04:48 +0000, 0.012423992156982422 seconds ago)
22:04:48 - Control: Skip writing packet with packetId 4 (sent on 2021-04-22 19:04:48 +0000, 0.01238703727722168 seconds ago)
22:04:48 - Control: Write control packet {CONTROL_V1 | 0, sid: 8f628ee9cbc142dc, pid: 5, [418 bytes]}
22:04:48 - Send control packet (460 bytes): <REDACTED>
22:04:48 - Control: Skip writing packet with packetId 2 (sent on 2021-04-22 19:04:48 +0000, 0.014582037925720215 seconds ago)
22:04:48 - Control: Skip writing packet with packetId 3 (sent on 2021-04-22 19:04:48 +0000, 0.014604926109313965 seconds ago)
22:04:48 - Control: Skip writing packet with packetId 4 (sent on 2021-04-22 19:04:48 +0000, 0.014580011367797852 seconds ago)
22:04:48 - Control: Skip writing packet with packetId 5 (sent on 2021-04-22 19:04:48 +0000, 0.0022150278091430664 seconds ago)
22:04:48 - Ack successfully written to LINK for packetId 1
22:04:48 - Ack successfully written to LINK for packetId 2
22:04:48 - Ack successfully written to LINK for packetId 3
22:04:48 - Control: Try read packet with code ACK_V1 and key 0
22:04:48 - Control: Read packet {ACK_V1 | 0, sid: e07148efc947d1eb, acks: {[2], 8f628ee9cbc142dc}}
22:04:48 - Control: Try read packet with code ACK_V1 and key 0
22:04:48 - Control: Read packet {ACK_V1 | 0, sid: e07148efc947d1eb, acks: {[3], 8f628ee9cbc142dc}}
22:04:48 - Control: Try read packet with code CONTROL_V1 and key 0
22:04:48 - Control: Read packet {CONTROL_V1 | 0, sid: e07148efc947d1eb, acks: {[4], 8f628ee9cbc142dc}, pid: 4, [158 bytes]}
22:04:48 - Send ack for received packetId 4
22:04:48 - Control: Write ack packet {ACK_V1 | 0, sid: 8f628ee9cbc142dc, acks: {[4], e07148efc947d1eb}}
22:04:48 - TLS.connect: Put received ciphertext (158 bytes)
22:04:48 - Control: Try read packet with code CONTROL_V1 and key 0
22:04:48 - Control: Read packet {CONTROL_V1 | 0, sid: e07148efc947d1eb, acks: {[5], 8f628ee9cbc142dc}, pid: 5, [246 bytes]}
22:04:48 - Send ack for received packetId 5
22:04:48 - Control: Write ack packet {ACK_V1 | 0, sid: 8f628ee9cbc142dc, acks: {[5], e07148efc947d1eb}}
22:04:48 - TLS.connect: Put received ciphertext (246 bytes)
22:04:48 - Pulled plain control data (224 bytes)
22:04:48 - TLS.auth: Parsed server random
22:04:48 - TLS.auth: Parsed server options: "V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server"
22:04:48 - TLS.ifconfig: Put plaintext (PUSH_REQUEST)
22:04:48 - TLS.ifconfig: Send pulled ciphertext (35 bytes)
22:04:48 - Control: Enqueued 1 packet [6]
22:04:48 - Control: Write control packet {CONTROL_V1 | 0, sid: 8f628ee9cbc142dc, pid: 6, [35 bytes]}
22:04:48 - Send control packet (77 bytes): <REDACTED>
22:04:48 - Parsed control message (0 bytes)
22:04:48 - Parsed control message (0 bytes)
22:04:48 - Parsed control message (0 bytes)
22:04:48 - Parsed control message (0 bytes)
22:04:48 - Parsed control message (0 bytes)
22:04:48 - Parsed control message (0 bytes)
22:04:48 - Ack successfully written to LINK for packetId 4
22:04:48 - Ack successfully written to LINK for packetId 5
22:04:48 - Control: Write control packet {CONTROL_V1 | 0, sid: 8f628ee9cbc142dc, pid: 6, [35 bytes]}
22:04:48 - Send control packet (77 bytes): <REDACTED>
22:04:49 - Control: Try read packet with code ACK_V1 and key 0
22:04:49 - Control: Read packet {ACK_V1 | 0, sid: e07148efc947d1eb, acks: {[6], 8f628ee9cbc142dc}}
22:04:49 - Control: Try read packet with code CONTROL_V1 and key 0
22:04:49 - Control: Read packet {CONTROL_V1 | 0, sid: e07148efc947d1eb, pid: 6, [240 bytes]}
22:04:49 - Send ack for received packetId 6
22:04:49 - Control: Write ack packet {ACK_V1 | 0, sid: 8f628ee9cbc142dc, acks: {[6], e07148efc947d1eb}}
22:04:49 - TLS.connect: Put received ciphertext (240 bytes)
22:04:49 - Pulled plain control data (218 bytes)
22:04:49 - Parsed control message (217 bytes)
22:04:49 - Received PUSH_REPLY: "<masked>"
22:04:49 - Set up encryption
22:04:49 - 	Negotiated cipher: AES-256-GCM
22:04:49 - 	Negotiated compression framing: comp-lzo
22:04:49 - 	Negotiated compression algorithm: disabled
22:04:49 - 	Negotiated keep-alive interval: 10s
22:04:49 - 	Negotiated keep-alive timeout: 1m
22:04:49 - Session did start
22:04:49 - Returned ifconfig parameters:
22:04:49 - 	Remote: <masked>
22:04:49 - 	IPv4: addr <masked> netmask 255.255.255.0 gw <masked> routes []
22:04:49 - 	IPv6: not configured
22:04:49 - 	Gateway: ["IPv4"]
22:04:49 - 	DNS: ["<masked>"]
22:04:49 - 	Search domains: not configured
22:04:49 - Routing.IPv4: Setting default gateway to <masked>
22:04:49 - DNS: Using servers <masked>
22:04:49 - Ack successfully written to LINK for packetId 6
22:04:49 - Control: Try read packet with code ACK_V1 and key 0
22:04:49 - Control: Read packet {ACK_V1 | 0, sid: e07148efc947d1eb, acks: {[6], 8f628ee9cbc142dc}}
22:04:49 - Reasserting flag cleared
22:04:49 - Tunnel interface is now UP
22:04:53 - Stopping tunnel...
22:04:53 - Trigger shutdown on request
22:04:53 - Session did stop
22:04:53 - Failed LINK read: Error Domain=NSPOSIXErrorDomain Code=89 "Operation canceled"
22:04:53 - Socket state is cancelled (endpoint: <masked> -> <masked>)
22:04:53 - Cleaning up...
22:04:53 - Tunnel did stop on request
22:04:53 - Flushing log...
--- EOF ---
22:05:45 - Starting tunnel...
22:05:45 - App version: Passepartout 1.15.2 (2652)
22:05:45 - 	Protocols: [UDP:443]
22:05:45 - 	Cipher: AES-256-CBC
22:05:45 - 	Digest: HMAC-SHA1
22:05:45 - 	Compression framing: comp-lzo
22:05:45 - 	Compression algorithm: disabled
22:05:45 - 	Client verification: enabled
22:05:45 - 	TLS wrapping: auth
22:05:45 - 	TLS security level: 0
22:05:45 - 	Keep-alive interval: never
22:05:45 - 	Keep-alive timeout: never
22:05:45 - 	Renegotiation: never
22:05:45 - 	Server EKU verification: enabled
22:05:45 - 	Host SAN verification: disabled
22:05:45 - 	Gateway: not configured
22:05:45 - 	DNS: not configured
22:05:45 - 	MTU: default
22:05:45 - 	Debug: true
22:05:45 - 	Masks private data: true
22:05:45 - Will use DNS resolution
22:05:45 - Current SSID: '<masked>'
22:05:45 - Creating link session
22:05:45 - No endpoints available, will resort to DNS resolution
22:05:45 - DNS resolve hostname: <masked>
22:05:45 - DNS resolved addresses: <masked>
22:05:45 - Unrolled endpoints: <masked>
22:05:45 - Pick current endpoint: <masked>
22:05:45 - Will connect to <masked>:443
22:05:45 - Socket type is NEUDPSocket
22:05:45 - Socket state is preparing (endpoint: <masked> -> in progress)
22:05:45 - Socket state is ready (endpoint: <masked> -> <masked>)
22:05:45 - Starting VPN session
22:05:45 - Send hard reset
22:05:45 - Negotiation key index is 0
22:05:45 - Control: Enqueued 1 packet [0]
22:05:45 - Control: Write control packet {HARD_RESET_CLIENT_V2 | 0, sid: 7388e7b5b74ff49f, pid: 0, [0 bytes]}
22:05:45 - Send control packet (42 bytes): <REDACTED>
22:05:45 - Control: Try read packet with code HARD_RESET_SERVER_V2 and key 0
22:05:45 - Control: Read packet {HARD_RESET_SERVER_V2 | 0, sid: 03bd3bc3dc309e91, acks: {[0], 7388e7b5b74ff49f}, pid: 0}
22:05:45 - Send ack for received packetId 0
22:05:45 - Control: Write ack packet {ACK_V1 | 0, sid: 7388e7b5b74ff49f, acks: {[0], 03bd3bc3dc309e91}}
22:05:45 - Control: Remote sessionId is 03bd3bc3dc309e91
22:05:45 - Start TLS handshake
22:05:45 - TLS.connect: Pulled ciphertext (293 bytes)
22:05:45 - Control: Enqueued 1 packet [1]
22:05:45 - Control: Write control packet {CONTROL_V1 | 0, sid: 7388e7b5b74ff49f, pid: 1, [293 bytes]}
22:05:45 - Send control packet (335 bytes): <REDACTED>
22:05:45 - Ack successfully written to LINK for packetId 0
22:05:45 - Control: Try read packet with code CONTROL_V1 and key 0
22:05:45 - Control: Read packet {CONTROL_V1 | 0, sid: 03bd3bc3dc309e91, acks: {[1], 7388e7b5b74ff49f}, pid: 1, [1118 bytes]}
22:05:45 - Send ack for received packetId 1
22:05:45 - Control: Write ack packet {ACK_V1 | 0, sid: 7388e7b5b74ff49f, acks: {[1], 03bd3bc3dc309e91}}
22:05:45 - TLS.connect: Put received ciphertext (1118 bytes)
22:05:45 - Ack successfully written to LINK for packetId 1
22:05:45 - Control: Try read packet with code CONTROL_V1 and key 0
22:05:45 - Control: Read packet {CONTROL_V1 | 0, sid: 03bd3bc3dc309e91, pid: 2, [1118 bytes]}
22:05:45 - Send ack for received packetId 2
22:05:45 - Control: Write ack packet {ACK_V1 | 0, sid: 7388e7b5b74ff49f, acks: {[2], 03bd3bc3dc309e91}}
22:05:45 - TLS.connect: Put received ciphertext (1118 bytes)
22:05:45 - Control: Try read packet with code CONTROL_V1 and key 0
22:05:45 - Control: Read packet {CONTROL_V1 | 0, sid: 03bd3bc3dc309e91, pid: 3, [477 bytes]}
22:05:45 - Send ack for received packetId 3
22:05:45 - Control: Write ack packet {ACK_V1 | 0, sid: 7388e7b5b74ff49f, acks: {[3], 03bd3bc3dc309e91}}
22:05:45 - TLS.connect: Put received ciphertext (477 bytes)
22:05:45 - TLS.connect: Send pulled ciphertext (2338 bytes)
22:05:45 - Control: Enqueued 3 packets [2-4]
22:05:45 - Control: Write control packet {CONTROL_V1 | 0, sid: 7388e7b5b74ff49f, pid: 2, [1000 bytes]}
22:05:45 - Control: Write control packet {CONTROL_V1 | 0, sid: 7388e7b5b74ff49f, pid: 3, [1000 bytes]}
22:05:45 - Control: Write control packet {CONTROL_V1 | 0, sid: 7388e7b5b74ff49f, pid: 4, [338 bytes]}
22:05:45 - Send control packet (1042 bytes): <REDACTED>
22:05:45 - Send control packet (1042 bytes): <REDACTED>
22:05:45 - Send control packet (380 bytes): <REDACTED>
22:05:45 - TLS.connect: Handshake is complete
22:05:45 - TLS.auth: Local options: V4,dev-type tun,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
22:05:45 - TLS.auth: Put plaintext (396 bytes)
22:05:45 - TLS.auth: Pulled ciphertext (418 bytes)
22:05:45 - Control: Enqueued 1 packet [5]
22:05:45 - Control: Skip writing packet with packetId 2 (sent on 2021-04-22 19:05:45 +0000, 0.012348055839538574 seconds ago)
22:05:45 - Control: Skip writing packet with packetId 3 (sent on 2021-04-22 19:05:45 +0000, 0.012614011764526367 seconds ago)
22:05:45 - Control: Skip writing packet with packetId 4 (sent on 2021-04-22 19:05:45 +0000, 0.012581944465637207 seconds ago)
22:05:45 - Control: Write control packet {CONTROL_V1 | 0, sid: 7388e7b5b74ff49f, pid: 5, [418 bytes]}
22:05:45 - Send control packet (460 bytes): <REDACTED>
22:05:45 - Control: Skip writing packet with packetId 2 (sent on 2021-04-22 19:05:45 +0000, 0.014961004257202148 seconds ago)
22:05:45 - Control: Skip writing packet with packetId 3 (sent on 2021-04-22 19:05:45 +0000, 0.01507103443145752 seconds ago)
22:05:45 - Control: Skip writing packet with packetId 4 (sent on 2021-04-22 19:05:45 +0000, 0.015114903450012207 seconds ago)
22:05:45 - Control: Skip writing packet with packetId 5 (sent on 2021-04-22 19:05:45 +0000, 0.0024210214614868164 seconds ago)
22:05:45 - Ack successfully written to LINK for packetId 2
22:05:45 - Ack successfully written to LINK for packetId 3
22:05:45 - Control: Try read packet with code ACK_V1 and key 0
22:05:45 - Control: Read packet {ACK_V1 | 0, sid: 03bd3bc3dc309e91, acks: {[2], 7388e7b5b74ff49f}}
22:05:45 - Control: Try read packet with code ACK_V1 and key 0
22:05:45 - Control: Read packet {ACK_V1 | 0, sid: 03bd3bc3dc309e91, acks: {[3], 7388e7b5b74ff49f}}
22:05:45 - Control: Try read packet with code CONTROL_V1 and key 0
22:05:45 - Control: Read packet {CONTROL_V1 | 0, sid: 03bd3bc3dc309e91, acks: {[4], 7388e7b5b74ff49f}, pid: 4, [158 bytes]}
22:05:45 - Send ack for received packetId 4
22:05:45 - Control: Write ack packet {ACK_V1 | 0, sid: 7388e7b5b74ff49f, acks: {[4], 03bd3bc3dc309e91}}
22:05:45 - TLS.connect: Put received ciphertext (158 bytes)
22:05:45 - Ack successfully written to LINK for packetId 4
22:05:46 - Control: Try read packet with code CONTROL_V1 and key 0
22:05:46 - Control: Read packet {CONTROL_V1 | 0, sid: 03bd3bc3dc309e91, acks: {[5], 7388e7b5b74ff49f}, pid: 5, [246 bytes]}
22:05:46 - Send ack for received packetId 5
22:05:46 - Control: Write ack packet {ACK_V1 | 0, sid: 7388e7b5b74ff49f, acks: {[5], 03bd3bc3dc309e91}}
22:05:46 - TLS.connect: Put received ciphertext (246 bytes)
22:05:46 - Pulled plain control data (224 bytes)
22:05:46 - TLS.auth: Parsed server random
22:05:46 - TLS.auth: Parsed server options: "V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server"
22:05:46 - TLS.ifconfig: Put plaintext (PUSH_REQUEST)
22:05:46 - TLS.ifconfig: Send pulled ciphertext (35 bytes)
22:05:46 - Control: Enqueued 1 packet [6]
22:05:46 - Control: Write control packet {CONTROL_V1 | 0, sid: 7388e7b5b74ff49f, pid: 6, [35 bytes]}
22:05:46 - Send control packet (77 bytes): <REDACTED>
22:05:46 - Parsed control message (0 bytes)
22:05:46 - Parsed control message (0 bytes)
22:05:46 - Parsed control message (0 bytes)
22:05:46 - Parsed control message (0 bytes)
22:05:46 - Parsed control message (0 bytes)
22:05:46 - Parsed control message (0 bytes)
22:05:46 - Ack successfully written to LINK for packetId 5
22:05:46 - Control: Write control packet {CONTROL_V1 | 0, sid: 7388e7b5b74ff49f, pid: 6, [35 bytes]}
22:05:46 - Send control packet (77 bytes): <REDACTED>
22:05:46 - Control: Try read packet with code ACK_V1 and key 0
22:05:46 - Control: Read packet {ACK_V1 | 0, sid: 03bd3bc3dc309e91, acks: {[6], 7388e7b5b74ff49f}}
22:05:46 - Control: Try read packet with code CONTROL_V1 and key 0
22:05:46 - Control: Read packet {CONTROL_V1 | 0, sid: 03bd3bc3dc309e91, pid: 6, [240 bytes]}
22:05:46 - Send ack for received packetId 6
22:05:46 - Control: Write ack packet {ACK_V1 | 0, sid: 7388e7b5b74ff49f, acks: {[6], 03bd3bc3dc309e91}}
22:05:46 - TLS.connect: Put received ciphertext (240 bytes)
22:05:46 - Pulled plain control data (218 bytes)
22:05:46 - Parsed control message (217 bytes)
22:05:46 - Received PUSH_REPLY: "<masked>"
22:05:46 - Set up encryption
22:05:46 - 	Negotiated cipher: AES-256-GCM
22:05:46 - 	Negotiated compression framing: comp-lzo
22:05:46 - 	Negotiated compression algorithm: disabled
22:05:46 - 	Negotiated keep-alive interval: 10s
22:05:46 - 	Negotiated keep-alive timeout: 1m
22:05:46 - Session did start
22:05:46 - Returned ifconfig parameters:
22:05:46 - 	Remote: <masked>
22:05:46 - 	IPv4: addr <masked> netmask 255.255.255.0 gw <masked> routes []
22:05:46 - 	IPv6: not configured
22:05:46 - 	Gateway: ["IPv4"]
22:05:46 - 	DNS: ["<masked>"]
22:05:46 - 	Search domains: not configured
22:05:46 - Routing.IPv4: Setting default gateway to <masked>
22:05:46 - DNS: Using servers <masked>
22:05:46 - Control: Try read packet with code ACK_V1 and key 0
22:05:46 - Control: Read packet {ACK_V1 | 0, sid: 03bd3bc3dc309e91, acks: {[6], 7388e7b5b74ff49f}}
22:05:46 - Ack successfully written to LINK for packetId 6
22:05:46 - Reasserting flag cleared
22:05:46 - Tunnel interface is now UP
22:05:56 - Send ping
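
One way to turn the capture and diagnostics in the comment above into a per-query verdict, as an added example that is not part of the original issue or the Passepartout code base: every DNS query seen on the physical interface counts as a leak unless it resolves the VPN endpoint, and each leak is tagged with the tunnel state taken from the app log. The allowed hostname `nl.vpn.airdns.org` is an assumption (the log masks the endpoint), the function names are hypothetical, and the sample lines are excerpted from the output above.

```python
import re
from collections import Counter

# DNS *query* line from `tcpdump -n -i en0 udp port 53`; responses do not match
# because their destination port is not 53 and they carry no "<type>?" field.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"\d+\.\d+\.\d+\.\d+\.\d+ > (?P<resolver>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+[+%]* (?:\[[^\]]+\] )?(?P<qtype>\S+)\? (?P<qname>\S+) \(\d+\)$"
)
# Tunnel state changes as they appear in the diagnostics log on this page.
EVENT_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}) - (?P<msg>.+)$")
STATE_MARKERS = {
    "Starting tunnel...": "connecting",
    "Tunnel interface is now UP": "up",
    "Stopping tunnel...": "down",
}


def seconds(ts):
    """Convert HH:MM:SS[.ffffff] to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def tunnel_events(diagnostics):
    """Return [(seconds, state)] for every state marker in the app log."""
    events = []
    for line in diagnostics.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m["msg"] in STATE_MARKERS:
            events.append((seconds(m["ts"]), STATE_MARKERS[m["msg"]]))
    return sorted(events, key=lambda e: e[0])


def state_at(events, t):
    """Tunnel state at time t. The app log has one-second resolution, so
    queries within the same second as a state change are approximate."""
    state = "unknown"
    for when, new_state in events:
        if when <= t:
            state = new_state
    return state


def find_leaks(capture, diagnostics, vpn_hostnames):
    """Flag each query on the physical interface that is not a lookup of the
    VPN endpoint itself (the only DNS exception the issue asks for)."""
    events = tunnel_events(diagnostics)
    allowed = {h.rstrip(".").lower() for h in vpn_hostnames}
    leaks = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # response or unrelated line
        qname = m["qname"].rstrip(".").lower()
        if qname in allowed:
            continue  # needed to reach the VPN server
        leaks.append({
            "ts": m["ts"],
            "resolver": m["resolver"],
            "qtype": m["qtype"],
            "qname": qname,
            "state": state_at(events, seconds(m["ts"])),
        })
    return leaks


def summarize(leaks):
    """Count leaked queries per tunnel state."""
    return dict(Counter(leak["state"] for leak in leaks))


# Lines excerpted from the tcpdump output and diagnostics in the comment above.
SAMPLE_CAPTURE = """\
22:04:36.080773 IP 192.168.71.52.56399 > 8.8.8.8.53: 44625+ A? example.org. (29)
22:04:36.153974 IP 8.8.8.8.53 > 192.168.71.52.56399: 44625 1/0/0 A 93.184.216.34 (45)
22:04:47.408582 IP 192.168.71.52.50451 > 8.8.8.8.53: 26447+ A? www.apple.com. (31)
22:04:47.470218 IP 192.168.71.52.49712 > 8.8.8.8.53: 34882+ A? nl.vpn.airdns.org. (35)
22:04:47.787749 IP 192.168.71.52.58428 > 8.8.8.8.53: 58760+ Type65? mesu.apple.com. (32)
22:04:52.899152 IP 192.168.71.52.59238 > 8.8.8.8.53: 14327+ A? example.org. (29)
22:05:45.467981 IP 192.168.71.52.56458 > 8.8.8.8.53: 280+ A? example.org. (29)
"""
SAMPLE_DIAGNOSTICS = """\
22:04:47 - Starting tunnel...
22:04:49 - Tunnel interface is now UP
22:04:53 - Stopping tunnel...
22:05:45 - Starting tunnel...
22:05:46 - Tunnel interface is now UP
"""

if __name__ == "__main__":
    # Assumption: nl.vpn.airdns.org is the (masked) endpoint of the profile.
    found = find_leaks(SAMPLE_CAPTURE, SAMPLE_DIAGNOSTICS, {"nl.vpn.airdns.org"})
    for leak in found:
        print(leak["ts"], leak["state"], leak["qtype"], leak["qname"], "->", leak["resolver"])
    print(summarize(found))
```
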

Member

keeshux commented Apr 26, 2021

Fair enough!

@keeshux keeshux reopened this Apr 26, 2021
@keeshux keeshux added the bug Something isn't working label Apr 26, 2021
@x13a x13a closed this as completed Jul 23, 2022
@keeshux keeshux reopened this Aug 5, 2022
@MahdiNazemi

Does v2.0.0 suffer from this issue?

Member

keeshux commented Oct 29, 2022

@x13a hey, can you please share why you closed this issue on Jul 23? It's quite important, thanks.

@keeshux keeshux self-assigned this Oct 29, 2022
@keeshux keeshux added the help wanted Extra attention is needed label Oct 29, 2022
@ldavis2020

Agreed this is a really important task.

@keeshux keeshux added this to the 2.1.0 milestone Oct 30, 2022
josser pushed a commit to josser/passepartout-apple that referenced this issue Nov 1, 2022
Author

x13a commented Nov 2, 2022

Hey @keeshux, I was in a bad mood and closed all the issues I have opened. Sorry for this.
