Add "Disable LAN traffic" option
jurajhilje opened this issue · 1 comments
Description
The iOS app allows LAN access when VPN is connected by default.
We want to add "Disable LAN traffic" option.
By implementing a combination of the includeAllNetworks and excludeLocalNetworks APIs, it is possible to route LAN traffic through the VPN tunnel. excludeLocalNetworks only has effect if includeAllNetworks is set to true. Note that using these APIs causes reliability issues (losing connectivity is the most common).
QA Notes
This feature can be tested by inspecting LAN traffic with Wireshark. Test method requires iOS and macOS device on the same LAN.
Steps:
- Connect iOS and macOS devices to the same WiFi
- Note local IP addresses for both devices, e.g. 192.168.1.10 is iPhone and 192.168.1.20 is Mac
- Connect to VPN on iPhone
- Start monitoring iOS device traffic with Wireshark
- Filter Wireshark traffic with ip.addr == 192.168.1.10 and ip.addr == 192.168.1.20
- Start using Apple's apps that use the Handoff feature, e.g. Mail, Safari, Maps, Notes, Find My etc. Or send a file via AirDrop from iPhone to Mac
- Observe network packets where iPhone and Mac are both source and destination. This means that iPhone is sending traffic to the Mac directly (outside the VPN tunnel).

If the "Disable LAN traffic" option is enabled, after completing the same test, there should be no network packets with iPhone (192.168.1.10) as source. Additionally, Handoff features which rely on devices connected to the same local network will stop working, e.g. AirDrop.
Verified on 2.10.1 (4). There was an issue with IKEv2 which has already been fixed; alerts have been added when attempting to use the protocol with "Disabled LAN traffic" ON.
Tested the option "Disabled LAN traffic" and no more issues have been found.
When pinging the local IP address of the iOS device from another machine (macOS) while capturing packets with Wireshark (both in the same local network), the iOS and macOS devices appear as both source and destination in the captured packets. However, if LAN is disabled on iOS, the ping request on the macOS machine times out and only macOS sends traffic to iOS, with nothing from iOS to macOS.
Also tested with AirDrop: when "Disable LAN traffic" is ON, the iOS device does not find the macOS device, and the same the other way around; if "Disable LAN traffic" is OFF, AirDrop works again.
All the above has been tested with OpenVPN and WireGuard.