Some UDP traffic appears to be able to escape the VPN tunnel on iOS


Describe the bug
Some UDP traffic can’t be tunneled on iOS even though the server has UDP support.

To Reproduce
Steps to reproduce the behavior:

  1. Start a go-shadowsocks2 server with the command:
       # By default has UDP support
       go-shadowsocks2 -s 'ss://AES-256-CFB:my-password@:8486' -verbose
  2. Connect the Outline iOS App with the corresponding ss key.
  3. Open the WeChat App, choose a contact and start a Video Call. (It seems that WeChat uses UDP for real-time video streaming)

Expected behavior
All UDP traffic is tunneled to the server as long as the server has UDP support.

Screenshots
Here are some Wireshark screenshots I captured during the test. 192.168.137.20 is the IP address of my iOS phone, 35.220.206.186 is the IP address of my proxy server. 203.205.208.74 appears to be one of the IP addresses of the WeChat servers.

I am using a USB WiFi adapter on a Windows system which runs inside a VirtualBox machine that is hosted on macOS. My phone is connected to this WiFi in order to capture traffic via Wireshark.


Smartphone (please complete the following information):

  • Device: iPhone XR
  • OS: iOS 12.1.4
  • Outline Version: 1.2.6

Issue Analytics

  • State: open
  • Created 5 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

1 reaction
alalamav commented, Mar 22, 2019

@joeysino, @studentmain, in Android we use a whitelist model (due to the VPN APIs), meaning that 203.128.0.0/9 is routed through the VPN. The iOS bypass subnets use a blacklist model.

@noeruh, we’re still trying to recreate your setup to reproduce this issue. I also suspect this could be related to bypassing reserved subnets.

0 reactions
ghost commented, Mar 22, 2019

I found out that only 203.0.113.0/24 should be reserved, according to: https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
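
The two routing models contrasted in the comments above, as an added example (not code from Outline or from the thread participants). It assumes the whitelist is built as the complement of the reserved block inside 203.0.0.0/8, which is one way 203.128.0.0/9 ends up as a tunneled route, and it uses a constructed over-broad bypass entry to show how a blacklist model lets a destination such as 203.205.208.74 leave outside the tunnel.

```python
import ipaddress

# Reserved block named in the thread (listed in the IANA special registry).
RESERVED = ipaddress.ip_network("203.0.113.0/24")
PARENT = ipaddress.ip_network("203.0.0.0/8")
ANDROID_ROUTE = ipaddress.ip_network("203.128.0.0/9")   # route quoted in the thread
WECHAT_DST = ipaddress.ip_address("203.205.208.74")     # address from the report
RESERVED_HOST = ipaddress.ip_address("203.0.113.5")     # constructed sample

# Constructed bypass lists for the blacklist model. These are assumptions for
# illustration, not Outline's real configuration.
CORRECT_BYPASS = [RESERVED]
OVERBROAD_BYPASS = [PARENT]   # hypothetical entry wider than the reserved block


def allowlist_from_reserved(parent, reserved):
    """Whitelist model: minimal set of routes covering parent minus reserved."""
    return sorted(parent.address_exclude(reserved))


def tunneled_whitelist(dst, included):
    """Whitelist model: dst is tunneled only if an included route covers it."""
    return any(dst in net for net in included)


def tunneled_blacklist(dst, excluded):
    """Blacklist model: dst is tunneled unless an excluded route covers it."""
    return not any(dst in net for net in excluded)


def overbroad_entries(excluded, reserved_blocks):
    """Return excluded routes that are not contained in any reserved block."""
    return [e for e in excluded
            if not any(e.version == r.version and e.subnet_of(r)
                       for r in reserved_blocks)]


if __name__ == "__main__":
    allow = allowlist_from_reserved(PARENT, RESERVED)
    print("whitelist routes:", [str(n) for n in allow])
    print("whitelist tunnels WeChat dst:", tunneled_whitelist(WECHAT_DST, allow))
    for name, bypass in (("correct", CORRECT_BYPASS), ("over-broad", OVERBROAD_BYPASS)):
        print(name, "bypass list tunnels WeChat dst:",
              tunneled_blacklist(WECHAT_DST, bypass),
              "| entries wider than reserved:",
              [str(e) for e in overbroad_entries(bypass, [RESERVED])])
```

Running `overbroad_entries` against the bypass list actually shipped in a client is a quick audit for excluded routes that cover publicly routable space.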
