Big Sur + VPN + Apple Apps Bypassing ?


Traveller1

Posts: 3
Joined: Mon Feb 09, 2015 10:52 pm

Post by Traveller1 » Thu Nov 26, 2020 1:27 am
Hello,
So, I have read about Apple apps bypassing VPNs on Big Sur. Apparently, it is an issue, but not as big as originally hyped, as far as I can determine.

So, my question.

Essentially, how well does Viscosity deal with Big Sur and Apple apps bypassing a VPN? I am using AirVPN. AirVPN advises to use Hummingbird as a command line app to run their VPN to ensure maximum security.

Quote:
"Yes, both Hummingbird and Eddie are free and open source software by AirVPN. They are available for Mac too. They both enforce "Network Lock" by using pf (pre-installed by default on macOS by Apple) so you don't have to worry about traffic leaks outside the VPN tunnel."

Can Viscosity do the same? What should I do?

Thanks :)

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Nov 26, 2020 1:35 am
Hi Traveller1,

I've included below a recent reply of ours to an email asking a similar question:

Viscosity operates at the IP level, using the computer’s routing table to direct traffic. Viscosity does not use the NetworkExtension framework or the related Filter Data Provider or App Proxy Provider APIs. It is these APIs that have been in the news recently for Apple excluding their own apps from.

As Viscosity is distributed outside of the App Store we are not forced to use the NetworkExtension framework or APIs to implement VPN functionality. Viscosity instead operates at a lower level, rather than using the high level NetworkExtension framework, to implement VPN connections.

I will mention that we haven’t actually confirmed whether Apple’s apps do in fact bypass the NetworkExtension APIs, so please don’t take this email as confirmation that Apple’s apps are indeed bypassing VPN clients that use these APIs. As this doesn’t affect Viscosity it’s not something we’ve taken the time to look into ourselves.

In fact, if I had to speculate, it would be that the news is probably overblown, and that normal NetworkExtension-style VPN tunnels are not being bypassed. As indicated by the Twitter posts you’ve alluded to, the ContentFilterExclusionList has only been confirmed to apply to the Filter Data Provider and App Proxy Provider APIs. These APIs aren’t typically used to create a VPN tunnel. Instead they’re used to implement firewalls/filtering (like Little Snitch) or per-app VPNs (where all traffic isn’t going through the VPN connection by default). Some VPN Service Provider apps likely use them to implement “kill switch” functionality as well. They’re not typically used when creating a VPN tunnel that all traffic is going through by default, as used with VPN Service Providers.

Again, the above is just speculation. As it’s not relevant to Viscosity’s functionality it’s not something we’ve looked into. Viscosity is not affected by apps bypassing the NEFilterDataProvider or NEAppProxyProviders APIs.

Finally, it appears it has been confirmed that Apple’s apps don’t bypass filtering at the IP level, so macOS’s inbuilt firewall (aka packet filtering or “pf”) can be used to block non-VPN traffic on your normal network interfaces if desired. You can use the “pfctl” command in the Terminal to configure this, or use a GUI tool like Murus.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
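
The pf approach mentioned in the reply above, as an added example that is not part of the original thread or SparkLabs' own code: a shell function that prints a pf ruleset blocking outbound traffic on the physical interface except the VPN connection itself and DHCP. The interface names (`en0`, `utun10`), the server address `192.0.2.10` and port 1194/udp are constructed sample values; check `ifconfig` and your connection settings for the real ones.

```shell
#!/bin/sh
# Added example: emit a pf ruleset that only lets the VPN connection (and DHCP)
# leave the physical interface; everything else has to use the tunnel.
# Usage: killswitch_rules EXT_IF VPN_IF SERVER_IPV4 PROTO PORT
killswitch_rules() {
    ext_if=$1; vpn_if=$2; server=$3; proto=$4; port=$5

    if [ -z "$ext_if" ] || [ -z "$vpn_if" ]; then
        echo "interface names required" >&2; return 1
    fi
    # Shape check for an IPv4 literal. A hostname would need DNS, which these
    # rules block on the physical interface until the tunnel is up.
    case $server in
        ''|*[!0-9.]*|*.*.*.*.*|*..*|.*|*.)
            echo "server must be an IPv4 address" >&2; return 1 ;;
        *.*.*.*) ;;
        *)  echo "server must be an IPv4 address" >&2; return 1 ;;
    esac
    case $proto in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*|??????*) echo "port must be 1-65535" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port must be 1-65535" >&2; return 1
    fi

    cat <<EOF
# Loopback traffic is not filtered.
set skip on lo0
# Default for the physical interface: nothing leaves (IPv4 and IPv6).
block drop out on $ext_if all
# Exception 1: the encrypted tunnel packets to the VPN server itself.
pass out quick on $ext_if inet proto $proto from any to $server port $port keep state
# Exception 2: DHCP, so the machine keeps its local address lease.
pass out quick on $ext_if inet proto udp from any port 68 to any port 67 keep state
# Traffic inside the tunnel is unrestricted.
pass quick on $vpn_if all
EOF
}

# Constructed sample values: en0 (physical), utun10 (tunnel), 192.0.2.10:1194/udp.
killswitch_rules en0 utun10 192.0.2.10 udp 1194
```

Save the output to a file and run `sudo pfctl -nf <file>` to parse it without loading; `sudo pfctl -ef <file>` loads it in place of the active main ruleset and enables pf, and `sudo pfctl -f /etc/pf.conf` restores the system default.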

Traveller1

Posts: 3
Joined: Mon Feb 09, 2015 10:52 pm

Post by Traveller1 » Thu Nov 26, 2020 12:38 pm
Thanks James. It is a complicated world for a simple boy like me to navigate.