- It's physically impossible for your devices to bypass the VPN.
- It also works with devices that have poor or non-existent VPN support (e.g. Roku, smart TV, etc.).
- You only have to configure it once vs having to configure it on all your devices.
- You can easily and quickly toggle the VPN by switching to a Wi-Fi network that doesn't have the VPN set up.
I've been using GL.iNet's travel routers for many years and can't recommend them enough (no affiliation other than being a customer). Just ordered their new Beryl router[0].
Without that focus, web sites would have a lot of trouble identifying IP traffic routed over a personal VPN from any other traffic. I suppose they could just block entire clouds, for those who run VPN servers on AWS, Azure, et al. But that would cause a lot of other problems.
I just route all of my devices through a single node I run at one physical location that appears like a genuine client node. I've never seen anything blocking it.
I feel like "quickly" and "easily" are a little overstated. Then again, this is someone who is willing to install a separate firmware on a router, so...
Yes, setting it up in the first place may be fairly involved.
I replaced my router recently and changed my strategy. Now the router is only a router (and firewall of course).
I have a raspi sitting next to it providing the wireguard vpn. This is easy to update and everything actually works better than in past. I attribute a large part of that to wireguard over openvpn, though...
Double it, OpenWRT functionality beats any production router firmware. Bought a Linksys some time ago, now searching for a cable to flash OpenWRT on it because the original firmware feels crazy dumb.
It's not true. There are bugs and vulnerabilities, and some of them can be exploited remotely. OpenWRT is no exception here. Better than many, maybe, but not invulnerable.
And please, let's stick to professional terminology and call these "VPNs" what they are - transparent L2/L3 proxies.
Also I don’t think your terminology is really all that helpful. These services are literally VPNs. Trying to make a distinction doesn’t really add anything when VPN is already an established well understood term. This just adds confusion when there are already L3 proxies.
So there are no true VPN apps in Big Sur at all? Or true firewalls?
Honestly, this is so hard to believe that it cannot be untrue. They are totally sick at Apple.
So yes, Apple is in the wrong.
Edit: The article headline is technically accurate (if a little clickbaity): "Apple apps on Big Sur bypass firewalls and VPNs". Yes they do! Not all firewalls. But they bypass some of the most popular ones, like Little Snitch.
What, are they working with someone? Five Eyes? China? Spain? The Soviet Bloc?
Honestly, this is either utter imbecility or straight ill-will. There are no greys here. At all. When you do a thing like this either you are stupid or you DO know the risks and are OK with them.
Great: now people in Hong Kong cannot use Big Sur because they should be afraid of the apps they are using.
Not sure how well any of that works though. I'm not touching Big Sur or the new macs with a 10' pole until all the software that I rely on is updated to not require kexts 100% (including Little Snitch full support) and Apple silicon has virtualization support so I can run Docker.
I'm really glad I just upgraded to the latest intel mbp a few months ago.
How can I know that the option to edit the whitelist won't be removed as fast as the default entries were added to the whitelist?
1: https://tinyapps.org/blog/202010210700_whose_computer_is_it....
At least there seems to be a way to try and fight it.
What a mess, man...
VPNs work just fine for me. Some Apple apps may bypass the VPN, but I don't see a reason those apps would need to connect to the company intranet in the first place.
Nevermind that your VPN might have the purpose of bypassing shitty, insecure public wifi.
Nevermind you may not be trusting your local/national internet infrastructure.
Apple knows best. Trust them.
/s
That being said, I think many comments here are out of touch. We're talking about a specialized security feature which is not easily available on other platforms, is only used by a minority of users, and still works for most programs.
What exactly are your threat models that this is causing a problem for you? Are you sure that you can even use a mainstream OS if you need to block all outbound connections? If I had to have complete control over my outbound connections, I would use a hardware/software solution sitting between the computer and router.
Secondly, is this really bypassing VPNs or only the new firewall API? e.g. is it bypassing WireGuard?
If I connect to a public wifi hotspot and use a VPN, I used to be under the general assumption that my network traffic would be sent through my network tunnel and not be accessible to other users of the same hotspot.
One of the points of having a VPN is to be able to run software without every single middle man on the network knowing what you are running.
For example, say someone hypothetically wanted to post a comment on twitter that, again, hypothetically, was politically inconvenient for some authority figure.
The fact they launched twitter at about the time that comment was posted might be something they would prefer to not have reported on the internet at all, and certainly not without encryption.
Generally, this falls into the general category of "I may disagree with what you say, but I will fight for your right to say it".
Some VPNs were using kexts before Big Sur, some weren't. WireGuard, for example, is a normal App Store app which integrates with the OS VPN support. It would suck if it were confirmed that it's leaking traffic.
For what it's worth, a VPN will not protect you from threats on a hostile network.
“A virtual private network (VPN) is a form of network tunnel where a VPN client uses the public Internet to create a connection to a VPN server and then passes private network traffic over that connection. If you want to build a VPN client that implements a flow-oriented, custom VPN protocol—one that works with the data passing through a TCP connection rather than the packets used to transport that data—create an app proxy provider app extension. When the system starts a VPN configuration that uses your app proxy provider, it launches your app extension, instantiates your app proxy provider subclass within that app extension, and starts forwarding flows to your provider. Each flow represents either a TCP connection or a conversation over UDP. Your provider is expected to open a tunnel to a VPN server and forward each flow over that tunnel. Similarly, if your provider receives flow data from the tunnel, it should pass that back to the system via the appropriate flow. App proxy providers are one form of per-app VPN, the other being a Packet Tunnel Provider in source application mode. App proxy providers are supported in iOS on managed devices only, and in macOS for Mac App Store apps only.” https://developer.apple.com/documentation/networkextension/a...
More explanation here: https://twitter.com/lorisscandurra/status/132793682910295244...
I'm confused by this statement. We are talking about being able to implement firewalls and VPNs which can filter/redirect all outgoing connections. These are both abilities easily available on Windows and Linux.
I would like my computer to not connect to anyone or anything when it's powered on if I'm not running interactive apps that I specifically wish to use the network.
It's sort of like the bad old days with linux distros coming with like 47 listening services enabled by default. It took a while before they realized that defaulting things to "off" was the best move.
I encourage you to look at the pcaps coming out of a fresh macOS install with everything turned off: App Store, iCloud, analytics, FaceTime, iMessage. You'd be surprised how much it's doing when it's sitting there "doing nothing".
Such firewalls are used for protection against asshole developers which want to collect analytics without asking for confirmation. Apple are one of the assholes and LS can only be an interim solution against the OS developer. This was bound to happen... and I guess only a HW solution will help now.
Traditional VPNs that cover the whole system and route traffic based on destination IP (such as OpenVPN in UTUN mode) use the Packet Tunnel Provider in Destination IP mode. To the best of my knowledge, global VPNs routing based on destination IP (i.e. non per-app VPNs) still route traffic from all applications, including Apple ones.
See this for more details on the Packet Tunnel Provider: https://developer.apple.com/documentation/networkextension/n...
You can't claim that these apps were not meant to do the very thing they used to do until Apple made such operation effectively impossible.
I'm not denying that NEFilterDataProvider is an inferior solution for per-app firewalls like Little Snitch, compared to their previous kernel extension.
It looks like a lot of people are under the assumption that enabling VPN means system wide.
More info on the purpose of per-app VPNs: https://support.apple.com/en-us/guide/deployment-reference-i...
That said, I am curious which laptop brands today are most compatible with Linux. I've heard good things about Lenovo and Dell XPS. As for which flavor of Linux, I have my eyes on Arch...
Why not just buy preinstalled Linux? https://puri.sm/products/
Furthermore, Dell's WD19TB dock works on most kernels (and all newer XPS models) as well. I'm talking power, USB, network, and three 2K@60 (or one 4K@144 and one 1080p@60) displays all on a single cable. The future we were promised 4 years ago is finally here.
I bought a System76 which comes with Linux (Ubuntu or Pop!_OS). I'm using Pop and things work (JetBrains, Bitwig, I compiled Unreal Engine..).
Those machines are rebranded Clevos (so they say) but I know drivers will work. Build quality is decent but the machine has lasted. It's been good and pretty much maintenance free. The OS updates frequently.
My only complaint is the machine has 2 video cards and will only drive externals with the Nvidia one. Switching requires a reboot. The battery life isn't great when driving the Nvidia card. Maybe the new ones fixed this (Oryx Pro)
(btw, I admit that some of this has to do with a general lack of support for Linux by software and hardware companies, but there's only one side of this Linux distros can work on and that is making it a more pleasant environment for end users and most Linux users seem to sneer at that thought)
In my past experiences a big frustration was configuring/debugging some random thing and ending up with a solution that - given 12 months of time - I needed to tweak and could not remember what I did. Or worse, I upgrade software and something breaks. I identified that this effort was wasted if I couldn't roll back easily, or incrementally document my steps through the OS.
To tackle this I chose to go with NixOS. It's got a lot of rough edges, but a few days of dedicated learning time was enough to make me feel mostly productive. I still have a lot of hanging questions, but with NixOS + Flakes + Home Manager I have a system that I feel confident about stability and my ability to roll back as needed. This softens the blow for me personally of needing to figure stuff out that I otherwise wouldn't have had to on OSX.
Since my focus is building a beast PC (that I don't want to pay Apple for) I might still use Mac laptops, and as a bonus my Nix setup can still be applied on Apple. From Nixpkgs to Home Manager dotfiles I plan on using my setup on both Mac and NixOS.
I switched fully ~4 weeks ago, and my only real complaints are (as a Linux Desktop beginner):
1. X11 seems awful. Notably I have one 4K monitor and two 1080p monitors and .. it's annoying to set up. I'm using XFCE because it was notably faster than KDE and especially GNOME, and so I set XFCE to 2x window scaling, but that scales all 3 monitors. So I have to use xrandr to tweak the scalings, and that has been a chore. Lots of experimentation for a janky experience, but I've got it working well enough for me. Wayland will hopefully improve this, but that's a long way out, it seems.
2. Basic features like scaling seem hit or miss. On KDE I recall it working pretty well with all my normal windows. On XFCE, if I set 2x scaling, Spotify and Zoom don't recognize the scaling, resulting in very small text. I'm willing to overlook a lot of the Mac "pretty" - but I really wish desktop environments would perfect the basics.
3. Discoverability on Linux (any distro, IMO) is .. bad. We all know the trend of immediately going to Google for everything if you're unfamiliar with the toolset or the domain, but I feel like there's got to be a better way to navigate an OS from both CLI and UI. Linux has the same discoverability problem that Windows has, it's just easier to Google things.. and that feels bad. For a hacker-friendly OS I think we could do better here. NixOS, while equally terrible on this front, strikes me as something uniquely fit to be discoverable - given that nearly the entire experience is immutably configured.
All in all, so far I'm quite happy with my switch and looking forward to buying a Zen3 to build a new workstation. Hope this summary of my month-long journey is of use to someone lol. It's far from over.
I'm also genuinely curious, what is the main benefit of doing this and if it's done by design.
I wouldn't be surprised if there are still apple apps installed as system apps on iOS that could just come through the store or are using some special Apple-only API to do something trivial.
The article suggests that Apple may be exempting its own apps from user-defined network traffic protection measures in order to clamp down on geographical licensing loopholes, or to keep its app traffic out of VPN servers. Either case would be to the benefit of Apple and the detriment of the customer/user IMO.
Linux also lets you create VPN connections for individual apps if you use network namespacing. Before WireGuard, I used to use network namespaces with OpenVPN[2] to create individual tunnels for different apps, and it worked nicely.
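An added example (not from the comment above) of the network-namespace approach it describes, here with WireGuard: the wg interface is created in the host namespace, so its encrypted UDP still leaves via the normal uplink, and is then moved into a fresh namespace whose only default route is that interface. Anything launched inside the namespace can only talk through the tunnel; nothing else on the host is touched. The config path, tunnel address and resolver are assumed values, and the `DRY_RUN` switch only prints the commands so the sequence can be reviewed without root.

```shell
#!/bin/sh
# Per-app VPN with a Linux network namespace plus WireGuard.
# Added example, not the commenter's own setup. Hypothetical assumptions:
#   WG_CONF  - a plain wg(8) config (Interface/Peer sections only; no
#              wg-quick Address=/DNS= lines, those are handled below)
#   WG_ADDR  - the tunnel-side address the VPN assigned to this peer
#   VPN_DNS  - a resolver reachable through the tunnel
# Processes started inside the namespace see only lo and the wg interface,
# so they have no route to leak around the tunnel.
set -eu

NS="${NS:-vpn}"
WG_IF="${WG_IF:-wg0}"
WG_CONF="${WG_CONF:-/etc/wireguard/vpn.conf}"   # assumed path
WG_ADDR="${WG_ADDR:-10.8.0.2/32}"               # assumed tunnel address
VPN_DNS="${VPN_DNS:-10.8.0.1}"                  # assumed in-tunnel resolver
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute, or only print the command when DRY_RUN=1 so the
# sequence can be reviewed (or tested) without root or a real tunnel.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the interface in the init namespace (its UDP socket stays there,
# so encrypted packets use the host's uplink), then move it into the
# namespace, where the only default route points at it.
vpn_ns_up() {
    run ip netns add "$NS"
    run ip link add "$WG_IF" type wireguard
    run wg setconf "$WG_IF" "$WG_CONF"
    run ip link set "$WG_IF" netns "$NS"
    run ip -n "$NS" addr add "$WG_ADDR" dev "$WG_IF"
    run ip -n "$NS" link set lo up
    run ip -n "$NS" link set "$WG_IF" up
    run ip -n "$NS" route add default dev "$WG_IF"
    # /etc/netns/<NS>/resolv.conf is bind-mounted over /etc/resolv.conf by
    # `ip netns exec`, so DNS lookups also stay inside the tunnel.
    run mkdir -p "/etc/netns/$NS"
    run sh -c "printf 'nameserver %s\n' '$VPN_DNS' > '/etc/netns/$NS/resolv.conf'"
}

# Run an app inside the namespace as the invoking user: setup needed root,
# the application should not run as root.
vpn_ns_run() {
    user="${SUDO_USER:-$(id -un)}"
    run ip netns exec "$NS" sudo -u "$user" -- "$@"
}

# Leak check: the namespace's default route must be the wg interface.
vpn_ns_check() {
    ip -n "$NS" route show default | grep -q "dev $WG_IF"
}

# Deleting the namespace also destroys the wg interface inside it.
vpn_ns_down() {
    run ip netns del "$NS"
}

case "${1:-}" in
    up)    vpn_ns_up ;;
    down)  vpn_ns_down ;;
    check) vpn_ns_check ;;
    run)   shift; vpn_ns_run "$@" ;;
esac
```

Typical use is `sudo ./vpnns.sh up`, then `sudo ./vpnns.sh run firefox` (or `curl https://...` to confirm the exit address), and `sudo ./vpnns.sh down` when finished; `DRY_RUN=1 ./vpnns.sh up` prints the commands instead of running them. If the WireGuard peer's AllowedIPs is narrower than 0.0.0.0/0 the default route inside the namespace still exists but packets outside that range are dropped by WireGuard rather than leaking, which is the behaviour you want from a per-app tunnel.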
you can use the following in the terminal to see the list of whitelisted programs:
cat /System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist
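An added example (not from the comment above) that pulls just the array out of that plist instead of reading the whole file; it uses plain awk, so it also works on a copy of the plist on a Linux box. The key name `ContentFilterExclusionList` is what I recall that Info.plist using on Big Sur and is an assumption here: run `plutil -p` on the file to see the real keys. The embedded sample plist is constructed for the test and is not the real file's contents.

```shell
#!/bin/sh
# List the bundle IDs in an array under a given key of an XML plist.
# Added example, not the commenter's. The key name below is assumed
# (compare with `plutil -p` on the real file); the parser assumes the
# one-element-per-line layout that plutil and Xcode write.
set -eu

PLIST="${PLIST:-/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist}"
KEY="${KEY:-ContentFilterExclusionList}"   # assumed key name

# plist_array_strings KEY < file: print each <string> inside the <array>
# that immediately follows <key>KEY</key>, one per line. Prints nothing
# if the key is missing or its value is not an array.
plist_array_strings() {
    awk -v key="$1" '
        index($0, "<key>" key "</key>") { want = 1; next }
        want && !inarr {
            # the value starts on the line after the key; must be an array
            if ($0 ~ /<array>/) { inarr = 1; next } else { exit }
        }
        inarr && /<\/array>/ { exit }
        inarr && /<string>/ {
            s = $0
            sub(/.*<string>/, "", s)
            sub(/<\/string>.*/, "", s)
            print s
        }'
}

# Constructed sample (NOT the real file) so the parser can run offline.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>CFBundleIdentifier</key>
	<string>com.apple.NetworkExtension</string>
	<key>ContentFilterExclusionList</key>
	<array>
		<string>com.apple.example.one</string>
		<string>com.apple.example.two</string>
	</array>
	<key>OtherKey</key>
	<array>
		<string>not.this.one</string>
	</array>
</dict>
</plist>'

# count_excluded [file]: number of bundle IDs under $KEY; uses the sample
# when no file is given.
count_excluded() {
    if [ $# -gt 0 ]; then
        plist_array_strings "$KEY" < "$1"
    else
        printf '%s\n' "$SAMPLE_PLIST" | plist_array_strings "$KEY"
    fi | wc -l | tr -d ' '
}
```

On the Mac itself, `plist_array_strings "$KEY" < "$PLIST"` prints the entries and `count_excluded "$PLIST"` gives the count, which is a cheap thing to diff across OS updates to notice when the list changes. If the file turns out to be a binary plist rather than XML, convert it first with `plutil -convert xml1 -o - "$PLIST"` and pipe that in.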
As for ‘happening out of the taxpayer’s purse’ - currently those who spend the money from the taxpayers purse in almost all jurisdictions are seeking to outlaw or seriously curtail encryption that they cannot break.
If you want to accelerate and make permanent the loss of control, get the government involved.
What we need is to build the infrastructure that would allow for decentralized trust of software and to make it as easy to use as an App Store.
If you can't have meaningful competitive advantage or differentiation, it's kind of hard to make money.
Which is what happens when a government sails in and starts granting monopolies.
Copyright is an artificial monopoly. Patents are artificial monopolies. There are a bunch of weird people out there who call themselves "libertarians", but somehow favor the government creating such restrictions on people's liberty. They're confused and should be ignored.
Trade secrets are perhaps slightly less artificial, but they are clearly destructive in an enormous number of ways.
If, as lawgiver, one were to totally eliminate all imaginary property and outlaw commercial secrets, one could arrange a society where a lot of people could make a very nice living. It might be harder to become a tycoon. Which would be all to the good.
A bit like what Qubes OS does.
They commented on all the *gates and even the ocsp issue which reached mainstream media.
But this is so low level (normal people don’t know or care about firewalls except it’s running, or understand why it’s bad for Apple to bypass it) that it won’t become big enough to get that kind of press and response.
Once it’s exploited and has a pretty name, maybe.
I can understand why they think they can do this - they create the OS, so you implicitly "trust" them - but that position doesn't mean you shouldn't be able to grant others that same trust, IMHO.
Apple marketing is disgusting.
From https://www.apple.com/privacy/ :
Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.
The hardware may be outstanding and the OS could have been the top choice for me if only I knew it was my machine. As that is not the case, I will be sticking to a Linux laptop for good and bad.
However, every other point you make here is accurate.
This is beyond irresponsible. Apple knows there's going to be bugs in their code. Doing it anyway is completely hypocritical to their own privacy-focused marketing.
Such an application is extremely annoying for normal users.
You can't customize the OS, the software for the platform is available on Windows and Linux, and the hardware is overpriced and underpowered, and then there's stuff like this where Apple decides how you should use _your_ computer. I sincerely do not understand why anyone would ever purchase an Apple computer, and yet here we are, again.
Especially confusing to me is how many of my fellow web developer peers I see choosing Apple devices over literally any other laptop with Windows or Linux which will run circles around a Macbook of the same price range.
Some universities used to (and probably still do) provide internet access over unencrypted Wi-Fi networks, with the VPN gateway as the only reachable host.
Hypocrites. The whole Industry.
I was hopeful to switch to Apple silicon.
This architectural decision alone is enough to make Big Sur and its successors a permanent non-starter.