Apple apps on Big Sur bypass some firewalls and VPNs

593 points by esolyt over 4 years ago

25 comments

wizee over 4 years ago
Apple apps do bypass NEFilterDataProvider (used by application firewalls like Little Snitch), and the per-app VPN mechanism (using NEAppProxyProvider). Thus, per-app VPNs can't be applied to Apple applications, but per-app VPNs were never intended to globally intercept traffic. Claiming that Apple apps bypass (all) VPNs in Big Sur is deceptive - they only bypass per-app VPNs that were never intended to cover all system traffic in the first place.

Traditional VPNs that cover the whole system and route traffic based on destination IP (such as OpenVPN in UTUN mode) use the Packet Tunnel Provider in Destination IP mode. To the best of my knowledge, global VPNs routing based on destination IP (i.e. non per-app VPNs) still route traffic from all applications, including Apple ones.

See this for more details on the Packet Tunnel Provider: https://developer.apple.com/documentation/networkextension/netunnelprovidermanager

olalonde over 4 years ago
If you're serious about using a VPN, I strongly recommend getting an OpenWRT capable router and setting up your VPN there. Some benefits:

- It's physically impossible for your devices to bypass the VPN.
- It also works with devices that have poor or nonexistent VPN support (e.g. Roku, smart TV, etc.).
- You only have to configure it once vs having to configure it on all your devices.
- You can easily and quickly toggle the VPN by switching to a Wifi that doesn't have VPN setup.

I've been using GL.iNet's travel routers for many years and can't recommend enough (no affiliation other than being a customer). Just ordered their new Beryl router[0].

[0] https://www.gl-inet.com/products/gl-mt1300/

pfortuny over 4 years ago
So, there is no software way to prevent this? This is as crazy as it gets, and totally unbelievable.

So there are no true VPN apps in Big Sur *at all*? Or true firewalls?

Honestly, this is so hard to believe that it cannot be untrue. They are totally sick at Apple.

fbelzile over 4 years ago
Well, this is great news for malware developers (including intelligence agencies)! Apple might as well just have said: "Here, malware developers, focus your efforts on these few apps. The payout when you find an exploitable vulnerability is fully unmonitored, unfettered access to the network (by default) to do as you please."

This is beyond irresponsible. Apple *knows* there's going to be bugs in their code. Doing it anyway is completely hypocritical to their own privacy-focused marketing.

wilt over 4 years ago
This type of crap is why I stopped using Windows and macOS. I don't want my security to be compromised because of some idiot in a suit making a bad call.

gvv over 4 years ago
> The big question though is why the company’s doing this. So far, it hasn’t said why Apple apps on Big Sur are exempt from firewalls and VPNs, but there are some theories.

I'm also genuinely curious, what is the main benefit of doing this and if it's done by design.

supermatt over 4 years ago
This is another example of Apple's platform treating Apple apps "preferentially" - one of the points raised in the ongoing App Store complaint.

I can understand why they think they can do this - they create the OS, so you implicitly "trust" them - but that position doesn't mean you shouldn't be able to grant others that same trust, IMHO.

lprd over 4 years ago
I'm getting more and more incentive to just drop macOS and start using Linux as my daily driver. Apple has absolutely no excuse for this, and I hope they correct it.

That said, I am curious which laptop brands today are most compatible with Linux. I've heard good things about Lenovo and Dell XPS. As for which flavor of Linux, I have my eyes on Arch...

baq over 4 years ago
Stallman, for all his faults, predicted exactly this and fought an uphill battle to prevent it. If only there was money in GPL software to make it competitive on the desktop, not just usable. It's something that would have to happen out of taxpayer's purse, I'm afraid.

intricatedetail over 4 years ago
Big Sur(veillance). This should be illegal.

blub over 4 years ago
I'm glad that people are putting pressure on Apple to fix this and hope that they do.

That being said, I think many comments here are out of touch. We're talking about a specialized security feature which is not easily available on other platforms, is only used by a minority of users and *still works* for most programs.

What exactly are your threat models that this is causing a problem for you? Are you sure that you can even use a mainstream OS if you need to block all outbound connections? If I had to have complete control over my outbound connections, I would use a hardware/software solution sitting between the computer and router.

Secondly, is this *really* bypassing VPNs or only the new firewall API? e.g. is it bypassing WireGuard?

mantap over 4 years ago
We are getting towards the point where we will have to boot up into a full screen Linux VM because the outer operating system is too laden with crap like this (and secure boot).

lxgr over 4 years ago
Besides the privacy/security implications, this seems like it would also break these apps for all network topologies that only grant internet access through a VPN.

Some universities used to (and probably still do) provide internet access over unencrypted Wi-Fi networks, with the VPN gateway as the only reachable host.

Zetaphor over 4 years ago
Serious question, what does Apple offer that brings people back to them after an event like this, or the last one, or the one before that?

You can't customize the OS, the software for the platform is available on Windows and Linux, and the hardware is overpriced and underpowered, and then there's stuff like this where Apple decides how you should use _your_ computer. I sincerely do not understand why anyone would ever purchase an Apple computer, and yet here we are, again.

Especially confusing to me is how many of my fellow web developer peers I see choosing Apple devices over literally any other laptop with Windows or Linux which will run circles around a Macbook of the same price range.

ratsimihah over 4 years ago
I see a bright future for Linux.

albeva over 4 years ago
So much for their much hyped Safety and Security and Privacy ...

Hypocrites. The whole Industry.

xvector over 4 years ago
Why hasn’t Apple responded to this? What the hell?

xbar over 4 years ago
Color me depressed.

I was hopeful to switch to Apple silicon.

This architectural decision alone is enough to make Big Sur and its successors a permanent non-starter.

amelius over 4 years ago
"Apple appliances are not allowed in this building. You can leave them in the bin next to the umbrellas. Thank you."

ramtatatam over 4 years ago
On Linux I can configure programs to use VPN link or not to use it so I guess it would also be the case with Mac? I would expect apps not to bypass default route settings, not being Mac user I can only guess default route can be set there, but would OS somehow provide alternative routes if it detects default route is VPN?

stryker7001 over 4 years ago
Does this really matter to anyone except a select few people? That's the issue I see here over and over. Missing the forest for the trees. No solution is perfect, but there's a feeling of exceptionalism that permeates this website.

ReptileMan over 4 years ago
Pocket router with DD-WRT running and OpenVPN is my solution lately.

woahAcademia over 4 years ago
Remember this when their ads touting privacy/security inevitably are presented to you.

Apple marketing is disgusting.

dd82 over 4 years ago
It's not a bug, it's a feature!

lmilcin over 4 years ago
You need to understand, when buying this kind of device, it is not yours. It may be convenient, shiny and powerful, but somebody else decides what it does and that means you are not in control.

The hardware may be outstanding and the OS could have been top choice for me if only I knew it is my machine. As it is not the case, I will be sticking to Linux laptop for good and bad.