from Hacker News

The Future of Tun and Tap VPNs on macOS (2020)

by wener on 2/24/22, 6:46 AM with 15 comments

  • by willcipriano on 2/24/22, 8:07 AM

    I ran into this at work with VirtualBox. Upgrade to Monterey helpfully tells you that a lot of your apps aren't going to work, after you have upgraded. Then anything using those system extensions fails every few days without explanation, so you have to reinstall everything and push the car up the hill again.

  • by digitalsushi on 2/24/22, 1:57 PM

    Someone correct my foggy experience with this -

    The 'tun' (tunnel) interface is user accessible, because it's creating a layer 3 packet/datagram, and programs are expected to need to be able to write these to do their job (web browsers send packets to a web server; email clients send packets to a mail server, et cetera).

    The 'tap' (like a viper's fang injecting venom) interface is not user accessible. It requires a privilege escalation to perform the operation of receiving all of the layer 2 frames on a network interface. This allows the software access to greater information, and allows the reception and introduction of broadcast traffic, snooping on frames destined for other stations, and allows for a more comprehensive managing of the local network.

    It's been a very long time.

  • by skissane on 2/24/22, 8:15 AM

    Could a VM be used as a workaround? Assumably VMs are still going to support Ethernet. Maybe someone could write a super-lightweight VM (maybe using a unikernel) which just forwards Ethernet packets to/from a virtual socket?

  • by disruptiveink on 2/25/22, 10:43 AM

    > Apple proposes that programs such as Tunnelblick be modified to use a different method to accomplish the function that the system extensions currently perform. The current Tunnelblick developers do not have the time or expertise to use the new method Apple proposes and have no plans to do so. Tunnelblick's value proposition is that it's a way to use OpenVPN on macOS. What's its point if it stops doing that?

    I'd have much more sympathy if it was a cross-platform application or if they had to keep rewriting/refactoring code multiple times because Apple kept changing different APIs from under their feet. That's not the case. Their only platform is macOS and AFAIK this is the only meaningful API migration they are being forced to do in 11 years. I know we cannot demand anything from Open Source maintainers, but is it really too much to ask that if you're the maintainer of a very popular security-related application, you either learn how to code for the platform you're targeting or you pass on the torch?

    I just don't understand the obsession with clinging on to being the unwilling maintainer for something that you don't master when the option of passing on the torch is always there. Someone willing will always pick up something as important as an OpenVPN client for an extremely popular operating system.

  • by plandis on 2/24/22, 5:48 PM

    I recently started working on implementing a user-space IP/TCP implementation on my MacBook, and honestly configuring the utun driver is a huge pain. There isn't really any good documentation for it, and I ended up having to reverse engineer how to use it by looking at the source code of other projects that configured it (shout out to Cloudflare's WireGuard implementation!).

    On top of that, utun devices seem to add a weird 4 bytes of data to the front of layer 3 packets to indicate the protocol (which was also confusing and undocumented AFAICT).
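The 4-byte prefix described in the comment above is the packet's address family in network byte order (AF_INET = 2, AF_INET6 = 30 on macOS; note the IPv6 value differs from Linux's). The following is an added example, not code from the thread or from any project it names: a small Python framer/unframer for that header that also rejects frames whose header disagrees with the IP version nibble, so a user-space stack never trusts the prefix blindly. The sample IPv4 packet is constructed for the demo (checksums are not computed).

```python
import struct
from typing import Tuple

# Address-family values as used by the macOS (XNU/BSD) kernel. They are hard-coded
# rather than taken from socket.AF_* because on Linux AF_INET6 is 10, not 30.
DARWIN_AF_INET = 2
DARWIN_AF_INET6 = 30
UTUN_HDR = struct.Struct("!I")  # 4-byte address family, network byte order
_FAMILY_FOR_VERSION = {4: DARWIN_AF_INET, 6: DARWIN_AF_INET6}


def utun_unwrap(frame: bytes) -> Tuple[int, bytes]:
    """Strip the utun header from a frame read from the device.

    Returns (family, ip_packet). Raises ValueError if the frame is too short or
    the family header does not match the IP version nibble of the payload.
    """
    if len(frame) < UTUN_HDR.size + 1:
        raise ValueError("frame too short for utun header plus IP header")
    (family,) = UTUN_HDR.unpack_from(frame)
    packet = frame[UTUN_HDR.size:]
    version = packet[0] >> 4
    expected = _FAMILY_FOR_VERSION.get(version)
    if expected is None or family != expected:
        raise ValueError(f"utun family {family} does not match IP version {version}")
    return family, packet


def utun_wrap(packet: bytes) -> bytes:
    """Prepend the header the utun device expects before an IP packet is written."""
    if not packet:
        raise ValueError("empty packet")
    family = _FAMILY_FOR_VERSION.get(packet[0] >> 4)
    if family is None:
        raise ValueError("payload is not an IPv4 or IPv6 packet")
    return UTUN_HDR.pack(family) + packet


# Constructed sample: minimal IPv4 header (20 bytes, proto UDP) + 8-byte UDP header.
SAMPLE_IPV4 = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
    bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
) + struct.pack("!HHHH", 12345, 53, 8, 0)
SAMPLE_FRAME = UTUN_HDR.pack(DARWIN_AF_INET) + SAMPLE_IPV4  # as read from utun

if __name__ == "__main__":
    fam, pkt = utun_unwrap(SAMPLE_FRAME)
    print(f"family={fam} ipver={pkt[0] >> 4} len={len(pkt)}")
```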

  • by wut42 on 2/24/22, 4:26 PM

    Tuns are easily fixed by using utuns. Tap is mostly an issue, but also not-so-much an issue. There's an ok workaround of using `feth` interfaces with a `bpf` socket.

  • by WayToDoor on 2/24/22, 8:03 AM

    I think this is (2020)

  • by jamesy0ung on 2/24/22, 8:53 AM

    I usually use OpenVPN Connect.