A VPN for me but not you: a surprise when tethering to my phone

April 14, 2019

My phone supports VPNs, of course, and I have it set up to talk to our work VPN. This is convenient for reasons beyond mere privacy when I'm using it over networks I don't entirely trust; there are various systems at work that can only be reached from 'inside' machines (including the VPN server), or which are easier to use that way.

My phone also supports tethering other devices to it to give them Internet access through the phone's connection (whatever that is at the time). This is built into iOS as a standard function, not supplied through a provider addition or feature (as far as I know Apple doesn't allow cellular providers any control over whether iOS allows tethering to be used), and is something that I wind up using periodically.

As I found out the first time I tried to do both at once, my phone has what I consider an oddity: only the phone's traffic uses the (phone) VPN, not the traffic from any tethered devices. The VPN is for the phone only, not for any attached devices; they're on their own, which is sometimes inconvenient for me. It would be a fair bit easier if any random machine I tethered to the phone could take advantage of the phone's VPN and didn't have to set up a VPN configuration itself.

(In fact we've had problems on our VPN servers in the past when there were multiple VPN connections from the same public IP, which is what I'd get if I had both the phone and a tethered machine using the VPN at the same time. I think those aren't there any more, although I'm not sure.)

As far as I know, there is no technical requirement that forces this; in general you certainly could route NAT'd tethered traffic through the VPN connection too. If anything, my phone may have to go out of its way to route locally originated traffic in one way and tethered traffic in another way (although this depends on how NAT and VPNs interact in the iOS kernel). Doing things this way seems likely to be mostly or entirely a policy decision, especially by now (after so many years of iOS development, and a succession of people asking about this on the Internet, and so on).

(I don't currently have a position on whether it's a good or a bad policy decision, although I think it is a bit surprising. I certainly expected tethered traffic to be handled just the same way as local traffic from the phone itself.)

Comments on this page:

By mtk@acm.org at 2019-04-14 22:29:27:

It's been a while since I tried, but I believe my Android phone w/NordVPN does the right thing.

I'll go ahead and assert that this is probably a bad policy decision, since it seems to violate the principle of least astonishment. I think that "I certainly expected tethered traffic to be handled just the same way as local traffic from the phone itself." is a pretty reasonable expectation and unless there's some very good reason I'm not aware of, they shouldn't have gone against that.

(Full disclosure: I work for Google, but not on Android. This comment is solely my own opinion; I don't even know whether Android does the "right" thing according to me.)

It can be controlled by the carrier on iOS these days. I'm on Straight Talk (wal-mart branded tracfone) in the US, and I can get a dialog box pointing me to the tracfone website to set it up. IIRC, there wasn't any option when I got the service a couple years back; it just said "not supported by your carrier."

(I'm not going to dig any deeper today. I assume it's so they can charge me extra for literally no work on their part, since they're "low cost.")

By Tom at 2019-04-16 15:14:13:

It is maybe a bad policy decision if you only ever tether your own devices. It is probably common enough to let other people use your tether, in which case they should not have access to the VPN, that the default seems reasonable.

There are also implications here for managed phones (i.e., those that are owned and managed by a company or other organization and over which they have the same control as any other company computers). It's probably a given that most companies are going to demand at least the option to disable routing of traffic from outside the phone via the VPN, so the real question here is whether Apple wants to go to the trouble of providing the other option as well.

There seem to be a few places where Apple has cut useful features, possibly in the interest of ease of use for the less sophisticated. For example, on my Android phone I leave Bluetooth network tethering permanently on because it uses basically no power. This is quite convenient; I pull out my tablet or laptop and it's connected. But on an iPhone you need always to manually turn tethering on and off to save power because there's only one switch for it that switches both power-light Bluetooth and power-hungry WiFi tethering together.

Written on 14 April 2019.


Last modified: Sun Apr 14 20:59:30 2019