With iOS devices using an Always-on VPN there is no way for apps to access resources on their local network.
If I exempt an app to allow traffic outside the VPN tunnel, then it does not use the VPN tunnel at all.
What I would like to be able to do is to allow an app to access to the local network but still use the Always-on VPN as it's default route.
Has anyone figured out a way to make something like this work?
I see your point for the majority of cases. It wouldn't be an issue really if iOS would actually route all traffic over the VPN, but it does not route the subnet your phone is connected to. For example if you're connected to wi-fi that is using 192.168.1.0/24 that subnet is dead. The phone won't route it over the VPN and also won't allow access to it directly.
Then that's the way it is. They want all traffic going through their security gateway, that's what happens. You can't access resources on your local network.
Is it a company owned device, or your own personal device? If it's your personal device, then opt out and don't use it for business.
Contact your company IT organization and ask whether they can and are willing to enable on-LAN access for AirPrint printing or whatever.
That's the way a properly configured VPN is supposed to work. That's how it keeps the target network secure. Allowing access to both the local network and the target network creates a hole in the security of the target network.
Artooro wrote:
We have all the outside tunnel options turned on, for Air Print, Voicemail, Cellular Services.
If you’re on the current VPN client version, escalate a support request to the VPN provider for assistance establishing whatever particular local network access is required here, then.
VPN debugging can be “fun” with access to the VPN client and VPN server, and a switch port mirrored into packet capture.
Remotely debugging an unknown VPN (not) connecting to an unknown local service through forum postings...
The use-case here is to force all Internet traffic to go over a security gateway. Because they don't want to allow users to turn it off, on-demand VPNs don't work, so always-on is what we are using.
They are company owned devices. Well thanks for your clarification, I wanted to make sure I wasn't missing some option somewhere.
We have all the outside tunnel options turned on, for Air Print, Voicemail, Cellular Services.
That's correct. That is how a properly configured VPN is supposed to work.
Why are you using an always on VPN? Is this something mandated by your employer to access their network?
Access to LAN when using Always-on VPN
