HomeKit camera + VPN connectivity issues

If a HomeKit compatible camera’s live stream becomes inaccessible to an iOS device because you’re running a VPN or private DNS service, it may help to exclude the following routes.


I’m using Cloudflare’s 1.1.1.1 WARP, and had live-stream connectivity issues, so I entered each of the following into the Excluded Routes list, checking for camera connectivity after each entry, and restarting the 1.1.1.1 app and the Apple Home app.


It was a trial-and-error process using Bonjour service domain info from IBM, and Bonjour service nomenclature from Apple Developer.


In the 1.1.1.1 app:

—> Menu

—> Advanced

—> Connection Options

—> Excluded Routes


Scroll to the bottom and add one route at a time (no app restarts necessary, since you’re not testing like I was):


  • 169.254.0.0/32
  • NSNetService
  • NSNetServiceBrowser
  • CFNetService
  • CFNetServiceBrowser


Adding just the Bonjour service domain (first in the list) wasn’t enough to effect a change, so I added the underlying services.


I’d appreciate any input from Bonjour-, networking-, or iOS-savvy folks on any unintended consequences of the Excluded Routes I used. My terminology may be off, but I hope my method was understandable — I’m an unqualified but curious, middle-aged run-of-the-mill user. ✌🏼

iPhone XS Max

Posted on Jul 25, 2023 12:15 PM

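Added example, not code from the thread or from Apple or Cloudflare: what the Bonjour lookup behind a HomeKit camera actually is on the wire, and which of the entries above could ever match a camera address. Bonjour is DNS-SD carried over mDNS: a multicast UDP query to 224.0.0.251 port 5353 for the PTR name "_hap._tcp.local." (the HomeKit Accessory Protocol service type), answered with PTR, SRV, TXT and A records. NSNetService, NSNetServiceBrowser, CFNetService and CFNetServiceBrowser are names of Apple Foundation/CFNetwork API classes, not addresses, so an IP-prefix exclusion list cannot match them; and 169.254.0.0/32 covers the single address 169.254.0.0, while 169.254.0.0/16 covers the whole link-local block. The reply packet, camera name, host name, TXT values and 169.254.x.x address below are constructed for the example, not captured from a real device.

```python
"""Parse a (constructed) mDNS/DNS-SD reply for a HAP camera and check it
against an Excluded Routes list the way a prefix-based bypass would."""
import ipaddress
import struct

MDNS_GROUP = ("224.0.0.251", 5353)   # well-known mDNS multicast group and port
HAP_SERVICE = "_hap._tcp.local."     # HomeKit Accessory Protocol service type
PTR, SRV, TXT, A = 12, 33, 16, 1     # DNS record types used by DNS-SD


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, no compression."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_ptr_query(service: str = HAP_SERVICE) -> bytes:
    """The one-question multicast query a HomeKit controller sends (id 0 per mDNS)."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", PTR, 1)


def decode_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode a name at off, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the stream)."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode())
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_mdns_response(pkt: bytes) -> list[dict]:
    """Return every record (answers + authority + additional) as a dict."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                            # skip echoed questions
        _, off = decode_name(pkt, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        rec = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == PTR:                           # service instance name
            rec["target"], _ = decode_name(pkt, off)
        elif rtype == SRV:                         # priority, weight, port, host
            rec["port"] = struct.unpack("!HHH", rdata[:6])[2]
            rec["target"], _ = decode_name(pkt, off + 6)
        elif rtype == TXT:                         # length-prefixed key=value strings
            kv, i = {}, 0
            while i < len(rdata):
                n = rdata[i]
                k, _, v = rdata[i + 1:i + 1 + n].decode().partition("=")
                kv[k], i = v, i + 1 + n
            rec["txt"] = kv
        elif rtype == A:
            rec["address"] = str(ipaddress.IPv4Address(rdata))
        records.append(rec)
        off += rdlen
    return records


def hap_accessories(records: list[dict]) -> list[dict]:
    """Join PTR -> SRV -> A like a controller: one entry per advertised accessory."""
    srv = {r["name"]: r for r in records if r["type"] == SRV}
    txt = {r["name"]: r["txt"] for r in records if r["type"] == TXT}
    addr = {r["name"]: r["address"] for r in records if r["type"] == A}
    found = []
    for r in records:
        if r["type"] == PTR and r["name"] == HAP_SERVICE and r["target"] in srv:
            s = srv[r["target"]]
            found.append({"instance": r["target"], "host": s["target"], "port": s["port"],
                          "address": addr.get(s["target"]), "txt": txt.get(r["target"], {})})
    return found


def address_is_excluded(address: str, excluded_routes: list[str]) -> bool:
    """True if address lies in any IP prefix in the list; entries that are not
    prefixes (e.g. API class names such as NSNetService) can never match."""
    ip = ipaddress.ip_address(address)
    nets = []
    for route in excluded_routes:
        try:
            nets.append(ipaddress.ip_network(route, strict=False))
        except ValueError:
            continue
    return any(ip in net for net in nets)


def build_sample_response() -> bytes:
    """Constructed reply from a fictitious camera (not a capture). The A record
    uses a compression pointer back to the host name inside the SRV rdata."""
    inst, host = "Porch Camera._hap._tcp.local.", "Porch-Camera.local."
    pkt = struct.pack("!HHHHHH", 0, 0x8400, 0, 4, 0, 0)      # response, AA, 4 answers
    pkt += encode_name(HAP_SERVICE) + struct.pack("!HHIH", PTR, 1, 4500, len(encode_name(inst))) + encode_name(inst)
    host_off = len(pkt) + len(encode_name(inst)) + 10 + 6    # where host name will sit
    srv_rdata = struct.pack("!HHH", 0, 0, 51826) + encode_name(host)
    pkt += encode_name(inst) + struct.pack("!HHIH", SRV, 1, 120, len(srv_rdata)) + srv_rdata
    txt_rdata = b"".join(bytes([len(t)]) + t for t in (b"md=Porch Camera", b"ci=17", b"sf=0"))
    pkt += encode_name(inst) + struct.pack("!HHIH", TXT, 1, 4500, len(txt_rdata)) + txt_rdata
    pkt += struct.pack("!H", 0xC000 | host_off) + struct.pack("!HHIH", A, 1, 120, 4)
    return pkt + ipaddress.IPv4Address("169.254.12.34").packed


if __name__ == "__main__":
    cam = hap_accessories(parse_mdns_response(build_sample_response()))[0]
    print(cam["instance"], cam["host"], cam["port"], cam["address"])
    for routes in (["169.254.0.0/32", "NSNetService"], ["169.254.0.0/16"]):
        print(routes, "covers camera:", address_is_excluded(cam["address"], routes))
```

Run stand-alone it prints the resolved instance/host/port/address and then shows that the /32 list (with the class names silently ignored) does not cover a link-local camera address while /16 does. To see the real thing, `dns-sd -B _hap._tcp` on a Mac browses the same service type; the query bytes from build_ptr_query are what that tool multicasts.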
Question marked as Best reply

Posted on Jul 25, 2023 2:58 PM

Enabling Private Relay enables encrypted DNS via ODoH, though it is possible to provision an iPhone or iPad to use your preferred DoH DNS provider without using Private Relay.


Private Relay adds at least one hop to connections, as part of its two-hop design intended to mask the connection source from the destination, and from intermediate routers past the relay.


ODoH / DoH / DoT will add hops to the DNS server you’re referencing, with the usual barrage of hops behind that DNS server to the root servers and then authoritative DNS servers for the host names or host addresses not already in the DNS server local cache. ODoH / DoH / DoT can potentially get you to a faster DNS, or can get you to a DNS server with less of your stuff in its cache, but it does prevent intermediate routers from reading and potentially logging your DNS traffic. The destination DNS server can still log that, of course. That’s where ODoH helps.


Getting a first-few-hops VPN involved makes routing that much more complex (as both traditional full-path VPNs and usually-overhyped first-few-hops VPNs do), can disable encrypted DNS (DoH or DoT), and—outside of geolocation shifting for testing websites or such—provides no appreciably better security than the existing end-to-end encrypted connections the VPN badly wraps just part of, and all that at the cost of some of your privacy.


169.254.0.0/16 is a self-assigned IP address block, and finding hosts using addresses from that block usually means the local DHCP server isn’t playing well with others.


Some reading: https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF


It’s nice to be able to help the young folks, such as yourself. 🤭



4 replies

Jul 25, 2023 12:30 PM in response to TimSto

Remove the add-on first-few-hops VPN, remove the 1.1.1.1 app, remove any locally-added DNS references, enable iCloud+ Private Relay, and see if that works better.


This falls back to the existing tunnels including for DNS rather than double-wrapping the first few hops of the network traffic and upgrades the connection to what is effectively a two-hop Tor connection to mask originating IP addresses.

Jul 25, 2023 1:03 PM in response to MrHoffman

MrHoffman, cutting 1.1.1.1 out of the process fixes everything. Feel free to laugh, but in my ignorance, I thought WARP may be helpful to cover potential gaps/shortcomings in Private Relay — likely misinterpreting info from a Wired article or something addressing the question, “Is Private Relay REALLY Enough For Most Users, Or…” 🥸


I was aware that Cloudflare works with Apple for the provision of Private Relay, but unaware of the (now obvious) problematic redundancy of using both 1.1.1.1 and Private Relay simultaneously. I wasn’t adding more hops, was I? Just hopping twice in the same two places! Thanks for your input. 🤘🏼


Edits: typos

Jul 25, 2023 3:52 PM in response to MrHoffman

Thanks for your explanation and the linked PDF (which, I wish I’d read when Private Relay was introduced).


I have no need for geolocation shifting, and my DNS security requirements are modest, so using Private Relay on my iPhone seems to suffice.


I enjoy being able to streamline a process without compromising the desired end-state. Cheers! 🍻
