MacOS Sequoia blocking VPN, won't allow use of Messages and iCloud

Hold on there, @JDJD630 - the only VPN working have some work-arounds that even they do not fully recommend. I've never used Express VPN and have no skin in this, but before you jump ship you should consider this seems to be a change Apple made that will impact all VPN vendors. For now, you can either export your config and add an IKEv2 VPN profile manually, or else wait for a fix from Express VPN or Apple. If you try other VPN's, I am sorry to say you'll be just as dissatisfied.

And on that note, some fault has to go to the VPN vendors here. Apple makes the beta available to them, and the noise they are all making now really should have been made when the bug was noticed by users during pre-release testing. Granted, Apple released despite the user reports of VPN issues, but Express VPN should have issued a "Do Not Update" warning to users as well. So there is a lot of blame to go around, I guess is my admittedly unproductive comment.

UR403 wrote:

• I worked with Express VPN support and was able to get things to work.

Something to consider when using ExpressVPN:

• https://www.zdnet.com/article/trust-but-verify-an-in-depth-analysis-of-expressvpns-terrible-horrible-no-good-very-bad-week/

And for a VPN in general:

• https://gist.github.com/joepie91/5a9909939e6ce7d09e29
• https://overengineer.dev/blog/2019/04/08/very-precarious-narrative/

It is best to be informed before making a choice to use a VPN if you think you are doing it for security purposes. Using one supplied by your employer that is tailored to tunnel into their network is a legitimate use for one.

Apple has publicly released notes on the upcoming 15.1 version:

• Fixed an issue preventing iMessage and other third-party notifications from being received while your device is connected on a VPN. (136775545)

macOS Sequoia 15.1 RC Release Notes | Apple Developer Documentation

I can confirm Proton VPN works but other services like little snitch I had to allow incoming connections in firewall for making it work. normally I always blocked the incoming connection. But the latest 15.1.1 there still not been a fox for this issue.

Hi

I managed to make the things work, like going into the firewall advanced settings and let the security apps have the permissions. I guess we have too get used to the firewall works for once I guess me and many other are not used to it lol. But that is a good thing.

The latest release, MacOS Sequoia 15.1 appears to have fixed this issue.

Using NordVPN and I'm not experiencing any of these issues. On Sequoia 15.1.

So...I just tried sending iMessages and testing some file syncs to iCloud while ProtonVPN is active on the Mac Mini I upgraded to Sequoia yesterday. Everything works fine for me...no sign of disconnect/reconnects nor any issues with apps moving data around the cloud.

You may have other issues. Or this is specific to EU configurations, maybe (I'm in NA)?

Cthulhu wrote:

I also worked with TorGuard, ExpressVPN, and PIA (plus our corporate IT for their VPN). None of them work despite a lot of creative workarounds.

OK. Full stop here.

Sequoia made some significant changes to low-level networking. If you have some kind of requirement where you are also doing something funky with low-level networking, then you should not upgrade to Sequoia without significant testing. Ideally, you would've done that three months ago. You can certainly start your testing now if you want, but you should be testing on your dedicated test rig, not your production device. You do have a dedicated test rig, don't you?

If you need a VPN for work, then it is your employer's responsibility to perform all of this testing. Then, you can upgrade your device when your employer's IT direct you to do so. I realize that not everyone has competent IT support at work. That's what resumés are for.

Going beyond that, don't expect much from any of those consumer-grade VPNs. It's kind of like fine wine. If the wine has a swear word on the label, then it probably isn't fine. Same with VPNs. And if you are trusting your security to a VPN company, do some research on the company and see if they used to have a swear word in their name. Give them credit for changing their name, but don't give them your money or your data. These are security and privacy issues. Don't entrust your data to chest-bumping, venture-funded tech-bros who paint the internet with ads.

And please don't double-down and entrust your security to open-source political activists, or worse, US government intelligence agencies. That's the wrong direction.

There are really only a handful of legitimate and quasi-legitimate VPNs. Most of the VPN/"security" industry changes corporate ownership like most people change socks. I don't care who you thought you had entrusted your data to last month, somebody else has access to it this month.

And last but not least, review those changes in Sequoia. Review any other changes that you've made. Review any other 3rd party system modifications that you've installed. All of that matters - a lot.

ssd550 wrote:

I assume you are familiar with the concept of breaking changes. If Apple made breaking changes for Sequoia (who knows if Apple pays any mind to semantic versioning, but their current numbering scheme indicates some level of awareness) that were not communicated to the VPN vendors, then it's on Apple. If the breaking change was publicized in the beta releases, then it's on the VPN vendors for not being ready.

It really makes no difference what Apple does. Apple does what it does and all the crap where vendors have to react to what Apple does.

I can’t remember what it was, it was a couple of macOS versions ago, the release candidate worked without issue, but they changed something on the final release that broke a bunch of things.

If you do anything “enterprise,” you should never update anything until the enterprise IT clears it.

helpless55 wrote:

I can confirm Proton VPN works but other services like little snitch I had to allow incoming connections in firewall for making it work. normally I always blocked the incoming connection. But the latest 15.1.1 there still not been a fox for this issue.

That would appear to be working exactly as expected. By default the Firewall is turned off, so if you turned it on you would need to allow the connection to Little Snitch. It should not work if that connection has been blocked. In the past the application firewall was basically useless, which is why it was off by default. There seems to be some improvement in the Firewall and glad it is now working better than what it has. I leave my firewall off because I am not managing a local network and just using a single computer behind a router. Your computer is not exposed when behind a router unless you have enabled port forwarding to your specific computer. The only IP address visible is your router.

Just tested, I added the VPN app to the firewall allowed list on Mac and worked.

Fixed by 15.1 w/r/t Cloudflare 1.1.1.1 WARP.

Not mentioned in the release notes or I would've installed it a few hours earlier. Sigh.

Are you positive that it did not just sync while you were switching VPNs? Because I tried PIA, TorGuard, and a corporate Cisco and while the VPN is on with any app (from the vendor, or just OpenVPN) Messages does not sync.

Interesting, for some reason I'm pretty certain that Apple's end-to-end encryption mechanisms force Apple's own apps into a cipher tunnel separate from other network connections including 3rd party VPNs.

Something isn't playing nice - I wonder if it is just OpenVPN tunnels or if WireGuard tunnels have the same issue.

I have the same issue with a different VPN service. If the killswitch is engaged, it prevents any traffic from being transmitted outside the VPN, and post-update to Sequoia, this prevents the Messages app from working. If the killswitch is engaged, messages can be sent. So something in Sequoia is trying to force message traffic outside the VPN, instead of routing through the VPN. Messages should be respecting our VPN settings, not trying to work around them.