MacOS Sequoia blocking VPN, won't allow use of Messages and iCloud

I have the same issue with a different VPN service. If the killswitch is engaged, it prevents any traffic from being transmitted outside the VPN, and post-update to Sequoia, this prevents the Messages app from working. If the killswitch is engaged, messages can be sent. So something in Sequoia is trying to force message traffic outside the VPN, instead of routing through the VPN. Messages should be respecting our VPN settings, not trying to work around them.

In a tech support call with ExpressVPN, I was told ExpressVPN is aware of the issue and it has been escalated to get fixed. For the time being, in your ExpressVPN settings, in the "general" tab, uncheck the box "Network Lock: Stop all internet traffic if the VPN disconnects unexpectedly." This seemed to work to allow messages to be sent and received, as well as allows FaceTime calls through Mac OS's newest upgrade.

I investigated how protonvpn works - it leaks everything to apple servers, does not send over VPN. Probably they use "Apple APIs" to setup the VPN. The VPNs having issues right now are the ones not using Apple APIs (manually setting up tun devices). The VPNs having issues DO NOT LEAK everything automatically to apple, that is why they have problems. Once they whitelist apple servers (to allow out the physical interface) then iMessages, etc start working again.

But i have much more faith in the VPNs that do not work with iMessages currently, as they don't leak by default.

g_wolfman wrote:

Well, admittedly my comment about MITM was a bit hyperbolic...

Don't mind me. I was just pointing out a few "features" of the forum software that people might have missed, perhaps due to the grey-on-white text.

Alas, there's nothing that can be done about internet misinformation. Probably our last hope now is that AI chatbots will be able to inject some sanity and reason. It seems like those are the only thing people believe anymore.

Hold on there, @JDJD630 - the only VPN working have some work-arounds that even they do not fully recommend. I've never used Express VPN and have no skin in this, but before you jump ship you should consider this seems to be a change Apple made that will impact all VPN vendors. For now, you can either export your config and add an IKEv2 VPN profile manually, or else wait for a fix from Express VPN or Apple. If you try other VPN's, I am sorry to say you'll be just as dissatisfied.

And on that note, some fault has to go to the VPN vendors here. Apple makes the beta available to them, and the noise they are all making now really should have been made when the bug was noticed by users during pre-release testing. Granted, Apple released despite the user reports of VPN issues, but Express VPN should have issued a "Do Not Update" warning to users as well. So there is a lot of blame to go around, I guess is my admittedly unproductive comment.

I've got the same issue with Messages when connected to VPN (Cisco Secure Client 5.1.5.65) where I'm unable to send or receive messages. As soon as I disconnect from VPN it works. This started when I upgraded to macOS 15.

I reported to ExpressVPN support that the new version 11.61.1 didn't solve the problem, but they did then tell me about a new somewhat hidden feature in the new version under General that says "Allow Apple Services to bypass the VPN", which I have now turned on. Overnight I still had Messages blocked, but after a restart this morning they did show up. Can't say yet that the problem is fixed with this release of ExpressVPN and Sequoia 15.0.1, but will try it today to see. It does look like it requires a reboot of the Mac to get things corrected though.

helpless55 wrote:

I can confirm Proton VPN works but other services like little snitch I had to allow incoming connections in firewall for making it work. normally I always blocked the incoming connection. But the latest 15.1.1 there still not been a fox for this issue.

That would appear to be working exactly as expected. By default the Firewall is turned off, so if you turned it on you would need to allow the connection to Little Snitch. It should not work if that connection has been blocked. In the past the application firewall was basically useless, which is why it was off by default. There seems to be some improvement in the Firewall and glad it is now working better than what it has. I leave my firewall off because I am not managing a local network and just using a single computer behind a router. Your computer is not exposed when behind a router unless you have enabled port forwarding to your specific computer. The only IP address visible is your router.

Mac Jim ID wrote:

…Your computer is not exposed when behind a router unless you have enabled port forwarding to your specific computer. The only IP address visible is your router.

To add to that, if somebody is running a VPN with an endpoint “behind” the gateway-router box, then services behind the gateway-router on the host running the VPN and on the local network can potentially become visible to remote users.

VPN network connections can and variously do work in both directions, depending on the VPN and its configuration details.

I worked with Express VPN support and was able to get things to work.

TLDR:

• Download the latest Mac client from Express VPN (they've made an update - more on this below)
• Completely uninstall Express VPN - I used AppCleaner to remove left over files
• Uninstall the left over IKEv2 Network configuration
• Reboot
• Install newly downloaded version of Express VPN
• Login and configure Express VPN but do not select the new "Allow Apple Services to bypass VPN checkbox" - more on this below.
• Enjoy

Further history:

• I was unable to get iCloud drive, notes, or messages to sync
• The only workaround for me that worked was switching to IKEv2 (you have to turn off advanced protection to do that).
• I reached out to support and had a long chat where we tested many things.
• They have created a new version with a new checkbox to allow Apple Services to bypass VPN. See https://www.expressvpn.com/support/knowledge-hub/network-lock/#apple-services
• For some reason Express VPN did not suggest the update. Maybe it is on a rolling canary and it would have in the next few weeks.
• I installed the new version on top of the my existing version and tried enabling the new setting based on advice from support.
• This messed my machine up further. iCloud stopped syncing even when quitting Express VPN. I tried multiple configuration permutations but could not sync.
• I told support I was going to do a full uninstall and did the steps listed above. At that point it was working even without turning on the new "Allow Apple service to bypass VPN..." checkbox.
• But I was curious and checked it and did more testing. It seems that did allow Messages to work. But iCloud drive and Notes would not sync. My suspicion is that in a rush to fix it they only tested Messages and somehow made things worse for the other Apple services.
• I've gone back to using what is working for me which is the uninstall / reinstall of a the new version with the settings I normally used (auto protocol, Advanced Protection turned on, network lock and allow access to network devices. But I did no not have "Allow Apple Services...".
  • Note that this new setting like the Allow network devices setting is tied to network lock. If you do not have network lock enabled, it is irrelevant and apple services will work regardless of it being set.

All of this makes me wonder if the change Apple made is causing issues with pre-installed VPNs but somehow allows traffic for newly installed ones. It seems to either be that or some other change Express VPN made in the new release.

I hope this helps someone else.

I also worked with TorGuard, ExpressVPN, and PIA (plus our corporate IT for their VPN). None of them work despite a lot of creative workarounds.

PIA have an alpha out that fixes this, it's a pinned to the top of their sub-reddit. Works great for me!