MacOS Sequoia blocking VPN, won't allow use of Messages and iCloud

On a Mac mini M1, macOS 15.


I've been using ExpressVPN for years for my work. Recently I discovered I can't use iCloud while using VPN. I could work around it by simply using it on my phone, but it wasn't optimal. I also can't AirDrop while using VPN.


Now in this latest update, macOS is actively blocking my messages while using VPN, which is a big problem now as my clients communicate through that.


I can't whitelist anything through ExpressVPN and I don't see what I can do in macOS since I can't do anything to adjust this. It went from working to not working after the update.


Anyone else having this issue? I'd love a workaround as right now, it's not at all ideal with the new OS. Most of the features that I looked forward to aren't even available in Europe, which makes no sense. I somewhat understand the AI issue, but the screen sharing with your iPhone isn't available? Why? If I can screen share with my local machines, why not the iPhone? Something doesn't sit right with me in these latest updates.


Any help would be appreciated. Thank you in advance.


PS. How can I downgrade if I have to?

Mac mini, macOS 15.0

Posted on Sep 17, 2024 8:31 AM

Question marked as Top-ranking reply

Posted on Oct 27, 2024 11:36 AM

I worked with Express VPN support and was able to get things to work.


TLDR:

  • Download the latest Mac client from Express VPN (they've made an update - more on this below)
  • Completely uninstall Express VPN - I used AppCleaner to remove leftover files
  • Uninstall the leftover IKEv2 Network configuration
  • Reboot
  • Install newly downloaded version of Express VPN
  • Log in and configure Express VPN but do not select the new "Allow Apple Services to bypass VPN" checkbox - more on this below.
  • Enjoy


Further history:

  • I was unable to get iCloud Drive, Notes, or Messages to sync
  • The only workaround for me that worked was switching to IKEv2 (you have to turn off advanced protection to do that).
  • I reached out to support and had a long chat where we tested many things.
  • They have created a new version with a new checkbox to allow Apple Services to bypass VPN. See https://www.expressvpn.com/support/knowledge-hub/network-lock/#apple-services
  • For some reason Express VPN did not suggest the update. Maybe it is on a rolling canary and it would have in the next few weeks.
  • I installed the new version on top of my existing version and tried enabling the new setting based on advice from support.
  • This messed my machine up further. iCloud stopped syncing even when quitting Express VPN. I tried multiple configuration permutations but could not sync.
  • I told support I was going to do a full uninstall and did the steps listed above. At that point it was working even without turning on the new "Allow Apple service to bypass VPN..." checkbox.
  • But I was curious and checked it and did more testing. It seems that did allow Messages to work. But iCloud Drive and Notes would not sync. My suspicion is that in a rush to fix it they only tested Messages and somehow made things worse for the other Apple services.
  • I've gone back to using what is working for me, which is the uninstall / reinstall of the new version with the settings I normally used (auto protocol, Advanced Protection turned on, network lock and allow access to network devices). But I did not have "Allow Apple Services...".
    • Note that this new setting, like the Allow network devices setting, is tied to network lock. If you do not have network lock enabled, it is irrelevant and Apple services will work regardless of it being set.


All of this makes me wonder if the change Apple made is causing issues with pre-installed VPNs but somehow allows traffic for newly installed ones. It seems to either be that or some other change Express VPN made in the new release.


I hope this helps someone else.


95 replies

Sep 20, 2024 5:50 PM in response to Cthulhu

Cthulhu wrote:

As an information security professional, your advice is irresponsible, and some items in the link are uninformed or out of date. Many of us require a VPN for work, many of us for travel, and others use them to greatly reduce the advertising traffic which, if you've ever used one, you'd know can be a transformative online experience.

Please everyone saying "just stop using the VPN" - stop giving us advice. If you have no helpful advice on the topic, please just stay silent.

So many of us are reeling from the loss of services after this update, and we're trying together to find a solution. The solution is not to stop using a VPN. Just move on, please.


As an information security professional, you are undoubtedly well aware of the difference between end-to-end VPNs intended to connect into the internal network of an affiliated organization, and the first-few-hops VPNs.


The former are useful and necessary in some cases, though zero trust / beyondcorp is where many folks are now headed.


The latter first-few-hops VPNs provide negligible added security given widely-known credentials, and at substantial added overhead around the existing and secure end-to-end connections, while also being perfectly positioned to collect personally-identified network connection metadata. Too many of the vendors running these services appear sketchy, as well.


If you somehow do need a first-few-hops tunnel for CDN testing or geo-testing or such (and if somehow your own end-to-end VPN doesn't provide egress to the internet), an option that avoids the metadata collection of the commercial first-few-hops servers is running your own Algo VPN server.


If you want fewer ads, load an ad blocker. (Apple has been going to some effort to make data collection more difficult for entities with those ad blockers, too.)


In addition to the existing end-to-end encryption, Apple iCloud+ Private Relay also includes ODoH (which can be configured to the server of your choice) and obfuscates source and destination IP addresses; somewhat analogous to a two-hop Tor connection.

Oct 1, 2024 6:49 PM in response to g_wolfman

I did not read it that way and do not see it as sloppy. It does technically bypass the VPN for all Apple services, and leaks your real IP to Apple in VPN parlance (assuming no other layers of networking protection). And while I don't have any particular distrust of Apple, exceptions like this without split tunneling specifically configured by a user are not a pattern you want to start seeing. And there are important reasons in some parts of the world to be sure your data is properly proxied.

Oct 3, 2024 8:01 AM in response to Oberon-Station

YES YES YES, SAME HERE BEEN USING VPN FOR YEARS

UPDATED SEQUOIA 15 and VPN ON, IMESSAGES WON'T WORK

I REACHED OUT TO APPLE SERVICE, THEY HAVE TOLD ME

THERE ARE HUNDREDS IF NOT THOUSANDS OF US IN THE SAME BOAT as YOU n I

She said that they will fix this with next UPDATE VERSION, God knows when that will be, but it really made me double think about APPLE PRODUCTS AGAIN,


long story short, you're not the only one that is extremely disappointed with this update

Oct 7, 2024 3:10 PM in response to ssd550

ssd550 wrote:


etresoft wrote:
But that is a very important debugging step. If you turn the VPN off and that corrects the problem, then you know, with certainty, that the VPN is the problem.
Using the same logic: if you upgrade the OS and that breaks Messages and other apps while using a VPN, then you know, with certainty, that the OS is the problem?

No, it doesn’t work that way. Logic is rarely invertible. If A then B does not imply if B then A.


System modifications must be written to work with the OS. It does not work the other way around.

Oct 7, 2024 5:06 PM in response to ssd550

The moderator removed the last statement I made (because it "contained information about beta software"). It actually referenced the early release versions of 15.0. My point was that if breaking changes were introduced in Sequoia (already released at this point so this post is also not revealing any pre-release information, and it's common for major releases to change APIs) and VPN vendors did not make updates to handle those changes, then the VPN vendors are to blame for issues. The moderator-edited version makes it look like I'm blaming Apple. I'm not, as I don't have enough information. The same is true for the VPN vendors. I'm just hoping for a quick resolution.


The updated version provided to me by PIA today did not work.

Oct 9, 2024 12:44 PM in response to Cthulhu

When the issues started to crop up with Apple News and Stocks, the VPN vendor informed me that they were aware of the situation and were looking to Apple for a fix as it was out of their hands.


I can’t fully recall if this VPN issue started before macOS 15 moved out of beta, but I want to say it started with macOS 14.x.x.


At the time of this writing, Apple News, Stocks, and iCloud are working, but Messages is fully blocked.

Sep 17, 2024 8:59 AM in response to etresoft

Good idea, I'll try with Proton VPN for a moment to see if it makes a difference.


So wait, basically the EU is putting us all at risk by inviting that scenario?? Then people should start an EU petition to go against it and side with Apple to get some financial support to win a court ruling on this. This all sounds very counterintuitive from the EU to go against Apple this way. Come to think of it, the additional App Store other than the Apple one never made sense to me and opens up risks that aren't worth it.

Sep 19, 2024 7:17 AM in response to Oberon-Station

Bad news - I’ve even tried contacting ExpressVPN to tell them that Apple Mac users who have upgraded to Sequoia in Europe are now unable to send iMessages etc. if using ExpressVPN. Despite pleading with them to help, I get a sense it’s just sending out AI responses, as nothing they have suggested so far has worked.


Anyone able to get a sensible answer from actual engineers at ExpressVPN?

Sep 19, 2024 8:53 AM in response to Oberon-Station

Same here. I am able to use all the client-side certs and crazy complicated things to access various sites/portals, and all the low-level daemons and comms apps we work on are all up with no issues. All of that was well-tested before we updated, as was the VPN we were issued. I'd like to call out Apple for clearly not even trying Messages and FaceTime on any VPN, but, uh - neither did we. So blame all around, I suppose. Unfortunately it's the "corporate" VPN that I really need for work, but I did try ProtonVPN without success. We're wading through Wireshark traces, and we're stumped. I don't think it's something we or the VPN vendors can fix at this point. I am hoping it's something so obvious that we're all missing it looking deep in the weeds. :-)

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
