Maggie144

NetworkLock on macOS 11

The direction Apple is taking is getting ridiculous.

https://openradar.appspot.com/radar?id=5064458556669952

Guess with this problem, one cannot apply a proper NetworkLock anymore. Any thoughts?

Link to post

Sounds slightly Japanese to me (not an Apple guy) but NetLock is first and foremost a set of firewall rules, and AFAIK it's applied with pf on macOS, not with whatever this thing is supposed to be. So I'm guessing you're slightly on the wrong track here.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Link to post

Be careful, according to the Little Snitch dev there are some serious bugs in Big Sur with DNS tunneling and encryption. I can't use Eddie at all with Little Snitch on macOS 11, it kernel panics every time the two work together. It's either one or the other. It seems to be related to the network lock too. If it's not active, it seems to work, but with the network lock on, kernel panic about 2 minutes after you boot. I've had to use the Viscosity beta the last couple of weeks because I'm scared to try out Eddie (Little Snitch's pre-release notes still say it may be fixed when Big Sur is finally released but doesn't look like it has yet).

Link to post

Now that the macOS Big Sur (11) has been released, how does Eddie's network lock behave under these circumstances?

Link to post
Posted ... (edited)
16 hours ago, Overkill said:

Now that the macOS Big Sur (11) has been released, how does Eddie's network lock behave under these circumstances?


Every time I run the latest EDDIE, I have to reboot! 😞

It got privileges, establishes obviously a network lock EVEN IF I DON'T ACTIVATE THE LOCK AND crashes immediately!!! I have the latest LITTLE SNITCH running, too, without restrictions for EDDIE.

Edited ... by knaxclub

Link to post

6 hours ago, jeuia3e9x74uxu6wk0r2u9kdos said:

could be useful creating a post explaining the issue VPNs-Big Sur?


Some of the websites you linked to are misleading (thenextweb.com), are irrelevant (jacopo.io) or actually answer the question (Mullvad, Hacker News).
And you dare quoting The Verge :D


Link to post
9 hours ago, Staff said:
@jeuia3e9x74uxu6wk0r2u9kdos
@korsko
@Overkill

Hello!

Both AirVPN software for macOS, Eddie and Hummingbird, enforce Network Lock via pf rules, therefore nothing changes and leaks prevention stays as effective as usual even in macOS Big Sur.

Kind regards
 

Thank you.
I was concerned given all that Orwellian news about Apple apps bypassing firewalls.

Link to post
Guest

I have confirmed leak to: api.smoot.apple.com via NSExtension

<key>NSExtension</key>
<dict>
    <key>NSExtensionPointIdentifier</key>
    <string>com.apple.networkextension.filter-data</string>
    <key>NSExtensionPrincipalClass</key>
    <string>MyCustomFilterDataProvider</string>
</dict>

I wrote a .py script to enforce override to host to loop back to 127.0.0.0. However, this is on an OpenCore Hackintosh as I do not own a Mac.

Link to post

Hello!

More about macOS Big Sur, Eddie and Hummingbird.

Eddie and Hummingbird enforce Network Lock through pf rules. The mentioned problem is that kernel extensions are deprecated, and the new API NetworkExtensions includes exceptions to filtering rules which allow 56 Apple apps and services to bypass any filtering rule enforced via the API (which is quite atrocious and says a lot about Apple's respect toward its customers, but that's how it is). However, pf is the system firewall which is autonomous from NetworkExtensions API and its exceptions. Therefore Eddie and Hummingbird Network Lock are working fine just as usual.

Note that the NetworkExtensions exceptions were active even in Catalina. However, nobody noticed them because third-party firewalls bypassed them by relying on kernel extensions (kexts). Now that kexts don't work well anymore, the problem has exploded, but as usual you are safe with AirVPN Network Lock both in Eddie and Hummingbird.

Kind regards
 

Link to post
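
Because Network Lock is a set of pf rules, its state can be checked from the loaded ruleset (as printed by `sudo pfctl -sr`) rather than from any NetworkExtension-based filter. The following is an added example, not part of the original posts and not AirVPN's code: it audits a ruleset for a default-deny outbound policy and flags any pass rule that allows egress outside the tunnel. The sample rules, the interface name `utun3` and the server address `203.0.113.10` are constructed assumptions, and the parser only handles this simplified rule form.

```python
import ipaddress

# Constructed sample in the style of `pfctl -sr` output. Not Eddie's or
# Hummingbird's real ruleset; utun3 and 203.0.113.10 are assumptions.
LOCKED = """\
block drop out all
block drop in all
pass out quick on lo0 all flags S/SA keep state
pass out quick inet from any to 203.0.113.10 flags S/SA keep state
pass out quick on utun3 all flags S/SA keep state
pass in quick on utun3 all flags S/SA keep state
"""
# Same ruleset plus one rule that lets DNS leave on the physical interface.
LEAKY = LOCKED + "pass out quick on en0 proto udp from any to any port = 53 keep state\n"

def parse_rule(line):
    """Pull action, direction, interface and destination out of one rule."""
    tok = line.split()
    if not tok or tok[0] not in ("block", "pass"):
        return None
    after = lambda w: tok[tok.index(w) + 1] if w in tok[:-1] else None
    direction = "in" if "in" in tok else "out" if "out" in tok else "both"
    return {"action": tok[0], "dir": direction, "iface": after("on"),
            "dst": after("to") or "any", "text": line.strip()}

def dst_is_vpn_server(dst, servers):
    try:
        net = ipaddress.ip_network(dst, strict=False)
    except ValueError:  # "any", tables, lists: cannot be shown to be narrow
        return False
    return any(net.version == s.version and net.subnet_of(s) for s in servers)

def audit_lock(rules_text, tunnel_if, vpn_servers):
    """Return findings; an empty list means egress is confined to the tunnel."""
    allowed_if = {"lo0", tunnel_if}
    servers = [ipaddress.ip_network(s) for s in vpn_servers]
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    findings = []
    if not any(r["action"] == "block" and r["dir"] != "in"
               and r["iface"] is None and r["dst"] == "any" for r in rules):
        findings.append("no default-deny rule for outbound traffic")
    # Conservative: every pass rule is treated as reachable.
    for r in rules:
        if r["action"] != "pass" or r["dir"] == "in" or r["iface"] in allowed_if:
            continue
        if not dst_is_vpn_server(r["dst"], servers):
            findings.append("egress outside tunnel: " + r["text"])
    return findings

if __name__ == "__main__":
    for name, text in (("LOCKED", LOCKED), ("LEAKY", LEAKY)):
        print(name, audit_lock(text, "utun3", ["203.0.113.10"]) or "ok")
```
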

Hello, I am considering upgrading to a new MacBook Air and Big Sur (obviously), but have been concerned about these security issues. I have read this thread, but a few questions:

a. I am using Viscosity to run my AirVPN connections. Is this adequate to "enforce Network Lock through pf rules" which I gather will not allow Apple apps to 'phone home' and bypass my VPN and hence create a security issue?
b. Mention of "Eddie and Hummingbird". I will confess I don't know what these are. I assume apps to run my AirVPN connections? Should I get one of these and use instead of Viscosity?

Thanks for your help.

Link to post
@traveller

Hello!

Yes, both Hummingbird and Eddie are free and open source software by AirVPN. They are available for Mac too. They both enforce "Network Lock" by using pf (pre-installed by default on macOS by Apple) so you don't have to worry about traffic leaks outside the VPN tunnel. Please see here:
https://airvpn.org/macos

Kind regards
 

Link to post
