Question

When on a VPN (such as Private Internet Access), Continuity and Handoff stop working. Some VPNs such as PIA have a feature to exclude certain IP addresses, networks, or executables from the VPN. To make Continuity work to place and receive calls using my iPhone, an executable needs to be excluded. What executable should be excluded?

Solution

By excluding the executable /usr/sbin/mDNSResponder and either rebooting or killing the existing process, Continuity properly works to make and receive phone calls using an iPhone. This means VPN users can exclude that process and still gain functionality of Continuity if they want.

It should be noted that by excluding that executable they would be exposing its network traffic to the network without the protection of the VPN. Thus if on an insecure network it might be possible for the network provider to see what the user is doing (though the actual call traffic is encrypted, IIRC).

Different VPNs have different mechanisms. I know what works for PIA to exclude the executable, but I'm not familiar with all VPN packages. The PIA application UI doesn't allow for excluding just bare executables, but it is possible. Pulling from this post on the PIA forum, one needs to install a package called jq using Homebrew.

Once installed, it can be excluded via:

piactl -u applysettings '{"splitTunnelRules":'"$(cat /Library/Preferences/com.privateinternetaccess.vpn/settings.json | jq '.splitTunnelRules + [{"linkTarget":"","mode":"exclude","path":"/usr/sbin/mDNSResponder"}]' -c)"'}'

The FaceTime application should also be excluded, but that can be done through the PIA UI without any trouble.

The change is persistent and survives a reboot. Before the changes work, a person will have to reboot or kill the mDNSResponder process to force it to reload. Other services offer Split Tunnel as well to exclude certain applications, but as I said I don't know how to make it work for anything but PIA. Excluding the executable should work, so long as there is a way to do that.

As an add-on, I've also found that I need to exclude /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app as well as /usr/libexec/avconferenced from the VPN in order to make the connection reliable when using WiFi Calling. It appears the system establishes a VPN of its own using identityservicesd, and while I could not actually see any activity over the network from avconferenced, the system got really flaky about establishing a phone call until I excluded it. Not sure why.
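
The following is an added example, not part of the original answer and not PIA's own tooling. It builds the `applysettings` payload for the three paths named above without duplicating rules when run twice, and lists every path whose traffic ends up outside the tunnel; the sample settings content and the function names are constructed for illustration, and the rule fields follow the command shown in the answer.

```python
import json

# Paths the answer above excludes from the tunnel.
CONTINUITY_PATHS = [
    "/usr/sbin/mDNSResponder",
    "/System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app",
    "/usr/libexec/avconferenced",
]

# Constructed sample of settings.json content (only the key used here).
SAMPLE_SETTINGS = json.dumps({
    "splitTunnelRules": [
        {"linkTarget": "", "mode": "exclude", "path": "/Applications/FaceTime.app"},
        {"linkTarget": "", "mode": "exclude", "path": "/usr/sbin/mDNSResponder"},
    ]
})


def merge_exclude_rules(settings_text, paths):
    """Return splitTunnelRules with one exclude rule per path, no duplicates."""
    rules = list(json.loads(settings_text).get("splitTunnelRules", []))
    present = {(r.get("path"), r.get("mode")) for r in rules}
    for path in paths:
        if (path, "exclude") not in present:
            rules.append({"linkTarget": "", "mode": "exclude", "path": path})
            present.add((path, "exclude"))
    return rules


def applysettings_payload(settings_text, paths):
    """Compact JSON argument for: piactl -u applysettings '<payload>'."""
    merged = {"splitTunnelRules": merge_exclude_rules(settings_text, paths)}
    return json.dumps(merged, separators=(",", ":"))


def bypassing_paths(settings_text):
    """List every path whose traffic leaves outside the VPN (mode == exclude)."""
    rules = json.loads(settings_text).get("splitTunnelRules", [])
    return sorted(r["path"] for r in rules
                  if r.get("mode") == "exclude" and "path" in r)


if __name__ == "__main__":
    payload = applysettings_payload(SAMPLE_SETTINGS, CONTINUITY_PATHS)
    print(payload)                   # argument to pass to piactl
    print(bypassing_paths(payload))  # review list: traffic not protected by the VPN
```

Reviewing the `bypassing_paths` output before applying the payload shows exactly which processes will send traffic on the local network unprotected.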

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange