Open ilitchmax opened 1 year ago
I did some tests trying to reproduce your scenario but I couldn't. I believe you can provide more information to enable a better investigation, such as Lulu's logs when you connect to the VPN and do a simple access (like the ping command).
For simplicity, I created a rule for the ping utility (/sbin/ping) that allowed everything and blocked only the IP 1.1.1.1.
To get Lulu logs, run the command:
log stream --level debug --predicate="subsystem='com.objective-see.lulu'"
2023-05-28 16:49:35.299538-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] remote endpoint: 1.1.1.1:0 / url: (null)
2023-05-28 16:49:35.299890-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] no process found in cache, will create
2023-05-28 16:49:35.303695-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] generated process key: com.apple.ping
2023-05-28 16:49:35.306182-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] extracted parent ID 1 for process: 1275
2023-05-28 16:49:35.306282-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] extracted parent ID 0 for process: 1
2023-05-28 16:49:35.306299-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] retrieving audit token for 16054
2023-05-28 16:49:35.306320-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] retrieved audit token
2023-05-28 16:49:35.306447-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] looking for rule for com.apple.ping -> /sbin/ping
2023-05-28 16:49:35.306510-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] rule match: 'any'
2023-05-28 16:49:35.306523-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] rule port is any ('*'), will check host/url
2023-05-28 16:49:35.306557-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] checking 1.1.1.1 against (
"1.1.1.1"
) and just 1.1.1.1
2023-05-28 16:49:35.306571-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] checking 1.1.1.1 vs. 1.1.1.1
2023-05-28 16:49:35.306593-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] rule match: 1.1.1.1
2023-05-28 16:49:35.306605-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] rule match: 'partial' (endpoint addr)
2023-05-28 16:49:35.306946-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] found matching rule for 16054/ping: RULE: pid: all, path: /sbin/ping, name: ping, code signing info: {
signatureAuthorities = (
"Software Signing",
"Apple Code Signing Certification Authority",
"Apple Root CA"
);
signatureIdentifier = "com.apple.ping";
signatureSigner = 1;
signatureStatus = 0;
}, endpoint addr: 1.1.1.1, endpoint port: *, action: 0, type: 3
2023-05-28 16:49:35.306972-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] setting verdict to: BLOCK
2023-05-28 16:49:35.307008-0300 0x16ccd Debug 0x0 15670 0 com.objective-see.lulu.extension: [com.objective-see.lulu:extension] verdict:
drop = YES
remediate = NO
needRules = NO
shouldReport = NO
pause = NO
urlAppendString = NO
filterInbound = NO
peekInboundBytes = 0
filterOutbound = NO
peekOutboundBytes = 0
statisticsReportFrequency = none
I also tried looking for that VPN Shadowrocket 2.2.28 but it seems to be an iOS/Android only app. I was in doubt if it could be another network extension, since some sites report that it captures all content for proxying.
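A small reader for the debug output shown in the comment above, as an added example that is not part of the thread or of LuLu's code: it groups lines by thread ID and reports, per flow, the process path a rule was looked up for and the verdict that was set. It assumes all lines of one flow share a thread ID, as in the log above; the second flow in the sample (com.example.proxy, 192.0.2.10) is constructed.

```python
import re

# One `log stream` line: date, time, thread ID, ..., subsystem tag, message.
LINE = re.compile(r"^\S+\s+\S+\s+(?P<tid>0x[0-9a-fA-F]+)\s+.*?"
                  r"\[com\.objective-see\.lulu:extension\]\s(?P<msg>.*)$")
# Message shapes copied from the log in this thread.
ENDPOINT = re.compile(r"^remote endpoint: (?P<host>\S+):(?P<port>\d+) / url: ")
LOOKUP = re.compile(r"^looking for rule for (?P<key>\S+) -> (?P<path>.+)$")
VERDICT = re.compile(r"^setting verdict to: (?P<verdict>\S+)")

def summarize(lines):
    """Return one dict per flow: endpoint, process key/path, verdict (None if not logged)."""
    pending, done = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines of multi-line messages carry no header
        tid, msg = m["tid"], m["msg"]
        if (e := ENDPOINT.match(msg)):
            if tid in pending:  # earlier flow on this thread never logged a verdict
                done.append(pending.pop(tid))
            pending[tid] = {"host": e["host"], "port": int(e["port"]),
                            "key": None, "path": None, "verdict": None}
        elif tid in pending:
            if (l := LOOKUP.match(msg)):
                pending[tid].update(key=l["key"], path=l["path"])
            elif (v := VERDICT.match(msg)):
                pending[tid]["verdict"] = v["verdict"]
                done.append(pending.pop(tid))
    return done + list(pending.values())

def verdicts_by_path(flows):
    """Map each process path to the (host, verdict) pairs attributed to it."""
    out = {}
    for f in flows:
        out.setdefault(f["path"], []).append((f["host"], f["verdict"]))
    return out

# Sample: thread 0x16ccd repeats lines from the log above; thread 0x16cd0 is constructed.
PFX = ("2023-05-28 16:49:35.3-0300 {} Debug 0x0 15670 0 "
       "com.objective-see.lulu.extension: [com.objective-see.lulu:extension] ")
A, B = PFX.format("0x16ccd"), PFX.format("0x16cd0")
SAMPLE = [A + "remote endpoint: 1.1.1.1:0 / url: (null)",
          B + "remote endpoint: 192.0.2.10:443 / url: (null)",
          A + "looking for rule for com.apple.ping -> /sbin/ping",
          B + "looking for rule for com.example.proxy -> /Applications/ExampleProxy.app/Contents/MacOS/ExampleProxy",
          A + "checking 1.1.1.1 against (", '"1.1.1.1"', ") and just 1.1.1.1",
          A + "setting verdict to: BLOCK"]

if __name__ == "__main__":
    for path, seen in verdicts_by_path(summarize(SAMPLE)).items():
        print(path, seen)
```

Run over a capture taken while the VPN or proxy is active, the per-path view shows which process each connection was attributed to.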
I'm afraid this is expected. Shadowrocket is not a VPN, but a proxy. If a proxy is set, requests will go to the proxy first, then Shadowrocket will send the actual requests. So the firewall can only see the one that sends the actual requests.
Indeed, I have disabled the China version of Evernote from accessing the internet, but as soon as I use a VPN, the internet connection is restored.
Good morning!
macOS 13.3.1, Lulu 2.4.3, MacBook Pro M1, Shadowrocket 2.2.28
Firstly, thank you very much for such a great app. I've been using it for a couple of years now, the rules work, internet access is blocked, but recently I've needed to use the VPN a lot and that's when things started to get tricky.
The problem is that the apps bypass Lulu's rules when the VPN is enabled. So, for example, if I create a rule that completely denies Spotify access to the internet, everything works fine. However, if I turn on the VPN, Spotify starts working and accesses the internet.
I'm assuming it's probably because Lulu is ignoring the local network, but I don't understand what to do about it. Could you please help with a solution to this problem?