I'm reading the documentation of the App Proxy Provider and the Packet Tunnel Provider and am a bit puzzled.
The docs state that packet tunnel providers send and receive packets from/to the system, while app proxy providers send/receive flows to/from the system.
What's confusing from the packet tunnel provider documentation:
Packet tunnel providers can run in destination IP mode or source-application mode. The latter is one form of per-app VPN (the other form is an App Proxy Provider).
But in the NETunnelProvider class it says:
The default is NETunnelProviderRoutingMethodDestinationIP.
So by default, the Packet Tunnel Provider is actually an App Proxy Provider? What am I missing? Could someone explain their difference?
AppProxy and PacketTunnel are two options for implementing a VPN.
The AppProxy works with so-called Flow objects; each flow is started by some application. The AppProxy receives the flow and forwards it somewhere.
The PacketTunnel works with packets. It receives a packet and can do something with it (for example, modify it) before it goes to the network.
Now, the part of the documentation that may be causing you trouble relates to the question: which flows/packets exactly do AppProxy and PacketTunnel receive?
AppProxy:
The NEAppProxyProvider class provides access to flows of network data in the form of NEAppProxyFlow objects. Each NEAppProxyFlow object corresponds to a socket opened by an app that matches the app rules specified in the current App Proxy configuration.
That means all flows that match your rules go to your class method first, and are then routed to some new address.
PacketTunnel:
Packet tunnel providers can run in destination IP mode or source-application mode.
That means you can set a rule like "each packet that goes to <list of IP addresses> should go through my class method and then into the tunnel"; this is destination IP mode.
Or you can set a rule like "all packets from the app with bundle ID com.my.app now go to my class method first and then into the tunnel". This is source-application mode.
This (the source-application mode of PacketTunnelProvider) is one of the per-app VPN forms, because it focuses on the application that produces the traffic.
The AppProxy is also focused on the application that produces traffic, so it is the other form of per-app VPN, but it gives you the flow object the app produces, not the packets with IP and TCP/UDP headers.
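As an added illustration (not code from the question, the answer, or Apple's own samples), here is a minimal Swift sketch of both provider types side by side, showing what each one is handed by the system: whole IP datagrams for the packet tunnel, application-level payload for the app proxy. The tunnel addresses and the included route are constructed placeholders, and which routing method a packet tunnel actually runs in comes from the installed VPN configuration (NETunnelProviderManager.routingMethod is read-only), not from the provider's code.

```swift
import NetworkExtension

// Packet tunnel provider: receives raw IP datagrams; includedRoutes picks the destinations (destination-IP mode).
final class DemoPacketTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Constructed example addresses; a real tunnel learns them from its server.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.1")
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
        // Only packets addressed to 198.51.100.0/24 are diverted into this provider.
        ipv4.includedRoutes = [NEIPv4Route(destinationAddress: "198.51.100.0", subnetMask: "255.255.255.0")]
        settings.ipv4Settings = ipv4
        setTunnelNetworkSettings(settings) { error in
            if error == nil { self.readLoop() }
            completionHandler(error)
        }
    }

    private func readLoop() {
        packetFlow.readPackets { packets, protocols in
            for (packet, family) in zip(packets, protocols) {
                // Each Data is a whole IP datagram, IP and TCP/UDP headers included.
                let ipVersion = Int(packet.first ?? 0) >> 4
                NSLog("IPv%d datagram, address family %@, %d bytes", ipVersion, family, packet.count)
            }
            self.readLoop()
        }
    }
}

// App proxy provider: one NEAppProxyFlow per matching app socket; payload only, no headers.
final class DemoAppProxyProvider: NEAppProxyProvider {
    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) { completionHandler(nil) }
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // Returning false lets the system carry the flow itself (here: anything non-TCP).
        guard let tcp = flow as? NEAppProxyTCPFlow else { return false }
        let app = flow.metaData.sourceAppSigningIdentifier
        NSLog("TCP flow from %@ to %@", app, String(describing: tcp.remoteEndpoint))
        tcp.open(withLocalEndpoint: nil) { error in
            guard error == nil else { return }
            tcp.readData { data, _ in
                // `data` is the app's bytes only: there is no IP or TCP header to parse.
                NSLog("%d payload bytes from %@", data?.count ?? 0, app)
                tcp.closeReadWithError(nil); tcp.closeWriteWithError(nil)
            }
        }
        return true
    }
}
```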