MacOS Sequoia blocking VPN, won't allow use of Messages and iCloud

As an information security professional, your advice is irresponsible, and some items in the link are uninformed or out of date. Many of us require a VPN for work, many of us for travel, and others use them to greatly reduce the advertising traffic which, if you've ever used one, you'd know can be a transformative online experience.

Please everyone saying "just stop using the VPN" - stop giving us advice. If you have no helpful advice on the topic, please just stay silent.

So many of us are reeling from the loss of services after this update, and we're trying together to find a solution. The solution is not to stop using a VPN. Just move on, please.

This is from PIA Support:  "This is a known and reported bug and our engineers are already working on it."

I had the same problem. ExpressVPN support asked me to change the protocol (had it set to Automatic) to IKEv2. That fixed it for me.

This resolved for VyprVPN as well. Wireguard prevented Messages from flowing, changing to IKEv2 fixed it.

I know a lot of people are saying the problem exists with the VPN, but I am not sure that is correct. Following proper debugging techniques, I have figured out that the problem has to be with something that Sequoia has changed. I have been using the same VPN client (Tunnelblick 6.0beta 6), with the same OVPN credentials and configuration, on the same piece of hardware (MacBook Pro M3 Pro). Before upgrading to Sequoia, I could message using iMessage, make SMS messages out and in, and have phone calls through my Mac; all while my VPN was connected. Since upgrading to Sequoia, all of those Continuity functions do not work at all while connected to the VPN.

So, given all of that information, something within Sequoia is not playing nice with VPN connections in regards to Apple's Continuity software.

Hopefully, Apple comes out with a patch that fixes these Continuity issues while an active VPN is on.

Cthulhu wrote:

As an information security professional, your advice is irresponsible, and some items in the link are uninformed or out of date. Many of us require a VPN for work, many of us for travel, and others use them to greatly reduce the advertising traffic which, if you've ever used one, you'd know can be a transformative online experience.

Please everyone saying "just stop using the VPN" - stop giving us advice. If you have no helpful advice on the topic, please just stay silent.

So many of us are reeling from the loss of services after this update, and we're trying together to find a solution. The solution is not to stop using a VPN. Just move on, please.

As an information security professional, you are undoubtedly well aware the difference between end-to-end VPNs intended to connect into the internal network of an affiliated organization, and the first-few-hops VPNs.

The former are useful and necessary in some cases, though zero trust / beyondcorp is where many folks are new headed.

The latter first-few-hops VPNs provide negligible added security given widely-known credentials, and at substantial added overhead around the existing and secure end-to-end connections, while also being perfectly positioned to collect personally-identified network connection metadata. to many of the vendors running these services appear sketchy, as well.

If you somehow do need a first-few-hops tunnel for CDN testing or geo-testing or such (and if somehow your own end-to-end VPN doesn't provide egress to the internet), an option that avoids the metadata collection of the commercial first-few-hops servers is running your own Algo VPN server.

If you want fewer ads, load an ad blocker. (Apple has been going to some effort to make data collection more difficult for entities with those ad blockers, too.)

In addition to the existing end-to-end encryption, Apple iCloud+ Private Relay also includes ODoH (which can be configured to the server of your choice) and obfuscates source and destination IP addresses; somewhat analogous to a two-hop Tor connection.

Oberon-Station wrote:

I've been using ExpressVPN for years for my work, recently I discovered I can't use iCloud while using VPN. I could work around it by simply using it on my phone, but it wasn't optimal. I also can't airdrop while using VPN.

Sounds like a bug with the VPN app.

Anyone else having this issue? I'd love a work around as right now, it's not at all ideal with the new OS.

Maybe try a different VPN or Apple's iCloud Private Relay.

Most of the features that I looked forward to aren't even available in Europe which makes no sense. I somewhat understand the AI issue, but the screen sharing with your iPhone isn't available? Why? If I can screen share with my local machines why not the iphone? Something doesn't sit right with me in these latest updates.

Because according to the new EU rules, Apple would have to give 3rd party developers the same level of access to the phone. That would be a huge security breach. This is all about compliance with law. Apple has to comply with EU law. But if EU law requires that Apple puts the safety or privacy of users at risk, then Apple will try to find some way to protect its users while still complying with the law. In some cases, that means EU users don't get certain features at all.

I have tried two different VPN services as well as our corporate VPN. No iCloud feature will work on the VPN - messages do not sync, and a myriad of other small things fail. This is not related to your VPN, it seems to be a widely reported issue. @Oberon-Station indicates protonVPN is working, but so far that is the only indication I can find online of any VPN working from any vendor.

AppleUserTech wrote:

In a tech support call with ExpressVPN, I was told ExpressVPN is aware of the issue and it has been escalated to get fixed. For the time being, in your ExpressVPN settings, in the "general" tab, uncheck the box "Network Lock: Stop all internet traffic if the VPN disconnects unexpectedly." This seemed to work to allow messages to be sent and received, as well as allows FaceTime calls through Mac OS's newest upgrade.

Even easier, remove the VPN app entirely.

I've tried OpenConnect, WireGuard, and OpenVPN all with identically bad results. It almost looked like the WireGuard client on the App Store was working, but ... it only appeared to work. What is actually happening is that it's dropping the connection frequently, and because there is no killswitch, the Apple apps are able to slip in and connect and partially sync while the VPN is down, and then the VPN pops back up after the configured re-try time.

Cthulhu wrote:

I also worked with TorGuard, ExpressVPN, and PIA (plus our corporate IT for their VPN). None of them work despite a lot of creative workarounds.

OK. Full stop here.

Sequoia made some significant changes to low-level networking. If you have some kind of requirement where you are also doing something funky with low-level networking, then you should not upgrade to Sequoia without significant testing. Ideally, you would've done that three months ago. You can certainly start your testing now if you want, but you should be testing on your dedicated test rig, not your production device. You do have a dedicated test rig, don't you?

If you need a VPN for work, then it is your employer's responsibility to perform all of this testing. Then, you can upgrade your device when your employer's IT direct you to do so. I realize that not everyone has competent IT support at work. That's what resumés are for.

Going beyond that, don't expect much from any of those consumer-grade VPNs. It's kind of like fine wine. If the wine has a swear word on the label, then it probably isn't fine. Same with VPNs. And if you are trusting your security to a VPN company, do some research on the company and see if they used to have a swear word in their name. Give them credit for changing their name, but don't give them your money or your data. These are security and privacy issues. Don't entrust your data to chest-bumping, venture-funded tech-bros who paint the internet with ads.

And please don't double-down and entrust your security to open-source political activists, or worse, US government intelligence agencies. That's the wrong direction.

There are really only a handful of legitimate and quasi-legitimate VPNs. Most of the VPN/"security" industry changes corporate ownership like most people change socks. I don't care who you thought you had entrusted your data to last month, somebody else has access to it this month.

And last but not least, review those changes in Sequoia. Review any other changes that you've made. Review any other 3rd party system modifications that you've installed. All of that matters - a lot.

Bad news - I’ve even tried contacting ExpressVpn to tell them that Apple Mac users who have upgraded to Sequoia in Europe are now unable to send IMessages etc if using ExpressVpn. ……. Despite pleading with them to help I get a sense it’s just sending out AI responses as nothing they have suggested so far has worked.

any one able to get a sensible answer from actual engineers at ExpressVPN. ????

ottmar288 wrote:

I don't think you can get all that from macOS as easily as through Express VPN.

Why do you believe you need to "get all that?"

Stop listening to the hype designed to sell those products. I would call them lies, but that are at the very least extreme hyperbole. There aren't hoards of baddies lurking on the internet trying to steal your personal information.

Effective defenses against malware and ot… - Apple Community