Apple devices iCloud private relay

[cchewanik]

Hello great project thank you developer(s) for your hard work!! I've noticed my iCloud private relay connections are being blocked. I have a simple config - just whitelisted CA region. How does one handle this situation?

Seems these are the icloud private relay ip ranges for reference...
https://mask-api.icloud.com/egress-ip-ranges.csv

Thank you

[friendly-bits]

Hi

For now, I'm only 1 developer here. Thank you for the compliments.

Basically, the best solution is adding support for specifying ip's to allow in a custom file. Another user has already asked for this. I will implement this, hopefully soon.

For now, geoip-shell supports specifying trusted ip addresses (or ip ranges) via the command line:
geoip-shell configure -t <"ip_addresses">

Example:
geoip-shell configure -t "104.28.103.0/24 146.75.188.0/24 172.224.238.0/24"

With such a large number of ip ranges, this is less practical, of course. What you can do is (sequentially):

1. Filter the list to remove any irrelevant ip addresses. For example, if your country is CA (Canada) then this will do it:
   ca_ips="$(curl -L "https://mask-api.icloud.com/egress-ip-ranges.csv" | grep ',CA,CA-')"
2. Filter on specific ip family. For ipv4, this will do it (for ipv6, replace the \. grep argument with :)
   ca_ipv4="$(printf '%s\n' "$ca_ips" | cut -d, -f1 | grep '\.')"
3. Within the specific ip family, aggregate the ip ranges to reduce their number. You can use my other project for this purpose:
   https://github.com/friendly-bits/shell-ip-tools

# download the script
if curl -LO "https://raw.githubusercontent.com/friendly-bits/shell-ip-tools/main/shell-ip-tools.sh"; then
	# source the script
	if . ./shell-ip-tools.sh; then
		printf '%s\n' "$ca_ipv4" |
		sed 's~/.*~/24~' | # change all prefixes to 24
		aggregate_subnets ipv4 | # this will trim input ip ranges to 24 bits and eliminate duplicates
		sort | # this is self-explanatory
		tr '\n' ' ' # convert newlines to whitespaces
		printf '\n' # add a newline
	fi
fi

This currently produces a manageable list of 38 ip ranges which you can then provide as an argument to geoip-shell.

All of the above commands condensed (for ipv4):

if curl -LO "https://raw.githubusercontent.com/friendly-bits/shell-ip-tools/main/shell-ip-tools.sh" && . ./shell-ip-tools.sh; then \
	curl -L "https://mask-api.icloud.com/egress-ip-ranges.csv" | grep ',CA,CA-' | cut -d, -f1 | grep '\.' | sed 's~/.*~/24~' | aggregate_subnets ipv4 | sort | tr '\n' ' '; \
	printf '\n'; \
fi

If allowing ipv4 ip ranges is not enough, you can similarly generate a reduced number of ipv6 ranges and allow them as well (note that in that case you will need to include ip ranges for both families in one geoip-shell configure command). Not sure which prefix length would be ideal for ipv6, so you may need to try a few options (generally the smaller the prefix, the wider the ip range).

Please let me know if this helped. And I'll try to find the time to implement support for local allowlist file.

[cchewanik]

Thank you for the detailed explanation!! It worked perfectly thank you so much!

[friendly-bits]

That's good to hear. By the way, which source are you using (RIPE/ipdeny/MaxMind)?
I should have asked this earlier. Likely your issue is caused by the source ip list missing the specific range needed for iCloud in your region. Geoip data is inherently not 100% reliable but generally Maxmind seems to provide more accurate data, so if using RIPE or ipdeny then possibly switching to MaxMind would have been a simpler solution.

[cchewanik]

I was using RIPE - all good your solution is working great so far!

[friendly-bits]

P.s. if running this on a router or other device with flash storage which is prone to wear, cd /tmp before running the above commands.