Hi Quinn, I worked through it progressively like you suggested and I was able to route UDP traffic and receive a response. The problem I see now is that I can't use the systems DNS resolver. It seems if I capture all the traffic: settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()] then I MUST set the DNS settings: let dnsSettings = NEDNSSettings(servers: [DNS_SERVER]) settings.dnsSettings = dnsSettings I thought if I set: dnsSettings.matchDomains = [""] then DNS_SERVER will only be used for the domains in the matchDomains list and the system resolver used for everything else but this doesn't seem to be the case. Is this a bug? Thanks, Dave

Yes the tunnel is in .destinationMode. I'm not sure what you mean say if I claim all traffic I need to provide a working DNS configuration. Does this mean the tunnel's DNS overrides the devices resolver? Will the traffic still pass through the tunnel but be routed to the tunnels DNS server? I tried adding this and it doesn't seem to make any difference. I still can't resolve anything. let dnsSettings = NEDNSSettings(servers: ["8.8.8.8"]) settings.dnsSettings = dnsSettings Apart from the API docs is there any other information available on configuring the tunnel? Sorry, I wasn't using writePacketObjects(...) for anything. I was just trying to get at packets coming in.

Thanks Quinn. Seems like excluding the DNS traffic isn't the way to go. I'll debug it further and see why I'm not getting any in the Tunnel.

Thanks for that. I don't see the DNS traffic enter the tunnel so I need to debug that separately. I have two general questions: Could the DNS traffic be excluded using the ipv4Settings.excludedRoutes? Is excluded traffic just dropped or is it routed "normally", i.e. as if the tunnel wasn't running?

Just wondering if anyone else has ever submitted one of these requests and how long it takes? Is there a way to check the status of the request?

Hi Quinn, Thanks for your answer and those links. My app is a VPN app and the cert is packaged with the profile (mobile config). It's used by for some API calls to configure the VPN. Does that seem like a reasonable use case to create a DTS Tech support ticket for access to the com.apple.managed.vpn.shared keychain group? I'm assuming access would solve my problem. Thanks for all your help.

Thanks for the answer Quinn. Can you target Safari via the NETestAppMapping key in the info.plist if its an Enterprise build?