Reply to rvictl not working on big sur and ios 14 beta 3
By the way, if anyone is trying this on a Mac M1 (Apple silicon) and rvictl says FAILED, it's because you need to enable Mac system extensions - https://support.apple.com/guide/mac-help/change-startup-disk-security-settings-a-mac-mchl768f7291/mac - basically say "reduced security" and check all the freaking boxes that say enable kernel extensions and all that. And after you boot up, you have to again go to system---security&preferences and there will be an "allow" button you have to click there which will again make you reboot. I wasted freaking a day on this crap and finally after a lot of browsing I figured that's the reason. I enabled system extensions and it's working fine.
May ’21
Reply to rvictl not working on big sur and ios 14 beta 3
And yes, I agree, this is seriously suboptimal. @eskimo, my frustration was not about having to enable the kernel extension - that took me 5 mins and that's perfectly acceptable to me. My frustration was that rvictl FAILED as a Google search did not lead to any help page or anything, what it led to was this thread with a potpourri of random suggestions. I am not kidding when I said I wasted a WHOLE DAY (at least) on this - I even thought that it's probably that my iPad (attached to my Mac mini) is too old and hence I drove one hour up and down to an Apple store and got a new one, only to see that it had the same issue. Then I kept at Google searches till some kind soul somewhere had hinted about having to enable kernel extensions. So my point was that along with rvictl FAILED, if there was one more line of message that said "please enable kernel extensions", that would have made my experience with Apple development far smoother.
May ’21
Reply to ios: how to capture packets on vpn/tun interface ?
@matt Thx for the reply. I am aware of the metadata that can be seen in Wireshark. The ONLY INTERFACE in all of the metadata in Wireshark is interface en0 (on my iPad), occasionally there are some broadcasts and multicasts on some "en2" interface which I don't know what it is, but there is no metadata that points to any "tunnel" interface - so THAT was the question - it looks like rvictl captures everything on "physical" interfaces (like en0) only ??
May ’21
Reply to packet-tunnel to packet-tunnel-systemextension conversion
codesign -dv NextensioAppMac.app
Executable=/Users/gopakumarchoorakkotedakkunni/NXT/NextensioAppMac.app/Contents/MacOS/NextensioAppMac
Identifier=io.nextensio.agent1
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=959 flags=0x10000(runtime) hashes=19+7 location=embedded
Signature size=9009
Timestamp=May 26, 2021 at 3:47:08 PM
Info.plist entries=25
TeamIdentifier=3S6YLTX9PM
Runtime Version=11.3.0
Sealed Resources version=2 rules=13 files=13
Internal requirements count=1 size=212
May ’21
Reply to packet-tunnel to packet-tunnel-systemextension conversion
cat NextensioAppMac.app/Contents/PlugIns/NextensioPacketTunnelMac.appex/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>BuildMachineOSBuild</key>
    <string>20E241</string>
    <key>CFBundleDevelopmentRegion</key>
    <string>en</string>
    <key>CFBundleDisplayName</key>
    <string>NextensioPacketTunnel</string>
    <key>CFBundleExecutable</key>
    <string>NextensioPacketTunnelMac</string>
    <key>CFBundleIdentifier</key>
    <string>io.nextensio.agent1.tunnel</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>NextensioPacketTunnelMac</string>
    <key>CFBundlePackageType</key>
    <string>XPC!</string>
    <key>CFBundleShortVersionString</key>
    <string>0.1.4</string>
    <key>CFBundleSupportedPlatforms</key>
    <array>
        <string>MacOSX</string>
    </array>
    <key>CFBundleVersion</key>
    <string>1</string>
    <key>DTCompiler</key>
    <string>com.apple.compilers.llvm.clang.1_0</string>
    <key>DTPlatformBuild</key>
    <string>12E262</string>
    <key>DTPlatformName</key>
    <string>macosx</string>
    <key>DTPlatformVersion</key>
    <string>11.3</string>
    <key>DTSDKBuild</key>
    <string>20E214</string>
    <key>DTSDKName</key>
    <string>macosx11.3</string>
    <key>DTXcode</key>
    <string>1250</string>
    <key>DTXcodeBuild</key>
    <string>12E262</string>
    <key>LSMinimumSystemVersion</key>
    <string>11.1</string>
    <key>NSExtension</key>
    <dict>
        <key>NSExtensionPointIdentifier</key>
        <string>com.apple.networkextension.packet-tunnel</string>
        <key>NSExtensionPrincipalClass</key>
        <string>NextensioPacketTunnelMac.PacketTunnelProvider</string>
    </dict>
</dict>
</plist>
May ’21
Reply to packet-tunnel to packet-tunnel-systemextension conversion
cat NextensioAppMac.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>BuildMachineOSBuild</key>
    <string>20E241</string>
    <key>CFBundleDevelopmentRegion</key>
    <string>en</string>
    <key>CFBundleExecutable</key>
    <string>NextensioAppMac</string>
    <key>CFBundleIconFile</key>
    <string>AppIcon</string>
    <key>CFBundleIconName</key>
    <string>AppIcon</string>
    <key>CFBundleIdentifier</key>
    <string>io.nextensio.agent1</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>Nextensio</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
    <string>0.1.4</string>
    <key>CFBundleSupportedPlatforms</key>
    <array>
        <string>MacOSX</string>
    </array>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLName</key>
            <string>io.nextensio.agent1</string>
        </dict>
    </array>
    <key>CFBundleVersion</key>
    <string>1</string>
    <key>DTCompiler</key>
    <string>com.apple.compilers.llvm.clang.1_0</string>
    <key>DTPlatformBuild</key>
    <string>12E262</string>
    <key>DTPlatformName</key>
    <string>macosx</string>
    <key>DTPlatformVersion</key>
    <string>11.3</string>
    <key>DTSDKBuild</key>
    <string>20E214</string>
    <key>DTSDKName</key>
    <string>macosx11.3</string>
    <key>DTXcode</key>
    <string>1250</string>
    <key>DTXcodeBuild</key>
    <string>12E262</string>
    <key>LSApplicationCategoryType</key>
    <string>public.app-category.utilities</string>
    <key>LSMinimumSystemVersion</key>
    <string>11.1</string>
    <key>NSMainStoryboardFile</key>
    <string>Main</string>
    <key>NSPrincipalClass</key>
    <string>NSApplication</string>
</dict>
</plist>
May ’21
Reply to packet-tunnel to packet-tunnel-systemextension conversion
Sorry about the delay responding here. I thought I would post in detail in case it helps someone else. The first mistake I made is in assuming that converting a packet tunnel to system extension is just a matter of updating the entitlements to say that I am using system extension, but I figured out that it's incorrect - I needed to delete my old network extension target and create a NEW target in Xcode selecting the type as system-extension. So I guess that makes Xcode package the application differently - the system extension app has the Library/SystemExtension folder with my system extension code inside it etc., which will happen only if we create a target specifically marked as system-extension in Xcode. Then in developer.apple.com for the app IDs, the UI APP ID has BOTH network and system extension checked, the packet-tunnel app ID has Network extension checked but NOT system extension. Then of course I had to mention it in my entitlements. I am listing it here for anyone's future reference.
Packet tunnel entitlement:
UI App entitlement:
And then I built the image, and uploaded to Apple for "Developer ID" signing and it was signed all well and fine and then I exported the signed app as a Mac app. Now this is where it was frustrating as hell - the app would work fine on my laptop, I can open it and it will ask permission to install system extension etc., but it would NOT work on anyone else's laptop - it would not ask for permission to install system extension, radio silence. And in the system logs there is really nothing legible that says what the problem is. I spent at least a couple of days complete waste of time chasing this - and finally figured that the developer ID signed app has to be moved to the Applications folder and only then the system extension would work. And how did I find that out? There was this slide deck - https://objectivebythesea.com/v3/talks/OBTS_v3_sKnight.pdf - where somewhere deep inside it there was an allusion to the need to move the app to Applications folder, and thanks to this kind soul who made the pdf, my pain ended in two days. These are the things which Apple has been terrible at documenting. Does no one at Apple run through the sequence end to end and see what are the steps required and document it ???
At any rate, after the above, it all works fine - it asks for permission to install system extension and I allow it and it creates a separate process with my system extension code - that is a thing to note when writing system extensions, unlike the previous packet tunnel mechanism, the system extension code runs as a separate process that keeps running forever as long as the system extension is installed, i.e. it keeps running even after your app is terminated. And when you relaunch the app and again activate system extension, the process will still be the same, it's not restarted - i.e. make sure to clean up and have the process start from a clean state without actually restarting the process.
Jun ’21
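Added example, not part of the original posts or of Apple's tooling: a shell check for the two failure modes described in the last reply, an extension still packaged as a `.appex` plug-in instead of a system extension, and a system-extension app sitting outside the Applications folder. The function names, the overridable install root and the constructed bundle skeletons are assumptions for illustration; the check looks for the `Contents/Library/SystemExtensions/*.systemextension` layout that Xcode produces for a system extension target.

```shell
#!/bin/sh
# Added example. Prints one verdict for an app bundle:
#   not-a-bundle           path has no Contents/ directory
#   no-extension           neither packaging style found
#   appex-only             extension packaged as Contents/PlugIns/*.appex
#   sysext-wrong-location  system extension present, app not directly in install root
#   sysext-ok              system extension present and app is in install root
# Assumption: install root defaults to /Applications; $2 overrides it for testing.
check_sysext_bundle() {
    app=${1%/}
    root=${2:-/Applications}
    if [ ! -d "$app/Contents" ]; then echo "not-a-bundle"; return 2; fi

    # Unmatched globs stay literal in sh, so each candidate is tested with -d.
    sysext=
    for d in "$app"/Contents/Library/SystemExtensions/*.systemextension; do
        if [ -d "$d" ]; then sysext=$d; break; fi
    done
    appex=
    for d in "$app"/Contents/PlugIns/*.appex; do
        if [ -d "$d" ]; then appex=$d; break; fi
    done

    if [ -z "$sysext" ]; then
        if [ -n "$appex" ]; then echo "appex-only"; else echo "no-extension"; fi
        return 1
    fi

    # Compare physical paths so symlinked directories do not give a false mismatch.
    parent=$(cd "$app/.." && pwd -P)
    want=$(cd "$root" 2>/dev/null && pwd -P) || want=
    if [ -n "$want" ] && [ "$parent" = "$want" ]; then
        echo "sysext-ok"; return 0
    fi
    echo "sysext-wrong-location"; return 1
}

# Build a constructed (fake) bundle skeleton for trying the check offline.
# $1 = app path, $2 = appex | sysext. Names below are placeholders.
make_constructed_bundle() {
    case $2 in
        appex)  mkdir -p "$1/Contents/PlugIns/Tunnel.appex/Contents" ;;
        sysext) mkdir -p "$1/Contents/Library/SystemExtensions/com.example.tunnel.systemextension/Contents" ;;
    esac
}

# Usage: sh check_sysext.sh /path/to/Some.app
if [ $# -ge 1 ]; then
    check_sysext_bundle "$1"
fi
```

The check covers bundle layout and location only; signature and entitlement inspection still needs `codesign` on a Mac.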