Post | Replies | Boosts | Views | Activity

Experienced some issues with iOS VPN when running some apps like Speedtest and Roblox
Recently I experienced some weird issues with iOS VPN, including personal VPN (IPsec VPN) and enterprise VPN (custom SSL VPN), when running some applications on both Mac and iOS. I coded a network extension program which can run on both Mac and iOS. The network extension intercepts the packets from the NEPacketTunnelFlow, encapsulates them with a self-defined header which is 16 bytes, and sends them via a UDP session to the remote server.

Test env: Xcode 12.0.1 / iOS 14.0 SDK / iPhone iOS 12.4.8

Here are some test results.

IPSec VPN (personal VPN), which is supported natively by iOS: when running Speedtest from OOKLA, it failed to test on the mobile network (in my case it's 4G). The message shows:

    ERROR Test failed to complete. Check your internet connection and try again OK

There is no such issue on the WIFI network.

Custom SSL VPN (enterprise VPN) created by using NETunnelProviderManager: on the WIFI network, running the Roblox application on iPhone failed when joining the server, with the error message:

    Disconnected Failed to connect to the Game.(ID=17:Connection attempt failed.)(Error Code: 279) Leave

I suspect it's related to the mtu setting, so I tried different tunnelOverheadBytes or mtu values:

  on wifi network (my router's mtu is 1480):
    work: -100/-16/20 (<=20)
    not work: 21 (> 20)
  on mobile network:
    work: 0/-16/-100 (very slow)
    not work: 1/2/5/10/20/21/28 (> 0)

It's weird that negative numbers work for the overhead setting. And it seems on the WIFI network the range x <= 20 works for the Roblox game application (can join the server and play some games without any problems), and on the mobile network the range is x <= 0.

Or set mtu instead of tunnelOverheadBytes:

  on wifi network:
    work: 1480/1485/1490/1500
    not work: 1464/1479/1600
  on mobile network:
    work: 1480/1485/1490/1500
    not work: 1464/1479/1600/2000

It seems the working value range is [1480, 1500] for both WIFI and mobile network.

And also, Speedtest works on the WIFI network but not on the mobile network. To my understanding, in the network extension we only need to set the tunnelOverheadBytes and iOS will compute the mtu size, and we don't need to care about the difference between different types of network. But actually there are differences. Now I'm totally confused. Apparently the value of tunnelOverheadBytes or mtu is quite critical for the network traffic.

How to correctly set the tunnelOverheadBytes in the network extension for both WIFI and mobile network?
Replies: 1 | Boosts: 0 | Views: 1.6k | Activity: Aug ’23
IPSec VPN stuck on connecting state when switching off mobile network
I have an MDM-managed iPhone 6 (iOS 12.5.1) with IPSec (IKEv2) VPN enabled. VPN connects onDemandRules were set in the profiles. When the VPN is connected and running (both mobile and WIFI network are switched on) I switched off the mobile network, then the VPN stuck on Connecting... state. And I can always reproduce the same issue with the same operations.

I checked the log on the Console and the following messages seem suspicious:

    default 11:30:27.808837+0800 nesessionmanager NESMIKEv2VPNSession[blob VPN:C350FBBE-06BE-41AD-8558-277DCECC5C4A]: got On Demand start message from pid 98
    default 11:30:27.809324+0800 nesessionmanager NESMIKEv2VPNSession[blob VPN:C350FBBE-06BE-41AD-8558-277DCECC5C4A]: Received a start command from apsd[98]
    default 11:30:27.809504+0800 nesessionmanager NESMIKEv2VPNSession[blob VPN:C350FBBE-06BE-41AD-8558-277DCECC5C4A]: Skip a start command from apsd[98]: session in state reasserting
    info 11:30:27.809952+0800 nesessionmanager Handling a com.apple.networkextension.file-descriptor-maintainer event
    debug 11:30:27.810134+0800 nesessionmanager Ignoring additional event in owner mode

To my understanding, it seems that when I toggled off the mobile network the VPN went into a reasserting state, and at that moment an onDemandRule was matched but was skipped due to the reasserting state. When I tried the same operations on an iPhone 12 mini (14.2) there is no such issue.

Is it a known issue on iOS 12?
Replies: 0 | Boosts: 0 | Views: 792 | Activity: Mar ’21
Different behaviour of NWUDPSession's setReadHandler on different iOS version when remote server is unavailable
Recently found some different results on iOS 12 and iOS 14. I have an application that is using NEPacketTunnelProvider to establish a VPN tunnel with a remote server. The VPN tunnel is using NWUDPSession and processes the inbound packets with

    open func setReadHandler(_ handler: @escaping ([Data]?, Error?) -> Void, maxDatagrams: Int)

If I shut down the remote VPN server, on iOS 12 an error will occur:

    Error Domain=NSPOSIXErrorDomain Code=89 "Operation canceled"

but on iOS 14+ no such error happens. Is this a bug in iOS 14+ compared with iOS 12?
Replies: 4 | Boosts: 0 | Views: 1.2k | Activity: Aug ’21
Inquiry and Feedback on Captive Portal Google Authentication in iOS, macOS, and iPadOS
Hello Apple Developer Community, I have been investigating the challenges with captive portal authentication on Apple devices, particularly regarding Google's OAuth 2.0 authorization in embedded WebViews and the resulting disallowed_useragent error. For Wi-Fi networks providing a captive portal with a 'Sign in with Google' option, reconnecting to the network after forgetting it triggers the portal page. However, attempting to sign in with Google results in an error. Additionally, on macOS Sonoma 14.1.1, clicking the Google Authenticate button elicits no response. I recently discovered that this issue has been resolved in an iPad Pro updated to iOS 17.1.1. However, I've also tested with an iPhone 7 running iOS 15.4.1 and found that the issue persists on this version. Could you provide information on which versions of iOS, macOS, and iPadOS have addressed this issue? It would be immensely helpful for developers and users to know from which version onwards this fix has been implemented, ensuring a consistent and secure experience across Apple platforms. Thank you for your assistance and looking forward to your response.
Replies: 0 | Boosts: 1 | Views: 666 | Activity: Nov ’23
Is NEDNSProxyProvider supported on macOS?
Is NEDNSProxyProvider supported on macOS?

According to this page - https://developer.apple.com/documentation/networkextension/nednsproxyprovider

    Availability iOS 11.0+ macOS 10.15+ Mac Catalyst 13.0+

But on this page - https://developer.apple.com/documentation/networkextension/dns_proxy_provider - it says DNS proxy providers are only supported on supervised iOS devices.

I tested a DNS proxy application on the Mac which runs well on iOS devices (I made some project settings changes such as profiles, platform settings) and got the following error in the console logs:

    Looking for an extension with identifier com.blob.macappproxy.dns and extension point com.apple.networkextension.dns-proxy
    Failed to find an app extension with identifier com.blob.macappproxy.dns and extension point com.apple.networkextension.dns-proxy: (null)

And in the network preferences there is a DNS proxy service added but not running; it shows a message on the panel that says:

    Please use "macappproxy" to control this DNS proxy configuration.

Can someone tell me what's the cause of this error and how can I fix it? Thanks a lot!
Replies: 10 | Boosts: 0 | Views: 1.9k | Activity: Apr ’21
Some questions on NEPacketTunnelProvider on iOS 15
Recently I tested my VPN application on iOS 15 beta 8 / Xcode 13 beta 5. It looks like the precedence is IPSec VPN > iCloud private relay > NEPacketTunnelProvider VPN. When the iCloud private relay is switched on, if I use IPSec VPN (I think it's using the IPSec interface) the browser's network traffic is still being routed to the IPSec tunnel. But for the implementation with NEPacketTunnelProvider VPN (UTUN interface) the browser's traffic is being routed to the private relay. I don't see any doc describing this but it seems this is the design.

And another question is the IncludeAllNetworks setting for the VPN. If I set IncludeAllNetworks to 1 then the device's global traffic would be routed to the VPN, but the excludedRoutes settings in the VPN would be unavailable; no routes would be excluded.

Is the above understanding correct?
Replies: 2 | Boosts: 0 | Views: 899 | Activity: Sep ’21