Hi, we are facing the same issue. Every time we call setTunnelNetworkSettings(_:completionHandler:), we have a leak of requests out of the tunnel. There is any solution or workaround for this?

I'm waiting to receive an ACK from the server and then call the completion handler but I never getting the ACK. It happening only in the -sleepWithCompletionHandler method.

Yes, I mean encrypted DNS. The problem is that the OS not fallback to the non-encrypted DNS if the encrypted one can’t resolved the request. Can I disable this automatic prefer of the encrypted DNS and enable the old behavior?

Yes

The ALPN is shown in the application_layer_protocol_negotiation extension. I mean if I can add some data to a custom extension type? I know that in OpenSSL you can do it with SSL_CTX_add_client_custom_ext

Hi, I had the same problem with the background-darkAqua. There is any solution for it or a workaround? Thanks

The container app is a UI app. I'm using the same value that is in the NEMachServiceName for creating the NSXPCListener and for creating the NSXPCConnection. But do I need to set com.apple.security.temporary-exception.mach-lookup.global-name or com.apple.security.temporary-exception.mach-register.global-name entitlement?

I want to add some configuration that I have: The extension is created the listener: let newListener = NSXPCListener(machServiceName: machServiceName) newListener.delegate = self newListener.resume() and the app is registered: let newConnection = NSXPCConnection(machServiceName: machServiceName, options: [])     // The exported object is the delegate.     newConnection.exportedInterface = NSXPCInterface(with: AppCommunication.self)     newConnection.exportedObject = delegate     // The remote object is the provider's IPCConnection instance.     newConnection.remoteObjectInterface = NSXPCInterface(with: ProviderCommunication.self)     currentConnection = newConnection     newConnection.resume()     guard let providerProxy = newConnection.remoteObjectProxyWithErrorHandler({ registerError in       DDLogError("Failed to register with the provider: \(registerError.localizedDescription)")       self.currentConnection?.invalidate()       self.currentConnection = nil       completionHandler(false)     }) as? ProviderCommunication else {       DDLogError("Failed to create a remote object proxy for the provider")       completionHandler(false)       return     }     providerProxy.register(completionHandler) With the same machServiceName. Do I need to add com.apple.security.temporary-exception.mach-lookup.global-name and com.apple.security.temporary-exception.mach-register.global-name to the app entitlement file or to the extension entitlement file? If yes, which entitlement need to be in the app and which one in the extension and what should be the value?

The bundle id of my app is: com.MyApp. The bundle id of my Network System Extension is: com.MyApp.MyExtension. The MachServiceName is: teamId.com.MyApp.MyExtension. systemextensionsctl tell me that MyExtension 2 version is activated enabled My app and extension are sendboxing

Hi, I'm facing the same problem. After the replacing of the network system extension I saw this on the logs: Default 0x0 561 0 sysextd: changing state of extension com.company.myapp.SysExtension to activated_enabled. Activity 0x4e1f 153 0 authd: (Security) SecTrustEvaluateIfNecessary Default 0x0 720 0 myapp: (NetworkExtension) [com.apple.networkextension:] Last disconnect error for *** VPN changed from "The VPN app used by the VPN configuration is not installed" to "The operation couldn’t be completed. (NEAgentErrorDomain error 2.)" When I use the workaround for Apple bug 32073323 (and described here), adding exit(0) at the end of the stopTunnel() method, it solves the problem but I don't think that is the right way to solve it.