Post · Replies · Boosts · Views · Activity

Adding dylib to SysExt
I've implemented a custom system-extension VPN (Packet Tunnel Provider) for macOS. At the extension, I need to use a third-party dynamic lib. The steps I did:

Build phases:
- Copy Files, with Frameworks destination
- Link Binary With Libraries

Build Settings:
- I set 'Dynamic Library Install Name', 'Dynamic Library Install Name Base', and 'Library Search Path' to the lib folder
- I set 'Header Search Path' to the headers folder

But when running the extension, it's crashing with the error:

    Termination Reason: Namespace DYLD, Code 1 Library missing
    Library not loaded: @loader_path/somelib.dylib

And:

    Reason: tried: '/Library/SystemExtensions/A1111-someID-11111/com.myapp.myappSysExtension.systemextension/Contents/MacOS/libwavmodapi.dylib' (no such file), '/usr/local/lib/libwavmodapi.dylib' (no such file), '/usr/lib/libwavmodapi.dylib' (no such file)
    (terminated at launch; ignore backtrace)

Any idea what I'm doing wrong here? Also, is it even possible to use dynamic libs from a sys-ext?

Replies: 11 · Boosts: 0 · Views: 3.3k · Activity: Apr ’22
Packet Tunnel Provider - life cycle / memory
I have some questions regarding the life cycle of Packet Tunnel Provider:

I have some static vars at the PacketTunnelProvider. The user connected to the VPN, then disconnected, so I called the relevant completion handler. After some time, the user will start the VPN again, and PacketTunnelProvider will be recreated. Will it use the same class as before, and all static vars will hold their last value? Or would it create a new PacketTunnelProvider?

- Is it the same behavior for Network Extension vs System Extension?
- Is it the same behavior for macOS vs iOS?
- What about running threads? If I created a thread, and then I called the completion handler, will this thread continue to run?

P.S. If I'm adding exit(0) before 'quitting' the Packet Tunnel Provider, it will force cleaning the memory. But I guess it's not a good behavior for a System Extension to use exit(0).

    import NetworkExtension

    class PacketTunnelProvider: NEPacketTunnelProvider {
        // Static state that survives as long as the extension process does
        static var isInitiated = false
        // ...

        override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) {
            // ...
            PacketTunnelProvider.isInitiated = true
            // ...
        }
    }

Replies: 3 · Boosts: 0 · Views: 1.2k · Activity: Feb ’22
Captive portal + Network extension
I've developed a VPN app for iOS and macOS with Packet Tunnel Provider. Once the VPN is enabled, all the traffic should go via the VPN. The VPN is configured to be on demand (isOnDemandEnabled is set), with a rule to always connect.

There are some cases where this configuration might cause a problem. When the user goes to a place with a captive portal, the VPN won't be able to connect (because the user will first need to log in to the captive portal), but the user also won't be able to log in to the captive portal (because all traffic triggers the network extension).

In such a case, I need the captive portal to be shown to the user, and I also need to exclude at least some of the traffic from the VPN, so the user would be able to log in to the captive portal (but I don't want to open all traffic, just the traffic needed for the login).

Is there any API for those cases? If the answer is no, I'll try to detect this case at the Extension. But I won't be able to open the captive portal from there, so the only thing I would be able to do is to display a message to the user, correct?

Replies: 2 · Boosts: 0 · Views: 1.5k · Activity: Mar ’22
includeAllNetworks - Can't establish tunnel when includeAllNetworks is set
I've implemented a custom VPN app for macOS (using Packet Tunnel Provider). I set includeAllNetworks at the protocolConfiguration. When this field is set, I can't connect and I can't send traffic even at the extension. Even simple calls at the extension, like getaddrinfo or curl, fail. If I'm unsetting this variable (includeAllNetworks = false) then I can connect without a problem.

In addition I can see those lines at the Xcode Console:

    Connection 2: encountered error(1:53)
    Connection 3: encountered error(1:53)
    Connection 1: encountered error(1:53)

And those lines at the Console:

    No mDNS_Keepalive for interface en8/IOSkywalkLegacyEthernetInterface kr 0xE00002C0
    NetWakeInterface: en8 <private> no WOMP
    uDNS_CheckCurrentQuestion: host unreachable error for DNS server <private> for question
    failed to send packet on InterfaceID 0x5 en8/4 to <private>:53 skt 74 error -1 errno 65 (No route to host)

Replies: 16 · Boosts: 0 · Views: 3.4k · Activity: Jul ’22
Phased release - change percentage of users
The feature of phased release is very useful for our company, but a big minus for us is that the 'Percentage of Users' starts very slow, and in the last two days it goes up very fast. For now what we can do is to start the phased release, pause it after 50% of users get the new version, and after a week resume the release. I know it's not the purpose of the pause/resume, but we want better control over the percentages/days of the phased release. Is it possible to change those somehow? Change the percentages per day / change the number of days for the phased release?

Replies: 1 · Boosts: 0 · Views: 2.6k · Activity: Feb ’23
VPN not starting
While working on a dev version of my custom macOS VPN (Network Extension, Packet Tunnel Provider), I had cases where the VPN was supposed to start, but it didn't. It's configured with an on-demand rule to always connect, and also, to be on the safe side, I called connection.startVPNTunnel().

From the Console logs I see the following:

    myClientClient Saving configuration myClient example - myname_mfa.mynameaccount with existing signature {length = 20, bytes = 0x3be5a6633b963d04c5e0a226cccff4c83a799e14}
    default 12:33:36.686853+0200 secd myClientClient[8416]/1#11 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=query missing class name}
    default 12:33:36.687705+0200 myClientClient MacOS error: -25304
    default 12:33:36.690077+0200 myClientClient MacOS error: -25304
    NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Received a start command from myClientClient[8416]
    default 12:33:36.763724+0200 nesessionmanager Registering session NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]
    default 12:33:36.764739+0200 nesessionmanager Received a com.apple.neconfigurationchanged notification with token 23
    default 12:33:36.765486+0200 nesessionmanager Clearing E853F1E7-23BD-4F01-915B-65DCBB9D9AB8 from the loaded configurations
    default 12:33:36.765604+0200 nesessionmanager Clearing 8A4A1803-C370-42A1-8758-35E3D4337959 from the loaded configurations
    default 12:33:36.765717+0200 nesessionmanager Clearing 2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17 from the loaded configurations
    nesessionmanager nw_network_agent_open_control_socket Successfully connected netagent socket 8
    default 12:33:36.760869+0200 SystemUIServer Received a com.apple.neconfigurationchanged notification with token 48
    default 12:33:36.790775+0200 neagent Looking for an extension with identifier com.myClientexample.mac.myClientClient.myClientClientExtension and extension point com.apple.networkextension.packet-tunnel
    default 12:33:36.791728+0200 neagent [d private] PKHost:0x7f9bc9c29fb0 Beginning discovery for flags: 0, point: com.apple.networkextension.packet-tunnel
    default 12:33:36.794692+0200 pkd Waiting on thread private until Launch Services database seeding is complete.
    default 12:33:36.783780+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: status changed to connecting
    default 12:33:36.811018+0200 neagent [d private] PKHost:0x7f9bc9c29fb0 Completed discovery. Final of matches: 1
    default 12:33:36.762607+0200 myClientClient startToggled
    default 12:33:36.811362+0200 nesessionmanager com.myClientexample.mac.myClientClient[743]: disposing
    default 12:33:36.811575+0200 nesessionmanager com.myClientexample.mac.myClientClient[743]: Tearing down agent connection
    default 12:33:36.811641+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Plugin is installed
    default 12:33:36.763228+0200 myClientClient starting vpn tunnel
    default 12:33:36.811729+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Enabling VPN On Demand
    default 12:33:36.811145+0200 neagent Found 1 extension(s) with identifier com.myClientexample.mac.myClientClient.myClientClientExtension and extension point com.apple.networkextension.packet-tunnel
    default 12:33:36.813142+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Matched no on demand rule
    default 12:33:36.784619+0200 myClientClient vpnStatusDidChange: Connecting
    default 12:33:36.784729+0200 myClientClient display Connecting
    default 12:33:36.813445+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Matched on demand rule action = connect interfaceTypeMatch = any

And after that there is a very big amount of "Received a start command from" and "Skip a start command from" (and I copied only part of the log), but the VPN stays at the 'connecting' phase.

Any idea what's causing it? Can it happen also on the production version of my app? I never reproduced it at the Store version, but it doesn't always reproduce anyway.

Replies: 4 · Boosts: 0 · Views: 1.3k · Activity: Mar ’21
Packet Tunnel Provider - sleep
I've implemented a VPN app with Packet Tunnel Provider for macOS and iOS. I have two questions regarding the Extension's sleep/wake functions:

1. If the VPN configuration is set with disconnectOnSleep = false, and at the extension I'm sending keep-alives every X seconds, what would happen when the device enters sleep mode? Will it keep sending keep-alives (because the VPN is configured with disconnectOnSleep = false)?

2. If the VPN configuration is set with disconnectOnSleep = true, and also isOnDemandEnabled = true, when the device enters sleep mode, do I need to disconnect the VPN myself? Or would the OS take care of it? And if I should disconnect it myself, won't the on-demand try to turn it on again (because of the on-demand)?

Replies: 4 · Boosts: 1 · Views: 5.5k · Activity: Feb ’25
Keychain error -25308
I've implemented a VPN app (with Packet Tunnel Provider) for macOS. Each user has a password, which I'm saving at the keychain with a persistentReference. For some users (not many), the app fails to save the password and I get error -25308, which is "User interaction is not allowed". Why is it happening and how can I solve it?

Replies: 10 · Boosts: 0 · Views: 16k · Activity: May ’22
Authentication with Certificates
I've implemented a custom VPN for iOS using a Packet Tunnel Provider. I have the entitlement for 'com.apple.managed.vpn.shared'. One option to connect is to use a certificate - this can be done by distributing a VPN payload with the required certificate for the connection. My question is if there's any way to distribute multiple certificates and that I'll be able to read them on my iOS app. For example, on the Certificates payload, I can add multiple certificates, but on the VPN payload, I can choose only one of them. So, can my app read more than one certificate?
Replies: 2 · Boosts: 0 · Views: 807 · Activity: Feb ’24
On-demand rules
I've implemented a custom system extension VPN for macOS using Packet Tunnel Provider. The VPN is configured with on-demand, and a rule to always connect whenever there's traffic:

    onDemandRules = [NEOnDemandRuleConnect()]

As expected, if the VPN isn't active, all traffic gets blocked until it is ready.

Not expected: In the following scenario, there is some 'traffic leak':

1. Use only WiFi (not a wired cable)
2. Connect the VPN
3. Disable the WiFi and wait for the VPN to disconnect
4. Enable the WiFi

Some packets are routed outside the VPN, and aren't being blocked. Some moments after, all traffic will be blocked, and the VPN will start the 'connecting' process.

Is the above scenario a 'known' issue? Can it be a race condition in the OS, where some packets can be sent after the network is brought back before the VPN process starts? Is there any way to fix this problem?

P.S.: I'm not using flags such as 'capture all network'.

Replies: 3 · Boosts: 1 · Views: 156 · Activity: Apr ’25
Get device IP
I have an iOS app and a macOS app in which I want to display to the user its device's local IP. If there is more than one IP, I would display one of them, no matter which one. This is the code I'm using:

    import Foundation

    // Stored outside the function (a property of the enclosing type in the original)
    var deviceLocalIp = "N/A"

    func getIFAddresses() -> String {
        var address = "N/A"
        deviceLocalIp = "N/A"

        // Get list of all interfaces on the local machine:
        var ifaddr: UnsafeMutablePointer<ifaddrs>?
        guard getifaddrs(&ifaddr) == 0 else { return address }
        guard let firstAddr = ifaddr else { return address }

        // For each interface ...
        for ptr in sequence(first: firstAddr, next: { $0.pointee.ifa_next }) {
            let flags = Int32(ptr.pointee.ifa_flags)
            // Keep the original sockaddr pointer: copying `.pointee` into a local `sockaddr`
            // (16 bytes) truncates a sockaddr_in6 (28 bytes), so getnameinfo would read past it.
            guard let sa = ptr.pointee.ifa_addr else { continue }

            // Check for running IPv4, IPv6 interfaces. Skip the loopback interface.
            if (flags & (IFF_UP|IFF_RUNNING|IFF_LOOPBACK)) == (IFF_UP|IFF_RUNNING) {
                if sa.pointee.sa_family == UInt8(AF_INET) || sa.pointee.sa_family == UInt8(AF_INET6) {
                    let interfaceName = String(cString: ptr.pointee.ifa_name)
                    //DDLogInfo("interfaceName:\(interfaceName)")

                    // Convert interface address to a human readable string:
                    var hostname = [CChar](repeating: 0, count: Int(NI_MAXHOST))
                    if getnameinfo(sa, socklen_t(sa.pointee.sa_len), &hostname, socklen_t(hostname.count),
                                   nil, socklen_t(0), NI_NUMERICHOST) == 0 {
                        if interfaceName == "en0" {
                            deviceLocalIp = String(cString: hostname)
                            address = deviceLocalIp
                            break
                        }
                        // If we don't have an address from en0, try to get it from another interface
                        // (but prefer en0)
                        if address == "N/A" && (interfaceName == "en0" || interfaceName == "en1" || interfaceName == "en2"
                                                || interfaceName == "pdp_ip" || interfaceName == "ap1") {
                            deviceLocalIp = String(cString: hostname)
                            address = deviceLocalIp
                        }
                    }
                }
            }
        }
        freeifaddrs(ifaddr)
        return address
    }

For IPv4 it seems to work well. For IPv6 (via Mac's Internet Sharing), I'm getting an IPv6 address, but it's not the address I'm expecting to connect: at the Network I see that my device is connected and has the IP address X, and the result I'm getting with this code is address Y.

P.S.: For debugging, I printed all the IPs, not just the first, and still didn't get the correct one.

Replies: 8 · Boosts: 0 · Views: 9.3k · Activity: Nov ’21
Packet Tunnel Provider - Writing SSL3_RT_ALERT 2 bytes
I've implemented a VPN app with Packet Tunnel Provider for macOS. To send the packets, I'm using BSD sockets. I noticed that when sending big files (1GB), most of the time the uploading fails, and the relevant errors I see at the console are the following:

    [Extension com.myExtension]: IPC detached NESMVPNSession[Primary Tunnel:My Company - myUserName:6EF9650B-D1DA-418B-B617-AE0874DDCBD3:(null)] in state NESMVPNSessionStateRunning: plugin NEVPNTunnelPlugin(com.MyContainingApp]) did detach from IPC
    [NOTICE] : networking grace period is over for #lifetime
    boringssl_context_message_handler(2257) [C6.1:2][0x1048aeac0] Writing SSL3_RT_ALERT 2 bytes
    boringssl_context_handle_warning_alert(1892) [C6.1:2][0x1048aeac0] write alert, level: warning, description: close notify
    boringssl_session_disconnect(539) [C6.1:2][0x1048aeac0] SSL_shutdown 0
    nw_flow_disconnected [C6.1 20.185.73.23:443 cancelled socket-flow ((null))] Output protocol disconnected
    nw_connection_report_state_with_handler_on_nw_queue [C6] reporting state cancelled
    Connection 6: destroyed
    nw_protocol_boringssl_remove_input_handler(1012) [C6.1:2][0x1048aeac0] nw_protocol_boringssl_remove_input_handler forced true
    nw_protocol_boringssl_remove_input_handler(1030) [C6.1:2][0x1048aeac0] Transferring nw_protocol_boringssl_t handle back into ARC for autorelease

So I'm guessing it's related to "did detach from IPC" or to "SSL3_RT_ALERT 2 bytes", but what's the next step here? How can I try to figure out what's causing this?

P.S.: It seems that the VPN stays connected and functional, it's just the uploading that fails.

Replies: 10 · Boosts: 0 · Views: 2.5k · Activity: May ’22
Signing with SecKeyCreateSignature and verification with OpenSSL
At my app I have a SecKey which I want to sign some Data with, and at my server I need to do the verification process, but this time with OpenSSL. I didn't find any common key or any steps to achieve this between Apple's Security framework and OpenSSL. For example, I've tried the following:

Signing (Apple Security):

    let signedStrCFData = SecKeyCreateSignature(key, .rsaSignatureRaw, plaintextData, &error)

Verifying (OpenSSL):

    ret = RSA_verify(NID_rsaSignature, (const unsigned char *)challenge, (unsigned int)strlen(challenge), challenge_enc, challenge_enc_size, rsa);

Which key to choose is not really important to me (as long as it's a reasonable signing key), so I tried multiple types of keys, but I wasn't able to do it. Any idea what I'm missing here?

Replies: 8 · Boosts: 0 · Views: 1.9k · Activity: Nov ’23
BUG in libdispatch client
I've implemented a custom VPN app for macOS (Network Extension, Packet Tunnel Provider). I got some reports that my app crashed. I asked for the Console logs, and I saw this log:

    MyAppExtension[85331]: BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7f9debe12120[source], ident: 5 / 0x5, handler: 0x107f09ced }

This log appeared multiple times (every couple of hours), each time with a different PID:

    MyAppExtension[85765]: BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7fe76fc1ae70[source], ident: 5 / 0x5, handler: 0x1007d5ced }

Is it what crashed the app? The PID was different each time, so I guess it did crash the app. What info can I get from this message (how to debug it)?

Replies: 4 · Boosts: 0 · Views: 5.2k · Activity: Apr ’21
WKWebView - urlScheme + didFailProvisionalLoadForFrame
I have a scenario where the user needs to log in using SSO, and then the server will use a URL scheme to communicate with my app. If I'm opening an external browser, everything works great. But I tried to use an embedded browser instead (WebView), and for some reason I'm getting this unclear error:

    [ProcessSwapping] 0x11fd863f0 - ProvisionalPageProxy::didFailProvisionalLoadForFrame: pageProxyID=23 webPageID=34, frameID=3, navigationID=4

At the Console I saw more similar issues, like:

    0x11fd863f0 - ProvisionalPageProxy::didFailProvisionalLoadForFrame: pageProxyID=23 webPageID=34, frameID=3, navigationID=4
    <nw_activity 16:1 [E08406EE-456B-4302-913A-6C46229FDFC7] (reporting strategy default) complete (reason cancelled)> complete with reason 4 (cancelled), duration 599ms

How can I tell what the problem is and how to fix it?

P.S. In order to debug/fix it, I tried to implement the WKNavigationDelegate protocol, so I could see that I'm getting this error as well:

    error:Error Domain= Code=0 "Redirection to URL with a scheme that is not HTTP(S)" UserInfo={_WKRecoveryAttempterErrorKey=<WKReloadFrameErrorRecoveryAttempter: 0x600002b1c200>, NSErrorFailingURLStringKey=mycustomurlscheme://someresponse

I'm not sure why the URL scheme must be http(s) in this case.

Topic: Safari & Web · SubTopic: General

Replies: 5 · Boosts: 0 · Views: 11k · Activity: Nov ’21