Now that the flag includeAllNetworks is working as expected (see https://developer.apple.com/forums/thread/722156), I tried to set it and also the ExcludeLocalNetworks flag. As described in the documentation, I'm able to use AirPlay and AirDrop while being connected, but what I was hoping for was to exclude from the tunnel all the LAN traffic, including pings to local hosts, ssh, printer access, etc. Isn't it what ExcludeLocalNetworks should accomplish? If not, how can I exclude LAN traffic from a full tunnel (i.e. not a split tunnel)? [Custom VPN, macOS, Packet Tunnel Provider, system extension]

[Network Extension, Packet Tunnel Provider, iOS, split tunnel] I've implemented a custom network extension app for iOS using Packet Tunnel Provider. A customer enabled a split tunnel, set the tunnel's DNS servers, and added relevant 'search domains' and 'match domains'. Then, he reported an error related to DNS, specifically, DNS Over HTTPS. He noticed that DNS queries were sent over HTTPS. He also has the corresponding app for Mac (Packet Tunnel Provider, macOS, system extension), and everything works fine with the same DNS configuration, and the DNS queries were sent as a 'clear text', not DoH. Is DoH the default behavior on iOS? Is it the default on macOS? Can we somehow change this behavior? Are DoH queries reach the tunnel as plain DNS queries?

Is it possible to have both 'includeAllNetworks' and split-tunnel simultaneously? I want to enable a split tunnel so only some of the traffic will reach the tunnel, but at the same time, to make sure that the above traffic will always reach the tunnel - even if it's coming from some low-level networking API or even if the traffic started before creating the tunnel. Setting the 'includeAllNetworks' flag will help with the above cases, but then I'll get all the traffic via the tunnel without consideration in the split tunnel configuration. (Details: System-extension, PacketTunnelProvider)

The feature of phased release is very useful for our company, but a big minus for us is that the 'Percentage of Users' starts very slow, and at the last two days it's go up very fast. For now what we can do is to start the phased release, pause it after 50% of users get the new version, and after a weak - resume the release. I know it's not the purpose of the pause/resume but we want a better control at the percentages/days of the phase release. Is it possible to change those somehow? Change the percentages per day/ change number of days for the phased release?

I've implemented a custom VPN (Packet Tunnel Provider) for macOS. I'm using lib-curl from the provider. The traffic is not going via the tunnel. Is it possible to pass this traffic to the tunnel? What should happen if I'll set the 'capture all traffic' flag? Will the traffic created from lib-curl at the provider will reach the tunnel?

I've implemented a custom VPN app for macOS (Packet Tunnel Provider, network extension). In my app there's a situation where the user tries to connect (vpn is starting), the server rejects the connection (vpn stops), and the user should enter some code and then the vpn will reconnect again (vpn should start again). Most of the time this works as expected, but every now and then - the second connection (after the user entered the code) is stuck - the VPN goes into 'connecting' state, but it stays as connecting, without changing the state to connected or disconnected. The extension is not starting in this case. I saw those logs at the Console: failed to create the delegate Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 There are more related logs, but I think the above logs are the problematic ones. After this issue, if I'm pressing the 'connect' button again, it will connect without a problem. So I think it's something related to the OS. P.S - I also saw this thread, which looks very similar - https://developer.apple.com/forums/thread/652708?login=true

Is it possible to use a custom VPN (Packet Tunnel Provider, for macOS) and inspect traffic via a proxy tool like Charles (https://developer.apple.com/documentation/network/taking_advantage_of_third-party_network_debugging_tools) at the same time ?

I've developed a system-extension custom VPN app for macOS. As expected, the containing app is running under 'user' permissions, and the system-extension is running under 'root' permissions. The containing app and the sys-ext can create (and save) log files. The containing app has a button to 'collect' the logs from both the containing app and from the extension. However, it can't really access to the extension's logs since it's under root/ What I'm doing is to ask the extension to send the logs via IPC, but what should I do if the VPN is not connected? In this case the extension is not running, and I can't get it's logs. Is there another way to get the file, or maybe to write logs from the extension to somewhere directly accessible to the containing app?

I've implemented a custom VPN system extension for macOS (Packet Tunnel Provider). I created a tunnel, and I have a VPN connection, with the default (IPv4) routes. My question is about sending traffic which was originated at the extension, via the tunnel. Is it possible to create a BSD socket at the extension, and bind it to a specific interface, so the traffic (that was created from the extension) for this socket will be routed via the tunnel?

I have a question very similar to this one, from 5 years ago: https://developer.apple.com/forums/thread/75710 I have a macOS app, in which I have a webview, which loads a login page for the user. The user can log in using an SSO, and the SSO login process might require verifying that a certificate is installed on the user's machine. The certificate and the user login credentials aren't related to my app in any way. The certificate should be already installed at the Keychain. My question is related to the function webView(_ webView: WKWebView, didReceive challenge:) Should I implement this function? As I said, the certificate is not related to my app, so it would be better to let the OS handle the challenge, if possible. In case I have to implement this function, is there any way for my app to answer this challenge? Any example on how to do it?

I've implemented a custom system extension VPN for macOS, using a Packet Tunnel Provider. I saw something suspicious on macOS 15.2.0: When I disconnected my VPN, the UTUN was not being cleared. This results in a lot of UTUNs when the user connects and disconnects multiple times. utun77: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 utun78: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 This happens only on macOS 15.2. I tried the same app on older versions (15.0, 15.1.x), and it didn't reproduce. Can those 'dirty' UTUNs cause a networking problem? Since it happens only on macOS 15.2, is there a bug in this OS version? How can I check if something in my code causes this behavior? How can I 'fix' it or force clean the 'dirty' UTUNs?

I've implemented a custom system extension VPN for macOS, using Packet Tunnel Provider. I have a XPC connection, from the containing app to the (system) extension. What is the expected behavior after the Mac's sleep/wake? Will the same XPC remain valid? Should I start a new connection?

-I've implemented a VPN app (with Packet Tunnel Provider).I have an ovserver for NEVPNStatusDidChangeNotification.When the user press the "connect" button, 90 % of the time I get the notifications where the connection.status goes from Disconnected to Connecting and then to Connected.But I've already encounterd several cases, where the connection succeeded, but the notifications I got wereDisconnected -&amp;gt; Connecting - &amp;gt; InvalidAnd as I said, the connection been made and the VPN had been activated, so why I got the Invalid state ?Edit:Those are some of the system logs:name = &amp;lt;40-char-str&amp;gt; identifier = some-identifier-I-dont-know-1 applicationName = myApp application = myAppBundle grade = 1 VPN = { enabled = YES onDemandEnabled = YES onDemandRules = ( { action = connect interfaceTypeMatch = any }, ) protocol = { type = plugin identifier = some-identifier-I-dont-know-2 serverAddress = &amp;lt;16-char-str&amp;gt; username = &amp;lt;24-char-str&amp;gt; password = { identifier = some-identifier-I-dont-know-1 domain = user } passwordReference = &amp;lt;67656e70 00000000 00000417&amp;gt; identityDataImported = NO disconnectOnSleep = YES disconnectOnIdle = NO disconnectOUpdated network agent (inactive)vpnStatusDidChange: InvalidNESMVPNSession in state NESMVPNSessionStateIdle: update configuration NESMVPNSession: Received a start command from myApp

I've developed a VPN app for iOS and macOS with Packet Tunnel Provider.Once the VPN is enabled all the traffic should go via the VPN. The VPN is configured to be on demand (isOnDemandEnabled is set), with a rule to always connect.There are some cases where this configuration might cause a problem -When the user goes to a place with a captive portal, the VPN won't be able to connect (because the user will first need to login to the captive portal), but the user also won't be able to login to the captive portal (because all traffic triggers the network extension).In such a case, I need that the captive portal will be shown to the user, and I also need to exclude at least some of the traffic from the VPN, so the user would be able to login to the captive portal (but I don't want to open all traffic, just the traffic needed for the login).Is there any API for those cases? If the answer is no, I'll try to detect this case at the Extension. But I won't be able to open the captive portal from there, so the only thing I would be able to do is to display a message to the user, correct?

I've implemented a VPN app with Packet Tunnel Provider for macOS.To send the packets, I'm using BSD sockets.I noticed that when sending big files (1GB), in most of the time the uploading fails, and the relevant errors I see at the console are the following errors:[Extension com.myExtension]: IPC detached NESMVPNSession[Primary Tunnel:My Company - myUserName:6EF9650B-D1DA-418B-B617-AE0874DDCBD3:(null)] in state NESMVPNSessionStateRunning: plugin NEVPNTunnelPlugin(com.MyContainingApp]) did detach from IPC [NOTICE] : networking grace period is over for #lifetime boringssl_context_message_handler(2257) [C6.1:2][0x1048aeac0] Writing SSL3_RT_ALERT 2 bytes boringssl_context_handle_warning_alert(1892) [C6.1:2][0x1048aeac0] write alert, level: warning, description: close notify boringssl_session_disconnect(539) [C6.1:2][0x1048aeac0] SSL_shutdown 0 nw_flow_disconnected [C6.1 20.185.73.23:443 cancelled socket-flow ((null))] Output protocol disconnected nw_connection_report_state_with_handler_on_nw_queue [C6] reporting state cancelled Connection 6: destroyed nw_protocol_boringssl_remove_input_handler(1012) [C6.1:2][0x1048aeac0] nw_protocol_boringssl_remove_input_handler forced true nw_protocol_boringssl_remove_input_handler(1030) [C6.1:2][0x1048aeac0] Transferring nw_protocol_boringssl_t handle back into ARC for autoreleaseSo I'm guessing it's related to "did detach from IPC" or to "SSL3_RT_ALERT 2 bytes", but what's the next step here? How can I try to figure out what's causing this?P.S: It seems that the VPN stays connected and functional, it's just the uploading that fails.