Is it possible to use a custom VPN (Packet Tunnel Provider, for macOS) and inspect traffic via a proxy tool like Charles (https://developer.apple.com/documentation/network/taking_advantage_of_third-party_network_debugging_tools) at the same time?
Sorry for the duplicate -
I added a comment on an old post, but it's tagged only with 'System Extension' and without 'Network Extension', so I'm posting it here as well:
Original post:
https://developer.apple.com/forums/thread/133933?login=true&page=1#694688022
My question:
Bumping this old thread - I have the same scenario: I created a VPN + Certificate payload, installed it, and now I have a VPN conf which I can access only from the containing app, but I need to access it from the system extension. As I read above it's not possible, I send messages between the extension and the app, and it worked fine for the SecCertificate, which I sent as Data to the extension (using SecCertificateCopyData() and sendProviderMessage functions).
The problem is that at the extension I also need the SecKey, and I couldn't find any way to pass it from the containing app to the extension. I even tried to pass it via IPC, but it crashed ("This coder only encodes objects that adopt NSSecureCoding").
Is there any way to pass SecKey to the Extension, or to access it directly from there?
As I mentioned in this thread
https://developer.apple.com/forums/thread/695207
I want my containing app to be active after Mac restarts.
I thought about something that could work - I wrote a "helper" embedded app which will be added to the login items, and after a restart this "helper" app will open the containing app.
However, after archiving the project (with developer ID, it will be distributed outside the App Store), I see the following error at the Console:
Non-fatal error enumerating at , continuing: Error Domain=NSCocoaErrorDomain Code=260 "The file “PlugIns” couldn’t be opened because there is no such file." UserInfo={NSURL=PlugIns/ -- file:///Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/, NSFilePath=/Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/PlugIns, NSUnderlyingError=0x7fc5cb02c6f0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}
I see that there's really no plugin folder, but why?
Is it a certificate/signing issue?
Topic:
App & System Services
SubTopic:
Drivers
Tags:
System Extensions
Developer ID
Network Extension
I've developed a system-extension for macOS (Packet Tunnel Provider, Developer ID, distribution outside the App Store).
There's a scenario where I want to present some webpages with WebKit. It works fine, but on one of my testing Macs the webpage displays the page for a split second, and then becomes white.
I saw that the WebKit crashed, but I'm not sure why.
I attached the crash report.
Also, at the crash report, I saw this:
"is_first_party":1,"bug_type":"309"
Did my application cause this crash? Any advice on how to debug it or on how I can prevent it from happening?
com.apple.WebKit.WebContent-2021-12-12-063048.txt
I've developed a system-extension custom VPN app for macOS. As expected, the containing app is running under 'user' permissions, and the system-extension is running under 'root' permissions.
The containing app and the sys-ext can create (and save) log files.
The containing app has a button to 'collect' the logs from both the containing app and from the extension.
However, it can't really access the extension's logs since they're under root.
What I'm doing is asking the extension to send the logs via IPC,
but what should I do if the VPN is not connected? In this case the extension is not running, and I can't get its logs.
Is there another way to get the file, or maybe to write logs from the extension to somewhere directly accessible to the containing app?
Hi
I've developed a custom VPN app for macOS (system-extension, Packet Tunnel Provider), and I have the following problem:
I'm connected via Ethernet only (not Wi-Fi). I configured HTTP and HTTPS proxies on the Ethernet interface.
I'm connecting to my VPN:
If I'm using a 'full tunnel' - the traffic won't pass to the Ethernet proxies; this is expected.
If I'm using a split tunnel - even the routes included in the tunnel will reach the Ethernet proxies; this is not expected.
Am I right that this behavior is not expected? How can I fix this issue?
I've developed a custom VPN system extension (macOS, Packet Tunnel Provider).
On a first installation, the user has to allow installation of the system extension (via Security & Privacy).
My question is, what should happen when the user updates the app to a newer version - will he get the 'allow system extension installation' popup again? Or is it a 'one time popup' only?
I have a question very similar to this one, from 5 years ago:
https://developer.apple.com/forums/thread/75710
I have a macOS app, in which I have a webview, which loads a login page for the user.
The user can log in using an SSO, and the SSO login process might require verifying that a certificate is installed on the user's machine.
The certificate and the user login credentials aren't related to my app in any way. The certificate should be already installed at the Keychain.
My question is related to the function
webView(_ webView: WKWebView, didReceive challenge:)
Should I implement this function? As I said, the certificate is not related to my app, so it would be better to let the OS handle the challenge, if possible.
In case I have to implement this function, is there any way for my app to answer this challenge? Any example on how to do it?
I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider).
I've configured disconnectOnSleep = false, and in the Provider I've implemented the sleep() and wake() functions.
In the wake() func, I'm trying to re-establish the connection, and most of the time it works well.
However, there are times when even after wake() is called, it seems that the interfaces aren't ready/available, and I'm getting "Network is unreachable" errors (I'm working with BSD sockets).
Any idea why the interfaces aren't available at this point, after wake() had been called?
Any idea on how to be updated when the interfaces are available?
Is it possible to distribute my custom system extension VPN for macOS via the App Store? Or can the system extension be distributed only via 'independent' distribution?
Now that the flag includeAllNetworks is working as expected (see https://developer.apple.com/forums/thread/722156), I tried to set it and also the ExcludeLocalNetworks flag.
As described in the documentation, I'm able to use AirPlay and AirDrop while being connected, but what I was hoping for was to exclude from the tunnel all the LAN traffic, including pings to local hosts, ssh, printer access, etc.
Isn't it what ExcludeLocalNetworks should accomplish? If not, how can I exclude LAN traffic from a full tunnel (i.e. not a split tunnel)?
[Custom VPN, macOS, Packet Tunnel Provider, system extension]
I downloaded the ES sys-ext sample project. I built the 'NOTIFY' extension, and I was able to install it. However, it doesn't seem to work (or - it doesn't report anything).
This is what I did:
I downloaded the project
I renamed the bundle IDs
I disabled SIP
I tried both signing options - let 'Xcode automatically manage signing', and I also tried to use my 'Developer ID'
I moved the app to the Applications folder
I granted the 'Full Disk Access' permission to the extension
I verified that the extension is running
I did not get the needed entitlement yet, but since SIP is disabled, I don't think it's a problem
I did get the message 'Successfully installed the extension ✅'
At the terminal, I tried to capture relevant logs:
log stream --style compact --predicate 'sender == "myBundleId"'
(I tried it with the app bundleID, and with the extension's bundleId)
And yet, 'ps' triggers no logs.
At the Console, I get those messages:
"Unsatisfied entitlements: com.apple.developer.endpoint-security.client"
Disallowing: myBundleId
amfid: Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=, unsatisfiedEntitlements=, NSLocalizedDescription=No matching profile found}
Any idea where the problem is?
I've implemented a custom system extension VPN for macOS using a Packet Tunnel Provider.
In the Protocol Configuration, the 'includeAllNetworks' flag is unset.
In the provider, I included all routes (IPv4 default route).
What is the expected behavior for LAN traffic? Should the LAN traffic go via the VPN?
By 'LAN traffic', I'm referring to local hosts, ssh, printer access, etc.
I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider, Developer ID). My tunneling logic uses BSD sockets.
My VPN is configured with on-demand and should always connect when there's traffic:
targetManager?.isOnDemandEnabled = true
targetManager?.onDemandRules = [NEOnDemandRuleConnect()]
I have encountered some issues when the device enters sleep (or waking up from sleep). I've tried two scenarios.
Scenario 1:
protocolConfiguration?.disconnectOnSleep = true
With this flag set, the OS will disconnect the VPN just before entering sleep. However, there were cases when the OS disconnected the VPN but immediately restarted it - probably because of how I defined the on-demand rules. This resulted in the VPN disconnecting, then trying to reconnect, and then the Mac entered sleep.
When the Mac woke up, the VPN didn't work well.
Is there a way to avoid waking up, just before the Mac enters sleep?
Scenario 2:
protocolConfiguration?.disconnectOnSleep = false
Disconnect on sleep is unset, and I've implemented the sleep/wake functions in the provider.
With this configuration, the OS won't disconnect the VPN, so even in sleep the extension should stay 'alive', so it won't have the problem from (1).
But in this case, I had other problems:
On sleep, I'm disconnecting the tunnel. But sometimes, on wake(), all my network calls fail. Are the interfaces still down? How can I detect this case from the system extension?
Is it possible that the OS would call sleep and then quickly call wake?
Is it possible that after sleep, the OS would call the startTunnelWithOptions() function?
Is it possible to restart the extension from a clean state right from the wake() function?
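An added example (not code from the original posts or from Apple) of how a provider can handle the sleep/wake case raised in this post and in the earlier "Network is unreachable" post: rather than reconnecting synchronously inside wake(), it tears the tunnel down in sleep() and on wake waits for NWPathMonitor to report a satisfied path over a physical interface before reconnecting. The teardownTunnel() and reconnectTunnel() helpers are assumed placeholders for the poster's own BSD-socket logic.

```swift
import Network
import NetworkExtension

final class PacketTunnelProvider: NEPacketTunnelProvider {
    private var pathMonitor: NWPathMonitor?
    private let monitorQueue = DispatchQueue(label: "tunnel.path-monitor")

    // Called by the OS before sleep when disconnectOnSleep == false.
    override func sleep(completionHandler: @escaping () -> Void) {
        pathMonitor?.cancel()
        pathMonitor = nil
        teardownTunnel()   // close sockets now instead of leaving half-open state across sleep
        completionHandler()
    }

    // Called on wake. Interfaces are often not usable yet, so do not reconnect here directly.
    override func wake() {
        reasserting = true // tells the system the tunnel is re-establishing, not failed
        let monitor = NWPathMonitor()
        pathMonitor = monitor
        monitor.pathUpdateHandler = { [weak self] path in
            guard let self = self, path.status == .satisfied else { return }
            // Ignore paths that are only "satisfied" via the provider's own utun (type .other):
            // require a real wired or Wi-Fi interface before reconnecting.
            let hasPhysicalInterface = path.availableInterfaces.contains {
                $0.type == .wiredEthernet || $0.type == .wifi
            }
            guard hasPhysicalInterface else { return }
            monitor.cancel()
            self.pathMonitor = nil
            self.reconnectTunnel()
            self.reasserting = false
        }
        monitor.start(queue: monitorQueue)
    }

    // Assumed placeholder: close the BSD sockets and stop reading from packetFlow.
    private func teardownTunnel() { }

    // Assumed placeholder: re-resolve the server, reopen the sockets, resume packetFlow reads.
    private func reconnectTunnel() { }
}
```

Because wake() returns immediately and the reconnect runs from the monitor's callback, a quick sleep/wake pair simply cancels and restarts the monitor rather than racing two reconnect attempts.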
I've implemented a custom system extension VPN for macOS, using Packet Tunnel Provider.
I have an XPC connection, from the containing app to the (system) extension.
What is the expected behavior after the Mac's sleep/wake?
Will the same XPC remain valid? Should I start a new connection?