Is it possible to use a custom VPN (Packet Tunnel Provider, for macOS) and inspect traffic via a proxy tool like Charles (https://developer.apple.com/documentation/network/taking_advantage_of_third-party_network_debugging_tools) at the same time ?

Sry for the duplicate - I added a comment on an old post, but it's tagged only with 'System Extension' and without 'Network Extension', so I'm posting it here as well: Original post: https://developer.apple.com/forums/thread/133933?login=true&page=1#694688022 My question: Bumping this old thread - I have the same scenario, I created a VPN + Certificate payload, installed it, and now I have a VPN conf which I can access to only from the containing app, but I need to access it from the system-extension. As I read above it's not possible, I send messages between the extension and the app, and it worked fine for the SecCertificate, which I sent as a Data to the extension (using SecCertificateCopyData() and sendProviderMessage functions). The problem is that at the extension I need also the SecKey, and I couldn't find any way to pass it from the containing app to the extension. I even tried to pass it via IPC, but it crashed ( "This coder only encodes objects that adopt NSSecureCoding"). Is there any way to pass SecKey to the Extension, or to access it directly from there?

I configured my VPN to be 'on-demand' and I restarted my Mac. After the restart, my Packet Tunnel Provider started (it was called by the OS, because of the on-demand). The containing app is inactive - it's open (the icon is at the menu bar, with a circle at the bottom) but 'applicationDidFinishLaunching' is not being called. Is there any way I can 'force start' the containing app? Any way will be good - if it's by sending a message from the provider, or if it's possible to programmatically ask the OS to start the containing app after Mac restart..

As I mentioned in this thread https://developer.apple.com/forums/thread/695207 I want my containing app to be active after Mac restarts. I thought about something that could work - I wrote a "helper" embedded app which will be added to the login items, and after a restart this "helper" app will open the containing app. However, after archiving the project (with developer ID, it will be distributed outside the App Store), I see the following error at the Console: Non-fatal error enumerating at , continuing: Error Domain=NSCocoaErrorDomain Code=260 "The file “PlugIns” couldn’t be opened because there is no such file." UserInfo={NSURL=PlugIns/ -- file:///Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/, NSFilePath=/Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/PlugIns, NSUnderlyingError=0x7fc5cb02c6f0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}} I see that there's really no plugin folder, but why? Is it a certificate/signing issue?

I've developed a system-extension for macOS (Packet Tunnel Provider, Developer ID, distribution outside the App Store). There's a scenario where I want to present some webpages with the WebKit. It works fine, but on of my testing Macs the webpage display the page for a split second, and then becomes white. I saw that the WebKit crashed, but I'm not sure why. I attached the crash report. Also, at the crash report, I saw this: "is_first_party":1,"bug_type":"309" Did my application cause this crash? Any advise on how to debug it or on how can I prevent if from happening? com.apple.WebKit.WebContent-2021-12-12-063048.txt

I've developed a system-extension custom VPN app for macOS. As expected, the containing app is running under 'user' permissions, and the system-extension is running under 'root' permissions. The containing app and the sys-ext can create (and save) log files. The containing app has a button to 'collect' the logs from both the containing app and from the extension. However, it can't really access to the extension's logs since it's under root/ What I'm doing is to ask the extension to send the logs via IPC, but what should I do if the VPN is not connected? In this case the extension is not running, and I can't get it's logs. Is there another way to get the file, or maybe to write logs from the extension to somewhere directly accessible to the containing app?

I've developed a system-extension custom VPN app for macOS, which is in use by some internal testers. The app works fine, except for one user, which can't connect to the VPN. I saw that on his machine, the system extension is getting terminated, very shortly after he's approving it. Sometime it happens while he's trying to connect, but sometimes it happens even without a connection attempt, he's just approving the sysExt and wait. I saw at the logs the following lines: sysextd: [com.apple.sx:StateChange] **** advancing state from activated_enabling to activated_enabled sysextd: observer for **** reached success: activated_enabled sysextd: [com.apple.sx:XPC] client connection (pid 667) invalidated 2022-01-12 21:45:50.844914+0200 0x26fa Activity 0xf149 496 0 sysextd: (Security) SecTrustEvaluateIfNecessary 2022-01-12 21:45:50.926046+0200 0x26fa Default 0x0 496 0 sysextd: request contains no authorizationref 2022-01-12 21:45:50.926390+0200 0x26fa Default 0x0 496 0 sysextd: returning cdhash for arbitrary arch x86_64 of extension **** sysextd: [com.apple.sx:XPC] client connection (pid 1103) invalidated nesessionmanager: [com.apple.networkextension:] Adding event subscription 775 for provider *** with extension point com.apple.networkextension.packet-tunnel ... ... sysextd: received request to remove MDM payload with UUID **** sysextd: removed MDM payload with UUID **** sysextd: MDM payload change results in changed decision for Extension **** from Allow to UserOption sysextd: deactivateExtension called for **** in state "activated_enabled" sysextd: [com.apple.sx:StateChange] extension **** advancing state from activated_enabled to terminating_for_uninstall Is this issue related somehow to MDM profiles? Is it related to "client connection invalidated" ? And what is this thing? How can I debug it/ understand where's the problem?

Hi I've developed a custom VPN app for macOS (system-extension, Packet Tunnel Provider), and I have the following problem: I'm connected vie Ethernet only (not Wi-Fi). I configured on the Ethernet interface HTTP and HTTPS proxies. I'm connecting to my VPN: If I'm using a 'full tunnel' - the traffic won't pass to the Ethernet proxies, this is expected If I'm using a split tunnel - even the routes included on the tunnel will reach the Ethernet proxies, this is not expected. Am I right that this behavior is not expected? How can I fix this issue?

I've developed a custom VPN system extension (macOS, Packet Tunnel Provider). On a first installation, the user has to allow installation of the system extension (via  Security & Privacy). My question is, what should happen when the user updates the app to a newer version - will he get the 'allow system extension installation' popup again? Or is it a 'one time popup' only?

I have some questions regarding life cycle of Packet Tunnel Provider: I have some static vars at the PacketTunnelProvider. The user connected to the VPN, then disconnected, so I called the relevant compilation handler. After some time, the user will start VPN again, PacketTunnelProvider will be recreated. Will it use the same class as before, and all static vars will hold their last value? Or would it create a new PacketTunnelProvider? Is it the same behavior for Network Extension vs System Extension? Is it the same behavior for macOS vs iOS? What about running threads? If I created a thread, and then I called the completion handler, will this thread continue to run? P.S If I'm adding exit(0) before 'quitting' the Packet Tunnel Provider, it will force cleaning the memory. But I guess it's not a good behavior for a System Extension to use exit(0) class PacketTunnelProvider: NEPacketTunnelProvider { static var isInitiated = false ... } override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) { ... PacketTunnelProvider.isInitiated = true ...

I've implemented a custom system-extension VPN (Packet Tunnel Provider) for macOS. At the extension, I need to use a 3rd party dynamic lib. The steps I did: Build phases: Copy files, with Frameworks destination Link Binary With Libraries Build Settings: I set 'Dynamic Library Install Name', 'Dynamic Library Install Name Base', and 'Library Search Path' to the lib folder I set 'Header Search Path' to the headers folder But when running the extension, it's crashing with the error Termination Reason: Namespace DYLD, Code 1 Library missing Library not loaded: @loader_path/somelib.dylib And Reason: tried: '/Library/SystemExtensions/A1111-someID-11111/com.myapp.myappSysExtension.systemextension/Contents/MacOS/libwavmodapi.dylib' (no such file), '/usr/local/lib/libwavmodapi.dylib' (no such file), '/usr/lib/libwavmodapi.dylib' (no such file) (terminated at launch; ignore backtrace) Any idea what I'm doing wrong here? Also, is it even possible to use dynamic libs from a sys-ext?

I've implemented a custom VPN system extension for macOS (Packet Tunnel Provider). I created a tunnel, and I have a VPN connection, with the default (IPv4) routes. My question is about sending traffic which was originated at the extension, via the tunnel. Is it possible to create a BSD socket at the extension, and bind it to a specific interface, so the traffic (that was created from the extension) for this socket will be routed via the tunnel?

I have a question very similar to this one, from 5 years ago: https://developer.apple.com/forums/thread/75710 I have a macOS app, in which I have a webview, which loads a login page for the user. The user can log in using an SSO, and the SSO login process might require verifying that a certificate is installed on the user's machine. The certificate and the user login credentials aren't related to my app in any way. The certificate should be already installed at the Keychain. My question is related to the function webView(_ webView: WKWebView, didReceive challenge:) Should I implement this function? As I said, the certificate is not related to my app, so it would be better to let the OS handle the challenge, if possible. In case I have to implement this function, is there any way for my app to answer this challenge? Any example on how to do it?

I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider). I've configured disconnectOnSleep = false, and at the Provider I've implemented the sleep() and wake() functions. At the wake() func, I'm trying to re-establish the connection, and most of the time it's working well. However, there are times when even after wake() is called, it seems that the interfaces aren't ready/available, and I'm getting "Network is unreachable" errors (I'm working with BSD Sockets). Any idea why the interfaces aren't available at this point, after wake() had been called? Any idea on how to be updated when the interfaces are available?

I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider). My question is related to the tunnel's DNS servers: I would like that even when a split-tunnel is enabled, all DNS queries will reach the tunnel's DNS, but I'm aware that this case is not 'working well', and the Packet Tunnel Provider is not supposed to capture all DNS queries, see those threads:https://developer.apple.com/forums/thread/662443, https://developer.apple.com/forums/thread/661601 So as a workaround, on a split-tunnel I have a list of 'match domains', and 'search domains'. But now it seems that the default interface will answer those queries as well, and they still won't reach the tunnel's DNS. To verify this, I connected with the VPN, and when I checked 'scutil --dns', I got the list of resolvers, where resolver #1, wasn't the utun (it was en7), and it handled all the 'match domain'/'search domains'. Any idea how to force some/add DNS queries to the tunnel's DNS even when for a split tunnel?