I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider). I've configured disconnectOnSleep = false, and at the Provider I've implemented the sleep() and wake() functions. At the wake() func, I'm trying to re-establish the connection, and most of the time it's working well. However, there are times when even after wake() is called, it seems that the interfaces aren't ready/available, and I'm getting "Network is unreachable" errors (I'm working with BSD Sockets). Any idea why the interfaces aren't available at this point, after wake() had been called? Any idea on how to be updated when the interfaces are available?

I'm tyring to implement a Packet Tunnel Provider for OSX.I have the entitlements, but when I try to run the app, it's immediatly crashing.At the console, I can see the following errors:Found 2 provisioning profiles com.apple.developer.networking.networkextension Disallowing com.myapp.MyApp[pid 73450] because its use of the com.apple.developer.networking.networkextension entitlement is not allowed killed com.myapp.MyApp[pid 73450] because its use of the com.apple.developer.networking.networkextension entitlement is not allowed (error code -67050)But as I said, I do have the entitlements, I'm using the correct provision profile, and I followed Eskimo tutorial at https://forums.developer.apple.com/message/75928#75928and everything looks as it should be.Any help would be appreciated!Edit: I created the provisioning profiles again, add them the network entitlements, cleaned the project, deleted the old profiles, and the problem still exists.

I've implemented a VPN app with Packet Tunnel Provider for MacOS and iOS.I have two questions regarding the Extension's sleep/wake functions:1. If the VPN configuration is set with disconnectOnSleep = false, and at the extension I'm sending keep-alives every X seconds, What would happen when the device enters sleep mode? Will it keep sending keep-alive (because the VPN is configured with disconnectOnSleep=false) ?2. If the VPN configuration is set with disconnectOnSleep = true, and also isOnDemandEnabled = true. When the device enters sleep mode, do I need to disconnect the VPN myself? Or the OS would take care of it? And if I should disconnect it myself, the on-demand won't try to turn it on again (because the on-demand) ?

I'm implementing a VPN client using PacketTunnelProvider.I have a C code that talk to my sever, and this C code also has callbacks to my Swift code.In those callbacks I just need to send / receive packets.I do not need to create a tunnel with the server, because the C code does it for me.So my question is, how to get all the packets ? I tried doing it with packetFlow, but without any success.(And as for the moment, i'm trying to do it at the startTunnelWithOptions function, but not sure if it's the right place)Thanks!

I've implemented a custom VPN app for macOS (Packet Tunnel Provider) The VPN has the following conf: disconnectOnSleep = true tunnelProviderManager.isOnDemandEnabled = true tunnelProviderManager.onDemandRules = [NEOnDemandRuleConnect()] So the VPN should be 'almost always-on' - it should connect whenever possible (the only rule is to 'always' connect) Also, the OS should kill the VPN when the Mac enters sleep, and restart it when the Mac awakes. The question: Some customers complained that sometimes after sleep/awake, the Mac loses all traffic. From the logs it seems that the Mac enters sleep, and then immediately the OS restarts the VPN (probably because of the 'connect' rule). This process can happen multiple times in a row: Sleep (disconnect VPN), and then immediately the state is changing to 'connecting' again. Then sleep->connecting, and so on.. How can I prevent this from happening? If the Mac enters sleep, the OS shouldn't restart the VPN. Is it a bug? Can I change something at the on-demand rules to 'make it better' but to keep the same behavior?

I've developed a system-extension custom VPN app for macOS, which is in use by some internal testers. The app works fine, except for one user, which can't connect to the VPN. I saw that on his machine, the system extension is getting terminated, very shortly after he's approving it. Sometime it happens while he's trying to connect, but sometimes it happens even without a connection attempt, he's just approving the sysExt and wait. I saw at the logs the following lines: sysextd: [com.apple.sx:StateChange] **** advancing state from activated_enabling to activated_enabled sysextd: observer for **** reached success: activated_enabled sysextd: [com.apple.sx:XPC] client connection (pid 667) invalidated 2022-01-12 21:45:50.844914+0200 0x26fa Activity 0xf149 496 0 sysextd: (Security) SecTrustEvaluateIfNecessary 2022-01-12 21:45:50.926046+0200 0x26fa Default 0x0 496 0 sysextd: request contains no authorizationref 2022-01-12 21:45:50.926390+0200 0x26fa Default 0x0 496 0 sysextd: returning cdhash for arbitrary arch x86_64 of extension **** sysextd: [com.apple.sx:XPC] client connection (pid 1103) invalidated nesessionmanager: [com.apple.networkextension:] Adding event subscription 775 for provider *** with extension point com.apple.networkextension.packet-tunnel ... ... sysextd: received request to remove MDM payload with UUID **** sysextd: removed MDM payload with UUID **** sysextd: MDM payload change results in changed decision for Extension **** from Allow to UserOption sysextd: deactivateExtension called for **** in state "activated_enabled" sysextd: [com.apple.sx:StateChange] extension **** advancing state from activated_enabled to terminating_for_uninstall Is this issue related somehow to MDM profiles? Is it related to "client connection invalidated" ? And what is this thing? How can I debug it/ understand where's the problem?

I've developed a custom VPN system extension (macOS, Packet Tunnel Provider). On a first installation, the user has to allow installation of the system extension (via  Security & Privacy). My question is, what should happen when the user updates the app to a newer version - will he get the 'allow system extension installation' popup again? Or is it a 'one time popup' only?

I have some questions regarding life cycle of Packet Tunnel Provider: I have some static vars at the PacketTunnelProvider. The user connected to the VPN, then disconnected, so I called the relevant compilation handler. After some time, the user will start VPN again, PacketTunnelProvider will be recreated. Will it use the same class as before, and all static vars will hold their last value? Or would it create a new PacketTunnelProvider? Is it the same behavior for Network Extension vs System Extension? Is it the same behavior for macOS vs iOS? What about running threads? If I created a thread, and then I called the completion handler, will this thread continue to run? P.S If I'm adding exit(0) before 'quitting' the Packet Tunnel Provider, it will force cleaning the memory. But I guess it's not a good behavior for a System Extension to use exit(0) class PacketTunnelProvider: NEPacketTunnelProvider { static var isInitiated = false ... } override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) { ... PacketTunnelProvider.isInitiated = true ...

I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider). My question is related to the tunnel's DNS servers: I would like that even when a split-tunnel is enabled, all DNS queries will reach the tunnel's DNS, but I'm aware that this case is not 'working well', and the Packet Tunnel Provider is not supposed to capture all DNS queries, see those threads:https://developer.apple.com/forums/thread/662443, https://developer.apple.com/forums/thread/661601 So as a workaround, on a split-tunnel I have a list of 'match domains', and 'search domains'. But now it seems that the default interface will answer those queries as well, and they still won't reach the tunnel's DNS. To verify this, I connected with the VPN, and when I checked 'scutil --dns', I got the list of resolvers, where resolver #1, wasn't the utun (it was en7), and it handled all the 'match domain'/'search domains'. Any idea how to force some/add DNS queries to the tunnel's DNS even when for a split tunnel?

I've implemented a custom system extension VPN for macOS using a Packet Tunnel Provider. At the Protocol Configuration, the 'includeAllNetworks' flag is unset. At the provider, I included all routes (IPv4 default route). What is the expected behavior for LAN traffic? Should the LAN traffic go via the VPN? By 'LAN traffic', I'm referring to local hosts, ssh, printer access, etc.

I've implemented a custom system extension VPN for macOS using Packet Tunnel Provider. The VPN is configured with on-demand, and a rule to always connect whenever there's traffic: onDemandRules = [NEOnDemandRuleConnect()] As expected, if the VPN isn't active, all traffic gets blocked until it is ready. Not expected: In the following scenario, there is some 'traffic leak': Use only WiFi (not wired cable) Connect the VPN Disable the WiFi and wait for the VPN to disconnect Enable the WiFi Some packets are routed outside the VPN, and aren't being blocked Some moments after, all traffic will be blocked, and the VPN will start the 'connecting' process. Is the above scenario a 'known' issue? Can it be a race condition in the OS, where some packets can be sent after the network is brought back before the VPN process starts? Is there any way to fix this problem? P.S: I'm not using flags such as 'capture all network'

-I've implemented a VPN app (with Packet Tunnel Provider).I have an ovserver for NEVPNStatusDidChangeNotification.When the user press the "connect" button, 90 % of the time I get the notifications where the connection.status goes from Disconnected to Connecting and then to Connected.But I've already encounterd several cases, where the connection succeeded, but the notifications I got wereDisconnected -> Connecting - > InvalidAnd as I said, the connection been made and the VPN had been activated, so why I got the Invalid state ?Edit:Those are some of the system logs:name = <40-char-str> identifier = some-identifier-I-dont-know-1 applicationName = myApp application = myAppBundle grade = 1 VPN = { enabled = YES onDemandEnabled = YES onDemandRules = ( { action = connect interfaceTypeMatch = any }, ) protocol = { type = plugin identifier = some-identifier-I-dont-know-2 serverAddress = <16-char-str> username = <24-char-str> password = { identifier = some-identifier-I-dont-know-1 domain = user } passwordReference = <67656e70 00000000 00000417> identityDataImported = NO disconnectOnSleep = YES disconnectOnIdle = NO disconnectOUpdated network agent (inactive)vpnStatusDidChange: InvalidNESMVPNSession in state NESMVPNSessionStateIdle: update configuration NESMVPNSession: Received a start command from myApp

I've developed a VPN app for iOS and macOS with Packet Tunnel Provider.Once the VPN is enabled all the traffic should go via the VPN. The VPN is configured to be on demand (isOnDemandEnabled is set), with a rule to always connect.There are some cases where this configuration might cause a problem -When the user goes to a place with a captive portal, the VPN won't be able to connect (because the user will first need to login to the captive portal), but the user also won't be able to login to the captive portal (because all traffic triggers the network extension).In such a case, I need that the captive portal will be shown to the user, and I also need to exclude at least some of the traffic from the VPN, so the user would be able to login to the captive portal (but I don't want to open all traffic, just the traffic needed for the login).Is there any API for those cases? If the answer is no, I'll try to detect this case at the Extension. But I won't be able to open the captive portal from there, so the only thing I would be able to do is to display a message to the user, correct?

I've implemented a VPN app with Packet Tunnel Provider for macOS.To send the packets, I'm using BSD sockets.I noticed that when sending big files (1GB), in most of the time the uploading fails, and the relevant errors I see at the console are the following errors:[Extension com.myExtension]: IPC detached NESMVPNSession[Primary Tunnel:My Company - myUserName:6EF9650B-D1DA-418B-B617-AE0874DDCBD3:(null)] in state NESMVPNSessionStateRunning: plugin NEVPNTunnelPlugin(com.MyContainingApp]) did detach from IPC [NOTICE] : networking grace period is over for #lifetime boringssl_context_message_handler(2257) [C6.1:2][0x1048aeac0] Writing SSL3_RT_ALERT 2 bytes boringssl_context_handle_warning_alert(1892) [C6.1:2][0x1048aeac0] write alert, level: warning, description: close notify boringssl_session_disconnect(539) [C6.1:2][0x1048aeac0] SSL_shutdown 0 nw_flow_disconnected [C6.1 20.185.73.23:443 cancelled socket-flow ((null))] Output protocol disconnected nw_connection_report_state_with_handler_on_nw_queue [C6] reporting state cancelled Connection 6: destroyed nw_protocol_boringssl_remove_input_handler(1012) [C6.1:2][0x1048aeac0] nw_protocol_boringssl_remove_input_handler forced true nw_protocol_boringssl_remove_input_handler(1030) [C6.1:2][0x1048aeac0] Transferring nw_protocol_boringssl_t handle back into ARC for autoreleaseSo I'm guessing it's related to "did detach from IPC" or to "SSL3_RT_ALERT 2 bytes", but what's the next step here? How can I try to figure out what's causing this?P.S: It seems that the VPN stays connected and functional, it's just the uploading that fails.

I configured my VPN to be 'on-demand' and I restarted my Mac. After the restart, my Packet Tunnel Provider started (it was called by the OS, because of the on-demand). The containing app is inactive - it's open (the icon is at the menu bar, with a circle at the bottom) but 'applicationDidFinishLaunching' is not being called. Is there any way I can 'force start' the containing app? Any way will be good - if it's by sending a message from the provider, or if it's possible to programmatically ask the OS to start the containing app after Mac restart..