I've implemented a custom VPN app for macOS (Network Extension, Packet Tunnel Provider). I got some reports that my app crashed. I asked for the Console logs, and I saw this log: MyAppExtension[85331]: BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7f9debe12120[source], ident: 5 / 0x5, handler: 0x107f09ced } This log appeared multiple times (every couple of hours), each time with a different PID: MyAppExtension[85765]: BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7fe76fc1ae70[source], ident: 5 / 0x5, handler: 0x1007d5ced } Is it what crashed the app? The PID was different each time, so I guess it did crash the app. What info can I get from this message (how to debug it)?

I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider). I've configured disconnectOnSleep = false, and at the Provider I've implemented the sleep() and wake() functions. At the wake() func, I'm trying to re-establish the connection, and most of the time it's working well. However, there are times when even after wake() is called, it seems that the interfaces aren't ready/available, and I'm getting "Network is unreachable" errors (I'm working with BSD Sockets). Any idea why the interfaces aren't available at this point, after wake() had been called? Any idea on how to be updated when the interfaces are available?

I'm tyring to implement a Packet Tunnel Provider for OSX.I have the entitlements, but when I try to run the app, it's immediatly crashing.At the console, I can see the following errors:Found 2 provisioning profiles com.apple.developer.networking.networkextension Disallowing com.myapp.MyApp[pid 73450] because its use of the com.apple.developer.networking.networkextension entitlement is not allowed killed com.myapp.MyApp[pid 73450] because its use of the com.apple.developer.networking.networkextension entitlement is not allowed (error code -67050)But as I said, I do have the entitlements, I'm using the correct provision profile, and I followed Eskimo tutorial at https://forums.developer.apple.com/message/75928#75928and everything looks as it should be.Any help would be appreciated!Edit: I created the provisioning profiles again, add them the network entitlements, cleaned the project, deleted the old profiles, and the problem still exists.

Is it possible to distrubite my VPN app (with packet tunnel provider) for MacOS with a standalone installer (such as .pkg/.dmg file) ?I think the answer is that it can't be done, but the reason I'm asking is that there are some clients who want to preinstall the app on some people's Macs instead of sending them to the App Store.So is it possible? or maybe the way to go here is by Apple Configurator ?

I've implemented a VPN app with Packet Tunnel Provider for MacOS and iOS.I have two questions regarding the Extension's sleep/wake functions:1. If the VPN configuration is set with disconnectOnSleep = false, and at the extension I'm sending keep-alives every X seconds, What would happen when the device enters sleep mode? Will it keep sending keep-alive (because the VPN is configured with disconnectOnSleep=false) ?2. If the VPN configuration is set with disconnectOnSleep = true, and also isOnDemandEnabled = true. When the device enters sleep mode, do I need to disconnect the VPN myself? Or the OS would take care of it? And if I should disconnect it myself, the on-demand won't try to turn it on again (because the on-demand) ?

I'm implementing a VPN client using PacketTunnelProvider.I have a C code that talk to my sever, and this C code also has callbacks to my Swift code.In those callbacks I just need to send / receive packets.I do not need to create a tunnel with the server, because the C code does it for me.So my question is, how to get all the packets ? I tried doing it with packetFlow, but without any success.(And as for the moment, i'm trying to do it at the startTunnelWithOptions function, but not sure if it's the right place)Thanks!

I've implemented a VPN app for macOS with Packet Tunnel Provider.I've configured it to be onDemand, which should always connect:targetManager?.isOnDemandEnabled = true let onDemandRuleConnect = NEOnDemandRuleConnect() targetManager?.onDemandRules = [onDemandRuleConnectI've also set it to disconnect on sleep:targetManager?.protocolConfiguration?.disconnectOnSleep = trueThe question:From the logs I have I see that the Mac enters sleep mode, so stopTunnelWithReason is called with reason 15 (The device went to sleep and disconnect).Right after that, the VPN status changed to 'Disconnected' (as expected),but then, right after that, the VPN status changed to 'Connecting' - this is probably because of how I set the onDemand, but I'm not sure of it - if the device enters sleep, why does the system starts the VPN again?I think this behavior is causing me some problems.What's the best way to "fix" this?

I've implemented a VPN app for iOS and macOS using Packet Tunnel Provider.I released a macOS testing version for our QA (development distribution).On two different Macs the app works great, but on a third Mac, the app crashes when the extension tries to send local messages using UNUserNotificationCenter.The user chose (at the containing app) to not allow the app to send local notifications.At the extension, I'm trying to send a notification, but AFAIK this code should do nothing if the user didn't allow it. But it shouldn't crash the app.This is the exception:* Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'bundleProxyForCurrentProcess is nil: mainBundle.bundleURLAnd those are the logs from the Console:default 11:38:21.516927+0300 nesessionmanager nw_network_agent_add_to_interface_internal Successfully added agent to "utun2" default 11:38:21.517414+0300 nesessionmanager NESMVPNSession[Primary Tunnel:My App - someuser_w20.Myqa_bi_weekly:4FBF849B-F210-43B1-B567-43CCCFDA559D:(null)] in state NESMVPNSessionStateStarting: set configuration completed with result 1 default 11:38:21.517894+0300 MyAppExtension [Extension com.myappname.mac.MyApp.MyAppExtension]: reasserting set to 0 default 11:38:21.518080+0300 nesessionmanager NESMVPNSession[Primary Tunnel:My App - someuser_w20.Myqa_bi_weekly:4FBF849B-F210-43B1-B567-43CCCFDA559D:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.myappname.mac.MyApp[413]) status changed to connected default 11:38:21.518140+0300 nesessionmanager NESMVPNSession[Primary Tunnel:My App - someuser_w20.Myqa_bi_weekly:4FBF849B-F210-43B1-B567-43CCCFDA559D:(null)]: Leaving state NESMVPNSessionStateStarting default 11:38:21.518189+0300 nesessionmanager NESMVPNSession[Primary Tunnel:My App - someuser_w20.Myqa_bi_weekly:4FBF849B-F210-43B1-B567-43CCCFDA559D:(null)]: Entering state NESMVPNSessionStateRunning default 11:38:21.518235+0300 nesessionmanager NESMVPNSession[Primary Tunnel:My App - someuser_w20.Myqa_bi_weekly:4FBF849B-F210-43B1-B567-43CCCFDA559D:(null)]: status changed to connected default 11:38:21.519428+0300 configd nw_path_evaluator_start [1AEEC643-2DF1-4261-AC70-E4AB53F87A10 IPv4#e9b1bae6:0 generic, indefinite] path: satisfied (Path is satisfied), interface: utun2, ipv4, dns default 11:38:21.518306+0300 nesessionmanager NESMVPNSession[Primary Tunnel:My App - someuser_w20.Myqa_bi_weekly:4FBF849B-F210-43B1-B567-43CCCFDA559D:(null)]: Updated network agent (active, compulsory, not-user-activiated, not-kernel-activated) default 11:38:21.520052+0300 nesessionmanager NESMVPNSession[Primary Tunnel:My App - someuser_w20.Myqa_bi_weekly:4FBF849B-F210-43B1-B567-43CCCFDA559D:(null)]: Received an IPC establish request from MyApp[506] default 11:38:21.520288+0300 nesessionmanager NESMVPNSession[Primary Tunnel:My App - someuser_w20.Myqa_bi_weekly:4FBF849B-F210-43B1-B567-43CCCFDA559D:(null)] in state NESMVPNSessionStateRunning: received establish IPC message default 11:38:21.521861+0300 neagent Scheduing timer for extension failure/exit for C653C3F5-4B0B-430A-B76A-E3C187F0A116 error 11:38:21.522715+0300 neagent [u 53899132-92DD-4BC5-9C33-D7112356122B:m (null)] [()] Connection to plugin interrupted while in use. default 11:38:21.520565+0300 MyAppExtension no registered bundle with URL default 11:38:21.522779+0300 neagent [u 53899132-92DD-4BC5-9C33-D7112356122B:m (null)] [()] terminating default 11:38:21.521476+0300 nesessionmanager NESMVPNSession[Primary Tunnel:My App - someuser_w20.Myqa_bi_weekly:4FBF849B-F210-43B1-B567-43CCCFDA559D:(null)] in state NESMVPNSessionStateRunning: plugin NEVPNTunnelPlugin(com.myappname.mac.MyApp[413]) started with PID 887 error (null) default 11:38:21.520797+0300 MyAppExtension *** Assertion failure in +[UNUserNotificationCenter currentNotificationCenter], /BuildRoot/Library/Caches/com.apple.xbs/Sources/UserNotifications/UserNotifications-281.6/UNUserNotificationCenter.m:44 default 11:38:21.523380+0300 AirPlayXPCHelper PrimaryIPv4 changed: 10.41.183.51 default 11:38:21.521461+0300 MyAppExtension *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'bundleProxyForCurrentProcess is nil: mainBundle.bundleURL file:///private/var/folders/p5/qjrcgyl50fg2g609bmwhy3zm0000gn/T/AppTranslocation/2E09CAAF-06B1-44D4-90DB-E90EA54C806D/d/MyApp.app/Contents/PlugIns/MyAppExtension.appex/' *** First throw call stack: ( 0 CoreFoundation 0x00007fff2cff538b __exceptionPreprocess + 250 1 libobjc.A.dylib 0x00007fff6318a552 objc_exception_throw + 48 2 CoreFoundation 0x00007fff2d01e8b8 +[NSException raise:format:arguments:] + 88 3 Foundation 0x00007fff2f73b221 -[NSAssertionHandler handleFailureInMethod:object:file:lineNumber:description:] + 191 4 UserNotifications 0x00007fff3a942919 __53+[UNUserNotificationCenter currentNotificationCenter]_block_invoke + 922 5 libdispatch.dylib 0x00007fff6449350e _dispatch_client_callout + 8 6 l<…> default 11:38:21.523612+0300 AirPlayXPCHelper PrimaryIPv6 changed: << AF_UNSPEC >> default 11:38:21.523597+0300 sharingd PrimaryIP changed: IPv4 10.41.183.51, IPv6 << AF_UNSPEC >> error 11:38:21.523062+0300 neagent Extension com.myappname.mac.MyApp.MyAppExtension died unexpectedly default 11:38:21.524744+0300 AirPlayXPCHelper PrimaryIP changed: IPv4 10.41.183.51, IPv6 << AF_UNSPEC >> error 11:38:21.524288+0300 neagent [u 53899132-92DD-4BC5-9C33-D7112356122B:m (null)] [()] Connection to plugin invalidated while in use. default 11:38:21.525151+0300 UserEventAgent Received notification com.apple.system.config.network_change.nwi default 11:38:21.524935+0300 mDNSResponder default 11:38:21.525321+0300 UserEventAgent Not generating a network changed event because no configurations are present that need to react to network changes default 11:38:21.525027+0300 mDNSResponder default 11:38:21.525130+0300 mDNSResponder default 11:38:21.525191+0300 mDNSResponder default 11:38:21.525809+0300 UserEventAgent Received notification com.apple.system.config.network_change.dns default 11:38:21.525945+0300 UserEventAgent Not generating a network changed event because no configurations are present that need to react to network changes default 11:38:21.525971+0300 mDNSResponder default 11:38:21.526012+0300 mDNSResponder default 11:38:21.526062+0300 mDNSResponder default 11:38:21.526089+0300 mDNSResponder default 11:38:21.526120+0300 mDNSResponder default 11:38:21.526350+0300 mDNSResponder default 11:38:21.526381+0300 UserEventAgent Received notification com.apple.system.config.network_change default 11:38:21.526380+0300 mDNSResponder default 11:38:21.526479+0300 UserEventAgent Not generating a network changed event because no configurations are present that need to react to network changes default 11:38:21.526568+0300 mDNSResponder [Q7731] Sent UDP DNS Message 58 bytes from :56624 to :53 via utun2 (0xf) default 11:38:21.526623+0300 mDNSResponder [Q7731] DNS Query (58) (flags 0100) RCODE: NoErr (0) RD: 0/0/0 default 11:38:21.526707+0300 mDNSResponder [Q9943] Sent UDP DNS Message 42 bytes from :55555 to :53 via utun2 (0xf) default 11:38:21.526742+0300 mDNSResponder [Q9943] DNS Query (42) (flags 0100) RCODE: NoErr (0) RD: 0/0/0 default 11:38:21.527012+0300 mDNSResponder [Q14808] Sent UDP DNS Message 59 bytes from :63932 to :53 via utun2 (0xf) default 11:38:21.527050+0300 mDNSResponder [Q14808] DNS Query (59) (flags 0100) RCODE: NoErr (0) RD: 0/0/0 default 11:38:21.527159+0300 mDNSResponder [R2723] DNSServiceCreateConnection STOP PID[887](MyAppExten) default 11:38:21.527358+0300 mDNSResponder [R2732] DNSServiceCreateConnection STOP PID[99](configd) default 11:38:21.527410+0300 mDNSResponder [R2733] DNSServiceQueryRecord(4000D000, 0, , PTR) STOP PID[99](configd) default 11:38:21.527611+0300 mDNSResponder [R2734] DNSServiceCreateConnection START PID[99](configd) default 11:38:21.527728+0300 mDNSResponder [R2735] DNSServiceQueryRecord(4000D000, 0, , PTR) START PID[99](configd) default 11:38:21.527770+0300 mDNSResponder [R2735->Q60525] GetServerForQuestion: 0x7f8e6d8120b8 DNS server (0x7f8e6be0a940) :53 (Penalty Time Left 0) (Scope None:0x0:-1) for (PTR) default 11:38:21.528040+0300 mDNSResponder [Q60525] Sent UDP DNS Message 43 bytes from :55847 to :53 via utun2 (0xf) default 11:38:21.528074+0300 mDNSResponder [Q60525] DNS Query (43) (flags 0100) RCODE: NoErr (0) RD: 0/0/0 default 11:38:21.528413+0300 UserEventAgent Current file handles for com.apple.networkextension.file-descriptor-maintainer: ( "Network Agent Registration socket (144) 76B85C01-4206-46A4-ABDD-9E4C4AC0A326 E9D4862E-136E-4149-83CA-2FCCFC2CF016 1 (null) agent flags 0", "Policy Session MasterSession socket (151)", "Policy Session LowPrioritySession socket (159)", "Network Agent Registration socket (160) CECBD9A6-2BC0-429E-ACB8-593CAB46A8C6 95893C68-DAB9-427C-A0A6-B95CCDA2CA9F 1 (null) agent flags 0", "Network Agent Registration socket (161) 4FBF849B-F210-43B1-B567-43CCCFDA559D 71688951-856F-4617-A59E-9D4B71D812AE 1 (null) agent flags 0" ) default 11:38:21.528569+0300 UserEventAgent File Handle Maintainer listening for readable events on Network Agent Registration socket (144) 76B85C01-4206-46A4-ABDD-9E4C4AC0A326 E9D4862E-136E-4149-83CA-2FCCFC2CF016 1 (null) agent flags 0 default 11:38:21.528661+0300 UserEventAgent File Handle Maintainer listening for readable events on Network Agent Registration socket (160) CECBD9A6-2BC0-429E-ACB8-593CAB46A8C6 95893C68-DAB9-427C-A0A6-B95CCDA2CA9F 1 (null) agent flags 0 default 11:38:21.528794+0300 UserEventAgent File Handle Maintainer listening for readable events on Network Agent Registration socket (161) 4FBF849B-F210-43B1-B567-43CCCFDA559D 71688951-856F-4617-A59E-9D4B71D812AE 1 (null) agent flags 0 default 11:38:21.529865+0300 UserEventAgent Current file handles for com.apple.networkextension.file-descriptor-maintainer: ( "Network Agent Registration socket (162) 76B85C01-4206-46A4-ABDD-9E4C4AC0A326 E9D4862E-136E-4149-83CA-2FCCFC2CF016 1 (null) agent flags 0", "Policy Session MasterSession socket (163)", "Policy Session LowPrioritySession socket (164)", "Network Agent Registration socket (165) CECBD9A6-2BC0-429E-ACB8-593CAB46A8C6 95893C68-DAB9-427C-A0A6-B95CCDA2CA9F 1 (null) agent flags 0", "Network Agent Registration socket (167) 4FBF849B-F210-43B1-B567-43CCCFDA559D 71688951-856F-4617-A59E-9D4B71D812AE 1 (null) agent flags 0x1" ) default 11:38:21.530236+0300 UserEventAgent File Handle Maintainer listening for readable events on Network Agent Registration socket (162) 76B85C01-4206-46A4-ABDD-9E4C4AC0A326 E9D4862E-136E-4149-83CA-2FCCFC2CF016 1 (null) agent flags 0 default 11:38:21.530342+0300 UserEventAgent File Handle Maintainer listening for readable events on Network Agent Registration socket (165) CECBD9A6-2BC0-429E-ACB8-593CAB46A8C6 95893C68-DAB9-427C-A0A6-B95CCDA2CA9F 1 (null) agent flags 0 default 11:38:21.530534+0300 UserEventAgent File Handle Maintainer listening for readable events on Network Agent Registration socket (167) 4FBF849B-F210-43B1-B567-43CCCFDA559D 71688951-856F-4617-A59E-9D4B71D812AE 1 (null) agent flags 0x1 default 11:38:21.530710+0300 accountsd " () received" default 11:38:21.531075+0300 dmd Detected network change default 11:38:21.531177+0300 dmd Detected network change default 11:38:21.532351+0300 sharingd "The connection to ACDAccountStore was invalidated." default 11:38:21.533299+0300 nsurlsessiond received network changed event default 11:38:21.533770+0300 nsurlsessiond received network changed event default 11:38:21.536451+0300 symptomsd SCDynamicStore config_callback: k: State:/Network/Global/DNS default 11:38:21.536562+0300 symptomsd SCDynamicStore key: State:/Network/Global/DNS, interfaces: { } default 11:38:21.539227+0300 dmd Detected network change default 11:38:21.540195+0300 ReportCrash Parsing corpse data for pid 887 default 11:38:21.541575+0300 ReportCrash Parsing corpse data for process MyAppExtens [pid 887] error 11:38:21.543133+0300 ReportCrash Invalid receipt [0 bytes] -- [] error 11:38:21.685096+0300 kernel Sandbox: bluetoothd(142) deny(1) mach-lookup com.apple.server.bluetooth default 11:38:22.016202+0300 CommCenter #I On WiFi: true On Cellular: false

I've implemented a custom VPN app for macOS (Packet Tunnel Provider) The VPN has the following conf: disconnectOnSleep = true tunnelProviderManager.isOnDemandEnabled = true tunnelProviderManager.onDemandRules = [NEOnDemandRuleConnect()] So the VPN should be 'almost always-on' - it should connect whenever possible (the only rule is to 'always' connect) Also, the OS should kill the VPN when the Mac enters sleep, and restart it when the Mac awakes. The question: Some customers complained that sometimes after sleep/awake, the Mac loses all traffic. From the logs it seems that the Mac enters sleep, and then immediately the OS restarts the VPN (probably because of the 'connect' rule). This process can happen multiple times in a row: Sleep (disconnect VPN), and then immediately the state is changing to 'connecting' again. Then sleep->connecting, and so on.. How can I prevent this from happening? If the Mac enters sleep, the OS shouldn't restart the VPN. Is it a bug? Can I change something at the on-demand rules to 'make it better' but to keep the same behavior?

I've developed a system-extension custom VPN app for macOS, which is in use by some internal testers. The app works fine, except for one user, which can't connect to the VPN. I saw that on his machine, the system extension is getting terminated, very shortly after he's approving it. Sometime it happens while he's trying to connect, but sometimes it happens even without a connection attempt, he's just approving the sysExt and wait. I saw at the logs the following lines: sysextd: [com.apple.sx:StateChange] **** advancing state from activated_enabling to activated_enabled sysextd: observer for **** reached success: activated_enabled sysextd: [com.apple.sx:XPC] client connection (pid 667) invalidated 2022-01-12 21:45:50.844914+0200 0x26fa Activity 0xf149 496 0 sysextd: (Security) SecTrustEvaluateIfNecessary 2022-01-12 21:45:50.926046+0200 0x26fa Default 0x0 496 0 sysextd: request contains no authorizationref 2022-01-12 21:45:50.926390+0200 0x26fa Default 0x0 496 0 sysextd: returning cdhash for arbitrary arch x86_64 of extension **** sysextd: [com.apple.sx:XPC] client connection (pid 1103) invalidated nesessionmanager: [com.apple.networkextension:] Adding event subscription 775 for provider *** with extension point com.apple.networkextension.packet-tunnel ... ... sysextd: received request to remove MDM payload with UUID **** sysextd: removed MDM payload with UUID **** sysextd: MDM payload change results in changed decision for Extension **** from Allow to UserOption sysextd: deactivateExtension called for **** in state "activated_enabled" sysextd: [com.apple.sx:StateChange] extension **** advancing state from activated_enabled to terminating_for_uninstall Is this issue related somehow to MDM profiles? Is it related to "client connection invalidated" ? And what is this thing? How can I debug it/ understand where's the problem?

I've developed a custom VPN system extension (macOS, Packet Tunnel Provider). On a first installation, the user has to allow installation of the system extension (via  Security & Privacy). My question is, what should happen when the user updates the app to a newer version - will he get the 'allow system extension installation' popup again? Or is it a 'one time popup' only?

I have some questions regarding life cycle of Packet Tunnel Provider: I have some static vars at the PacketTunnelProvider. The user connected to the VPN, then disconnected, so I called the relevant compilation handler. After some time, the user will start VPN again, PacketTunnelProvider will be recreated. Will it use the same class as before, and all static vars will hold their last value? Or would it create a new PacketTunnelProvider? Is it the same behavior for Network Extension vs System Extension? Is it the same behavior for macOS vs iOS? What about running threads? If I created a thread, and then I called the completion handler, will this thread continue to run? P.S If I'm adding exit(0) before 'quitting' the Packet Tunnel Provider, it will force cleaning the memory. But I guess it's not a good behavior for a System Extension to use exit(0) class PacketTunnelProvider: NEPacketTunnelProvider { static var isInitiated = false ... } override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) { ... PacketTunnelProvider.isInitiated = true ...

I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider). My question is related to the tunnel's DNS servers: I would like that even when a split-tunnel is enabled, all DNS queries will reach the tunnel's DNS, but I'm aware that this case is not 'working well', and the Packet Tunnel Provider is not supposed to capture all DNS queries, see those threads:https://developer.apple.com/forums/thread/662443, https://developer.apple.com/forums/thread/661601 So as a workaround, on a split-tunnel I have a list of 'match domains', and 'search domains'. But now it seems that the default interface will answer those queries as well, and they still won't reach the tunnel's DNS. To verify this, I connected with the VPN, and when I checked 'scutil --dns', I got the list of resolvers, where resolver #1, wasn't the utun (it was en7), and it handled all the 'match domain'/'search domains'. Any idea how to force some/add DNS queries to the tunnel's DNS even when for a split tunnel?

I've implemented a custom system extension VPN for macOS using a Packet Tunnel Provider. At the Protocol Configuration, the 'includeAllNetworks' flag is unset. At the provider, I included all routes (IPv4 default route). What is the expected behavior for LAN traffic? Should the LAN traffic go via the VPN? By 'LAN traffic', I'm referring to local hosts, ssh, printer access, etc.

I've implemented a custom system extension VPN for macOS using Packet Tunnel Provider. The VPN is configured with on-demand, and a rule to always connect whenever there's traffic: onDemandRules = [NEOnDemandRuleConnect()] As expected, if the VPN isn't active, all traffic gets blocked until it is ready. Not expected: In the following scenario, there is some 'traffic leak': Use only WiFi (not wired cable) Connect the VPN Disable the WiFi and wait for the VPN to disconnect Enable the WiFi Some packets are routed outside the VPN, and aren't being blocked Some moments after, all traffic will be blocked, and the VPN will start the 'connecting' process. Is the above scenario a 'known' issue? Can it be a race condition in the OS, where some packets can be sent after the network is brought back before the VPN process starts? Is there any way to fix this problem? P.S: I'm not using flags such as 'capture all network'