Thanks @meaton, but this is exactly what I've asked - I don't need to capture all DNS traffic, so I have a split tunnel for DNS, but it still not working well. I'm copying (and editing a bit) the relevant part from my original question: So as a workaround, on a split-tunnel I have a list of 'match domains', and 'search domains'. But now it seems that the default interface will answer those queries as well, and they won't reach the tunnel's DNS. To verify this, I connected with the VPN, and when I checked 'scutil --dns', I got the list of resolvers, where resolver #1, wasn't the utun (it was en7), and it handled all the 'match domains'/'search domains'. All DNS queries with those domains were answered by the system's DNS server, and not by the VPN DNS server. Any idea how to force those DNS queries to the tunnel's DNS for a split tunnel? It seems that the matchDomains is not working..

@meaton I also have questions regarding this thread: I want that my containing app would be able to talk to its system network extension, via IPC. This is what I've did: I've added temporary-exception.mach-lookup.global-name with the value '$(TeamIdentifierPrefix)com.a.b.c' to the containing app's entitlements I've added temporary-exception.mach-register.global-name with the same value, '$(TeamIdentifierPrefix)com.a.b.c', to the extension's entitlements I've added a code at the containing app, to call extensionMachServiceName(from:) with the same value, '$(TeamIdentifierPrefix)com.a.b.c' Are the above steps correct? Are they even needed? The containing app can download (when the user approves) an updated version of both the app and the extension. Then the containing app will replace the extension with the new version, and the containing app will re-launch. Is there any known problem with IPC communication after replacing the app and the extension?

Sounds related to the same issue I reported some years ago https://developer.apple.com/forums/thread/131827 (there were other threads too)

Great, thanks eskimo!

Should I disable AMFI? amfi_get_out_of_my_way

I have the same issue, on macOS 13.4. I've implemented a sysExt custom VPN, and when connecting to the VPN, I see two new utuns. When disconnecting, only one of them is cleaned-up. While this weird behavior seems to work fine, things change when reaching a big number of utuns (around 95 utuns): Customers reported about slow connectivity, or sometimes - no connectivity at all. It seems that from that point (95 utuns) there are troubles with the DNS responses (No answers for DNS queries). Restarting the Mac will solve this problem, as it cleans the utuns. As mentioned in this thread, the IPv6 routing table looks 'weird', but the IPv4 routing table looks good. I have exit(0) at the code, after calling the stopTunnel completionHandler - so I tried to remove the exit(0), and tried to keep it but adding a 0.5 sleep before calling it - but it changed nothing. Is there any way to force clean those 'dirty' utuns? Any idea if a big num of utuns, can really cause the above (DNS/networking) problems?

Update: I found the issue, which was related to my app, and not to the OS in any way.

@eskimo Thanks for the quick reply (as usual)! For some reason I didn't get a notification about it, so just saw it, but I've updated that this was a bug on my app.

@eskimo Sure, and actually, I'm still struggling with it. I'm connecting to the VPN from the containing app (startVPNTunnel). I assume this creates a utun. I'm also adding an observer for 'NEVPNStatusDidChange'. When I'm getting the status update for 'Connecting', I'm creating an IPC connection from the containing app to the system extension. For some reason, this creates a second utun. Disconnecting the VPN will clean only one of those utuns. So each connection/disconnection, results in an extra utun remaining on the system. If I'm changing the logic a bit, and register to the IPC only when I'm getting the 'Connected' update (and not 'Connecting'), there will be only one utun, as expected. But I do need the IPC conenction ASAP, so I'm searching for a way to do it while 'Connecting', without creating another utun.

Addon: It seems that even calling to sendProviderMessage while at the 'connecting' phase will create an additional utun

True - production, macOS 13. I'll do both options (bug + DTS) a bit later and will update here the relevant ticket. Thanks for the help!

If you push multiple VPN configuration payloads then all of their associated digital identities end up in com.apple.managed.vpn.shared. I can’t see anything that’d prevent you from querying the keychain for them all and then choosing between them. This is exactly what I've ended up with, just wanted to check if there's an option to do it all in a single payload. Thanks!

Thanks eskimo, but please let me rephrase the question: 'includeAllNetworks' is disabled. At the provider, all routes are included: [NEIPv4Route.default()] In this case, should the LAN traffic go via the VPN? Or is the LAN traffic excluded from the VPN?

Thanks eskimo! if you’re not using NWConnection, can you try it? Sure. I'm not working with NWConnection, and I'll try it soon. A related question to the above: I'll add the code to the wake() function. I assume I should wait for '.ready' and only then to start establishing the tunnel. But what if the check will stuck in '.waiting'? Should I, at any point in the wake() function, set the 'reasserting' variable?

If if you’re not using NWConnection, can you try it? I’m not suggesting that you rewrite all the networking code (well, not yet :-) but instead just try starting a parallel NWConnection and see how it behaves. For that, I'll have to add 'import Network' at the Packet Tunnel Provider. Then, my code to monitor path-change won't compile: let oldPathOpt = change?[.oldKey] as? NWPath //'NWPath' is ambiguous for type lookup in this context I also tried this one let oldPathOpt = change?[.oldKey] as? NetworkExtension.NWPath //Ambiguous type name 'NWPath' in module 'NetworkExtension' So, instead of NWConnection, would it be okay to use something like let configuration = URLSessionConfiguration.ephemeral configuration.waitsForConnectivity = true let session = URLSession(configuration: configuration) ?