@DreamLordOneiros I didn't try it yet but maybe the reason it's not working for me is that at the Extension I'm not using Extension native API (like createUDPSession() for example), and I'm using BSD sockets/openSSL instead.

No, includeAllNetworks is disabled (unset).

Thanks for the reply! I have few questions regarding this approach - It's supported only from OSXApplicationExtension 10.15, what can I use for earlier version? I already have the SecKey - how can I use it as an argument for one of the signing functions? Can I open a DTS for a little help on this one?

Thanks! I submitted DTS 747436627

Should I open a bug about this issue? Or is it something on my side?

A question regarding "use NEDNSSettings to capture only specific domains that your VPN is interested in and point them at a specific DNS server of your choice. Do not try and capture everyone else DNS traffic as well." Why? What about this description "If the VPN tunnel becomes the network’s default route, the servers listed earlier by NEDNSSettings become the default resolver and the matchDomains list is ignored." from https://developer.apple.com/documentation/networkextension/nednssettings/1406537-matchdomains? On full tunnel I want that all the queries will reach to the DNS servers I configured, is that a problem?

Bumping this after a year, there's no update for the feedback I submitted. Do you happen to know if the above behaviour for tunnel's DNS servers + split tunnel (include-routes) is a bug or by design?

P.S - the tag should be Network Extension

Thanks for your answer, but I have 2 small questions: Just to be sure - even if the tunnel is for the default route (capture all traffic), the tunnel's DNS servers are not suppose to answer all queries? 2. Even with what you said, I'm pretty sure there's a bug on your side here (and not an edge case). Please see those 2 lines of code: let searchDomains = ["myComp.net", "myComp.com", "com", "atlassian.net", "Kings.dev", "Kings", "MyABC.com", "ABC.com", "Kings.com", "myComp"] newSettings.dnsSettings?.searchDomains = searchDomains Now run 'ping google' at the terminal and it would work great ('google' will get the 'com' from the searchDomains). However, moving "com" to the fourth location at the array (instead of at the first three): let searchDomains = ["myComp.net", "myComp.com", "atlassian.net", "com", "Kings.dev", "Kings", "MyABC.com", "ABC.com", "Kings.com", "myComp"] And 'ping google' doesn't work anymore. It seems that searchDomains has only "room" for 3 domains. Isn't it a bug (and not an edge case)?

And just to clarify - the settings for my VPN is to use the default route (all traffic should go via my VPN, and the VPN tunnels should answer all queries). If this is not possible I'll look at the DNS provider extension.

I also want to point out Eskimo's answer from 4 years ago - https://developer.apple.com/forums/thread/35027?answerId=122209022#122209022 So, you normally set up a VPN in one of three ways: full tunnel — The VPN is the primary interface and its DNS server is used by default. split tunnel, match domains — The VPN is not the primary interface and the system consults its VPN server for just the specified match domains. split tunnel, wildcard match domains — The VPN is not the primary interface and the system consults its DNS server for all domains first. The third option is what I want, but it seems very buggy. I'm not sure that NEDNSProxyProvider is the answer, because of several reasons: It's another extension that the customers would have to approve "do this in the context of managed devices" - I want the tunnel's DNS server for all devices, not only for managed devices

I submitted feedback - FB8774831

Feedback FB8774971

Because at the moment the app is a Network Extension, I didn't convert it yet. It's on the road map, but it might take some time.

What is the release distribution method, Developer ID? Since it's a beta for two specific customers, the list method doesn't matter, as long as it's going to work on their Macs.