Post | Replies | Boosts | Views | Activity
VPN not starting
I've implemented a custom VPN app for macOS (Packet Tunnel Provider, network extension). In my app there's a situation where the user tries to connect (VPN is starting), the server rejects the connection (VPN stops), and the user should enter some code, after which the VPN will reconnect (VPN should start again). Most of the time this works as expected, but every now and then the second connection (after the user entered the code) is stuck: the VPN goes into the 'connecting' state, but it stays connecting, without changing the state to connected or disconnected. The extension is not starting in this case. I saw these logs in the Console:

    failed to create the delegate
    Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2

There are more related logs, but I think the above logs are the problematic ones. After this issue, if I press the 'connect' button again, it will connect without a problem. So I think it's something related to the OS. P.S. I also saw this thread, which looks very similar: https://developer.apple.com/forums/thread/652708?login=true
Replies: 1, Boosts: 0, Views: 1.1k, Apr ’21
BUG in libdispatch client
I've implemented a custom VPN app for macOS (Network Extension, Packet Tunnel Provider). I got some reports that my app crashed. I asked for the Console logs, and I saw this log:

    MyAppExtension[85331]: BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7f9debe12120[source], ident: 5 / 0x5, handler: 0x107f09ced }

This log appeared multiple times (every couple of hours), each time with a different PID:

    MyAppExtension[85765]: BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7fe76fc1ae70[source], ident: 5 / 0x5, handler: 0x1007d5ced }

Is this what crashed the app? The PID was different each time, so I guess it did crash the app. What info can I get from this message (how do I debug it)?
Replies: 4, Boosts: 0, Views: 5.1k, Apr ’21
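The message quoted in the post above is libdispatch's complaint that a vnode-type dispatch source was still active when the file descriptor it monitors was closed; the documented ordering is to call cancel() and close the descriptor only from the cancel handler. The following is an added example written for this page, not the poster's code; FileWatcher and its arguments are assumed names.

```swift
import Foundation

// Added example (not the poster's code). libdispatch logs "monitored resource
// vanished before the source cancel handler was invoked" when the descriptor
// behind a vnode source is closed while the source is still active. The
// rule: call cancel() first and close the descriptor only from the cancel
// handler. FileWatcher is a hypothetical name used for this page.
final class FileWatcher {
    private let source: DispatchSourceFileSystemObject

    init?(path: String,
          queue: DispatchQueue = DispatchQueue(label: "filewatcher"),
          onChange: @escaping (DispatchSource.FileSystemEvent) -> Void) {
        let fd = open(path, O_EVTONLY)   // event-only descriptor, no read access
        guard fd >= 0 else { return nil }
        source = DispatchSource.makeFileSystemObjectSource(
            fileDescriptor: fd, eventMask: [.write, .delete, .rename], queue: queue)

        source.setEventHandler { [weak self] in
            guard let self = self else { return }
            let event = self.source.data
            onChange(event)
            // Deleted or renamed: nothing useful is left to watch, so cancel;
            // the descriptor is then released by the cancel handler below.
            if !event.intersection([.delete, .rename]).isEmpty {
                self.source.cancel()
            }
        }
        // The only close(fd) in the class, and it runs after cancellation has
        // completed, which is the ordering libdispatch requires.
        source.setCancelHandler { close(fd) }
        source.resume()
    }

    func stop() {
        source.cancel()   // never close(fd) directly
    }

    deinit {
        if !source.isCancelled { source.cancel() }
    }
}
```

When auditing an extension for this log line, search for every close() on a descriptor that also feeds a DispatchSource and confirm it is reachable only from that source's cancel handler.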
VPN not starting
While working on a dev version of my custom macOS VPN (Network Extension, Packet Tunnel Provider), I had cases where the VPN was supposed to start, but it didn't. It's configured with an on-demand rule to always connect, and to be on the safe side I also called connection.startVPNTunnel(). From the Console logs I see the following:

    myClientClient Saving configuration myClient example - myname_mfa.mynameaccount with existing signature {length = 20, bytes = 0x3be5a6633b963d04c5e0a226cccff4c83a799e14}
    default 12:33:36.686853+0200 secd myClientClient[8416]/1#11 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=query missing class name}
    default 12:33:36.687705+0200 myClientClient MacOS error: -25304
    default 12:33:36.690077+0200 myClientClient MacOS error: -25304
    NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Received a start command from myClientClient[8416]
    default 12:33:36.763724+0200 nesessionmanager Registering session NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]
    default 12:33:36.764739+0200 nesessionmanager Received a com.apple.neconfigurationchanged notification with token 23
    default 12:33:36.765486+0200 nesessionmanager Clearing E853F1E7-23BD-4F01-915B-65DCBB9D9AB8 from the loaded configurations
    default 12:33:36.765604+0200 nesessionmanager Clearing 8A4A1803-C370-42A1-8758-35E3D4337959 from the loaded configurations
    default 12:33:36.765717+0200 nesessionmanager Clearing 2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17 from the loaded configurations
    nesessionmanager nw_network_agent_open_control_socket Successfully connected netagent socket 8
    default 12:33:36.760869+0200 SystemUIServer Received a com.apple.neconfigurationchanged notification with token 48
    default 12:33:36.790775+0200 neagent Looking for an extension with identifier com.myClientexample.mac.myClientClient.myClientClientExtension and extension point com.apple.networkextension.packet-tunnel
    default 12:33:36.791728+0200 neagent [d private] PKHost:0x7f9bc9c29fb0 Beginning discovery for flags: 0, point: com.apple.networkextension.packet-tunnel
    default 12:33:36.794692+0200 pkd Waiting on thread private until Launch Services database seeding is complete.
    default 12:33:36.783780+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: status changed to connecting
    default 12:33:36.811018+0200 neagent [d private] PKHost:0x7f9bc9c29fb0 Completed discovery. Final of matches: 1
    default 12:33:36.762607+0200 myClientClient startToggled
    default 12:33:36.811362+0200 nesessionmanager com.myClientexample.mac.myClientClient[743]: disposing
    default 12:33:36.811575+0200 nesessionmanager com.myClientexample.mac.myClientClient[743]: Tearing down agent connection
    default 12:33:36.811641+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Plugin is installed
    default 12:33:36.763228+0200 myClientClient starting vpn tunnel
    default 12:33:36.811729+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Enabling VPN On Demand
    default 12:33:36.811145+0200 neagent Found 1 extension(s) with identifier com.myClientexample.mac.myClientClient.myClientClientExtension and extension point com.apple.networkextension.packet-tunnel
    default 12:33:36.813142+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Matched no on demand rule
    default 12:33:36.784619+0200 myClientClient vpnStatusDidChange: Connecting
    default 12:33:36.784729+0200 myClientClient display Connecting
    default 12:33:36.813445+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Matched on demand rule action = connect interfaceTypeMatch = any

And after that there is a very large number of "Received a start command from" and "Skip a start command from" lines (I copied only part of the log), but the VPN stays in the 'connecting' phase. Any idea what's causing it? Can it happen also on the production version of my app? I never reproduced it with the Store version, but it's not always reproducible anyway.
Replies: 4, Boosts: 0, Views: 1.3k, Mar ’21
NEExtension - From App Extension to System Extension
I'm planning to convert my Network Extension to a System Extension (custom VPN, Packet Tunnel Provider, macOS). I have some questions regarding this process:

1. I'm using keychain groups so that I'm able to get the user's password from the keychain both from the app and from the Extension. Is it possible to do this also with a system extension?
2. A similar question, but this time for a certificate: I have the entitlement for managed.vpn.shared. Is it possible to use it also from the system extension, and get the certificate for the VPN?
3. I'm passing data between the containing app and the extension via 'App Groups' ("shared" user defaults). Can I do the same for the system extension?
Replies: 4, Boosts: 0, Views: 918, Jan ’21
Packet Tunnel Provider - deinit
I've added a deinit function to the Packet Tunnel Provider (Network Extension):

    deinit {
        NSLog("PacketTunnelProvider deinit")
    }

And I noticed that it's not being called when I'm disconnecting the VPN:

    Calling stopTunnelWithReason because: Configuration was disabled

After a little investigation it seems that the problem is related to packetFlow. I have this function:

    func readPacketsFromTUN(_ packets: [Data], protocols: [NSNumber]) {
        for i in 0..<packets.count {    // 0...packets.count-1 traps on an empty array
            // handle packets[i]
        }
        packetFlow.readPackets { inPackets, inProtocols in
            self.readPacketsFromTUN(inPackets, protocols: inProtocols)
        }
    }

It seems that if (just for the test) I don't call packetFlow.readPackets each time, after I stop the VPN it does get to the deinit function. However, I can't remove this call. Is it a bug on my side, or in the Extension?
Replies: 3, Boosts: 0, Views: 626, Dec ’20
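The completion handler passed to packetFlow.readPackets is held by the system until the next packets arrive, and when it captures self strongly the provider cannot be deallocated while a read is pending; a loop that re-arms the read from its own completion therefore always has one pending. The example below, added for this page and not the poster's code, re-arms through a weak reference and stops re-arming once stopTunnel has run; handle(packets:protocols:) is an assumed placeholder for the real packet handling.

```swift
import NetworkExtension

// Added example (not the poster's code). The completion passed to
// packetFlow.readPackets is held until the next packets arrive; if it
// captures `self` strongly, the provider cannot be deallocated while a read
// is pending, and the loop always has one pending. A weak capture plus a
// stop flag breaks that, so deinit runs once the tunnel has been stopped.
class PacketTunnelProvider: NEPacketTunnelProvider {
    private var isStopping = false

    override func startTunnel(options: [String: Any]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Apply NEPacketTunnelNetworkSettings here, then start reading.
        readLoop()
        completionHandler(nil)
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        isStopping = true   // the next completion returns without re-arming
        completionHandler()
    }

    private func readLoop() {
        packetFlow.readPackets { [weak self] packets, protocols in
            // `self` is nil once the provider has been released; `isStopping`
            // covers a read that completes after stopTunnel.
            guard let self = self, !self.isStopping else { return }
            self.handle(packets: packets, protocols: protocols)
            self.readLoop()
        }
    }

    // Placeholder for the real packet handling (assumed name).
    private func handle(packets: [Data], protocols: [NSNumber]) {
        for (packet, proto) in zip(packets, protocols) {
            NSLog("read %d bytes, address family %@", packet.count, proto)
        }
    }

    deinit {
        NSLog("PacketTunnelProvider deinit")
    }
}
```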
Can't update app while VPN is connected (Packet Tunnel Provider)
I've updated my custom VPN app on the App Store to a newer version (Network Extension, Packet Tunnel Provider, macOS). It seems that the existing apps on the users' Macs can't be updated when they are connected to the VPN. Automatic update failed, and they also tried to go directly to the store and manually download the new version. It seems that they are able to download the new version, but the installation fails. They are able to update to the new version only after they disconnect the VPN. This is probably a relevant log from their Console:

    pkd: [com.apple.PlugInKit:holds] hold refused. Busy plugins: <private>
    appstoreagent: (PlugInKit) [com.apple.PlugInKit:holds] <PKManager:0x7fea5e544f50> hold request for [<private>] with flags: 0x2 completed with error: Error Domain=PlugInKit Code=14 UserInfo={busyPlugInUUIDs=<private>, NSLocalizedDescription=<private>}

I know that there are some reports here about this problem: https://developer.apple.com/forums/thread/128894?answerId=652178022#652178022 and even on StackOverflow. But I don't know the status of this bug - are you familiar with it? I also opened FB8938775.
Replies: 3, Boosts: 0, Views: 1.3k, Dec ’20
Phased release - change percentage of users
The feature of phased release is very useful for our company, but a big minus for us is that the 'Percentage of Users' starts very slow, and in the last two days it goes up very fast. For now what we can do is to start the phased release, pause it after 50% of users get the new version, and after a week resume the release. I know it's not the purpose of pause/resume, but we want better control over the percentages/days of the phased release. Is it possible to change those somehow? Change the percentages per day, or change the number of days for the phased release?
Replies: 1, Boosts: 0, Views: 2.5k, Nov ’20
iOS 14 - application open url - extra char appended to URL
My app can be opened using a URL scheme (via the func application(_ app: , url: , options:) -> Bool). I've noticed that on iOS 14, some of the URLs have the char '#' at the end of the URL. It happens only for some of the URLs, but even for those where it happens - trying them on a device with iOS 13 - this extra char doesn't appear. Any explanation for this? Did anyone else see this behaviour?
Replies: 1, Boosts: 0, Views: 458, Nov ’20
NEVirtualInterface processing read event
I've implemented a custom VPN app for macOS (Packet Tunnel Provider, network extension), which is already available on the App Store. For most of the users everything works great. The question here is about some other users who reported a problem: when they use my app, it starts fine, but after a short time all traffic is extremely slow. These are very suspicious logs from their Console:

    kernel: (Sandbox) Sandbox: myAppExtenstion(8025) deny(1) file-read-data /Users/ahale/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

After the above log, they get a massive amount (over 42000) of these logs:

    myAppExtension: (NetworkExtension) NEVirtualInterface processing read event

What do those logs mean? How can I fix, or at least debug, this issue? I can't reproduce it and it happens only for some of the customers. How can I get more helpful information on this issue?
Replies: 8, Boosts: 0, Views: 981, Nov ’20
Distribute a beta app for Mac with a Network Extension
I want to release a beta version of my Mac app, but since it contains a Network Extension (Packet Tunnel Provider), I can't just send a DMG to the testers. I know there are two options here:

1. Change the app to be a System Extension. I do not want to do that.
2. Register the testers' devices (UUID) and send them the app.

Is there a better way to distribute this beta version?
Replies: 5, Boosts: 0, Views: 689, Oct ’20
Split tunnel + Include routes + search domains
(This is related to a thread from a year ago: https://developer.apple.com/forums/thread/113252?page=1#637604022) I've implemented a custom VPN app for macOS (Packet Tunnel Provider). If the user configured DNS servers for the tunnel, they should answer all DNS queries. This is done with dnsSettings.matchDomains = [""]. This works well except for one combination: if the user enabled split tunnel with include routes + searchDomains, the DNS queries go to the system DNS server, and not to the tunnel DNS. I found a partial solution: for the above case, if I set dnsSettings.matchDomains to the searchDomains, the tunnel's DNS server will answer queries, but only those related to a domain on that list. I want the tunnel's DNS servers to answer all queries, so this solution isn't good. Is it a bug or intentional behaviour?
Replies: 7, Boosts: 0, Views: 1.8k, Sep ’20
Signing with SecKeyCreateSignature and verification with OpenSSL
In my app I have a SecKey with which I want to sign some Data, and on my server I need to do the verification, but this time with OpenSSL. I didn't find any common key or any steps to achieve this between the Apple Security framework and OpenSSL. For example, I've tried the following:

Signing (Apple Security):

    let signedStrCFData = SecKeyCreateSignature(key, .rsaSignatureRaw, plaintextData, &error)

Verifying (OpenSSL):

    ret = RSA_verify(NID_rsaSignature, (const unsigned char *)challenge, (unsigned int)strlen(challenge), challenge_enc, challenge_enc_size, rsa);

Which key to choose is not really important to me (as long as it's a reasonable signing key), so I tried multiple types of keys, but I wasn't able to do it. Any idea what I'm missing here?
Replies: 8, Boosts: 0, Views: 1.8k, Sep ’20
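The two calls in the post above cannot agree: .rsaSignatureRaw performs the bare RSA operation on the input bytes with no hashing and no padding, while RSA_verify expects a PKCS#1 v1.5 signature over a DigestInfo for the named hash. The added example below, written for this page and not taken from the post, signs with the Security framework algorithm that matches RSA_verify(NID_sha256, ...) and openssl dgst -sha256 -verify, and exports the public key in the PKCS#1 DER form OpenSSL can read; RSASigning and its function names are assumptions.

```swift
import Foundation
import Security

// Added example. SecKeyAlgorithm.rsaSignatureMessagePKCS1v15SHA256 hashes the
// message with SHA-256, wraps the digest in the PKCS#1 v1.5 DigestInfo and
// pads it, which is what OpenSSL's RSA_verify(NID_sha256, digest, 32, sig,
// sigLen, rsa) checks. .rsaSignatureRaw does none of that.
enum RSASigning {
    static let algorithm: SecKeyAlgorithm = .rsaSignatureMessagePKCS1v15SHA256

    // Fresh 2048-bit RSA key for a local round trip (constructed test key).
    static func makeTestKey() throws -> SecKey {
        let attrs: [String: Any] = [kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
                                    kSecAttrKeySizeInBits as String: 2048]
        var error: Unmanaged<CFError>?
        guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        return key
    }

    static func sign(_ message: Data, with privateKey: SecKey) throws -> Data {
        guard SecKeyIsAlgorithmSupported(privateKey, .sign, algorithm) else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecParam))
        }
        var error: Unmanaged<CFError>?
        guard let sig = SecKeyCreateSignature(privateKey, algorithm, message as CFData, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        return sig as Data
    }

    // Local check with the same algorithm; the server does the equivalent with
    // RSA_verify or `openssl dgst` once it has the exported public key.
    static func verify(_ signature: Data, for message: Data, with publicKey: SecKey) -> Bool {
        var error: Unmanaged<CFError>?
        return SecKeyVerifySignature(publicKey, algorithm, message as CFData, signature as CFData, &error)
    }

    // For an RSA public key SecKeyCopyExternalRepresentation returns PKCS#1
    // RSAPublicKey DER. Server side:
    //   openssl rsa -RSAPublicKey_in -inform DER -in pub.der -pubout -out pub.pem
    //   openssl dgst -sha256 -verify pub.pem -signature sig.bin message.bin
    static func exportPublicKeyDER(of privateKey: SecKey) throws -> Data {
        guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecParam))
        }
        var error: Unmanaged<CFError>?
        guard let der = SecKeyCopyExternalRepresentation(publicKey, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        return der as Data
    }
}
```

A round trip is `let key = try RSASigning.makeTestKey()`, `let sig = try RSASigning.sign(Data("challenge".utf8), with: key)`, then `RSASigning.verify(sig, for: Data("challenge".utf8), with: SecKeyCopyPublicKey(key)!)` returns true; the same sig.bin verifies under the openssl commands in the comment.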
Network Extension - ipv6Settings and split tunnel
I've implemented a VPN app for macOS using Packet Tunnel Provider. The user can include routes for IPv4 and IPv6, and also enable split tunnel. However, there's a combination that's not working well: if the user includes the IPv6 default route, but for IPv4 enables the split tunnel and includes only some routes, it seems that all IPv4 routes are included in the tunnel. A code example:

    let newSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: serverAddress)
    newSettings.ipv4Settings = NEIPv4Settings(addresses: [localAddressString], subnetMasks: ["255.255.255.255"])
    newSettings.ipv6Settings = NEIPv6Settings(addresses: ["2001:0db8:85a3:0000:0000:8a2e:0370:7334"], networkPrefixLengths: [64]) // fake IPv6 address
    newSettings.ipv6Settings?.includedRoutes = [NEIPv6Route.default()]
    let someRoute = NEIPv4Route(destinationAddress: "x.x.x.x", subnetMask: "255.255.255.255")
    let someOtherRoute = NEIPv4Route(destinationAddress: "y.y.y.y", subnetMask: "255.255.255.255")
    var routesToIncludeArr = [NEIPv4Route]()
    routesToIncludeArr.append(someRoute)
    routesToIncludeArr.append(someOtherRoute)
    newSettings.ipv4Settings?.includedRoutes = routesToIncludeArr

I think that in the Console logs the tunnel configuration looks good:

    IPv4Settings = {
        configMethod = PPP
        addresses = (
            <12-char-str>,
        )
        subnetMasks = (
            255.255.255.255,
        )
        includedRoutes = (
            {
                destinationAddress = <13-char-str>
                destinationSubnetMask = 255.255.0.0
            },
            {
                destinationAddress = <11-char-str>
                destinationSubnetMask = 255.255.255.255
            },
            {
                destinationAddress = <7-char-str>
                destinationSubnetMask = 255.255.255.255
            },
            {
                destinationAddress = <7-char-str>
                destinationSubnetMask = 255.255.255.255
            },
            {
                destinationAddress = <7-char-str>
                destinationSubnetMask = 255.255.255.255
            },
            {
                destinationAddress = <14-char-str>
                destinationSubnetMask = 255.255.255.255
            },
        )
        overridePrimary = NO
    }
    IPv6Settings = {
        configMethod = automatic
        addresses = (
            <3-char-str>,
        )
        networkPrefixLengths = (
            128,
        )
        includedRoutes = (
            {
                destinationAddress = <2-char-str>
                destinationNetworkPrefixLength = 0
            },
        )
    }

But when testing the VPN I see that all IPv4 traffic goes via the tunnel, and not only the included routes.
Replies: 6, Boosts: 0, Views: 1k, Sep ’20
Extension remained dirty for too long after trying to exit
I've implemented a VPN app (using Packet Tunnel Provider) for macOS, and one of my users reported a problem: sometimes his app crashes. It doesn't always reproduce for him, and it might happen mainly after the Mac wakes from sleep. I didn't find any problems, so I asked for the Console logs, and there I saw some related prints. This is probably the related log:

    "Extension remained dirty for too long after trying to exit. Killing."

But also a lot of other "weird" prints, like:

    "com.apple.xpc.launchd[1] (com.apple.mdworker.single.07000000-0300-0000-0000-000000000000[56993]): Service exited due to SIGKILL"
    "BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7fe30d92c160[source], ident: 5 / 0x5, handler: 0x10413dbfd }"
    "com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.user.501): Service "com.apple.xpc.launchd.unmanaged.loginwindow.204" tried to register for endpoint "com.apple.tsm.uiserver" already registered by owner: com.apple.TextInputMenuAgent"

It seems this error is related to the OS, am I correct? How can I solve this?
Replies: 1, Boosts: 0, Views: 1.3k, Sep ’20