Reply to Infinite crashes caused by on-demand
Thanks Quinn! I filed FB11856481. I also thought about showing an alert directly from the packet tunnel provider to ask the user to disable VPN from the container app using displayMessage completionHandler, however, this method stops working on my iOS 16 test devices. I know it's marked as deprecated, but it used to work just fine on my iOS 15 devices, do you have any insights on why it stops working? Thanks.
Dec ’22
Reply to NEPacketTunnelProvider Cannot Be Started
The only crashes I saw all look like this one, and it seems like you are right, the process is killed by the system:

```
OS Version: macOS 12.6 (21G115)
Release Type: User
Report Version: 104

Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: SIGNAL 15 Terminated: 15
Terminating Process: launchd [1]

Highlighted by Thread: 0

Backtrace not available

No thread state (register information) available

Binary Images:
Binary images description not available

Error Formulating Crash Report:
_dyld_process_info_create failed with 6
dyld_process_snapshot_get_shared_cache failed
Failed to create CSSymbolicatorRef - corpse still valid ¯\_(ツ)_/¯
thread_get_state(PAGEIN) returned 0x10000003: (ipc/send) invalid destination port
thread_get_state(EXCEPTION) returned 0x10000003: (ipc/send) invalid destination port
thread_get_state(FLAVOR) returned 0x10000003: (ipc/send) invalid destination port
```

However, this Code Signature Invalid doesn't make sense to me because I really didn't need to do anything but simply re-enable the VPN to connect with no issue. Since I am not even re-compiling the project, how would the code signature change for the second run?
Sep ’22
Reply to NEPacketTunnelProvider Cannot Be Started
Ok, I found some useful information from system logs:

```
default 10:21:37.723793-0700 nesessionmanager NESMVPNSession[Primary Tunnel:VPN:F7D46517-00D5-48AB-A688-36E945AADA94:(null)]: Received a start command from VPN
default 10:21:37.724400-0700 nesessionmanager <NESMServer: 0x122e0afb0>: Register Enterprise VPN Session: NESMVPNSession[Primary Tunnel:VPN:F7D46517-00D5-48AB-A688-36E945AADA94:(null)]
error 10:21:37.723536-0700 analyticsd [XPC Server] managed connection recieved connection invalidated: Connection invalid
default 10:21:37.727338-0700 nesessionmanager NEVPNTunnelPlugin(com.google.one.dev[inactive]): Sending start command
default 10:21:37.727468-0700 nesessionmanager com.myvpn.dev[inactive]: starting
error 10:21:37.728363-0700 nesessionmanager com.myvpn.dev[1300]: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)"
default 10:21:37.731436-0700 nesessionmanager NESMVPNSession[Primary Tunnel:VPN:F7D46517-00D5-48AB-A688-36E945AADA94:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.myvpn.dev[inactive]) started with PID 0 error Error Domain=NEAgentErrorDomain Code=2 "(null)"
error 10:21:37.728040-0700 neagent NEAgentSession: failed to create the delegate
default 10:21:37.728519-0700 nesessionmanager com.myvpn.dev[1300]: XPC connection went away
```

Not sure if I understand it, but it seems the packet tunnel provider is not started because of an XPC error?
Sep ’22
Reply to SKPayment.applicationUsername is nil even if we assign a UUID string to it
Hi Rich, thanks for the quick response. I did verify that receipt validation returns the applicationName. Just want to double check: when the subscription renews, a SKPaymentTransaction object is also delivered to the func paymentQueue(_ queue: SKPaymentQueue, updatedTransactions transactions: [SKPaymentTransaction]) method. And the UUID string is not guaranteed to be returned in the SKPaymentTransaction.payment.applicationUsername field, right?
Jun ’22
Reply to What's the best way to launch containing app on macOS from the Network Extension
The containing app runs as a menu bar app which not only provides the latest status of the VPN but also provides some other features, such as allowing the user to stop the VPN. As a result, the containing app is expected to always be running alongside the packet tunnel provider. When the app crashes, we could:

- Show an alert to the user (which is doable) and stop the VPN (which is not doable because of on-demand).
- Programmatically re-launch the containing app (which is this question).

The major reason is that, unlike iOS, macOS doesn't have an indicator of whether the VPN is running or not, and it also doesn't have a VPN toggle in the Settings that is easy to find. That's why we need the containing app to serve as the go-to place for the user to manage their VPN.
May ’22
Reply to Unable to launch Network Extension On Mac
Nice, I am finally able to launch my PacketTunnelProvider code, however I am seeing this error in my console, not sure what it means:

```
Sandbox: com.test.vpn.d(65504) deny(1) mach-lookup com.apple.AppSSO.service-xpc

Violation: deny(1) mach-lookup com.apple.AppSSO.service-xpc
Process: com.test.vpn.d [65504]
Path: /Library/SystemExtensions/2EA7CA6C-4185-4D33-A43B-8ACAE5C4BFFA/com.test.vpn.NetworkExtension.systemextension/Contents/MacOS/com.test.vpn.NetworkExtension
Load Address: 0x101e01000
Identifier: com.test.vpn.NetworkExtension
Version: 1 (1.0)
Code Type: x86_64 (Native)
Parent Process: launchd [1]
Responsible: /Library/SystemExtensions/2EA7CA6C-4185-4D33-A43B-8ACAE5C4BFFA/com.test.vpn.NetworkExtension.systemextension/Contents/MacOS/com.test.vpn.NetworkExtension
User ID: 0

Date/Time: 2022-03-25 16:48:03.273 PDT
OS Version: macOS 12.3 (21E230)
Release Type: User
Report Version: 8

MetaData: {"target":"com.apple.AppSSO.service-xpc","responsible-process-signing-id":"com.test.vpn.NetworkExtension","policy-description":"Sandbox","mach_namespace":1,"responsible-process-team-id":"QEXH8ZM8AV","normalized_target":["com.apple.AppSSO.service-xpc"],"profile-flags":0,"errno":1,"platform-policy":false,"primary-filter":"global-name","global-name":"com.apple.AppSSO.service-xpc","operation":"mach-lookup","platform-binary":false,"process-path":"\/Library\/SystemExtensions\/2EA7CA6C-4185-4D33-A43B-8ACAE5C4BFFA\/com.test.vpn.NetworkExtension.systemextension\/Contents\/MacOS\/com.test.vpn.NetworkExtension","platform_binary":"no","primary-filter-value":"com.apple.AppSSO.service-xpc","container":"\/private\/var\/root\/Library\/Containers\/com.test.vpn.NetworkExtension\/Data","hardware":"Mac","checker":"launchd","profile-in-collection":false,"sandbox_checker":"launchd","build":"macOS 12.3 (21E230)","action":"deny","summary":"deny(1) mach-lookup com.apple.AppSSO.service-xpc","checker-pid":1,"pid":65504,"process":"com.test.vpn.d","flags":5,"signing-id":"com.test.vpn.NetworkExtension","binary-in-trust-cache":false,"team-id":"QEXH8ZM8AV","responsible-process-path":"\/Library\/SystemExtensions\/2EA7CA6C-4185-4D33-A43B-8ACAE5C4BFFA\/com.test.vpn.NetworkExtension.systemextension\/Contents\/MacOS\/com.test.vpn.NetworkExtension","apple-internal":false,"uid":0,"release-type":"User"}
```
Mar ’22
Reply to Unable to launch Network Extension On Mac
I did follow the steps, here are some critical snippets:

```objc
#import <NetworkExtension/NetworkExtension.h>
#import <SystemExtensions/SystemExtensions.h>

// OSSystemExtensionRequestDelegate callback: once the system extension is
// activated, load (or create) the tunnel configuration and start the VPN.
// `options` is not defined in the posted snippet; it is assumed to come from
// the surrounding class.
- (void)request:(nonnull OSSystemExtensionRequest *)request
    didFinishWithResult:(OSSystemExtensionRequestResult)result {
  if (result != OSSystemExtensionRequestCompleted) return;
  [NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:^(
      NSArray<NETunnelProviderManager *> *managers, NSError *error) {
    if (error) {
      NSLog(@"load error: %@", error);
      return;
    }
    // Reuse an existing configuration if one is already saved.
    NETunnelProviderManager *manager = managers.firstObject;
    if (manager) {
      [self saveManager:manager options:options];
      return;
    }
    // Otherwise create a new configuration pointing at the provider.
    NETunnelProviderProtocol *protocol = [[NETunnelProviderProtocol alloc] init];
    protocol.serverAddress = @"unused";
    protocol.disconnectOnSleep = NO;
    protocol.providerBundleIdentifier = @"com.test.vpn.NetworkExtension";
    NETunnelProviderManager *newManager = [[NETunnelProviderManager alloc] init];
    newManager.protocolConfiguration = protocol;
    newManager.localizedDescription = @"Test VPN";
    newManager.enabled = YES;
    [self saveManager:newManager options:options];
  }];
}

// Save the configuration, reload it, then start the tunnel.
- (void)saveManager:(NETunnelProviderManager *)manager
            options:(NSDictionary<NSString *, id> *)options {
  [manager saveToPreferencesWithCompletionHandler:^(NSError *_Nullable saveError) {
    if (saveError) {
      NSLog(@"Failed to save with error: %@", saveError);
      return;
    }
    [manager loadFromPreferencesWithCompletionHandler:^(NSError *_Nullable loadError) {
      if (loadError) {
        NSLog(@"Failed to load with error: %@", loadError);
        return;
      }
      NSError *error;
      BOOL success = [manager.connection startVPNTunnelWithOptions:options
                                                    andReturnError:&error];
      if (!success || error) {
        NSLog(@"Failed to start with error: %@", error);
        return;
      }
      NSLog(@"Did start VPN");
    }];
  }];
}
```

When I run it on my Mac with SIP disabled, I am seeing this error:

```
Failed to save with error: Error Domain=NEVPNErrorDomain Code=5 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
```

This seems to indicate that NETunnelProviderManager.saveToPreferencesWithCompletionHandler is throwing an error.
Any idea of what's going wrong here?
Mar ’22
Reply to Unable to launch Network Extension On Mac
Thanks for the reply, I finally reached the point where I can generate a systemextension for my project.

However, I still have a hard time launching my VPN (Packet Tunnel Provider):

If I disable SIP on my Mac, I am seeing this error:

```
Error Domain=NEVPNErrorDomain Code=5 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
```

If I enable SIP on my Mac, I am seeing a different error:

```
deny(1) mach-lookup com.apple.sysextd
```

So I added the following code to my container app's entitlements:

```xml
<key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
<array>
  <string>com.apple.sysextd</string>
</array>
```

And now I am getting a different error again:

```
Error Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" UserInfo={NSLocalizedDescription=Invalid code signature or missing entitlements}
```

Any ideas about what I am missing here?
Mar ’22
Reply to Unable to launch Network Extension On Mac
Thanks Meaton for your response!

> There are two flavors of Network Extensions, Network System Extension and Network App Extensions. Network System Extension are required when deploying via Developer ID.

Yeah, you are right, I am trying to create a system extension instead of an app extension. But I am not sure why it bundles an app extension into my final package. Is it related to my provisioning file? Or is there anything I missed? I am trying to reuse the packet tunnel subclass with iOS. Is this the root cause for it?

> Turn SIP back on. You are only making life harder on yourself.

Thanks so much! I actually had a hard time convincing my security team regarding disabling SIP.
Feb ’22
Reply to NWUDPSessionState Stuck at Preparing After Cancelling Session.
Sorry, the comment doesn't allow me to write the code with the pretty format, so I just copy and paste here:

One thing that is worth mentioning, we do wait for the network settings to be updated before we create a new session:

```objc
// Applies the network settings and blocks the caller until the completion
// handler fires or the timeout elapses. WEAKIFY, STRONGIFY_OR_RETURN,
// kUpdateNetworkSettingsTimeout and TIMEOUT_ERROR are defined elsewhere.
- (NSError *)updateTunnelNetworkSettings:(NEPacketTunnelNetworkSettings *)settings {
  dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
  __block NSError *updateError;
  WEAKIFY(self);
  [self setTunnelNetworkSettings:settings
               completionHandler:^(NSError *_Nullable error) {
    STRONGIFY_OR_RETURN(self);
    if (error) {
      updateError = error;
    }
    // Report tunnel start completion on the provider queue, at most once.
    dispatch_async(self->_tunnelProviderQueue, ^{
      if (self->_startCompletionHandler) {
        self->_startCompletionHandler(nil);
      }
      self->_startCompletionHandler = nil;
    });
    dispatch_semaphore_signal(semaphore);
  }];
  dispatch_time_t timeout =
      dispatch_time(DISPATCH_TIME_NOW, kUpdateNetworkSettingsTimeout * NSEC_PER_SEC);
  if (dispatch_semaphore_wait(semaphore, timeout) != 0) {
    updateError = TIMEOUT_ERROR;
  }
  return updateError;
}
```
Aug ’21
Reply to NWUDPSession only works when there is a sim card installed
Here is how I configure the network settings, I am not doing any matches based on my own understanding:

```objc
NWHostEndpoint *hostEndpoint = [NWHostEndpoint endpointWithHostname:address port:port];

// Collect the tunnel interface addresses per address family.
NSMutableArray<NSString *> *ipv4Addresses = [[NSMutableArray alloc] init];
NSMutableArray<NSString *> *ipv4Masks = [[NSMutableArray alloc] init];
NSMutableArray<NSString *> *ipv6Addresses = [[NSMutableArray alloc] init];
NSMutableArray<NSNumber *> *ipv6PrefixLengths = [[NSMutableArray alloc] init];
for (...) {  // loop header elided in the original post
  if (ip == IPV4) {
    [ipv4Addresses addObject:[NSString stringWithUTF8String:ip]];
    [ipv4Masks addObject:mask];
  }
  if (ip == IPV6) {
    [ipv6Addresses addObject:[NSString stringWithUTF8String:ip]];
    [ipv6PrefixLengths addObject:@(prefix())];
  }
}

// Route all IPv4 and IPv6 traffic through the tunnel.
NEIPv4Settings *ipv4Settings = [[NEIPv4Settings alloc] initWithAddresses:ipv4Addresses
                                                             subnetMasks:ipv4Masks];
ipv4Settings.includedRoutes = @[ [NEIPv4Route defaultRoute] ];
NEIPv6Settings *ipv6Settings = [[NEIPv6Settings alloc] initWithAddresses:ipv6Addresses
                                                    networkPrefixLengths:ipv6PrefixLengths];
ipv6Settings.includedRoutes = @[ [NEIPv6Route defaultRoute] ];

// The array is named dnsServers here so it does not clash with the
// per-iteration `dns` C string from the elided loop.
NSMutableArray<NSString *> *dnsServers = [[NSMutableArray alloc] init];
for (...) {  // loop header elided in the original post
  [dnsServers addObject:[NSString stringWithUTF8String:dns]];
}
NEDNSSettings *dnsSettings = [[NEDNSSettings alloc] initWithServers:dnsServers];

NEPacketTunnelNetworkSettings *networkSettings =
    [[NEPacketTunnelNetworkSettings alloc] initWithTunnelRemoteAddress:address];
networkSettings.DNSSettings = dnsSettings;
networkSettings.IPv4Settings = ipv4Settings;
networkSettings.IPv6Settings = ipv6Settings;

// Create the UDP session only after the settings have been applied.
[self setTunnelNetworkSettings:networkSettings
             completionHandler:^(NSError *_Nullable error) {
  id session = [self createUDPSessionToEndpoint:hostEndpoint fromEndpoint:nil];
  ...
}];
```
May ’21
Reply to How can I pause reading packets from NEUDPSession
Hi Quinn, Thanks for the response. I think we can use NWConnection over NWUDPSession as all we need is to connect to our VPN server to send/receive encrypted packets and perform handshakes. But I am not sure how I can pause reading packets using NWConnection either, one guess would be:

```swift
func startReadingPackets() {
  connection.receiveMessage { [weak self] data, context, success, error in
    /* Handle packets or error here. */
    // Spin while paused, then schedule the next receive.
    while self?.paused == true {}
    self?.startReadingPackets()
  }
}
```
Mar ’21