Packet Tunnel Provider

Implement a VPN client for a packet-oriented, custom VPN protocol.

Overview

A virtual private network (VPN) is a form of network tunnel where a VPN client uses the public Internet to create a connection to a VPN server and then passes private network traffic over that connection. If you want to build a VPN client that implements a packet-oriented, custom VPN protocol, create a packet tunnel provider app extension.

When the system starts a VPN configuration that uses your packet tunnel provider, it launches your app extension, instantiates your packet tunnel provider subclass within that app extension, and starts forwarding packets to your provider. Your provider is expected to open a tunnel to a VPN server and send those packets over that tunnel. Similarly, if your provider receives packets from the tunnel, it should pass them back to the system.

Packet tunnel providers can run in destination IP mode or source-application mode. The latter is one form of per-app VPN (the other form is an App Proxy Provider).

Packet tunnel providers are supported in iOS and in macOS for Mac App Store apps only.

Topics

Essentials

Network Extensions Entitlement

The APIs an app can use to customize networking features.

Key: com.apple.developer.networking.networkextension

Packet Tunnel Provider

class NEPacketTunnelProvider

The principal class for a packet tunnel provider app extension.

class NETunnelProvider

An abstract base class shared by NEPacketTunnelProvider and NEAppProxyProvider.

class NEProvider

An abstract base class for all NetworkExtension providers.

class NEPacketTunnelNetworkSettings

The configuration for a packet tunnel provider’s virtual interface.

class NETunnelNetworkSettings

The configuration for a tunnel provider’s virtual interface.

Packet Handling

class NEPacketTunnelFlow

An object for reading and writing packets to and from the tunnel’s virtual interface.

class NEPacket

A network packet and its associated properties.

In-Provider Networking

Network APIs for use by all types of NetworkExtension providers and by hotspot helpers.

VPN Configuration

class NETunnelProviderManager

An object to create and manage the tunnel provider’s VPN configuration.

class NEVPNManager

An object to create and manage a Personal VPN configuration.

class NETunnelProviderProtocol

Configuration parameters for a VPN tunnel.

class NEAppRule

The identity of an app whose traffic is to be routed through the tunnel.

VPN On Demand Rules

Set up VPN On Demand.

VPN Control

class NETunnelProviderSession

An object to start and stop a tunnel connection and get its status.

class NEVPNConnection

An object to start and stop a Personal VPN connection and get its status.

See Also

Virtual Private Networks

Personal VPN

Create and manage a VPN configuration that uses one of the built-in VPN protocols (IPsec or IKEv2).

App Proxy Provider

Implement a VPN client for a flow-oriented, custom VPN protocol.