I'm implementing a VPN client using PacketTunnelProvider. I have C code that talks to my server, and this C code also has callbacks into my Swift code. In those callbacks I just need to send / receive packets. I do not need to create a tunnel with the server, because the C code does it for me.

So my question is, how do I get all the packets? I tried doing it with packetFlow, but without any success. (And for the moment I'm trying to do it in the startTunnelWithOptions function, but I'm not sure if it's the right place.)

Thanks!
I'm trying to implement a Packet Tunnel Provider for OSX. I have the entitlements, but when I try to run the app, it's immediately crashing. At the console, I can see the following errors:

Found 2 provisioning profiles
com.apple.developer.networking.networkextension
Disallowing com.myapp.MyApp[pid 73450] because its use of the com.apple.developer.networking.networkextension entitlement is not allowed
killed com.myapp.MyApp[pid 73450] because its use of the com.apple.developer.networking.networkextension entitlement is not allowed (error code -67050)

But as I said, I do have the entitlements, I'm using the correct provisioning profile, and I followed Eskimo's tutorial at https://forums.developer.apple.com/message/75928#75928 and everything looks as it should be. Any help would be appreciated!

Edit: I created the provisioning profiles again, added the network entitlements to them, cleaned the project, deleted the old profiles, and the problem still exists.
I've implemented a VPN app with Packet Tunnel Provider. In my app, I'm tunneling only the IPv4 traffic. Also, my server supports only IPv4 addresses. From what I understand, now I will have to control the IPv6 traffic as well? Or can I still continue as usual, and support only IPv4? (I do want to control most traffic from the device.)
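The following is an added example, not code from either poster: it covers the first post on this page (reading from and writing to packetFlow, and where in startTunnel to do it) and the IPv6 post just above it. The C transport is modelled by two hypothetical closures (sendToServer, onPacketFromServer); the server name, tunnel addresses and MTU are assumptions. The security-relevant point is the IPv6 half: a packet tunnel that only claims the IPv4 default route leaves IPv6 traffic to exit on the physical interface around the VPN, so an IPv4-only tunnel should still claim the IPv6 default route and drop what it cannot forward.

```swift
import NetworkExtension

/// Added example, not the original poster's code. The C transport is modelled
/// by two hypothetical callbacks: `sendToServer` hands an IPv4 packet to the
/// C code, `onPacketFromServer` is invoked by the C code when one arrives.
final class PacketTunnelProvider: NEPacketTunnelProvider {

    // Hypothetical bridge to the C library (assumption: it already manages the
    // transport to the server and only needs raw IP packets in both directions).
    var sendToServer: ((Data) -> Void)?
    var onPacketFromServer: ((Data) -> Void)?

    private var running = false

    override func startTunnel(options: [String : NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Assumption: server host name; it is informational for the system.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "vpn.example.com")

        // Claim the IPv4 default route so all v4 traffic is routed into the tunnel.
        // Addresses are assumptions; a real client receives them from the server.
        let v4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
        v4.includedRoutes = [NEIPv4Route.default()]
        settings.ipv4Settings = v4

        // The server only speaks IPv4. Claiming the IPv6 default route as well means
        // IPv6 packets are delivered to this provider (where they are dropped) instead
        // of leaving the device on the physical interface, bypassing the VPN.
        let v6 = NEIPv6Settings(addresses: ["fd00::2"], networkPrefixLengths: [64])
        v6.includedRoutes = [NEIPv6Route.default()]
        settings.ipv6Settings = v6

        settings.mtu = 1400

        // Inbound direction: C code -> packetFlow.
        onPacketFromServer = { [weak self] packet in
            _ = self?.packetFlow.writePackets([packet], withProtocols: [NSNumber(value: AF_INET)])
        }

        setTunnelNetworkSettings(settings) { [weak self] error in
            guard let self = self else { return }
            if let error = error {
                completionHandler(error)
                return
            }
            // packetFlow only delivers packets once the settings are applied and the
            // start completion handler has been called, so the read loop starts here.
            self.running = true
            completionHandler(nil)
            self.readLoop()
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        running = false
        completionHandler()
    }

    /// Outbound direction: packetFlow -> C code. readPackets hands over one batch;
    /// the next batch is only delivered after readPackets is called again, which
    /// is why the call is re-issued from the completion handler.
    private func readLoop() {
        packetFlow.readPackets { [weak self] packets, protocols in
            guard let self = self, self.running else { return }
            for (packet, proto) in zip(packets, protocols) {
                if proto.int32Value == AF_INET {
                    self.sendToServer?(packet)
                }
                // AF_INET6 packets are intentionally dropped: the tunnel has no IPv6
                // path to the server, and dropping them here is what prevents a leak.
            }
            self.readLoop()
        }
    }
}
```

Dropping IPv6 rather than leaving it unrouted is a deliberate trade-off: IPv6-only destinations become unreachable while the VPN is up, but no traffic escapes the tunnel. If the server later gains IPv6 support, the drop branch becomes a second forwarding path with no change to the routing setup.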
I've implemented a VPN app (with Packet Tunnel Provider). I have an observer for NEVPNStatusDidChangeNotification. When the user presses the "connect" button, 90% of the time I get the notifications where connection.status goes from Disconnected to Connecting and then to Connected. But I've already encountered several cases where the connection succeeded, but the notifications I got were

Disconnected -> Connecting -> Invalid

And as I said, the connection was made and the VPN had been activated, so why did I get the Invalid state?

Edit: These are some of the system logs:

name = <40-char-str>
identifier = some-identifier-I-dont-know-1
applicationName = myApp
application = myAppBundle
grade = 1
VPN = {
    enabled = YES
    onDemandEnabled = YES
    onDemandRules = (
        {
            action = connect
            interfaceTypeMatch = any
        },
    )
    protocol = {
        type = plugin
        identifier = some-identifier-I-dont-know-2
        serverAddress = <16-char-str>
        username = <24-char-str>
        password = {
            identifier = some-identifier-I-dont-know-1
            domain = user
        }
        passwordReference = <67656e70 00000000 00000417>
        identityDataImported = NO
        disconnectOnSleep = YES
        disconnectOnIdle = NO
        disconnectO
Updated network agent (inactive)
vpnStatusDidChange: Invalid
NESMVPNSession in state NESMVPNSessionStateIdle: update configuration
NESMVPNSession: Received a start command from myApp
Is it possible to distribute my VPN app (with packet tunnel provider) for macOS with a standalone installer (such as a .pkg/.dmg file)? I think the answer is that it can't be done, but the reason I'm asking is that there are some clients who want to preinstall the app on some people's Macs instead of sending them to the App Store. So is it possible? Or maybe the way to go here is Apple Configurator?
I've implemented a macOS app that, among other things, uses the keychain to save the user's password. Most of the time it works great, but every now and then, when I try to save the password, it crashes the app. The error I'm getting is:

errSecNotAvailable (OSStatus -25291)

I see that the description for this error is "No trust results are available." I can't reproduce it, but it's happened to some of my users. The code I'm using for the keychain part is taken from Apple's SimpleTunnel sample. What does this error mean? How can I fix it?

This is a partial stack trace:

Exception Type: SIGILL
Exception Codes: ILL_NOOP at 0x0
Crashed Thread: 0
Application Specific Information:
Selector name found in current argument registers: release
Thread 0 Crashed:
0 MyApp 0x000000010105fda1 0x101020000 + 261537
1 MyApp 0x0000000101060130 0x101020000 + 262448
2 MyApp 0x000000010107019f 0x101020000 + 328095
3 MyApp 0x000000010106f972 0x101020000 + 326002
4 libsystem_trace.dylib 0x00007fffe11d93a7 _os_activity_initiate_impl + 53
5 AppKit 0x00007fffc9a96721 -[NSApplication(NSResponder) sendAction:to:from:] + 456
6 AppKit 0x00007fffc957acc4 -[NSControl sendAction:to:] + 86
7 AppKit 0x00007fffc957abec __26-[NSCell _sendActionFrom:]_block_invoke + 136
8 libsystem_trace.dylib 0x00007fffe11d93a7 _os_activity_initiate_impl + 53
9 AppKit 0x00007fffc957ab44 -[NSCell _sendActionFrom:] + 128
10 AppKit 0x00007fffc95bd539 -[NSButtonCell _sendActionFrom:] + 98
11 libsystem_trace.dylib 0x00007fffe11d93a7 _os_activity_initiate_impl + 53
12 AppKit 0x00007fffc9579426 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 2481
13 AppKit 0x00007fffc95bd272 -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 798
14 AppKit 0x00007fffc9577ddb -[NSControl mouseDown:] + 832
15 AppKit 0x00007fffc9c1224f -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 6341
16 AppKit 0x00007fffc9c0ea6c -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 1942
17 AppKit 0x00007fffc9c0df0a -[NSWindow(NSEventRouting) sendEvent:] + 541
18 AppKit 0x00007fffc9a92681 -[NSApplication(NSEvent) sendEvent:] + 1145
19 AppKit 0x00007fffc930d427 -[NSApplication run] + 1002
20 AppKit 0x00007fffc92d7e0e NSApplicationMain + 1237
21 MyApp 0x0000000101022219 0x101020000 + 8729
22 libdyld.dylib 0x00007fffe0fa7235 start + 1
I've implemented a VPN app with Packet Tunnel Provider for macOS and iOS. I have two questions regarding the extension's sleep/wake functions:

1. If the VPN configuration is set with disconnectOnSleep = false, and in the extension I'm sending keep-alives every X seconds, what would happen when the device enters sleep mode? Will it keep sending keep-alives (because the VPN is configured with disconnectOnSleep = false)?

2. If the VPN configuration is set with disconnectOnSleep = true, and also isOnDemandEnabled = true: when the device enters sleep mode, do I need to disconnect the VPN myself? Or would the OS take care of it? And if I should disconnect it myself, won't on-demand try to turn it on again (because of the on-demand rules)?
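The provider is told about sleep and wake through the sleep(completionHandler:) and wake() overrides of NEPacketTunnelProvider. The following is an added example, not the poster's code, of what a provider that runs its own keep-alive timer can do in those two hooks; the interval, tunnel addresses and the sendKeepAlive closure (standing in for the real transport) are assumptions.

```swift
import NetworkExtension

/// Added example, not the original poster's code: a packet tunnel provider that
/// pauses its keep-alive timer when the system announces sleep and resumes it on
/// wake, instead of leaving a timer armed across the sleep period.
final class KeepAliveTunnelProvider: NEPacketTunnelProvider {

    private let keepAliveInterval: TimeInterval = 30   // assumption
    private var keepAliveTimer: DispatchSourceTimer?
    private let queue = DispatchQueue(label: "tunnel.keepalive")

    /// Hypothetical hook into the transport; sends one keep-alive to the server.
    var sendKeepAlive: (() -> Void)?

    override func startTunnel(options: [String : NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Minimal settings so the tunnel comes up; addresses are assumptions.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.10")
        let v4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
        v4.includedRoutes = [NEIPv4Route.default()]
        settings.ipv4Settings = v4

        setTunnelNetworkSettings(settings) { [weak self] error in
            if error == nil { self?.startKeepAlive() }
            completionHandler(error)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        stopKeepAlive()
        completionHandler()
    }

    /// Called by the system before the device sleeps. Cancel the timer and call the
    /// completion handler promptly; holding it delays the sleep transition.
    override func sleep(completionHandler: @escaping () -> Void) {
        stopKeepAlive()
        completionHandler()
    }

    /// Called on wake. Send one keep-alive right away so the server learns the
    /// client is back before a full interval elapses, then re-arm the timer.
    override func wake() {
        sendKeepAlive?()
        startKeepAlive()
    }

    private func startKeepAlive() {
        stopKeepAlive()
        let timer = DispatchSource.makeTimerSource(queue: queue)
        timer.schedule(deadline: .now() + keepAliveInterval, repeating: keepAliveInterval)
        timer.setEventHandler { [weak self] in self?.sendKeepAlive?() }
        timer.resume()
        keepAliveTimer = timer
    }

    private func stopKeepAlive() {
        keepAliveTimer?.cancel()
        keepAliveTimer = nil
    }
}
```

Whether the timer would have fired during sleep is then irrelevant: the provider's own state is consistent with what the system told it, and the server-side session timeout (if any) is the only thing that depends on the sleep duration.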
I've implemented a VPN app (with Packet Tunnel Provider) for macOS. Each user has a password, which I'm saving in the keychain with a persistentReference. For some users (not many), the app fails to save the password and I get error -25308, which is "User interaction is not allowed". Why is it happening and how can I solve it?
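The two keychain posts above (the -25291 crash and the -25308 save failure) share one mechanical point: SecItemAdd returns an OSStatus for every failure mode, and the app must treat a non-zero status as data, not as something to force-unwrap past. The following is an added example, not the SimpleTunnel sample or the poster's code; the service and account names are assumptions. It stores the password, returns the persistent reference that NEVPNProtocol.passwordReference expects, and turns any OSStatus (including -25291 and -25308) into a thrown error with the system's own description text.

```swift
import Foundation
import Security

/// Added example, not the SimpleTunnel sample or the original poster's code.
enum KeychainError: Error {
    case status(OSStatus, String)
}

/// Human-readable text for an OSStatus, e.g. -25291 (errSecNotAvailable) or
/// -25308 (errSecInteractionNotAllowed).
func describe(_ status: OSStatus) -> String {
    if let message = SecCopyErrorMessageString(status, nil) as String? {
        return message
    }
    return "OSStatus \(status)"
}

/// Stores `password` for `account` under `service` and returns the persistent
/// reference for NEVPNProtocol.passwordReference. Never force-unwraps: every
/// OSStatus is checked and surfaced to the caller instead of crashing the app.
func storePassword(_ password: String, account: String, service: String) throws -> Data {
    let data = Data(password.utf8)

    var add: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: data,
        kSecReturnPersistentRef as String: true,
    ]
    #if os(iOS)
    // The extension reads this item with no UI, possibly while the device is
    // locked, so the item must not require the user to unlock it on each access.
    add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
    #endif

    var result: CFTypeRef?
    var status = SecItemAdd(add as CFDictionary, &result)

    if status == errSecDuplicateItem {
        // Item already exists: update the secret in place, then fetch the reference.
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        let update: [String: Any] = [kSecValueData as String: data]
        status = SecItemUpdate(query as CFDictionary, update as CFDictionary)
        guard status == errSecSuccess else { throw KeychainError.status(status, describe(status)) }

        var fetch = query
        fetch[kSecReturnPersistentRef as String] = true
        status = SecItemCopyMatching(fetch as CFDictionary, &result)
    }

    guard status == errSecSuccess, let ref = result as? Data else {
        throw KeychainError.status(status, describe(status))
    }
    return ref
}

// Usage (assumed values):
// do {
//     let ref = try storePassword("s3cret", account: "alice", service: "com.example.vpn")
//     protocolConfiguration.passwordReference = ref
// } catch KeychainError.status(let code, let text) {
//     // -25308 "User interaction is not allowed" arrives here as a value the app
//     // can log and report, not as a crash.
//     NSLog("keychain save failed: %d %@", code, text)
// }
```

A crash with `Selector name found in current argument registers: release` on a keychain path, as in the stack trace above, is typical of code that ignores the status and then uses a nil result; routing every status through one error type makes the failing call and its code visible in the app's own logs.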
I have an iOS app and a macOS app in which I want to display to the user their device's local IP. If there is more than one IP, I would display one of them, no matter which one. This is the code I'm using:

import Foundation

// Kept outside the function so other parts of the app can read the last result.
var deviceLocalIp = "N/A"

func getIFAddresses() -> String {
    var address = "N/A"
    deviceLocalIp = "N/A"

    // Get list of all interfaces on the local machine:
    var ifaddr: UnsafeMutablePointer<ifaddrs>?
    guard getifaddrs(&ifaddr) == 0 else { return address }
    guard let firstAddr = ifaddr else { return address }

    // For each interface ...
    for ptr in sequence(first: firstAddr, next: { $0.pointee.ifa_next }) {
        let flags = Int32(ptr.pointee.ifa_flags)
        // ifa_addr can be nil for some interfaces; skip those instead of crashing.
        guard let addrPtr = ptr.pointee.ifa_addr else { continue }

        // Check for running IPv4, IPv6 interfaces. Skip the loopback interface.
        if (flags & (IFF_UP|IFF_RUNNING|IFF_LOOPBACK)) == (IFF_UP|IFF_RUNNING) {
            let family = addrPtr.pointee.sa_family
            if family == UInt8(AF_INET) || family == UInt8(AF_INET6) {
                let interfaceName = String(cString: ptr.pointee.ifa_name)

                // Convert interface address to a human readable string. The pointer is
                // passed through as-is: copying it into a `sockaddr` local keeps only
                // 16 bytes, which truncates a 28-byte IPv6 sockaddr_in6.
                var hostname = [CChar](repeating: 0, count: Int(NI_MAXHOST))
                if getnameinfo(addrPtr, socklen_t(addrPtr.pointee.sa_len),
                               &hostname, socklen_t(hostname.count),
                               nil, socklen_t(0), NI_NUMERICHOST) == 0 {
                    if interfaceName == "en0" {
                        deviceLocalIp = String(cString: hostname)
                        address = deviceLocalIp
                        break
                    }
                    // If we don't have an address from en0 - try to get it from another
                    // interface (but prefer en0).
                    if address == "N/A" && (interfaceName == "en0" || interfaceName == "en1" || interfaceName == "en2" || interfaceName == "pdp_ip" || interfaceName == "ap1") {
                        deviceLocalIp = String(cString: hostname)
                        address = deviceLocalIp
                    }
                }
            }
        }
    }
    freeifaddrs(ifaddr)
    return address
}

For IPv4 it seems to work well. For IPv6 (via the Mac's Internet Sharing), I'm getting an IPv6 address, but it's not the address I'm expecting to connect - in the Network settings I see that my device is connected and has the IP address X, and the result I'm getting with this code is address Y.

P.S. - For debugging, I printed all the IPs, not just the first, and still didn't get the correct one.
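An interface normally carries several IPv6 addresses at once (a link-local fe80:: address, often a unique-local one, and one or more global ones), so "the first address found on en0" is not a well-defined choice for IPv6. The following is an added example, not the poster's code, that generalizes the lookup above: it enumerates every address on every up interface, classifies the IPv6 ones by prefix, and picks a displayable address by preference rather than by enumeration order. Like the corrected code above, it passes the original sockaddr pointer to getnameinfo instead of a 16-byte copy, since a `sockaddr` local truncates a 28-byte `sockaddr_in6`.

```swift
import Foundation
import Darwin

/// Added example, not the original poster's code: every address on every up,
/// non-loopback interface, with IPv6 addresses classified by scope.
struct InterfaceAddress: Equatable {
    enum Kind: String { case ipv4, ipv6Global, ipv6LinkLocal, ipv6UniqueLocal, ipv6Other }
    let interface: String
    let kind: Kind
    let address: String
}

/// Classify an IPv6 address by its well-known prefix.
func classifyIPv6(_ addr: in6_addr) -> InterfaceAddress.Kind {
    let bytes = withUnsafeBytes(of: addr) { Array($0) }
    if bytes[0] == 0xfe && (bytes[1] & 0xc0) == 0x80 { return .ipv6LinkLocal }   // fe80::/10
    if (bytes[0] & 0xfe) == 0xfc { return .ipv6UniqueLocal }                     // fc00::/7
    if (bytes[0] & 0xe0) == 0x20 { return .ipv6Global }                          // 2000::/3
    return .ipv6Other
}

func allInterfaceAddresses() -> [InterfaceAddress] {
    var result: [InterfaceAddress] = []
    var ifaddrPtr: UnsafeMutablePointer<ifaddrs>?
    guard getifaddrs(&ifaddrPtr) == 0, let first = ifaddrPtr else { return result }
    defer { freeifaddrs(ifaddrPtr) }

    for ptr in sequence(first: first, next: { $0.pointee.ifa_next }) {
        let ifa = ptr.pointee
        let flags = Int32(ifa.ifa_flags)
        // ifa_addr may be nil for some entries; skip rather than dereference it.
        guard (flags & IFF_UP) != 0, (flags & IFF_LOOPBACK) == 0,
              let sa = ifa.ifa_addr else { continue }
        let name = String(cString: ifa.ifa_name)

        var host = [CChar](repeating: 0, count: Int(NI_MAXHOST))
        // NI_NUMERICHOST: no reverse DNS. Link-local v6 comes back as "fe80::...%en0".
        guard getnameinfo(sa, socklen_t(sa.pointee.sa_len), &host, socklen_t(host.count),
                          nil, 0, NI_NUMERICHOST) == 0 else { continue }
        let text = String(cString: host)

        switch Int32(sa.pointee.sa_family) {
        case AF_INET:
            result.append(InterfaceAddress(interface: name, kind: .ipv4, address: text))
        case AF_INET6:
            let sin6 = sa.withMemoryRebound(to: sockaddr_in6.self, capacity: 1) { $0.pointee }
            result.append(InterfaceAddress(interface: name,
                                           kind: classifyIPv6(sin6.sin6_addr),
                                           address: text))
        default:
            continue
        }
    }
    return result
}

/// Pick the address to display on `interface`: prefer IPv4, then a global IPv6
/// address. Link-local addresses are never what a router or a peer sees, so they
/// are not candidates.
func displayAddress(on interface: String = "en0", from list: [InterfaceAddress]) -> String? {
    let onIface = list.filter { $0.interface == interface }
    return (onIface.first { $0.kind == .ipv4 } ?? onIface.first { $0.kind == .ipv6Global })?.address
}

// Usage:
// for entry in allInterfaceAddresses() { print(entry.interface, entry.kind.rawValue, entry.address) }
// print(displayAddress(from: allInterfaceAddresses()) ?? "N/A")
```

Printing the full classified list is the quickest way to see which of the device's addresses matches the one the sharing Mac shows for it; if the expected address is absent from the list entirely, the interface simply does not hold it, and the question moves from the lookup code to the network configuration.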
I noticed a bug in the Packet Tunnel Provider app for macOS (maybe also for iOS, I didn't test it there): If I'm configuring a split tunnel with a wildcard match domain (empty string), the system should consult its DNS server for all domains first, as described here - https://forums.developer.apple.com/thread/35027

Now I've added some searchDomains. When there's no split tunnel, or there's a split tunnel with 'Exclude Routes', everything goes well. But if the split tunnel is configured with 'Include Routes', it seems that the searchDomains aren't added to the DNS queries.

For example: let's say searchDomains contains the postfix 'com'.
- Working scenario: I've defined some routes in the split tunnel exclude list, and run ping google. This worked well and I got results for google.com.
- Not working scenario: I've defined some routes in the split tunnel include list, where google is one of those routes. Running ping google won't work and I get the error: ping: cannot resolve google: Unknown host
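For comparison, the following is an added example, not the poster's code, that builds the network settings for the three shapes the post compares (full tunnel, exclude-routes split, include-routes split) with the same DNS settings in each case; the tunnel addresses, route, DNS server and domains are assumptions. In the include-routes case it also adds a host route for each tunnel DNS server, so that the resolver addresses themselves are reachable through the tunnel regardless of what else is in the include list.

```swift
import NetworkExtension

/// Added example, not the original poster's code.
enum SplitTunnelMode {
    case includeOnly([NEIPv4Route])   // only these destinations enter the tunnel
    case excludeOnly([NEIPv4Route])   // everything enters the tunnel except these
    case full
}

func makeSettings(mode: SplitTunnelMode,
                  dnsServers: [String],
                  searchDomains: [String]) -> NEPacketTunnelNetworkSettings {
    // Addresses are assumptions.
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.10")
    let v4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])

    switch mode {
    case .includeOnly(let routes):
        // Make sure the tunnel's own resolvers are among the included destinations,
        // so DNS traffic to them is routed into the tunnel and not elsewhere.
        let resolverRoutes = dnsServers.map {
            NEIPv4Route(destinationAddress: $0, subnetMask: "255.255.255.255")
        }
        v4.includedRoutes = routes + resolverRoutes
    case .excludeOnly(let routes):
        v4.includedRoutes = [NEIPv4Route.default()]
        v4.excludedRoutes = routes
    case .full:
        v4.includedRoutes = [NEIPv4Route.default()]
    }
    settings.ipv4Settings = v4

    let dns = NEDNSSettings(servers: dnsServers)
    // An empty string in matchDomains makes the tunnel's resolvers the primary
    // resolvers for every name (the wildcard the post refers to). Without it, in an
    // include-routes split tunnel only names under the listed domains go to them.
    dns.matchDomains = [""]
    dns.searchDomains = searchDomains
    settings.dnsSettings = dns
    return settings
}

// Usage (assumed values), from inside the provider's startTunnel:
// let corp = NEIPv4Route(destinationAddress: "10.0.0.0", subnetMask: "255.0.0.0")
// let settings = makeSettings(mode: .includeOnly([corp]),
//                             dnsServers: ["10.0.0.53"],
//                             searchDomains: ["corp.example.com"])
// setTunnelNetworkSettings(settings) { error in /* then completionHandler(error) */ }
```

Running the same `ping google` check against each of the three modes from this one builder isolates whether the difference is in the routing configuration or in how the resolver applies searchDomains, because the DNS settings object is identical in all three.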
I've upgraded my macOS to Catalina. Then I tried to run my macOS VPN app (implemented with Packet Tunnel Provider) via Xcode. The VPN fails to connect and I see a lot of errors in the Console, such as:

Current bundle (/Users/myClientPath/Client.app) does not have a SystemExtensions directory
NESMVPNSession[Primary Tunnel:myDetails:(null)]: Received a start command from myClient[2061]
Found 0 (0 active) registrations for com.my.bundle.id.extension (com.apple.networkextension.packet-tunnel)   - this message repeats several times
NEVPNTunnelPlugin(com.my.bundle.id[794]): Validation of the extension failed
NESMVPNSession in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin started with PID 0 error (null)
Hub connection error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service on pid 0 named com.my.bundle.id.extension
disposing
Failed to start extension com.my.bundle.id.extension
NSDebugDescription=connection to service on pid 0 named com.my.bundle.id.extension

How can I solve it?
I've developed a VPN app for iOS and macOS with Packet Tunnel Provider. Once the VPN is enabled, all the traffic should go via the VPN. The VPN is configured to be on demand (isOnDemandEnabled is set), with a rule to always connect.

There are some cases where this configuration might cause a problem. When the user goes to a place with a captive portal, the VPN won't be able to connect (because the user will first need to log in to the captive portal), but the user also won't be able to log in to the captive portal (because all traffic triggers the network extension). In such a case, I need the captive portal to be shown to the user, and I also need to exclude at least some of the traffic from the VPN, so the user would be able to log in to the captive portal (but I don't want to open all traffic, just the traffic needed for the login).

Is there any API for those cases? If the answer is no, I'll try to detect this case in the extension. But I won't be able to open the captive portal from there, so the only thing I would be able to do is to display a message to the user, correct?
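Two of the posts on this page concern the on-demand configuration in the containing app: the captive-portal post just above, and the earlier post about a status sequence that ends in Invalid. The following is an added example, not the poster's code, covering both in one controller. For the captive-portal case it uses the probeURL property of NEOnDemandRule: the connect rule only matches when an HTTP GET of the probe URL succeeds, which it does not while a portal is intercepting traffic, so the tunnel is not forced up before the user can reach the login page. For the Invalid case it observes NEVPNStatusDidChange and reloads the configuration from preferences when the status becomes .invalid instead of trusting the in-memory manager. Bundle identifier, server name and probe URL are assumptions.

```swift
import NetworkExtension

/// Added example, not the original poster's code.
final class TunnelController {
    private var manager: NETunnelProviderManager?
    private var observer: NSObjectProtocol?

    /// Load (or create) the configuration, install on-demand rules with a probe URL,
    /// save, and reload before use.
    func install(completion: @escaping (Error?) -> Void) {
        NETunnelProviderManager.loadAllFromPreferences { [weak self] managers, error in
            guard let self = self else { return }
            if let error = error { completion(error); return }
            let manager = managers?.first ?? NETunnelProviderManager()

            let proto = NETunnelProviderProtocol()
            proto.providerBundleIdentifier = "com.example.vpn.extension"  // assumption
            proto.serverAddress = "vpn.example.com"                       // assumption
            manager.protocolConfiguration = proto
            manager.localizedDescription = "Example VPN"

            // Rules are evaluated in order; the first match wins.
            let connect = NEOnDemandRuleConnect()
            connect.interfaceTypeMatch = .any
            // Only match when the probe URL can actually be fetched. Behind a captive
            // portal the GET is intercepted and fails, so the tunnel is not started
            // and the user can complete the portal login first.
            connect.probeURL = URL(string: "https://probe.example.com/ok")!   // assumption
            // Anything not matched above: leave the tunnel as it is.
            let fallback = NEOnDemandRuleIgnore()
            manager.onDemandRules = [connect, fallback]
            manager.isOnDemandEnabled = true
            manager.isEnabled = true

            manager.saveToPreferences { error in
                if let error = error { completion(error); return }
                // Reload after saving; starting a tunnel from a manager that was not
                // reloaded after a save is a common source of start errors.
                manager.loadFromPreferences { error in
                    self.manager = manager
                    self.observe(manager)
                    completion(error)
                }
            }
        }
    }

    private func observe(_ manager: NETunnelProviderManager) {
        if let observer = observer { NotificationCenter.default.removeObserver(observer) }
        observer = NotificationCenter.default.addObserver(
            forName: .NEVPNStatusDidChange, object: manager.connection, queue: .main) { _ in
            switch manager.connection.status {
            case .invalid:
                // The system no longer considers this configuration valid; reload it
                // rather than acting on the stale in-memory copy.
                manager.loadFromPreferences { error in
                    NSLog("configuration reloaded after .invalid, error: %@",
                          String(describing: error))
                }
            case .connected, .connecting, .disconnected, .disconnecting, .reasserting:
                NSLog("tunnel status: %ld", manager.connection.status.rawValue)
            @unknown default:
                break
            }
        }
    }

    func connect() throws {
        try manager?.connection.startVPNTunnel()
    }
}
```

The probe host is fetched by the system, not through the tunnel, so it should be a host the operator controls and that returns a plain 200 without redirects; the same probe is a cheap liveness signal for the VPN server's own front door if it is hosted there.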
I have a VPN app (Packet Tunnel Provider) for Mac on the App Store, and I got the following question from a customer: "Can the VPN stay connected between switching users in macOS?"

The customer tested it and saw the following: "When switching users, VPN stays connected in Mojave OS but will be disconnected on Catalina OS."

I don't know how to reply and I don't know what the expected behavior is in those cases. The only guess that I have is that it's not supposed to stay connected, because this is not a system extension, so it's probably relevant only to one user. But I'm not sure of it.

Some details that might help: the VPN is not installed from MDM, and it comes with on-demand rules to try and stay connected whenever there's traffic.
Some users at a certain company reported they are having problems when using my VPN app for Mac (Packet Tunnel Provider) with SMB: initiating an SMB upload will fail and then their VPN client will disconnect; in some cases the computer needs to be rebooted.

I've collected logs for my client (nothing suspicious there), and I also got the logs from their Console. These are some relevant lines from the Console, but again I don't see anything suspicious:

default 17:27:16.194234 -0400 secd Microsoft Outloo[303]/1#16 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={NSDescription=Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements}
default 17:27:16.252627 -0400 com.apple.WebKit.WebContent Current memory footprint: 14 MB
default 17:27:18.079823 -0400 symptomsd rssi (-53) or transmitRate (585.000000) changed on interface en1 for BSSID:
default 17:27:18.751723 -0400 coreaudiod gPTPClockStatistics for 0x995aebd999500000
default 17:27:18.751758 -0400 coreaudiod Grandmaster Identity: 0x995aebd999500000
default 17:27:18.751781 -0400 coreaudiod Clock lock state: Locked
default 17:27:18.751809 -0400 coreaudiod 0x995aebd999500000: First Sync 2199023255552,2199023255552,42252520443,42252520443,0x995aebd999500000,0
default 17:27:18.751830 -0400 coreaudiod Rate Ratio: 2199023255552/2199023255552 (1.000000000000)
default 17:27:18.751845 -0400 coreaudiod Anchors: 42252520443, 42252520443
default 17:27:18.751861 -0400 coreaudiod Sync Identity: 0x995aebd999500000.0
default 17:27:19.466668 -0400 SophosConfigD CSSM Exception: -2147413736 CSSMERR_DL_DATASTORE_ALREADY_EXISTS
default 17:27:19.852256 -0400 Core Sync TCP Conn 0x60800016e100 canceled
default 17:27:19.853018 -0400 Core Sync TCP Conn [239:0x60000016df80] using empty proxy configuration
default 17:27:19.853033 -0400 Core Sync Stream client bypassing proxies on TCP Conn [239:0x60000016df80]
default 17:27:19.853045 -0400 Core Sync TCP Conn 0x60000016df80 started
default 17:27:19.852614 -0400 Core Sync [242 stream, pid: 565] cancelled
[242.1 61DEA637-675C-413E-A6A3-AA6E3FA344EC .51750<->]
Connected Path: satisfied (Path is satisfied), interface: utun1, ipv4, dns
Duration: 43.817s, DNS @0.000s took 0.597s, TCP @0.598s took 0.580s
bytes in/out: 9096/2013, packets in/out: 11/7, rtt: 0.666s, retransmitted packets: 0, out-of-order packets: 0
default 17:27:19.853679 -0400 Core Sync [243 ] start
default 17:27:21.403116 -0400 secd Microsoft Outloo[303]/1#16 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={NSDescription=Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements}
default 17:27:21.442425 -0400 nesessionmanager -[NESMSession setStatus:]:776 NESMVPNSession[MyClient - someuser:76FF4E17-someMoreNumbers1EC359]: status changed to disconnecting
default 17:27:21.450275 -0400 nsurlsessiond received network changed event
default 17:27:21.467515 -0400 CommCenter #I DATA.DataNetworkMonitorOSX: handleNetworkStateChanged_sync: nwi_state: 0x7fdf256247f0
default 17:27:21.467577 -0400 CommCenter #I DATA.DataNetworkMonitorOSX: checkIPConnectivity_sync: ***** ipConnectivityAvailable: true
default 17:27:21.467610 -0400 CommCenter #I DATA.DataNetworkMonitorOSX: checkIPConnectivity_sync: Previous primary interface '' is DOWN.
default 17:27:21.464626 -0400 airportd _processIPv4Changes: ARP/NDP offloads disabled, not programming the offload
default 17:27:21.467640 -0400 CommCenter #I DATA.DataNetworkMonitorOSX: checkIPConnectivity_sync: Primary interface changed to '' with IP family: kDataProtocolFamilyIPv4
default 17:27:21.467692 -0400 CommCenter #I Firing event 'dataWifiAvailable': with params=

The VPN disconnects at the line starting with default 17:27:21.442425 -0400. Is there something suspicious that I missed in those logs? Is there anything that might cause this behavior, only with SMB?
I've implemented a VPN app with Packet Tunnel Provider for macOS. To send the packets, I'm using BSD sockets. I noticed that when sending big files (1GB), most of the time the upload fails, and the relevant errors I see in the console are the following:

[Extension com.myExtension]: IPC detached
NESMVPNSession[Primary Tunnel:My Company - myUserName:6EF9650B-D1DA-418B-B617-AE0874DDCBD3:(null)] in state
NESMVPNSessionStateRunning: plugin NEVPNTunnelPlugin(com.MyContainingApp]) did detach from IPC
[NOTICE] : networking grace period is over for #lifetime
boringssl_context_message_handler(2257) [C6.1:2][0x1048aeac0] Writing SSL3_RT_ALERT 2 bytes
boringssl_context_handle_warning_alert(1892) [C6.1:2][0x1048aeac0] write alert, level: warning, description: close notify
boringssl_session_disconnect(539) [C6.1:2][0x1048aeac0] SSL_shutdown 0
nw_flow_disconnected [C6.1 20.185.73.23:443 cancelled socket-flow ((null))] Output protocol disconnected
nw_connection_report_state_with_handler_on_nw_queue [C6] reporting state cancelled
Connection 6: destroyed
nw_protocol_boringssl_remove_input_handler(1012) [C6.1:2][0x1048aeac0] nw_protocol_boringssl_remove_input_handler forced true
nw_protocol_boringssl_remove_input_handler(1030) [C6.1:2][0x1048aeac0] Transferring nw_protocol_boringssl_t handle back into ARC for autorelease

So I'm guessing it's related to "did detach from IPC" or to "SSL3_RT_ALERT 2 bytes", but what's the next step here? How can I try to figure out what's causing this?

P.S.: It seems that the VPN stays connected and functional, it's just the upload that fails.
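The "did detach from IPC" line is what nesessionmanager logs when the extension's connection to it goes away, which is what an extension process exiting looks like from the outside; whatever the cause is in this case, a BSD-socket send path that moves a gigabyte has two classic ways to take the process or the data down. On Darwin, send() to a socket whose peer has gone away raises SIGPIPE and kills the process unless SO_NOSIGPIPE is set, and a short or failing send() that is treated as a full write silently drops part of the payload. The following is an added example, not the poster's code: a write helper that sets SO_NOSIGPIPE, handles partial writes, EINTR and EAGAIN, and waits on poll() rather than buffering without bound inside the extension. The chunk size and poll timeout are assumptions.

```swift
import Foundation
import Darwin

/// Added example, not the original poster's code.
enum SocketWriteError: Error {
    case errno(Int32)      // errno from send()/poll()
    case timeout           // no progress within the poll timeout
    case closed            // peer closed the connection
}

/// On Darwin, send() to a socket whose peer has gone away raises SIGPIPE, which
/// terminates the whole process unless SO_NOSIGPIPE is set on the socket.
func disableSigpipe(_ fd: Int32) -> Bool {
    var on: Int32 = 1
    return setsockopt(fd, SOL_SOCKET, SO_NOSIGPIPE, &on, socklen_t(MemoryLayout<Int32>.size)) == 0
}

/// Writes all of `data` to `fd` or throws. A short write is resumed from the
/// unsent offset; EINTR is retried; EAGAIN (send buffer full on a non-blocking
/// socket) waits for writability instead of spinning or queueing more data.
func sendAll(_ fd: Int32, _ data: Data, pollTimeoutMs: Int32 = 5000) throws {
    try data.withUnsafeBytes { (raw: UnsafeRawBufferPointer) in
        guard let base = raw.baseAddress else { return }
        var offset = 0
        while offset < raw.count {
            let n = send(fd, base + offset, raw.count - offset, 0)
            if n > 0 {
                offset += n                  // partial write: continue from here
                continue
            }
            if n == 0 {
                throw SocketWriteError.closed
            }
            let err = errno
            switch err {
            case EINTR:
                continue                     // interrupted by a signal; just retry
            case EAGAIN:                     // same value as EWOULDBLOCK on Darwin
                var pfd = pollfd(fd: fd, events: Int16(POLLOUT), revents: 0)
                let ready = poll(&pfd, 1, pollTimeoutMs)
                if ready == 0 { throw SocketWriteError.timeout }
                if ready < 0 && errno != EINTR { throw SocketWriteError.errno(errno) }
                if (pfd.revents & Int16(POLLHUP | POLLERR)) != 0 { throw SocketWriteError.closed }
            default:
                throw SocketWriteError.errno(err)   // EPIPE, ECONNRESET, ENOBUFS, ...
            }
        }
    }
}

/// Sends a large payload in bounded chunks so that the amount of data in flight
/// inside the extension stays flat even when the server drains slowly.
func upload(_ fd: Int32, _ payload: Data, chunk: Int = 64 * 1024) throws {
    guard disableSigpipe(fd) else { throw SocketWriteError.errno(errno) }
    var start = 0
    while start < payload.count {
        let end = min(start + chunk, payload.count)
        try sendAll(fd, payload.subdata(in: start..<end))
        start = end
    }
}
```

If the extension is exiting, the crash report under ~/Library/Logs/DiagnosticReports (or /Library/Logs/DiagnosticReports) for the extension process will say whether it was SIGPIPE, a memory limit, or something else; that report, not the nesessionmanager line, is the next thing to look at.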