Post not yet marked as solved
I've developed a custom VPN system extension (macOS, Packet Tunnel Provider).
On a first installation, the user has to allow installation of the system extension (via Security & Privacy).
My question is, what should happen when the user updates the app to a newer version - will he get the 'allow system extension installation' popup again? Or is it a 'one time popup' only?
Post not yet marked as solved
I've developed a system-extension custom VPN app for macOS, which is in use by some internal testers.
The app works fine, except for one user, which can't connect to the VPN. I saw that on his machine, the system extension is getting terminated, very shortly after he's approving it. Sometime it happens while he's trying to connect, but sometimes it happens even without a connection attempt, he's just approving the sysExt and wait.
I saw at the logs the following lines:
sysextd: [com.apple.sx:StateChange] **** advancing state from activated_enabling to activated_enabled
sysextd: observer for **** reached success: activated_enabled
sysextd: [com.apple.sx:XPC] client connection (pid 667) invalidated
2022-01-12 21:45:50.844914+0200 0x26fa Activity 0xf149 496 0 sysextd: (Security) SecTrustEvaluateIfNecessary
2022-01-12 21:45:50.926046+0200 0x26fa Default 0x0 496 0 sysextd: request contains no authorizationref
2022-01-12 21:45:50.926390+0200 0x26fa Default 0x0 496 0 sysextd: returning cdhash for arbitrary arch x86_64 of extension ****
sysextd: [com.apple.sx:XPC] client connection (pid 1103) invalidated
nesessionmanager: [com.apple.networkextension:] Adding event subscription 775 for provider *** with extension point com.apple.networkextension.packet-tunnel
...
...
sysextd: received request to remove MDM payload with UUID ****
sysextd: removed MDM payload with UUID ****
sysextd: MDM payload change results in changed decision for Extension **** from Allow to UserOption
sysextd: deactivateExtension called for **** in state "activated_enabled"
sysextd: [com.apple.sx:StateChange] extension **** advancing state from activated_enabled to terminating_for_uninstall
Is this issue related somehow to MDM profiles?
Is it related to "client connection invalidated" ? And what is this thing?
How can I debug it/ understand where's the problem?
Post not yet marked as solved
I've developed a system-extension custom VPN app for macOS. As expected, the containing app is running under 'user' permissions, and the system-extension is running under 'root' permissions.
The containing app and the sys-ext can create (and save) log files.
The containing app has a button to 'collect' the logs from both the containing app and from the extension.
However, it can't really access to the extension's logs since it's under root/
What I'm doing is to ask the extension to send the logs via IPC,
but what should I do if the VPN is not connected? In this case the extension is not running, and I can't get it's logs.
Is there another way to get the file, or maybe to write logs from the extension to somewhere directly accessible to the containing app?
As I mentioned in this thread
https://developer.apple.com/forums/thread/695207
I want my containing app to be active after Mac restarts.
I thought about something that could work - I wrote a "helper" embedded app which will be added to the login items, and after a restart this "helper" app will open the containing app.
However, after archiving the project (with developer ID, it will be distributed outside the App Store), I see the following error at the Console:
Non-fatal error enumerating at , continuing: Error Domain=NSCocoaErrorDomain Code=260 "The file “PlugIns” couldn’t be opened because there is no such file." UserInfo={NSURL=PlugIns/ -- file:///Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/, NSFilePath=/Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/PlugIns, NSUnderlyingError=0x7fc5cb02c6f0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}
I see that there's really no plugin folder, but why?
Is it a certificate/signing issue?
Post not yet marked as solved
I configured my VPN to be 'on-demand' and I restarted my Mac.
After the restart, my Packet Tunnel Provider started (it was called by the OS, because of the on-demand).
The containing app is inactive - it's open (the icon is at the menu bar, with a circle at the bottom) but 'applicationDidFinishLaunching' is not being called.
Is there any way I can 'force start' the containing app?
Any way will be good - if it's by sending a message from the provider, or if it's possible to programmatically ask the OS to start the containing app after Mac restart..
Post not yet marked as solved
Sry for the duplicate -
I added a comment on an old post, but it's tagged only with 'System Extension' and without 'Network Extension', so I'm posting it here as well:
Original post:
https://developer.apple.com/forums/thread/133933?login=true&page=1#694688022
My question:
Bumping this old thread - I have the same scenario, I created a VPN + Certificate payload, installed it, and now I have a VPN conf which I can access to only from the containing app, but I need to access it from the system-extension. As I read above it's not possible, I send messages between the extension and the app, and it worked fine for the SecCertificate, which I sent as a Data to the extension (using SecCertificateCopyData() and sendProviderMessage functions).
The problem is that at the extension I need also the SecKey, and I couldn't find any way to pass it from the containing app to the extension. I even tried to pass it via IPC, but it crashed ( "This coder only encodes objects that adopt NSSecureCoding").
Is there any way to pass SecKey to the Extension, or to access it directly from there?
I have an iOS app and a MacOS app in which I want to display to the user it's device's local IP.If there is more than one IP, I would dispaly one of them, not matter which one.This is the code I'm using:func getIFAddresses() -> String {
//var addresses = [String]()
var address = "N/A"
deviceLocalIp = "N/A"
// Get list of all interfaces on the local machine:
var ifaddr : UnsafeMutablePointer?
guard getifaddrs(&ifaddr) == 0 else { return address }
guard let firstAddr = ifaddr else { return address }
// For each interface ...
for ptr in sequence(first: firstAddr, next: { $0.pointee.ifa_next }) {
let flags = Int32(ptr.pointee.ifa_flags)
var addr = ptr.pointee.ifa_addr.pointee
// Check for running IPv4, IPv6 interfaces. Skip the loopback interface.
if (flags & (IFF_UP|IFF_RUNNING|IFF_LOOPBACK)) == (IFF_UP|IFF_RUNNING) {
if addr.sa_family == UInt8(AF_INET) || addr.sa_family == UInt8(AF_INET6) {
let interfaceName = String.init(cString: &ptr.pointee.ifa_name.pointee)
//DDLogInfo("interfaceName:\(interfaceName)")
// Convert interface address to a human readable string:
var hostname = [CChar](repeating: 0, count: Int(NI_MAXHOST))
if (getnameinfo(&addr, socklen_t(addr.sa_len), &hostname, socklen_t(hostname.count),
nil, socklen_t(0), NI_NUMERICHOST) == 0) {
if interfaceName == "en0" {
deviceLocalIp = String(cString: hostname)
address = deviceLocalIp
break
}
//if we don't have address from en0 - try get it from another interface
//(but prefer from en0)
if address == "N/A" && (interfaceName == "en0" || interfaceName == "en1" || interfaceName == "en2" || interfaceName == "pdp_ip" || interfaceName == "ap1") {
deviceLocalIp = String(cString: hostname)
address = deviceLocalIp
}
}
}
}
}
freeifaddrs(ifaddr)
return address
}
}For IPv4 it seems to work well.For IPv6 (via Mac's Internet Sharing), I'm getting an IPv6 address, but it's not the address I'm expecting to connect -at the Network I see that my device is connected and has the IP address X and the result I'm getting with this code is address Y.P.S -For debugging, I printed all the IPs, not just the first, and still didn't get the correct one..
I have a scenario where the user needs to login using SSO, and then the server will use a url-scheme to communicate with my app.
If I'm opening an external browser - everything works great.
But I tried to use an embedded browser instead (WebView), and for some reason I'm getting this unclear error:
[ProcessSwapping] 0x11fd863f0 - ProvisionalPageProxy::didFailProvisionalLoadForFrame: pageProxyID=23 webPageID=34, frameID=3, navigationID=4
At the Console I saw more similar issues, like:
0x11fd863f0 - ProvisionalPageProxy::didFailProvisionalLoadForFrame: pageProxyID=23 webPageID=34, frameID=3, navigationID=4
<nw_activity 16:1 [E08406EE-456B-4302-913A-6C46229FDFC7] (reporting strategy default) complete (reason cancelled)> complete with reason 4 (cancelled), duration 599ms
How can I tell what's the problem and how to fix it?
P.S
In order to debug/fix it, I tried to implement the WKNavigationDelegate protocol, so I could see
that I'm getting this error as well:
error:Error Domain= Code=0 "Redirection to URL with a scheme that is not HTTP(S)" UserInfo={_WKRecoveryAttempterErrorKey=<WKReloadFrameErrorRecoveryAttempter: 0x600002b1c200>, NSErrorFailingURLStringKey=mycustomurlscheme://someresponse
I'm not sure why the url scheme must be http(s) in this case.
Post not yet marked as solved
Is it possible to use a custom VPN (Packet Tunnel Provider, for macOS) and inspect traffic via a proxy tool like Charles (https://developer.apple.com/documentation/network/taking_advantage_of_third-party_network_debugging_tools) at the same time ?
Post not yet marked as solved
I'm tyring to implement a Packet Tunnel Provider for OSX.I have the entitlements, but when I try to run the app, it's immediatly crashing.At the console, I can see the following errors:Found 2 provisioning profiles
com.apple.developer.networking.networkextension
Disallowing com.myapp.MyApp[pid 73450] because its use of the com.apple.developer.networking.networkextension entitlement is not allowed
killed com.myapp.MyApp[pid 73450] because its use of the com.apple.developer.networking.networkextension entitlement is not allowed (error code -67050)But as I said, I do have the entitlements, I'm using the correct provision profile, and I followed Eskimo tutorial at https://forums.developer.apple.com/message/75928#75928and everything looks as it should be.Any help would be appreciated!Edit: I created the provisioning profiles again, add them the network entitlements, cleaned the project, deleted the old profiles, and the problem still exists.
Post not yet marked as solved
I've implemented a custom VPN app for macOS (Packet Tunnel Provider)
The VPN has the following conf:
disconnectOnSleep = true
tunnelProviderManager.isOnDemandEnabled = true
tunnelProviderManager.onDemandRules = [NEOnDemandRuleConnect()]
So the VPN should be 'almost always-on' - it should connect whenever possible (the only rule is to 'always' connect)
Also, the OS should kill the VPN when the Mac enters sleep, and restart it when the Mac awakes.
The question:
Some customers complained that sometimes after sleep/awake, the Mac loses all traffic.
From the logs it seems that the Mac enters sleep, and then immediately the OS restarts the VPN (probably because of the 'connect' rule). This process can happen multiple times in a row: Sleep (disconnect VPN), and then immediately the state is changing to 'connecting' again. Then sleep->connecting, and so on..
How can I prevent this from happening? If the Mac enters sleep, the OS shouldn't restart the VPN.
Is it a bug? Can I change something at the on-demand rules to 'make it better' but to keep the same behavior?
Post not yet marked as solved
I've implemented a custom VPN app for macOS (Packet Tunnel Provider, network extension).
In my app there's a situation where the user tries to connect (vpn is starting), the server rejects the connection (vpn stops), and the user should enter some code and then the vpn will reconnect again (vpn should start again).
Most of the time this works as expected, but every now and then - the second connection (after the user entered the code) is stuck - the VPN goes into 'connecting' state, but it stays as connecting, without changing the state to connected or disconnected. The extension is not starting in this case.
I saw those logs at the Console:
failed to create the delegate
Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2
There are more related logs, but I think the above logs are the problematic ones.
After this issue, if I'm pressing the 'connect' button again, it will connect without a problem. So I think it's something related to the OS.
P.S - I also saw this thread, which looks very similar -
https://developer.apple.com/forums/thread/652708?login=true
I've implemented a custom VPN app for macOS (Network Extension, Packet Tunnel Provider).
I got some reports that my app crashed. I asked for the Console logs, and I saw this log:
MyAppExtension[85331]: BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7f9debe12120[source], ident: 5 / 0x5, handler: 0x107f09ced }
This log appeared multiple times (every couple of hours), each time with a different PID:
MyAppExtension[85765]: BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7fe76fc1ae70[source], ident: 5 / 0x5, handler: 0x1007d5ced }
Is it what crashed the app? The PID was different each time, so I guess it did crash the app.
What info can I get from this message (how to debug it)?
Post not yet marked as solved
While working on a dev version of my custom macOS VPN (Network Extension, Packet Tunnel Provider), I had cases where the VPN was suppose to start, but it didn't.
It's configured with an on-demand rule to always connect, and also to be on the safe side, I called connection.startVPNTunnel()
From the Console logs I see the following:
myClientClient Saving configuration myClient example - myname_mfa.mynameaccount with existing signature {length = 20, bytes = 0x3be5a6633b963d04c5e0a226cccff4c83a799e14}
default 12:33:36.686853+0200 secd myClientClient[8416]/1#11 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=query missing class name}
default 12:33:36.687705+0200 myClientClient MacOS error: -25304
default 12:33:36.690077+0200 myClientClient MacOS error: -25304
NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Received a start command from myClientClient[8416]
default 12:33:36.763724+0200 nesessionmanager Registering session NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]
default 12:33:36.764739+0200 nesessionmanager Received a com.apple.neconfigurationchanged notification with token 23
default 12:33:36.765486+0200 nesessionmanager Clearing E853F1E7-23BD-4F01-915B-65DCBB9D9AB8 from the loaded configurations
default 12:33:36.765604+0200 nesessionmanager Clearing 8A4A1803-C370-42A1-8758-35E3D4337959 from the loaded configurations
default 12:33:36.765717+0200 nesessionmanager Clearing 2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17 from the loaded configurations
nesessionmanager nw_network_agent_open_control_socket Successfully connected netagent socket 8
default 12:33:36.760869+0200 SystemUIServer Received a com.apple.neconfigurationchanged notification with token 48
default 12:33:36.790775+0200 neagent Looking for an extension with identifier com.myClientexample.mac.myClientClient.myClientClientExtension and extension point com.apple.networkextension.packet-tunnel
default 12:33:36.791728+0200 neagent [d private] PKHost:0x7f9bc9c29fb0 Beginning discovery for flags: 0, point: com.apple.networkextension.packet-tunnel
default 12:33:36.794692+0200 pkd Waiting on thread private until Launch Services database seeding is complete.
default 12:33:36.783780+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: status changed to connecting
default 12:33:36.811018+0200 neagent [d private] PKHost:0x7f9bc9c29fb0 Completed discovery. Final of matches: 1
default 12:33:36.762607+0200 myClientClient startToggled
default 12:33:36.811362+0200 nesessionmanager com.myClientexample.mac.myClientClient[743]: disposing
default 12:33:36.811575+0200 nesessionmanager com.myClientexample.mac.myClientClient[743]: Tearing down agent connection
default 12:33:36.811641+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Plugin is installed
default 12:33:36.763228+0200 myClientClient starting vpn tunnel
default 12:33:36.811729+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Enabling VPN On Demand
default 12:33:36.811145+0200 neagent Found 1 extension(s) with identifier com.myClientexample.mac.myClientClient.myClientClientExtension and extension point com.apple.networkextension.packet-tunnel
default 12:33:36.813142+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Matched no on demand rule
default 12:33:36.784619+0200 myClientClient vpnStatusDidChange: Connecting
default 12:33:36.784729+0200 myClientClient display Connecting
default 12:33:36.813445+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Matched on demand rule
action = connect
interfaceTypeMatch = any
And after that there is a very big amount of
"Received a start command from" and "Skip a start command from " (and I copied only part of the log), but the VPN stays at the 'connecting' phase.
Any idea what's causing it?
Can it happen also on the production version of my app? I never reproduced it at the Store version, but it's not always reproduces anyway..
Post not yet marked as solved
I've implemented a custom VPN (Packet Tunnel Provider) for macOS.
I'm using lib-curl from the provider. The traffic is not going via the tunnel. Is it possible to pass this traffic to the tunnel?
What should happen if I'll set the 'capture all traffic' flag? Will the traffic created from lib-curl at the provider will reach the tunnel?
roee84.