I've implemented a custom system-extension VPN (Packet Tunnel Provider) for macOS.
At the extension, I need to use a 3rd party dynamic lib.
The steps I did:
Build phases:
Copy files, with Frameworks destination
Link Binary With Libraries
Build Settings:
I set 'Dynamic Library Install Name', 'Dynamic Library Install Name Base', and 'Library Search Path' to the lib folder
I set 'Header Search Path' to the headers folder
But when running the extension, it's crashing with the error
Termination Reason: Namespace DYLD, Code 1 Library missing
Library not loaded: @loader_path/somelib.dylib
And
Reason: tried: '/Library/SystemExtensions/A1111-someID-11111/com.myapp.myappSysExtension.systemextension/Contents/MacOS/libwavmodapi.dylib' (no such file), '/usr/local/lib/libwavmodapi.dylib' (no such file), '/usr/lib/libwavmodapi.dylib' (no such file)
(terminated at launch; ignore backtrace)
Any idea what I'm doing wrong here?
Also, is it even possible to use dynamic libs from a sys-ext?
I have some questions regarding life cycle of Packet Tunnel Provider:
I have some static vars at the PacketTunnelProvider. The user connected to the VPN, then disconnected, so I called the relevant completion handler.
After some time, the user will start VPN again, PacketTunnelProvider will be recreated.
Will it use the same class as before, and all static vars will hold their last value? Or would it create a new PacketTunnelProvider?
Is it the same behavior for Network Extension vs System Extension?
Is it the same behavior for macOS vs iOS?
What about running threads? If I created a thread, and then I called the completion handler, will this thread continue to run?
P.S
If I'm adding exit(0) before 'quitting' the Packet Tunnel Provider, it will force cleaning the memory. But I guess it's not a good behavior for a System Extension to use exit(0)
import NetworkExtension

class PacketTunnelProvider: NEPacketTunnelProvider {
    // Static state: lives as long as the extension process does
    static var isInitiated = false
    // ...

    override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) {
        // ...
        PacketTunnelProvider.isInitiated = true
        // ...
    }
}
I've developed a custom VPN system extension (macOS, Packet Tunnel Provider).
On a first installation, the user has to allow installation of the system extension (via Security & Privacy).
My question is, what should happen when the user updates the app to a newer version - will he get the 'allow system extension installation' popup again? Or is it a 'one time popup' only?
Hi
I've developed a custom VPN app for macOS (system-extension, Packet Tunnel Provider), and I have the following problem:
I'm connected via Ethernet only (not Wi-Fi). I configured HTTP and HTTPS proxies on the Ethernet interface.
I'm connecting to my VPN:
If I'm using a 'full tunnel' - the traffic won't pass to the Ethernet proxies, this is expected
If I'm using a split tunnel - even the routes included on the tunnel will reach the Ethernet proxies, this is not expected.
Am I right that this behavior is not expected? How can I fix this issue?
I've developed a system-extension custom VPN app for macOS, which is in use by some internal testers.
The app works fine, except for one user, who can't connect to the VPN. I saw that on his machine, the system extension is getting terminated very shortly after he approves it. Sometimes it happens while he's trying to connect, but sometimes it happens even without a connection attempt; he just approves the sysExt and waits.
I saw at the logs the following lines:
sysextd: [com.apple.sx:StateChange] **** advancing state from activated_enabling to activated_enabled
sysextd: observer for **** reached success: activated_enabled
sysextd: [com.apple.sx:XPC] client connection (pid 667) invalidated
2022-01-12 21:45:50.844914+0200 0x26fa Activity 0xf149 496 0 sysextd: (Security) SecTrustEvaluateIfNecessary
2022-01-12 21:45:50.926046+0200 0x26fa Default 0x0 496 0 sysextd: request contains no authorizationref
2022-01-12 21:45:50.926390+0200 0x26fa Default 0x0 496 0 sysextd: returning cdhash for arbitrary arch x86_64 of extension ****
sysextd: [com.apple.sx:XPC] client connection (pid 1103) invalidated
nesessionmanager: [com.apple.networkextension:] Adding event subscription 775 for provider *** with extension point com.apple.networkextension.packet-tunnel
...
...
sysextd: received request to remove MDM payload with UUID ****
sysextd: removed MDM payload with UUID ****
sysextd: MDM payload change results in changed decision for Extension **** from Allow to UserOption
sysextd: deactivateExtension called for **** in state "activated_enabled"
sysextd: [com.apple.sx:StateChange] extension **** advancing state from activated_enabled to terminating_for_uninstall
Is this issue related somehow to MDM profiles?
Is it related to "client connection invalidated"? And what is this thing?
How can I debug it / understand where the problem is?
I've developed a system-extension custom VPN app for macOS. As expected, the containing app is running under 'user' permissions, and the system-extension is running under 'root' permissions.
The containing app and the sys-ext can create (and save) log files.
The containing app has a button to 'collect' the logs from both the containing app and from the extension.
However, it can't really access the extension's logs since it's under root/
What I'm doing is to ask the extension to send the logs via IPC,
but what should I do if the VPN is not connected? In this case the extension is not running, and I can't get its logs.
Is there another way to get the file, or maybe to write logs from the extension to somewhere directly accessible to the containing app?
I've developed a system-extension for macOS (Packet Tunnel Provider, Developer ID, distribution outside the App Store).
There's a scenario where I want to present some webpages with WebKit. It works fine, but on one of my testing Macs the webpage displays the page for a split second, and then becomes white.
I saw that the WebKit crashed, but I'm not sure why.
I attached the crash report.
Also, at the crash report, I saw this:
"is_first_party":1,"bug_type":"309"
Did my application cause this crash? Any advice on how to debug it or on how I can prevent it from happening?
com.apple.WebKit.WebContent-2021-12-12-063048.txt
As I mentioned in this thread
https://developer.apple.com/forums/thread/695207
I want my containing app to be active after Mac restarts.
I thought about something that could work - I wrote a "helper" embedded app which will be added to the login items, and after a restart this "helper" app will open the containing app.
However, after archiving the project (with developer ID, it will be distributed outside the App Store), I see the following error at the Console:
Non-fatal error enumerating at , continuing: Error Domain=NSCocoaErrorDomain Code=260 "The file “PlugIns” couldn’t be opened because there is no such file." UserInfo={NSURL=PlugIns/ -- file:///Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/, NSFilePath=/Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/PlugIns, NSUnderlyingError=0x7fc5cb02c6f0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}
I see that there's really no plugin folder, but why?
Is it a certificate/signing issue?
I configured my VPN to be 'on-demand' and I restarted my Mac.
After the restart, my Packet Tunnel Provider started (it was called by the OS, because of the on-demand).
The containing app is inactive - it's open (the icon is at the menu bar, with a circle at the bottom) but 'applicationDidFinishLaunching' is not being called.
Is there any way I can 'force start' the containing app?
Any way will be good - if it's by sending a message from the provider, or if it's possible to programmatically ask the OS to start the containing app after Mac restart..
Sry for the duplicate -
I added a comment on an old post, but it's tagged only with 'System Extension' and without 'Network Extension', so I'm posting it here as well:
Original post:
https://developer.apple.com/forums/thread/133933?login=true&page=1#694688022
My question:
Bumping this old thread - I have the same scenario: I created a VPN + Certificate payload, installed it, and now I have a VPN conf which I can access only from the containing app, but I need to access it from the system-extension. As I read above, it's not possible. I send messages between the extension and the app, and it worked fine for the SecCertificate, which I sent as Data to the extension (using the SecCertificateCopyData() and sendProviderMessage functions).
The problem is that at the extension I also need the SecKey, and I couldn't find any way to pass it from the containing app to the extension. I even tried to pass it via IPC, but it crashed ("This coder only encodes objects that adopt NSSecureCoding").
Is there any way to pass SecKey to the Extension, or to access it directly from there?
Is it possible to use a custom VPN (Packet Tunnel Provider, for macOS) and inspect traffic via a proxy tool like Charles (https://developer.apple.com/documentation/network/taking_advantage_of_third-party_network_debugging_tools) at the same time?
I've implemented a custom VPN app for macOS (Packet Tunnel Provider)
The VPN has the following conf:
disconnectOnSleep = true
tunnelProviderManager.isOnDemandEnabled = true
tunnelProviderManager.onDemandRules = [NEOnDemandRuleConnect()]
So the VPN should be 'almost always-on' - it should connect whenever possible (the only rule is to 'always' connect)
Also, the OS should kill the VPN when the Mac enters sleep, and restart it when the Mac awakes.
The question:
Some customers complained that sometimes after sleep/awake, the Mac loses all traffic.
From the logs it seems that the Mac enters sleep, and then immediately the OS restarts the VPN (probably because of the 'connect' rule). This process can happen multiple times in a row: Sleep (disconnect VPN), and then immediately the state is changing to 'connecting' again. Then sleep->connecting, and so on..
How can I prevent this from happening? If the Mac enters sleep, the OS shouldn't restart the VPN.
Is it a bug? Can I change something at the on-demand rules to 'make it better' but to keep the same behavior?
I have a scenario where the user needs to login using SSO, and then the server will use a url-scheme to communicate with my app.
If I'm opening an external browser - everything works great.
But I tried to use an embedded browser instead (WebView), and for some reason I'm getting this unclear error:
[ProcessSwapping] 0x11fd863f0 - ProvisionalPageProxy::didFailProvisionalLoadForFrame: pageProxyID=23 webPageID=34, frameID=3, navigationID=4
At the Console I saw more similar issues, like:
0x11fd863f0 - ProvisionalPageProxy::didFailProvisionalLoadForFrame: pageProxyID=23 webPageID=34, frameID=3, navigationID=4
<nw_activity 16:1 [E08406EE-456B-4302-913A-6C46229FDFC7] (reporting strategy default) complete (reason cancelled)> complete with reason 4 (cancelled), duration 599ms
How can I tell what's the problem and how to fix it?
P.S
In order to debug/fix it, I tried to implement the WKNavigationDelegate protocol, so I could see
that I'm getting this error as well:
error:Error Domain= Code=0 "Redirection to URL with a scheme that is not HTTP(S)" UserInfo={_WKRecoveryAttempterErrorKey=<WKReloadFrameErrorRecoveryAttempter: 0x600002b1c200>, NSErrorFailingURLStringKey=mycustomurlscheme://someresponse
I'm not sure why the url scheme must be http(s) in this case.
I've implemented a custom VPN app for macOS (Packet Tunnel Provider, network extension).
In my app there's a situation where the user tries to connect (vpn is starting), the server rejects the connection (vpn stops), and the user should enter some code and then the vpn will reconnect again (vpn should start again).
Most of the time this works as expected, but every now and then - the second connection (after the user entered the code) is stuck - the VPN goes into 'connecting' state, but it stays as connecting, without changing the state to connected or disconnected. The extension is not starting in this case.
I saw those logs at the Console:
failed to create the delegate
Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2
There are more related logs, but I think the above logs are the problematic ones.
After this issue, if I'm pressing the 'connect' button again, it will connect without a problem. So I think it's something related to the OS.
P.S - I also saw this thread, which looks very similar -
https://developer.apple.com/forums/thread/652708?login=true
I've implemented a custom VPN app for macOS (Network Extension, Packet Tunnel Provider).
I got some reports that my app crashed. I asked for the Console logs, and I saw this log:
MyAppExtension[85331]: BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7f9debe12120[source], ident: 5 / 0x5, handler: 0x107f09ced }
This log appeared multiple times (every couple of hours), each time with a different PID:
MyAppExtension[85765]: BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7fe76fc1ae70[source], ident: 5 / 0x5, handler: 0x1007d5ced }
Is it what crashed the app? The PID was different each time, so I guess it did crash the app.
What info can I get from this message (how to debug it)?