Search results for "includeAllNetworks"

150 results found

Post · Replies · Boosts · Views · Activity

NEPacketTunnel Provider Leaking Traffic
We are using an NEPacketTunnelProvider for our custom VPN solution, and in doing so we are setting NEPacketTunnelNetworkSettings with IPv4 and IPv6 default routes. We are then setting DNS: networkSettings.dnsSettings?.matchDomains = []. However, apps like FaceTime still go around the VPN. Once you call setTunnelNetworkSettings, is there no way to ask the system to return the currently saved configuration? Testing, I've also tried turning off IPv6 on my home network and cell data to force all traffic to my IPv4 default routes. I've seen FaceTime work in one session, relaunch the app, and never again. Note: includeAllNetworks does work, but comes with a lot of downsides too. Our goal is to securely and redundantly help with video calls, streaming apps, etc.
Replies: 6 · Boosts: 0 · Views: 860 · Activity: Jun ’24
nesessionmanager sometimes not deallocating tunnel on VPN disconnect
We're seeing nesessionmanager problems caused by having a configuration present on the system which (1) has includeAllNetworks set in the protocol and (2) was previously connected and then disconnected. After VPN disconnection we sometimes see that DNS and other things are not working. The VPN extension is no longer running, so I'd expect that settings would have been cleaned up, but they aren't in some cases. The system won't recover on its own, and when we delete the VPN configuration we see a set of messages from the VPN session manager. There are two I've seen, on different systems. One shows the utun interface being cleaned up and various network settings being removed. The other refers to deregistering an Enterprise VPN Session, [NESMVPNSession unsetDefaultDropAll], and IP Drop-All disabled. In both of these cases the cleanup is being done hours after the session was disconnected and the extension unloaded from memory. Does anyone know what exactly is happening there, and why the OS isn't cleaning up on disco
Replies: 7 · Boosts: 0 · Views: 1.4k · Activity: Oct ’23
NETransparentProxyManager blocks all inbound flows
Hi, I want a transparent proxy that captures all outgoing TCP connections, so I used NETransparentProxyManager to start an AppProxyProvider with the following rule:

    // includedNetworkRules takes an array of rules
    networkSettings.includedNetworkRules = [NENetworkRule(
        remoteNetwork: nil,
        remotePrefix: NSNotFound,
        localNetwork: nil,
        localPrefix: NSNotFound,
        protocol: .TCP,
        direction: NETrafficDirection.outbound
    )]

Everything works as expected except that, after the AppProxyProvider has been started: any attempt to start a TCP listener listening on 0.0.0.0 fails with the error "Protocol wrong type for socket". This can be easily reproduced by running python3 -m http.server, which fails with the error: OSError: [Errno 41] Protocol wrong type for socket. TCP listeners that were already bound to 0.0.0.0 won't see incoming connections from the local network. Is it a bug or was I doing something wrong? Also, I notice that the transparent proxy cannot capture TCP connections to localhost. I suppose it is by design, but is there any way to achieve that? (setting includeAllNetworks to true and
Replies: 0 · Boosts: 0 · Views: 498 · Activity: May ’20
AppProxyProvider started by NETransparentProxyManager blinds all tcp servers
Hi, I want a transparent proxy that captures all outgoing TCP connections, so I used NETransparentProxyManager to start an AppProxyProvider with the following rule:

    // includedNetworkRules takes an array of rules
    networkSettings.includedNetworkRules = [NENetworkRule(
        remoteNetwork: nil,
        remotePrefix: NSNotFound,
        localNetwork: nil,
        localPrefix: NSNotFound,
        protocol: .TCP,
        direction: NETrafficDirection.outbound
    )]

Everything works as expected except that, after the AppProxyProvider has been started: any attempt to start a TCP listener listening on 0.0.0.0 fails with the error "Protocol wrong type for socket". This can be easily reproduced by running python3 -m http.server, which fails with the error: OSError: [Errno 41] Protocol wrong type for socket. TCP listeners that were already bound to 0.0.0.0 won't see incoming connections from the local network. Is it a bug or was I doing something wrong? Also, I notice that the transparent proxy cannot capture TCP connections to localhost. I suppose it is by design, but is there any way to achieve that? (setting includeAllNetworks to true and
Replies: 0 · Boosts: 0 · Views: 336 · Activity: May ’20
Packet Tunnel Provider - local networks
I've implemented a VPN app (for iOS and for macOS) with Packet Tunnel Provider. The includedRoutes contains all the IPv4 default routes: newSettings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]. My question is regarding local networks: if I'm not using split tunnel (not including/excluding any other route), what happens to traffic to the local network? By local network I mean the network the device is connected to without the client. I expected that all traffic should go to the tunnel, but I see that I'm able to access resources on my local network even when the tunnel is up. In addition to that, I checked the new flag, includeAllNetworks, which is relevant only to macOS: if this flag is set, I can't access the local network when the VPN is up. So the question is how to configure whether the user is able or unable to access resources on his local tunnel. Maybe using the above flag is the answer? And if it is the answer, then what about iOS? Edit: When includeAllNetworks is set, sometimes I don't have tra
Replies: 5 · Boosts: 0 · Views: 2.4k · Activity: May ’20
Version/OS compatibility of Catalina Network Extension features
We moved our macOS NKE-based VPN over to Network Extensions a while back. Although Network Extensions offered us less control over the system traffic, it also let us have a single code base for the core functionality on iOS & macOS, as well as offering the possibility of MDM. The talk on Network Extensions for Modern macOS offered us some of the control back. The includeAllNetworks and excludeLocalNetworks flags are great to see. But the title of the talk said 'for Modern macOS', so: - Are they only on macOS, or are the Network Extension parts of that talk also applicable to iOS? - Will those Network Extension flags function if the user is running macOS Mojave? - iOS 12? Or are they only going to work on Catalina/iOS 13 and later? Users do tend to upgrade their macOS & iOS versions, but corporate customers upgrade slowly, and they're our market. One ability of NKEs that we lost with Network Extensions was the ability to do an 'Always On' VPN which made sure that all traffic from the system was tunnel
Replies: 4 · Boosts: 0 · Views: 1.7k · Activity: Jun ’19
OpenVPNProvider
I am using NETunnelProvider in an OpenVPN client that is bridged in react-native, but no luck there... the connection to the server keeps disconnecting every time. The Network Extension is configured:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>NSExtension</key>
        <dict>
            <key>NSExtensionPointIdentifier</key>
            <string>com.apple.networkextension.packet-tunnel</string>
            <key>NSExtensionPrincipalClass</key>
            <string>$(PRODUCT_MODULE_NAME).PacketTunnelProvider</string>
        </dict>
    </dict>
    </plist>

The TypeScript side is getting events from vpnStateObserver: connecting ... Object { message: The VPN is in the process of connecting, state: 1, } Object { message: The VPN is in the process of disconnecting, state: 3, } Object { message: The VPN is disconnected, state: 0, } tunel: type = plugin identifier = xxxxxxx
Replies: 1 · Boosts: 0 · Views: 608 · Activity: Mar ’22
Network Extension freezes in a .disconnecting state when there is no internet connection
Hi, everyone! Our application has the ability to run the Network Extension when there is no internet connection. While testing our application, we found incorrect behavior in the Network Extension disconnect process when there is no internet connection: sometimes the Network Extension hangs in a .disconnecting state when it finishes. In most cases, the work finishes correctly. So, for example: we monitor changes in the Network Extension connection status using NEVPNStatusDidChange notifications. We turn off the Internet and try to connect to the VPN tunnel using the following NETunnelProviderManager configuration: { localizedDescription = enabled = YES protocolConfiguration = { serverAddress = <13-char-str> disconnectOnSleep = NO includeAllNetworks = NO excludeLocalNetworks = YES enforceRoutes = NO providerBundleIdentifier = } onDemandEnabled = NO } Next, we get the configuration and try to start the Network Extension via NEVPNConnection.startVPNTunnel(options:). When the call finishes, we get
Replies: 1 · Boosts: 0 · Views: 578 · Activity: Apr ’23
iOS VPN: Loss of Internet Connectivity on iOS Device post Packet Tunnel Crashes
Title: Loss of Internet Connectivity on iOS Device When Packet Tunnel Crashes
Feedback ticket: https://feedbackassistant.apple.com/feedback/14162605
Product: iPhone 12
Version: iOS 17.5.1
Configuration: NETunnelProviderManager Configuration
Description: We are developing an iOS VPN client and have configured our packet tunnel provider according to Apple's guidelines. The configuration is as follows: includeAllNetworks = YES, excludeLocalNetworks = NO, enforceRoutes = NO. This setup works as expected when the VPN successfully connects. However, we encounter a blocker issue where the device loses internet connectivity if the packet tunnel crashes.
Steps to Reproduce: 1. Configure the NETunnelProviderManager with the above settings. 2. Connect the VPN, which successfully establishes a connection. 3. Verify that resources are accessible and internet connectivity is functional. 4. Packet tunnel crashes unexpectedly. 5. Observe that the NE process (Packet Tunnel) restarts automatically, as expected, and attempts to reconne
Replies: 2 · Boosts: 0 · Views: 641 · Activity: Jul ’24
DNS Proxy network extension doesn't start even after saving preferences successfully
Hello, I'm having some problems starting my DNS proxy network extension. Even after I call NEDNSProxyManager.saveToPreferences() successfully, I don't see any logs from my DNS proxy. This is the code from the user space app:

    import SwiftUI
    import NetworkExtension

    func configureDNSProxy() {
        let dnsProxyManager = NEDNSProxyManager.shared()
        // Load the existing configuration before modifying it.
        dnsProxyManager.loadFromPreferences { error in
            if let error = error {
                print("Error loading DNS proxy preferences: \(error)")
                return
            }
            dnsProxyManager.localizedDescription = "my DNS proxy"
            let proto = NEDNSProxyProviderProtocol()
            proto.providerBundleIdentifier = "com.myteam.dns-proxy-tests.ne"
            dnsProxyManager.providerProtocol = proto
            // Enable the DNS proxy.
            dnsProxyManager.isEnabled = true
            dnsProxyManager.saveToPreferences { error in
                if let error = error {
                    print("Error saving DNS proxy preferences: \(error)")
                } else {
                    NSLog("DNS Proxy enabled successfully")
                }
            }
        }
    }

    @main
    struct dns_proxy_testsApp: App {
        var body: some Scene {
            WindowGroup {
                ContentView()
            }
        }
        init() {
            configureDNSProxy()
        }
    }

Replies: 17 · Boosts: 0 · Views: 778 · Activity: Mar ’25
Unable to start packettunnel on Mac OS
Hi - We have had a packet tunnel working well on iOS for a long time and are now looking into one for macOS. However, we haven't been able to get it to work. Summary of what we see: The app can successfully install the VPN profile: nesessionmanager 11:06:26.027252-0700 NESMVPNSession[Primary Tunnel:XyzCatalyst:E2A089D5-A18B-4543-94F5-827E4DB3357D :(null)]: handling configuration changed: { name = XyzlizeCatalyst identifier = E2A089D5-A18B-4543-94F5-827E4DB3357D applicationName = XyzCatalyst application = com.xyz.mac.vpn grade = 1 VPN = { enabled = YES onDemandEnabled = NO disconnectOnDemandEnabled = NO protocol = { type = plugin identifier = 0A3DA48C-EE69-479C-A2CD-994028B01CC0 serverAddress = 127.0.0.1 identityDataImported = NO disconnectOnSleep = NO disconnectOnIdle = NO disconnectOnIdleTimeout = 0 disconnectOnWake = NO disconnectOnWakeTimeout = 0 disconnectOnUserSwitch = NO disconnectOnLogout = NO includeAllNetworks = NO excludeLocalNetworks = NO pluginType = com.xyz.mac.vpn authenticationMethod = 0 reas
Replies: 7 · Boosts: 0 · Views: 2.8k · Activity: May ’20
NEDNSProxyProvider sandbox violation system-privilege 10006
Hi All, I have an NEDNSProxyProvider System Extension and my logs are full of sandbox violations, all like: error 2021-09-21 10:42:30.557390 -0400 sandboxd com.apple.sandbox.reporting violation System Policy: com.myCompany.mac(640) deny(1) system-privilege 10006 Violation: deny(1) system-privilege 10006 Process: com.myCompany.mac [640] Path: /Library/SystemExtensions/4375ED6E-69A9-4897-8B39-4252AD9843AD/com.myCompany.macos.netext.dnsproxy.systemextension/Contents/MacOS/com.myCompany.macos.netext.dnsproxy Load Address: 0x1028a8000 Identifier: com.myCompany.macos.netext.dnsproxy Version: 78 (2.0.0) Code Type: arm64 (Native) Parent Process: launchd [1] Responsible: /Library/SystemExtensions/4375ED6E-69A9-4897-8B39-4252AD9843AD/com.myCompany.macos.netext.dnsproxy.systemextension/Contents/MacOS/com.myCompany.macos.netext.dnsproxy User ID: 0 Date/Time: 2021-09-21 10:42:30.522 EDT OS Version: macOS 11.6 (20G165) Report Version: 8 MetaData: {uid:0,summary:deny(1) system-privilege 10006,errno:1,hardware:J293,operation:
Replies: 4 · Boosts: 0 · Views: 1.5k · Activity: Sep ’21
Sockets created in NE app are bound to utun interface on Ventura 13
First, sorry for the long message, but I wanted to give as much info as possible. I have a VPN app that uses Network Extension and OpenVPN on Ventura (13.1). Before Ventura everything worked fine. I have a problem with sockets created from the network extension. The sockets created in the extension are assigned to the tunnel interface (utun3 in my case). Scenario: Start the VPN (includeAllNetworks=true) => the OS creates utun3 and enters startTunnel in the NE app. In the extension the app connects to the VPN server. Call setTunnelNetworkSettings with the new configuration and, when finished, call the completionBlock from startTunnel and set reasserting = false. After 2 seconds create a new socket (C API) in the NE and connect => the socket is bound to the tunnel interface. # lsof output wifi ip=192.168.0.163 utun3 IP=10.7.1.4 8u IPv4 0xb394555904672715 0t0 TCP 192.168.0.163:60266->VPN_SERVER_IP (ESTABLISHED) 9u IPv4 0xb394555904673d35 0t0 TCP 10.7.1.4:60284->SOME_WEBSITE_IP:http (ESTABLISHED) From this point on, all t
Replies: 9 · Boosts: 0 · Views: 2k · Activity: Jan ’23
CFNetwork no internet after VPN connection
Hi, I've got into a very strange no-internet situation on macOS 13.3 (others reproduced it on other versions too, e.g. 10.15). After I've disconnected from the VPN, connected with includeAllNetworks=true, CFNetwork returned no internet connection (error code: -1009). Some apps, e.g. Chrome, Firefox, ping, are running, but other apps, e.g. Safari, App Store, return no internet. In the logs I can see that cloudd is also not working: default 2023-04-12 06:57:50.383656 +0200 cloudd _CFNetworkIsConnectedToInternet returning 0, flagsValid: 1, flags: 0x0 error 2023-04-12 06:57:50.383688 +0200 cloudd Task <925C1A17-8E2C-44C3-A730-38C9BB556990>.<23> HTTP load failed, 0/0 bytes (error code: -1009 [1:50]) default 2023-04-12 06:57:50.383820 +0200 cloudd Task <925C1A17-8E2C-44C3-A730-38C9BB556990>.<23> summary for task failure {transaction_duration_ms=4, response_status=-1, connection=483, reused=1, request_start_ms=0, request_duration_ms=0, response_start_ms=0, response_duration_ms=0, request_bytes=0, respon
Replies: 1 · Boosts: 0 · Views: 924 · Activity: Apr ’23
Managed app is unable to start its network extension in iOS 14
I have an app that contains an NEPacketTunnelProvider network extension. Some users are reporting that after upgrading their devices to iOS 14 they are no longer able to start the VPN. We have managed to reproduce the issue, and it only happens when all the following conditions are true: the app is managed by MDM; the App Store version of the app is installed (not an enterprise-signed ipa); the device is running iOS 14. If any of the above conditions are not true, the VPN can be started without any issues. Because of the requirement to use the App Store version of the app to reproduce, it's very difficult to debug. What I would like to understand is whether something changed in iOS 14 that would make an app with a network extension behave differently when under MDM management. I did try sysdiagnose, and I see this pattern of messages generated by nesessionmanager: default 2020-09-25 14:42:32.086975 -0700 nesessionmanager : Register Enterprise VPN Session: NESMVPNSession[Primary Tunnel::5FC13677-04FA-46AD-B91B-4BB9E630
Replies: 3 · Boosts: 0 · Views: 718 · Activity: Sep ’20