Post not yet marked as solved (44 views)
Hi,
I was working on a feature based on DNS packet parsing in the VPN solution of my app on iOS.
I was using the dns_parse_packet API from the dnsutils.h class, which was able to parse DNS request and reply packets from raw bytes quite efficiently.
I had tested this flow on iOS 15.2, but after updating to iOS 15.5 this API does not seem to work anymore.
Has this API been deprecated, or is this a bug in iOS 15.5?
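Added example, not code from the post and not Apple's dns_parse_packet(): a bounds-checked parser for the DNS wire format (RFC 1035 section 4.1) in C, showing the checks a packet tunnel provider has to make on bytes read off the tunnel before trusting them: the fixed 12-byte header, label lengths, compression pointers that may only point backwards (so a self-referencing pointer cannot loop the parser), and an RDLENGTH validated against the remaining buffer. The sample response and the hostile looping packet are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: a bounds-checked DNS wire-format parser (RFC 1035 s4.1).
 * Not Apple's dns_parse_packet(); every field read is checked against len first. */

typedef struct { uint16_t id, flags, qdcount, ancount, nscount, arcount; } dns_header_t;
typedef struct { char name[256]; uint16_t qtype, qclass; } dns_question_t;
typedef struct { char name[256]; uint16_t type, cls, rdlength; uint32_t ttl; const uint8_t *rdata; } dns_rr_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* The header is a fixed 12 bytes; anything shorter is not a DNS message. Returns 0 or -1. */
int dns_parse_header(const uint8_t *buf, size_t len, dns_header_t *h) {
    if (len < 12) return -1;
    h->id = be16(buf);          h->flags = be16(buf + 2);   h->qdcount = be16(buf + 4);
    h->ancount = be16(buf + 6); h->nscount = be16(buf + 8); h->arcount = be16(buf + 10);
    return 0;
}

/* Decode a label sequence at *off into dotted form. Compression pointers (0xC0 prefix)
 * are followed only backwards, which rules out pointer loops; *off ends up just past
 * the name in the original stream. Returns 0, or -1 on any malformed input. */
int dns_read_name(const uint8_t *buf, size_t len, size_t *off, char *out, size_t outsz) {
    size_t pos = *off, end = 0, outlen = 0;
    int jumped = 0;
    if (outsz == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;                          /* truncated name */
        uint8_t l = buf[pos];
        if ((l & 0xC0) == 0xC0) {                           /* 14-bit compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(l & 0x3F) << 8) | buf[pos + 1];
            if (target >= pos) return -1;                   /* forward or self pointer: loop risk */
            if (!jumped) { end = pos + 2; jumped = 1; }
            pos = target;
            continue;
        }
        if (l & 0xC0) return -1;                            /* 0x40 / 0x80 prefixes are reserved */
        pos++;
        if (l == 0) break;                                  /* root label terminates the name */
        if (pos + l > len || outlen + l + 2 > outsz) return -1;
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, buf + pos, l);
        outlen += l; pos += l;
    }
    out[outlen] = '\0';
    *off = jumped ? end : pos;
    return 0;
}

/* Question section entry: NAME QTYPE QCLASS. Returns the offset after it, or 0 on error. */
size_t dns_parse_question(const uint8_t *buf, size_t len, size_t off, dns_question_t *q) {
    if (dns_read_name(buf, len, &off, q->name, sizeof q->name) != 0) return 0;
    if (off + 4 > len) return 0;
    q->qtype = be16(buf + off); q->qclass = be16(buf + off + 2);
    return off + 4;
}

/* Resource record: NAME TYPE CLASS TTL RDLENGTH RDATA. RDLENGTH is attacker controlled,
 * so it is checked against the remaining buffer before rdata is exposed. */
size_t dns_parse_rr(const uint8_t *buf, size_t len, size_t off, dns_rr_t *rr) {
    if (dns_read_name(buf, len, &off, rr->name, sizeof rr->name) != 0) return 0;
    if (off + 10 > len) return 0;
    rr->type = be16(buf + off);    rr->cls = be16(buf + off + 2);
    rr->ttl = be32(buf + off + 4); rr->rdlength = be16(buf + off + 8);
    off += 10;
    if (rr->rdlength > len - off) return 0;
    rr->rdata = buf + off;
    return off + rr->rdlength;
}

/* Walk header, questions and answers. Returns the number of answers, or -1 as soon as
 * anything is malformed (nothing after the bad field is trusted). */
int dns_walk(const uint8_t *buf, size_t len, dns_rr_t *first_answer) {
    dns_header_t h; dns_question_t q; dns_rr_t rr;
    size_t off = 12;
    if (dns_parse_header(buf, len, &h) != 0) return -1;
    for (uint16_t i = 0; i < h.qdcount; i++)
        if ((off = dns_parse_question(buf, len, off, &q)) == 0) return -1;
    for (uint16_t i = 0; i < h.ancount; i++) {
        if ((off = dns_parse_rr(buf, len, off, &rr)) == 0) return -1;
        if (i == 0 && first_answer) *first_answer = rr;
    }
    return h.ancount;
}

/* Constructed sample: response to "example.com A"; the answer name is a pointer to offset 12. */
static const uint8_t sample_response[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04, 93,184,216,34
};
/* Constructed hostile sample: identical, but the answer name points at itself (offset 29). */
static const uint8_t looping_response[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0xC0,0x1D, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04, 93,184,216,34
};

int main(void) {
    dns_rr_t a;
    int n = dns_walk(sample_response, sizeof sample_response, &a);
    if (n > 0) printf("%s A %u.%u.%u.%u ttl=%u\n", a.name, a.rdata[0], a.rdata[1], a.rdata[2], a.rdata[3], a.ttl);
    printf("looping packet: %d\n", dns_walk(looping_response, sizeof looping_response, NULL));
    return 0;
}
```

The backwards-only pointer rule is the check a hand-written replacement for a library parser most often omits; with it, a pointer that points forward or at itself is rejected instead of followed, and a packet truncated mid-name fails at the length check rather than reading past the buffer.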
Post marked as solved (37 views)
We are working on a Network Extension based iOS app.
Is it possible to have an app proxy (for per-app VPN) and packet tunnel providers within the same extension binary on iOS? On Mac this seems to be allowed, but with iOS it looks like we have to use separate binaries, one per provider. In our case this complicates things.
Post not yet marked as solved (123 views)
We're developing an application which involves a Packet Tunnel Provider extension. Inside the extension we connect to a remote server to get the tunnel config profile and authentication parameters, followed by tunnel creation.
If we are not able to establish the tunnel, we would like to notify the user via the containing app.
It is possible that the tunnel extension is running when the containing app is not running, so we decided to send a notification (via UserNotifications) to achieve the same.
The requirements are:
If the containing app is in the foreground, the notification should not be displayed; the app handles whatever is required
If the app is in the foreground, when the user clicks on the notification, the app should come into the foreground and handle it
If the app is not running, the app should launch and handle the notifications
If the user launches the app/the app comes into the foreground, the app handles all shown notifications and clears them
We are trying to achieve this by implementing the UNUserNotificationCenterDelegate in the AppDelegate of the containing app.
Now all of the above requirements are fulfilled when the notification is published by the containing app, but when it is published by the NEPacketTunnelProvider extension, the notification appears but clicking on it does not call the appropriate delegate function in the containing app.
We want to support macOS 10.15 and above if possible.
We are testing on macOS 12.4 and 12.3.2 for now.
Please help with the same, or suggest a better way of notifying the user that some action is required and the containing app needs to be opened.
Post not yet marked as solved (144 views)
Hello,
I have successfully implemented an NEPacketTunnelProvider network extension in an iOS app which works fine most of the time.
By working fine I mean it starts, stops (it is configured to disconnect on sleep) and handles network traffic as expected.
However, I have a few reports that sometimes it doesn't start correctly. It hangs on "Connecting..." when checking Settings -> VPN.
As far as I can tell, even after waiting for minutes it still seems stuck.
Re-installing either the VPN provider extension or the entire app fixes this problem.
What could be causing such random and very rare issues? This doesn't seem to be connected to a single iOS version, for example.
Post not yet marked as solved (60 views)
Hi,
I have a question regarding NEHotspotHelper. I understand that as soon as the user tries to connect to a new network, we get an Evaluate command and the hotspot helper app has 45 seconds to deliver a response for it, referring to the Authentication State Machine document (apple.com).
I wanted to understand: if the user tries changing access points frequently, like first starting to connect to one access point, then a second, and so on, are the Evaluate commands for these added to the hotspot queue (the one that we register our app with) one after another, or does the system wait for the response for one access point to be delivered?
Post not yet marked as solved (65 views)
Our TPP excludes our own processes from oversight, which makes some things very easy. Only I just found out that when our app uses a WKWebView... it's very securely shuffled off into its own process. With its own signing identifier. And a ppid of launchd.
How could I tell that a com.apple.WebKit.Networking process is related to our process? (I note that the Endpoint Security Framework has added a "responsible" audit token, presumably for this sort of situation.)
Post marked as solved (177 views)
When the network extension is installed, tethering breaks.
So our customers faced a very big problem.
Give me some feedback.
The test steps are as follows.
1. Test Info.
OS: higher than 12.1
Hardware: only MacBookPro18,1~3
and only tethering (IPv6).
It does not happen in IPv4.
It works normally in a different environment.
2. Test Steps
1) We always allowed the NE's authorization request in the same way.
2) After the NE is installed, press "Allow network filtering".
3) Our NE calls the API below (in the main method):
[NEFilterPacketProvider startSystemExtensionMode];
4) However, the following error message occurs:
error 16:10:37.791557+0900 com.ahnlab.TobeyNE [self.extensionContext conformsToProtocol:auxHostProtocol.protocol] - /AppleInternal/Library/BuildRoots/66382bca-8bca-11ec-aade-6613bcf0e2ee/Library/Caches/com.apple.xbs/Sources/ExtensionFoundation/ExtensionFoundation/Source/NSExtension/NSExtensionSupport/EXExtensionContext.m:332: Class NEFilterPacketExtensionProviderContext does not conform to aux host protocol: <private>
5) And tethering breaks.
Also, it works normally unless it is a MacBookPro18,1.
This issue only occurs on MacBookPro18,1.
Tell me the solution.
Post marked as solved (126 views)
Hi
We are building a macOS application which integrates VPN functions right now. We are using a Developer ID certificate to sign the app and the system network extension, and the sandbox is enabled.
One issue we are facing now is that we need to establish an mTLS connection to the server. During this connection, we need to send the client certificate to the server via the provideIdentity() API.
We have the certificate, key and p12 file, which are generated in another daemon. But we cannot use the SecPKCS12Import function to import the p12 file in our system extension due to the sandbox limitation and the different context.
I know that we cannot construct a SecIdentity object by ourselves. So I am wondering if there is any way that we can get the SecIdentity object in the system extension?
Is it possible to send a SecIdentity object between the app and the system extension?
Post not yet marked as solved (53 views)
Hi,
We have a macOS app that starts the system network extension to provide the VPN service. I'm integrating Crashpad to report crashes from the system network extension. To handle and report the crashes, in the network extension we start the crash handler in a separate process and it listens on the Mach port for EXC_CRASH exceptions.
The crash handler needs to access the file system to create the crash reports database. I'm getting the "Application Support" directory from the network extension, but the path is not found. Here's the error:
execvp /var/root/Library/Containers/<bundle ID>/Data/Library/Application Support/Crash/handler_mac: No such file or directory
Post not yet marked as solved (91 views)
Hi,
I have an extension using NEPacketTunnelProvider. I need to bind both the LAN address and localhost so that other apps can connect to it and transfer data.
I found that if I bind INADDR_LOOPBACK, other apps on the phone can connect to it using localhost (127.0.0.1).
If I bind INADDR_ANY, other apps on the phone can connect to it using the LAN address but not localhost (127.0.0.1).
My question is: why can other apps on the phone not connect using localhost (127.0.0.1) when binding INADDR_ANY?
Thank you.
NEPacketTunnelNetworkSettings:
Excluded routes: 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32, 239.255.255.250/32, fc00::/7, fe80::/10, ff02::c/128, ff05::c/128, ff08::c/128, ff0e::c/128
Included route: [NEIPv4Route defaultRoute]
NEProxySettings with HTTPEnabled and HTTPSEnabled pointing to localhost (an HTTP server)
NEProxySettings exceptions: 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32, localhost, *.local, captive.apple.com
NEProxySettings excludeSimpleHostnames: YES
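As a reference point for the question above (an added example, not code from the post): on an ordinary BSD socket stack a TCP listener bound to INADDR_ANY is reachable at 127.0.0.1, so the behaviour the post describes is not a property of bind() itself and has to be sought in the tunnel environment. The C program below binds a listener to an ephemeral port on the given address, connects to the given destination, and reports whether the connection is accepted; it uses only the standard socket API and runs on any POSIX host.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: bind a TCP listener to `bind_addr` (host byte order, e.g. INADDR_ANY)
 * on an ephemeral port, then connect to `connect_ip` on that port.
 * Returns 1 if the connection is accepted, 0 on any failure. */
int loopback_reachable(uint32_t bind_addr, const char *connect_ip) {
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0) return 0;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(bind_addr);
    sa.sin_port = 0;                                  /* let the kernel pick a port */
    if (bind(ls, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(ls, 1) < 0) {
        close(ls);
        return 0;
    }
    socklen_t slen = sizeof sa;
    if (getsockname(ls, (struct sockaddr *)&sa, &slen) < 0) {   /* learn the assigned port */
        close(ls);
        return 0;
    }

    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = sa.sin_port;                       /* already in network byte order */
    if (inet_pton(AF_INET, connect_ip, &dst.sin_addr) != 1) {
        close(ls);
        return 0;
    }

    int cs = socket(AF_INET, SOCK_STREAM, 0);
    if (cs < 0) { close(ls); return 0; }
    /* The kernel completes the handshake into the listen backlog, so a blocking
     * connect() succeeds before accept() is called. */
    int ok = connect(cs, (struct sockaddr *)&dst, sizeof dst) == 0;
    if (ok) {
        int as = accept(ls, NULL, NULL);
        if (as >= 0) close(as);
    }
    close(cs);
    close(ls);
    return ok;
}

int main(void) {
    printf("INADDR_ANY      <- 127.0.0.1: %s\n", loopback_reachable(INADDR_ANY, "127.0.0.1") ? "accepted" : "refused");
    printf("INADDR_LOOPBACK <- 127.0.0.1: %s\n", loopback_reachable(INADDR_LOOPBACK, "127.0.0.1") ? "accepted" : "refused");
    return 0;
}
```

Running the same check from inside the extension, once against 127.0.0.1 and once against the device's LAN address, separates a socket-level problem from a routing one: if INADDR_ANY accepts the LAN connection but refuses loopback, the bind is fine and the loopback path is being handled differently by the tunnel configuration.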
Post marked as solved (112 views)
Hi, I am currently building my own VPN application using NetworkExtension's PacketTunnelProvider.
I want to send information from the PacketTunnelProvider to the ViewController when a VPN connection fails, to tell the user why.
The code now is as shown below.
When the overridden startTunnel() is executed, somehow NotificationCenter.default.post(name: NSNotification.Name.NEVPNStatusDidChange, object: nil) is executed, and VPNStatusDidChange(_ notification: Notification?) in the ViewController is called and displays some message.
I tried to do the same thing by writing NotificationCenter.default.post(name: NSNotification.Name(rawValue: "testnotify"), object: nil) in PacketTunnelProvider.swift, but it does not work. What is wrong?
Here is part of the current PacketTunnelProvider.swift:
    override func startTunnel(options: [String : NSObject]? = nil, completionHandler: @escaping (Error?) -> Void) {
        // Provider-specific settings handed over by the containing app via NETunnelProviderProtocol.
        conf = (self.protocolConfiguration as! NETunnelProviderProtocol).providerConfiguration! as [String : AnyObject]
        self.setupWSSession()
        DispatchQueue.global().async {
            // Poll until the WebSocket session reaches the connected phase, then start forwarding.
            while self.connectionPhase < 5 {
                Thread.sleep(forTimeInterval: 0.5)
            }
            self.tunToWS()
        }
        // Note: completionHandler must eventually be called with nil (tunnel up) or an Error.
        NotificationCenter.default.post(name: NSNotification.Name(rawValue: "testnotify"), object: nil)
    }
And here is part of ViewController.swift:
    override func viewDidLoad() {
        super.viewDidLoad()
        initVPNTunnelProviderManager()
        // Posted by the system in this process whenever the VPN connection status changes.
        NotificationCenter.default.addObserver(self, selector: #selector(ViewController.VPNStatusDidChange(_:)), name: NSNotification.Name.NEVPNStatusDidChange, object: nil)
        // The selector must name the method exactly ("receive", not "receieve"), or the observer cannot be dispatched.
        NotificationCenter.default.addObserver(self, selector: #selector(ViewController.receive(_:)), name: NSNotification.Name(rawValue: "testnotify"), object: nil)
    }

    @objc func VPNStatusDidChange(_ notification: Notification?) {
        print("VPN Status changed:")
        let status = self.vpnManager.connection.status
        switch status {
        case .connecting:
            print("Connecting...")
            connectButton.setTitle("Disconnect", for: .normal)
        case .connected:
            print("Connected...")
            connectButton.setTitle("Disconnect", for: .normal)
        case .disconnecting:
            print("Disconnecting...")
        case .disconnected:
            print("Disconnected...")
            connectButton.setTitle("Connect", for: .normal)
        case .invalid:
            print("Invalid")
        case .reasserting:
            print("Reasserting...")
        @unknown default:
            break
        }
    }

    @objc func receive(_ notification: Notification?) {
        print("receive Notification!")
    }
Post not yet marked as solved (81 views)
Hi There,
We have a VPN application built on top of the Packet Tunnel Provider. We are seeing an issue where, once our containing application has crashed, the packet tunnel provider keeps running. We can detect the crash from the tunnel, but there is no way for us to stop the VPN, because on-demand will bring the VPN back all the time.
Since there is no way to disable the on-demand rule from within the packet tunnel provider, is it possible to programmatically launch the crashed application from the packet tunnel provider? Something like iOS's silent push notification could work too, since all we need is to disable the on-demand rule from the application and stop the VPN.
Post not yet marked as solved (142 views)
Hi there, I am experimenting with a firewall app via the NEFilterPacketProvider interface. When I have Cisco AnyConnect VPN connected, all I can see seems to be TCP/UDP 443 SSL VPN traffic, not the app traffic that's being tunneled.
From a filter-packet provider, any idea how I can see app traffic before it gets encapsulated (and after it gets decapsulated)?
Thanks, Billy
Post marked as solved (149 views)
I'm trying to configure Local Push Connectivity. I already have the Local Push entitlement and have installed a provisioning profile with the local push entitlement. It builds fine, but when the app starts, the PushProvider doesn't activate and start, and the Push Manager shows error nil. I have followed every instruction that the sample code provided.
This is my project.
In my application target, I have the bundle ID com.my_team_name.my_app_name
and the app group name group.com.my_team_name.my_app_name
In the .entitlements file, I've set the required configuration:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-push-provider</string>
    </array>
    <key>com.apple.developer.networking.wifi-info</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.my_team_name.my_app_name</string>
    </array>
</dict>
</plist>
Info.plist has nothing to change.
And I have a PushManager class with this code:
import NetworkExtension

class AppPushManager: NSObject, NEAppPushDelegate {
    static let shared = AppPushManager()

    private var pushManager = NEAppPushManager()
    private let pushManagerDescription = "PushDefaultConfiguration"
    // Must match the bundle identifier of the app-push-provider extension target.
    private let pushProviderBundleIdentifier = "com.my_team_name.my_app_name.PushProvider"

    func initialize() {
        if pushManager.delegate == nil {
            pushManager.delegate = self
        }
        pushManager.localizedDescription = pushManagerDescription
        pushManager.providerBundleIdentifier = pushProviderBundleIdentifier
        pushManager.isEnabled = true
        pushManager.providerConfiguration = [
            "host": "my_server.local"
        ]
        // The provider is only run while the device is joined to one of these SSIDs.
        pushManager.matchSSIDs = ["my_wifi_ssid"]
        pushManager.saveToPreferences { error in
            print("error? \(String(describing: error))")
            // Explicit self is required inside this escaping closure.
            // isActive reports whether the provider is currently running, not whether the save succeeded.
            print("is active: \(self.pushManager.isActive)")
        }
    }

    // NEAppPushDelegate: invoked when the provider reports an incoming call.
    func appPushManager(_ manager: NEAppPushManager, didReceiveIncomingCallWithUserInfo userInfo: [AnyHashable : Any] = [:]) {
    }
}
In my extension, a PushProvider target, I have the bundle ID com.my_team_name.my_app_name.PushProvider
and the app group name group.com.my_team_name.my_app_name
In the Info.plist of my extension, I've added the required configuration:
<key>NSExtension</key>
<dict>
    <key>NSExtensionPointIdentifier</key>
    <string>com.apple.networkextension.app-push</string>
    <key>NSExtensionPrincipalClass</key>
    <string>$(PRODUCT_MODULE_NAME).PushProvider</string>
</dict>
The .entitlements file has the same contents as the application's.
And I have created the extension class "PushProvider.swift" as follows:
class PushProvider: NEAppPushProvider {
    ...
}
When I run the application, I get this printed out:
error? nil
is active: false
I think it might be something with providerBundleIdentifier in the Push Manager. Does anyone know what I'm missing?
Post not yet marked as solved (87 views)
I uploaded an iOS app with a web content filter to the App Store. When I tried to block sites, it didn't work. After debugging I got this error:
<Error>: YourApp trying to create a content filter configuration through an app. Creating a content filter configuration is only allowed through profile in production version of YourApp.
<Error>: Failed to save configuration com.DemoiOS: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
<Error>: -[NEFilterManager saveToPreferencesWithCompletionHandler:]_block_invoke_3: failed to save the new configuration: Error Domain=NEFilterErrorDomain Code=5 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
It works fine in the dev environment.
I searched other threads here and didn't find a proper answer.
How do I resolve this error?
It would be a great help if you could point me to a solution.
I want to make sure that if a user downloads the app from the store, they are able to block the selected sites.