Post not yet marked as solved
Hey everyone,
I'm currently working on an app where I've already implemented a packet tunnel provider. Now, I'm looking to introduce a content filter. One crucial feature I need is the ability to read the bundle ID of the app originating the network flows.
However, I've hit a roadblock when combining both components; When I run the content filter sans packet tunnel provider, I can read the originating app's bundle ID for network flows just fine. But when I add packet tunnel provider, the app's bundle ID defaults to my own app's bundle ID, which is unexpected.
Has anyone else encountered this? Any thoughts on why it's happening or how to fix it?
Cheers!
Post not yet marked as solved
Even when it is disabled (that is, our app says "don't do anything" and all it does is start logging things).
On the mac, when I try to make an outgoing audio-only call (it's a mac mini with no camera), it seems to connect as far as the outside is concerned, but nothing happens -- I get a request on my other devices, with the wrong account, and the mac mini says it's failed while the ipad or iphone keep connected.
I am logging everything I can think of in our extensions, and they don't seem to show anything of interest. And I can't figure out what to look for in the entirety of system logs. I do see Messages dropped during live streaming (use log show to see what they were)... but I'm not sure what to look for in the log show.
If I try to make a call in, it results in what seems to be an iOS FaceTime bug -- the phone tells me to log into FaceTime. Even though I am logged in.
Post not yet marked as solved
Hello, we are developing an open source vpn program that is developed with Flutter and native parts with Swift, and we plan to publish it on the App Store soon, but the project programmers say that you must have an account to publish this app on the App Store. On the other hand, my other friends say that this is not the case, and to publish a vpn app, only one Apple Developer account is enough, and there is no need for a business account!
Post not yet marked as solved
Hi, I was working on some new filtering logic for my Content Filter that I would like to add. It involves making requests to remote DNS resolvers. Is it possible to use it within sync override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict of the NEFilterDataProvider?
As of right now, I have a concept working in Command Line Tool and playground, however, when I try to add working module to the main project, it's not working (connections are not loading).
Function that makes requests to the servers: In this function I use DispatchGroup and notify for non-main queue
@available(iOS 12, *)
public class NetworkService {
private let nonMainQueue: DispatchQueue = DispatchQueue(label: "non-main-queue")
func isBlocked(hostname: String, completion: @escaping (Bool) -> Void) {
var isAnyBlocked = false
let group = DispatchGroup()
for server in servers {
group.enter()
let endpoint = NWEndpoint.Host(server)
query(host: endpoint, domain: hostname, queue: .global()) { response, error in
defer {
group.leave()
}
/*
* some code that determines the filtering logic
* if condition is true => isAnyBlocked = true & return
*/
}
}
group.notify(queue: nonMainQueue) {
completion(isAnyBlocked)
}
}
}
And, for example, in playground Semaphores make it work as expected, but the same approach doesn't work with the NEFilterDataProvider
playground code sample
let hostname = "google.com"
func returnResponse() -> String {
var result = ""
let semaphore = DispatchSemaphore(value: 0)
DispatchQueue.global().async {
NetworkService.isBlocked(hostname: hostname) { isBlocked in
result = isBlocked ? "blocked" : "allowed"
semaphore.signal()
}
}
semaphore.wait()
return result
}
print(returnResponse())
Output: allowed
Post not yet marked as solved
I am trying to add DNSProxy configuration using .mobileconfig and MDM on supervised device. I have Content Filter payload in the same configuration file that works as expected, however I was unable to start my DNSProxy. My app has 3 extension targets for Filter Data/Control Providers and DNSProxy extension.
Here is my DNSProxy payload:
<dict>
<key>AppBundleIdentifier</key>
<string>my.app.bundle.id</string>
<key>PayloadDescription</key>
<string>Configures DNS proxy network extension</string>
<key>PayloadDisplayName</key>
<string>DNS Proxy</string>
<key>PayloadIdentifier</key>
<string>com.apple.dnsProxy.managed.AEE249BB-4F44-4ED9-912B-6A70CC0E01B6</string>
<key>PayloadType</key>
<string>com.apple.dnsProxy.managed</string>
<key>PayloadUUID</key>
<string>AEE249BB-4F44-4ED9-912B-6A70CC0E01B6</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>ProviderBundleIdentifier</key>
<string>my.app.bundle.id.DNS-Proxy-Extension</string>
</dict>
Any thoughts on what I might be doing wrong?
Post not yet marked as solved
MacOS Version: 14.3 (23D56)
In my testing of PacketTunnelProvider on MacOS I have observed that when I do a system shutdown or reboot, PacketTunnelProvider::stopTunnelWithReason() is getting called with reason: NEProviderStopReasonUserInitiated. Note: when I try to disconnect the VPN from system settings PacketTunnelProvider::stopTunnelWithReason() is called with the same reason: NEProviderStopReasonUserInitiated.
I am facing an issue here to identify what caused PacketTunnelProvider::stopTunnelWithReason(), system shutdown or any user action?
Post not yet marked as solved
Description:
I am experiencing a persistent issue with establishing a VPN connection through a custom app I've developed using Swift. While the VPN configuration appears to be loaded successfully, attempts to connect result in immediate disconnection. Here are the details:
Problem Summary:
I have implemented a VPN connection using Swift with the NetworkExtension and TunnelKit frameworks. My application successfully loads the VPN configuration, but when attempting to connect, the VPN status quickly changes from connecting to disconnected without ever achieving a stable connection. Manually attempting to toggle the connection from device settings results in the toggle switching off as soon as it is turned on. The console logs indicate a transition from 'connecting' to 'disconnected' almost simultaneously.
Technical Details:
Here is an overview of the relevant part of the code used for setting up and managing the VPN connection:
import TunnelKitOpenVPNCore
import NetworkExtension
import TunnelKit
class VPNManager {
static let shared = VPNManager()
private var providerManager: NETunnelProviderManager?
init() {
NotificationCenter.default.addObserver(self, selector: #selector(vpnStatusDidChange), name: .NEVPNStatusDidChange, object: nil)
}
deinit {
NotificationCenter.default.removeObserver(self)
}
@objc func vpnStatusDidChange(notification: Notification) {
guard let status = self.providerManager?.connection.status else { return }
switch status {
case .connecting:
print("VPN is connecting")
case .connected:
print("VPN is connected")
case .disconnecting:
print("VPN is disconnecting")
case .disconnected:
print("VPN is disconnected")
case .invalid:
print("VPN configuration is invalid")
case .reasserting:
print("VPN is reasserting")
@unknown default:
print("Unknown VPN status")
}
}
func loadAndCreateVPNProfile(completion: @escaping (Bool, Error?) -> Void) {
self.providerManager = NETunnelProviderManager()
guard let ovpnURL = Bundle.main.url(forResource: "client", withExtension: "ovpn"),
let ovpnContents = try? String(contentsOf: ovpnURL) else {
completion(false, NSError(domain: "VPNManagerError", code: 1, userInfo: [NSLocalizedDescriptionKey: "Configuration file could not be read or found."]))
return
}
// Parsing and configuration logic here...
self.providerManager?.saveToPreferences { error in
if let error = error {
print("Error saving preferences: \(error.localizedDescription)")
completion(false, error)
} else {
print("VPN profile saved successfully.")
completion(true, nil)
}
}
}
func connect() {
self.providerManager?.loadFromPreferences { [weak self] error in
guard let strongSelf = self else {
print("Reference to VPNManager lost.")
return
}
if let error = error {
print("Failed to load preferences: \(error.localizedDescription)")
return
}
do {
try strongSelf.providerManager?.connection.startVPNTunnel()
} catch NEVPNError.configurationInvalid {
print("VPN Configuration is invalid.")
} catch NEVPNError.configurationDisabled {
print("VPN Configuration is disabled.")
} catch let error {
print("Unexpected error: \(error.localizedDescription)")
}
}
}
func disconnect() {
providerManager?.connection.stopVPNTunnel()
}
}
Post not yet marked as solved
hello everyone, I want to create VPN app with swiftUI but i do not know where to start. I have already created some beautiful UI but now i want to configurate network to connect another country server. any suggestions?
Post not yet marked as solved
We want to display our application name should be suggested on wifi network which are insecure.
Similar like following:
Please suggest, which class or extension we can use for achieve this.
Post not yet marked as solved
HI Team,
We have recently observed a network issue, followed by device hang-ups when users come out of sleep while using the Transparent app proxy provider in Sonoma 14.4. and users are required to restart the system to resolve the problem.
In the client logs, we observed that State:/Network/Global/IPv4 does not have any PrimaryInterface and there is no internet connectivity, although the internet works fine on other devices.
this issue start coming in sonoma 14.4 and happen with Transparent app proxy provider.
We are currently unable to pinpoint the exact issue. Are there any known issues with Sonoma 14.4?
Post not yet marked as solved
I've implemented a NEPacketTunnelProvider implementation, but I can't see any packets in packet flow. Here is the settings
override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) {
...
let networkSettings = self.initTunnelSettings()
setTunnelNetworkSettings(networkSettings) { (error) in
if let error = error {
completionHandler(error)
return
}
NSLog("Proxy address: \(networkSettings.proxySettings?.httpsServer?.address)")
self.readPackets()
completionHandler(nil)
}
private func initTunnelSettings() -> NEPacketTunnelNetworkSettings {
let settings: NEPacketTunnelNetworkSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "85.182.68.10")
/* ipv4 settings */
settings.ipv4Settings = NEIPv4Settings(addresses: ["1.2.3.4"], subnetMasks: ["255.255.255.255"])
settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]
/* MTU */
settings.mtu = 1500
return settings
}
There is even more strange thing.
If I add more specific route into includedRoutes array, I can see packets from that route traffic
settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default(), NEIPv4Route(destinationAddress: "192.168.0.103", subnetMask: "255.255.255.252")]
With this changes I will see packets with the destination IP "192.168.0.103", but if change mask to 255.255.255.0 no packet in the packet flow again
settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default(), NEIPv4Route(destinationAddress: "192.168.0.103", subnetMask: "255.255.255.0")]
Anyway my goal is to route all traffic through virtual interface and get all packets in the packetFlow.
Can you help me? What should I change?
Post not yet marked as solved
I work on an app that includes a network extension. The app is essentially just to activate the extension, and the extension typically has long-running background sessions. Analyzing/monitoring metrics for the network extension is very important for us. However, in the Xcode Organizer screen, only the app itself is shown in the drop down menu - the associated network extension is not an option.
For Xcode Organizer screens like Termination metrics and Battery Usage metrics, does the app's background metrics include the network extension, or just the app itself? If just the app, is there any way to get these metrics for the network extension?
Previously, I added a post about the problem with NEFilterManager configuration. Since then, I explored the SimpleTunnel example project and I changed NEFilterManager setup to my own and it still worked well. Now, I simplified the code to just test that Content Filter is starting, but unfortunately it's displayed as 'Invalid' in System Settings.
Here are the samples of my code, but I still don't understand what I am doing wrong here. I would be very grateful for any help.
Test View
struct ContentFilterView: View {
@ObservedObject var vm = FilterManager.shared
@State private var toggleState = false
var body: some View {
VStack {
Toggle("Filter Status", isOn: $toggleState)
.padding()
.onChange(of: toggleState) { status in
vm.setupFilter(with: status)
}
}
.onAppear {
vm.loadFilterConfiguration { success in
if success {
print("loadFilterConfiguration is successful")
toggleState = vm.isEnabled ?? false
print("NEFilterManager config: \(String(describing: NEFilterManager.shared().providerConfiguration?.organization))")
} else {
print("loadFilterConfiguration failed")
toggleState = false
}
}
}
}
}
FilterManager
class FilterManager: ObservableObject {
@Published
private(set) var isEnabled: Bool? = nil
// MARK: - Properties
private let manager = NEFilterManager.shared()
private var subs = Set<AnyCancellable>()
static let shared = FilterManager()
private init() {
manager.isEnabledPublisher()
.receive(on: DispatchQueue.main)
.sink(receiveValue: { [weak self] isEnabled in
self?.setIsEnabled(isEnabled)
})
.store(in: &subs)
}
public func setupFilter(with status: Bool) {
if status && manager.providerConfiguration == nil {
let newConfiguration = NEFilterProviderConfiguration()
newConfiguration.username = "TestUser"
newConfiguration.organization = "Test Inc."
newConfiguration.filterBrowsers = true
newConfiguration.filterSockets = true
manager.providerConfiguration = newConfiguration
print("manager configuration saved successfully: \(String(describing: manager.providerConfiguration?.organization))")
}
manager.isEnabled = status
manager.saveToPreferences { [weak self] error in
if let error {
print("Failed to save the filter configuration: \(error.localizedDescription)")
self?.isEnabled = false
return
}
}
}
public func loadFilterConfiguration(withCompletion completion: @escaping (Bool) -> Void) {
manager.loadFromPreferences { error in
if let loadError = error {
print("Failed to load the filter configuration: \(loadError)")
completion(false)
} else {
completion(true)
}
}
}
private func setIsEnabled(_ isEnabled: Bool) {
guard self.isEnabled != isEnabled else { return }
self.isEnabled = isEnabled
print("NEFilter \(isEnabled ? "enabled" : "disabled")")
}
}
extension NEFilterManager {
// MARK: - Publisher enabling
func isEnabledPublisher() -> AnyPublisher<Bool, Never> {
NotificationCenter.default
.publisher(for: NSNotification.Name.NEFilterConfigurationDidChange)
.compactMap { [weak self] notification in
guard let self else { return nil }
return self.isEnabled
}
.eraseToAnyPublisher()
}
}
NEFilterDataProvider
class FilterDataProvider: NEFilterDataProvider {
// MARK: - Properties
/// A record of where in a particular flow the filter is looking.
var flowOffSetMapping = [URL: Int]()
/// The list of flows that should be blocked after fetching new rules.
var blockNeedRules = [String]()
/// The list of flows that should be allowed after fetching new rules.
var allowNeedRules = [String]()
override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
Log("Will handle filter flow \(flow)", prefix: "[Filter Data]")
return .drop()
}
}
NEFilterControlProvider is the same as SimpleTunnel example project NEFilterControlProvider implementation.
I also followed suggested steps mentioned in this post but it didn't seem to help.
Post not yet marked as solved
Hi,
With iOS-17.4 update, we are seeing AppProxy VPN not getting started when Apps (associated with PerAppVPN) tried to access network resource after MDM PerAppVPN profile install/update.
Looks like PerApp rules associated with applayer vpn profile are broken after profile update/install as we see internet sites working without going through VPN (appProxy network extension), this start working if we toggle WiFi and then access network resource from Apps associated with PerAppVPN.
Created FB13688086 with all the details for this iOS 17.4 and AppLayerVPN, looking for and update here and any feedback/pointers will help. Thanks
Post not yet marked as solved
I am running into an issue with running a PacketTunnelProvider as a system extension, and fast user switching.
Since the VPN is running as root, it runs outside any user context, and is accessible to all users on the machine. I can see the following behavior:
Login to User A
Connect VPN
Fast switch to user B
Open Safari, observe that traffic is directed and sent out the VPN. (As noted by the ability to browse otherwise un-reachable websites).
Is there a way to detect that a fast user switch is happening? And disconnect the VPN when user B takes control of the screen.
I know NSWorkspace is not a daemon-safe API. So NSWorkspaceSessionDidResignActiveNotification and like will not be useful here.
One alternative would be to use NSWorkspace notifications in the GUI and alert the system extension via XPC. But that wouldn't work in the case where there isn't a GUI, such as with ConnectOnDemand.
Is there a daemon-safe API to use or some other alternative?
Thanks
i'd like to set up an app proxy server at local to resolve contents in mail protocols with SSL/TLS.
using VPN(App Proxy Provider only support HTTP?) to tunnel flows about mail protocols to proxy server seems impracticable
system configuration only supports HTTP and FTP?
is there a way to set a Mail Protocols Proxy at system Level?
or is there a way to route all transport layer flows(not only particular Application layer protocol) to proxy server?
Post not yet marked as solved
In iOS, how to use code to turn on the system's hotspot?
Post not yet marked as solved
We are trying to configure split tunnel with tunnel routes with the below Tunnel Provider configuration
tunnelProvider.protocolConfiguration.includeAllNetworks = NO; tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO; tunnelProvider.protocolConfiguration.enforceRoutes = YES;
We are adding some IPs in the excludeRoutes[10.168.10.182 and 192.168.10.65]. Please refer the below network settings for VPN
IPv4Settings = {
configMethod = manual
addresses = (
10.168.10.68,
)
subnetMasks = (
255.255.255.255,
)
includedRoutes = (
{
destinationAddress = 0.0.0.0
destinationSubnetMask = 0.0.0.0
},
)
excludedRoutes = (
{
destinationAddress = 192.168.10.65
destinationSubnetMask = 255.255.255.255
},
{
destinationAddress = 10.168.10.182
destinationSubnetMask = 255.255.255.255
},
)
overridePrimary = NO
}
Issue: when we are trying to access excludedRoute's IP [10.168.10.182 and 192.168.10.65] , it's getting tunneled.
Expected Results : excludedRoutes IPs should go via physical interface.
Post not yet marked as solved
I would like to know, do we have any support from iOS in order to turn on wifi and bluetooth using internal apis on tap of a button in my IOS App, I am struggling to find information over this, more precisely , I want to turn on wifi from my custom widget in I phone, is it possible then please share info.
Post not yet marked as solved
Issue Description:
I have an iOS VPN application. When VPN tunnel is in connected state and network goes off, it’s designed to stay in reasserting state until network is back. But with iOS 17 and later tunnel is moved to disconnected state after 5 mins in reasserting state when no network.
Logs on iOS 16 and Below:
Upto iOS 16 and below, When tunnel is in connected state and network goes off, VPN state is moved to reasserting state and it stays in this state until network is back.
We can see below device console logs:
Entering state NESMVPNSessionStateReasserting
status changed to reasserting
Logs on iOS 17 and Later:
But from iOS 17 and later, When tunnel is in connected state and network goes off, VPN state is moved to reasserting state and it stays in this state for 5 mins and later moved to disconnected state when no network.
We can see below device console logs:
Entering state NESMVPNSessionStateReasserting, timeout 300 seconds
status changed to reasserting
We can see a timeout of 300 secs added from iOS 17 and later.
Because of this new change in iOS 17 and later, end users using my application have to connect back to VPN when network is back(Since tunnel is in disconnected state).
Steps to reproduce:
Connect to VPN when network is reachable
Turn off network (WiFi, Mobile data)
Application is moved to reasserting state. It will be in reasserting state for 5 mins
Later application is moved to disconnected state.
Queries:
From the above observation my queries are,
Is there a way to keep VPN tunnel in reasserting state even after 5 mins when no network from iOS 17 and later ? (To get the same behaviour as iOS 16 and below)
Why is the timeout of 300 secs added from iOS 17 and later ? What benefit this is giving ?
Is there any document related to this timeout change added from iOS 17 and later ?
BugBuster90.
