NetworkExtension

Customize and extend the core networking features of iOS, iPadOS, and macOS using NetworkExtension.

NetworkExtension Documentation

Posts under NetworkExtension tag

491 results found
Post not yet marked as solved
44 Views

dns_parse_packet API not working

Hi, I was working on a feature based on DNS packet parsing in the VPN solution of my app on iOS. I was using the dns_parse_packet API from the dnsutils.h class, which was able to parse DNS request and reply packets from raw bytes quite efficiently. I had tested this flow on iOS 15.2, but after updating to iOS 15.5 this API does not seem to work anymore. Has this API been deprecated or is this a bug in iOS 15.5?
Asked by apsakash.
Post marked as solved
37 Views

App proxy and packet tunnel providers in one extension

We are working on a Network Extension based iOS app. Is it possible to have an app proxy (for per-app VPN) and packet tunnel providers within the same extension binary on iOS? On Mac this seems to be allowed, but with iOS it looks like we have to separate binaries - one per provider. In our case this complicates things.
Asked by tandre.
Post not yet marked as solved
123 Views

How to consume notifications generated by NEPacketTunnelProvider on containing app

We're developing an application which involves a Packet Tunnel Provider extension. Inside the extension we connect to a remote server to get the tunnel config profile and authentication parameters, followed by tunnel creation. If we are not able to establish the tunnel, we would like to notify the user via the containing app. It is possible the tunnel extension is running when the containing app is not running, so we decided to send a notification (via UserNotifications) to achieve the same. The requirements are:

- If containing app is in foreground, notification should not be displayed; app handles whatever is required
- If app is in foreground, when user clicks on the notification, app should come into foreground and handle it
- If app is not running, app should launch and handle the notifications
- If user launches app/app comes into foreground, app handles all shown notifications and clears them

We are trying to achieve this by implementing the UNUserNotificationCenterDelegate in the AppDelegate of the containing app. All of the above requirements are fulfilled when the notification is published by the containing app, but when it is published by the NEPacketTunnelProvider extension, the notification appears but clicking on it does not call the appropriate delegate function in the containing app. We want to support macOS 10.15 and above if possible. We are testing on macOS 12.4 and 12.3.2 for now. Please help with the same or suggest a better way of notifying the user that some action is required and the containing app needs to be opened.
Post not yet marked as solved
144 Views

Starting `NEPacketTunnelProvider` very rarely gets stuck. How to debug?

Hello, I have successfully implemented NEPacketTunnelProvider network extension in iOS app which works fine most of the time. By working fine I mean it starts, stops (it is configured to disconnect on sleep) and handles network traffic as expected. However I have a few reports that sometimes it doesn't start correctly. It hangs on "Connecting..." when checking the Settings -> VPN. As far as I can tell even with waiting for minutes, it seems still stuck. Re-installing either the VPN provider extension or entire app fixes this problem. What could be causing such random and very rare issues? This doesn't seem to be connected to single iOS version for example.
Asked by nemecek_f.
Post not yet marked as solved
60 Views

NEHotspotHelper - multiple access points connect scenario

Hi, I have a question regarding NEHotspotHelper. I understand that as soon as the user tries to connect to a new network, we get an Evaluate command and the hotspot helper app has 45 seconds to deliver a response for it. I am referring to the "Authentication State Machine" (apple.com) document. I wanted to understand: if the user tries changing access points frequently, like first starting to connect to one access point, then a second, and so on, are the Evaluate commands for these added to the hotspot queue (the one that we register our app with) one after another, or does the system wait for the delivery of the response for one access point?
Post not yet marked as solved
65 Views

Transparent Proxy Provider, signing identifiers, and WebKit

Our TPP excludes our own processes from oversight, which makes some things very easy. Only I just found out that when our app uses a WKWebView... it's very securely shuffled off into its own process. With its own signing identifier. And a ppid of launchd. How could I tell that a com.apple.WebKit.Networking process is related to our process? (I note that the Endpoint Security Framework has added a "responsible" audit token, presumably for this sort of situation.)
Asked by kithrup.
Post marked as solved
177 Views

When networkextension is installed, the tethering breaks.

When network extension is installed, the tethering breaks. So our customers faced a very big problem. Give me some feedback. The test steps are as follows.

1. Test info
   - OS: higher than 12.1
   - Hardware: only MacBookPro18,1~3, and only tethering (IPv6). It does not happen in IPv4. It works normally in a different environment.
2. Test steps
   1) We always allowed NE's authority request in the same way.
   2) After NE is installed, press Allow network filtering.
   3) Our NE calls the API below (in main method): [NEFilterPacketProvider startSystemExtensionMode];
   4) However, the following error message occurs.
      error 16:10:37.791557+0900 com. ahnlab. TobeyNE [self.extensionContext conformsToProtocol:auxHostProtocol.protocol] - /AppleInternal/Library/BuildRoots/66382bca-8bca-11ec-aade-6613bcf0e2ee/Library/Caches/com.apple.xbs/Sources/ExtensionFoundation/ExtensionFoundation/Source/NSExtension/NSExtensionSupport/EXExtensionContext.m:332: Class NEFilterPacketExtensionProviderContext does not conform to aux host protocol: <private>
   5) And the tethering breaks.

Also, it works normally unless it is MacBookPro18,1. There is this issue only in MacBookPro18,1. Tell me the solution.
Post marked as solved
126 Views

Provide identity in system network extension

Hi, we are building a macOS application which integrates VPN functions right now. We are using a Developer ID certificate to sign the app and system network extension, and sandbox is enabled. One issue we are facing now is that we need to establish an mTLS connection to the server. During this connection, we need to send the client certificate to the server via the provideIdentity() API. We have the certificate, key and p12 file, which are generated in another daemon. But we cannot use the SecPkcs12Import function to import the p12 file in our system extension due to the sandbox limitation and the different context. I know that we cannot construct a secIdentity object by ourselves. So I am wondering if there is any way that we can get the secIdentity object in the system extension? Is it possible to send a secIdentity object between the app and the system extension?
Asked by willys.
Post not yet marked as solved
53 Views

/var/root/Library/Containers/ - no such file or directory

Hi, we have a macOS app that starts the system network extension to provide the VPN service. I'm integrating Crashpad to report crashes from the system network extension. To handle and report the crashes, in the network extension, we start the crash handler in a separate process and it listens to the Mach port for EXC_CRASH exceptions. The crash handler needs to access the file system to create the crash reports database. But I'm getting the "Applications Support" directory from the network extension, but the path is not found. Here's the error:

execvp /var/root/Library/Containers/<bundle ID>/Data/Library/Application Support/Crash/handler_mac: No such file or directory
Asked by jingyil.
Post not yet marked as solved
91 Views

Why binding INADDR_ANY in Network Extension is not allowed other apps to connect it using localhost

Hi, I have an extension using NEPacketTunnelProvider. I need to bind both the LAN address and localhost so that other apps can connect to it and transfer data. I found that:

- If I bind INADDR_LOOPBACK, other apps on the phone can connect to it using localhost (127.0.0.1).
- If I bind INADDR_ANY, other apps on the phone can connect to it using the LAN address but not localhost (127.0.0.1).

My question is: why can't other apps on the phone connect using localhost (127.0.0.1) when binding INADDR_ANY? Thank you.

NEPacketTunnelNetworkSettings:

- Exclude route: 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32, 239.255.255.250/32, fc00::/7, fe80::/10, ff02::c/128, ff05::c/128, ff08::c/128, ff0e::c/128
- Include route: [NEIPv4Route defaultRoute]
- NEProxySettings with HTTPEnabled and HTTPSEnabled to localhost (a http server)
- NEProxySetting exception: 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32, localhost, *.local, captive.apple.com
- NEProxySetting excludeSimpleHostnames: YES
Asked by HenryL.
Post marked as solved
112 Views

How can I use inter process communication?

Hi, I am currently building my own VPN application using NetworkExtension's PacketTunnelProvider. I want to send information from the PacketTunnelProvider to the ViewController when a VPN connection fails and to tell the user why. The code now is as shown below. When the startTunnel() being overwritten is executed, somehow NotificationCenter.default.post(name: NSNotification.Name.NEVPNStatusDidChange, object: nil) is executed and VPNStatusDidChange(_ notification: Notification?) in the ViewController is called and displays some message. I tried to do the same thing by writing NotificationCenter.default.post(name: NSNotification.Name(rawValue: "testnotify"), object: nil) in the PacketTunnelProvider.swift, but it does not work. What is wrong?

Here is a part of the current PacketTunnelProvider.swift:

```swift
override func startTunnel(options: [String : NSObject]? = nil, completionHandler: @escaping (Error?) -> Void) {
    conf = (self.protocolConfiguration as! NETunnelProviderProtocol).providerConfiguration! as [String : AnyObject]
    self.setupWSSession()

    DispatchQueue.global().async {
        while (self.connectionPhase < 5) {
            Thread.sleep(forTimeInterval: 0.5)
        }
        self.tunToWS()
    }
    NotificationCenter.default.post(name: NSNotification.Name(rawValue: "testnotify"), object: nil)
}
```

And here is a part of ViewController.swift:

```swift
override func viewDidLoad() {
    super.viewDidLoad()
    initVPNTunnelProviderManager()
    NotificationCenter.default.addObserver(self, selector: #selector(ViewController.VPNStatusDidChange(_:)), name: NSNotification.Name.NEVPNStatusDidChange, object: nil)
    NotificationCenter.default.addObserver(self, selector: #selector(ViewController.receive(_:)), name: NSNotification.Name(rawValue: "testnotify"), object: nil)
}

@objc func VPNStatusDidChange(_ notification: Notification?) {
    print("VPN Status changed:")
    let status = self.vpnManager.connection.status
    switch status {
    case .connecting:
        print("Connecting...")
        connectButton.setTitle("Disconnect", for: .normal)
        break
    case .connected:
        print("Connected...")
        connectButton.setTitle("Disconnect", for: .normal)
        break
    case .disconnecting:
        print("Disconnecting...")
        break
    case .disconnected:
        print("Disconnected...")
        connectButton.setTitle("Connect", for: .normal)
        break
    case .invalid:
        print("Invliad")
        break
    case .reasserting:
        print("Reasserting...")
        break
    }
}

@objc func receive(_ notification: Notification?) {
    print("receive Notification!")
}
```
Post not yet marked as solved
81 Views

What's the best way to launch containing app on macOS from the Network Extension

Hi there, we have a VPN application built on top of the Packet Tunnel Provider. We are seeing an issue where, once our containing application has crashed, the packet tunnel provider keeps running. We could detect the crash from the tunnel, but there is no way for us to stop the VPN because on-demand will bring back the VPN all the time. Since there is no way to disable the on-demand rule within the packet tunnel provider, is it possible to programmatically launch the crashed application from the packet tunnel provider? Something like iOS's silent push notification could work too, since all we need is to disable the on-demand rule from the application and stop the VPN.
Asked by yijiexu.
Post not yet marked as solved
142 Views

Is it possible to see pre- tunneled traffic in the filter-packet provider

Hi there, I am experimenting with a firewall app via the NEFilterPacketProvider interface. When I have Cisco AnyConnect VPN connected, all I can see seems to be TCP/UDP 443 SSL VPN traffic, not the app traffic that's being tunneled. From a filter-packet provider, any idea how I can see app traffic before it gets encapsulated (and after it gets decapsulated)? Thanks, Billy
Post marked as solved
149 Views

Apple Local Push Connectivity with error nil?

I'm trying to configure Local Push Connectivity. I already have the Local Push Entitlement, and have installed a provisioning profile with the local push entitlement. It builds fine, but when the app starts, PushProvider didn't activate and start, and Push Manager shows error nil. I have followed every instruction that the sample code provided. This is my project.

In my application target, I have a bundle id com.my_team_name.my_app_name and the app group name group.com.my_team_name.my_app_name. In the .entitlement, I've set the required configuration:

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-push-provider</string>
    </array>
    <key>com.apple.developer.networking.wifi-info</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.my_team_name.my_app_name</string>
    </array>
</dict>
</plist>
```

Info.plist has nothing to change. And I have a PushManager class with this code:

```swift
class AppPushManager: NSObject, NEAppPushDelegate {
    func appPushManager(_ manager: NEAppPushManager, didReceiveIncomingCallWithUserInfo userInfo: [AnyHashable : Any] = [:]) {
    }

    static let shared = AppPushManager()

    private var pushManager: NEAppPushManager = NEAppPushManager()
    private let pushManagerDescription = "PushDefaultConfiguration"
    private let pushProviderBundleIdentifier = "com.my_team_name.my_app_name.PushProvider"

    func initialize() {
        if pushManager.delegate == nil {
            pushManager.delegate = self
        }
        pushManager.localizedDescription = pushManagerDescription
        pushManager.providerBundleIdentifier = pushProviderBundleIdentifier
        pushManager.isEnabled = true
        pushManager.providerConfiguration = [
            "host": "my_server.local"
        ]
        pushManager.matchSSIDs = ["my_wifi_ssid"]
        pushManager.saveToPreferences(completionHandler: { error in
            print("error? \(String(describing: error))")
            print("is active: \(self.pushManager.isActive)")
        })
    }
}
```

In my extension, a PushProvider target, I have a bundle id com.my_team_name.my_app_name.PushProvider and the app group name group.com.my_team_name.my_app_name. In the Info.plist of my extension, I've added the required configuration:

```xml
<key>NSExtension</key>
<dict>
    <key>NSExtensionPointIdentifier</key>
    <string>com.apple.networkextension.app-push</string>
    <key>NSExtensionPrincipalClass</key>
    <string>$(PRODUCT_MODULE_NAME).PushProvider</string>
</dict>
```

The .entitlement file has the same contents as the application's, and I have created the extension class "PushProvider.swift" as follows:

```swift
class PushProvider: NEAppPushProvider { ... }
```

When I run the application, I get this printed out:

```
error? nil
is active: false
```

I think it might be something with providerBundleIdentifier in Push Manager. Does anyone know what I'm missing?
Asked by BizarreTH.
Post not yet marked as solved
87 Views

Deploying iOS App with Web Content Filter

I uploaded iOS app store with web content filter. When I tried to block the sites, it didn't work. After debugging I got the error:

```
<Error>: YourApp trying to create a content filter configuration through an app. Creating a content filter configuration is only allowed through profile in production version of YourApp.
<Error>: Failed to save configuration com.DemoiOS: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
<Error>: -[NEFilterManager saveToPreferencesWithCompletionHandler:]_block_invoke_3: failed to save the new configuration: Error Domain=NEFilterErrorDomain Code=5 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
```

It works fine in the dev environment. I searched other threads here and didn't find a proper answer. How do I resolve this error? It would be a great help if you can point me to a solution. I want to make sure that if a user downloads the app from the store, he should be able to block the selected sites.