I'm building a network testing app, and for that I need to verify some information about the network. Specifically, right now, I'm looking for the ability to verify that the Wi-Fi network that my iPhone is connected to, is running the right standard - specifically I'm looking for 802.11ac. On my mac I can alt-click the Wi-Fi symbol to get "PHY-function: 802.11ac". I would presumably get this information through the activePHYMode function. https://developer.apple.com/documentation/corewlan/cwinterface/1426471-activephymode However it does not appear that this function is available on iOS. Could it be made available? -- Frederik

Hi Guys,we have developed an VPN application for iOS 10, that basically just installs a VPN profile (developed using NETunnelProviderManager) that sets a special DNS for evey request to block malicious websites system-wide, that's it.Out can worked great under iOS 10 and even under iOS 11. But since updating the OS of the device to iOS 12, there is a "Update required" directly on the VPN profile:My question now is, did anybody else faced that problem?Because we already updated XCode, compiled the app for Deployment Target iOS 12, updated the application through the App Store, we already talked to the Apple Supported, that saif we should try using the develop forums so, can anybody htell us WHAT we should update to get rid off this message? The VPN profile itself still works, meaning the malicious websites still get blocked. But the label "Update Required" should vanish, but what should we do?Kind Regards,Mario

Hello, we are working on a feature that sometimes needs to drop/postpone DNS requests except for requests for allowed domains or originating from allowed executables. In this product we already have a network extension Socket Filter present. We were looking for correct technology to use for this purpose. 1), socket filter can not be used, as it is not possible to selectively drop only some UDP packets. If we block one flow, the socket can no longer be used to communicate with the specific remote IP and fails with EPIPE. This leads to DNS resolving issues as not every software can cope with UDP not working for part of the remote servers (AFAIK including Apple's own mDNSresponder). 2), loading socket filter drops all active connections. This is understandable for firewall type API, but it is an extremely inconvenient behavior if we do not want to actually implement a firewall. There is currently no option to configure this behavior of socket filter. 3), using DNS proxy is not really feasible, as it is not a transparent proxy and only a single DNS proxy can run at any given time. In case of multiple registered DNS proxies only the last one stays running. It is also a pretty heavyweight solution for what we want to accomplish. We tried using BSD pf packet filter with user specific rules: "pass out quick from any to any keep state user nameofuser" but 4) this breaks if DNS proxy is present. Attribution of proxied flows is not visible to BSD pf packet filter which sees all traffic as attributed to the DNS proxy instead of the original process. This has been reported as working as intended by Apple. The only other solution seems to be a packet level filter. But here we hit other issues: 5), since order of processing is Socket Filter —> DNS proxy -> VPN -> packet filter, we can not guarantee all traffic will be filtered (packet filter does not see at least some VPN traffic on MacOS, did not test this with all VPN types though...) 6). the NEFilterPacketProvider does not seem to have a way how to attribute the packet to a process. While the NEPacket obtained via delayCurrentPacket() has a metadata member, it seems to be never present on MacOS (at least on Monterey). This prevents per app/process/binary filtering and leaves only packet content inspection as an option. While it may in theory be possible to use Socket Filter to attribute packet level addresses to processes, it seems pretty cumbersome and potentially fragile in case DNS proxy is used. 7), there is an issue with coexistence of Packet and Socket filter. It seems that any change of NEFilterManager’s configuration concerning packet filter causes brief stop and start of socket filter as well. This is extremely inconvenient because a socket filter reload subsequently leads to the drop of all connections on the system. Please note that the packet filter does not cause such drop of connections on loading, so it would be ideal for our purpose. The only workaround is to have multiple system extensions, which is actually a correct engineering approach, but that leads to a horrible user experience. Allowing multiple system extensions is far from streamlined for the average user, and he would need to also allow one filter after each other separately. If we were to use socket filter, DNS proxy, VPN and packet filter in a single product, which ideally should each reside in standalone system extensions for resilience, the user would need to allow 8 separate dialogs!! And adding feature during lifetime of the product should not lead to repeated requests to allow system extensions; this is a nightmare from administration point of view. It should really be a once per app action (at least the load of system extension). But we are getting sidetracked. Coexistence seems like the most feasible user centric solution, but it is not really possible with the combination of Socket and Packet filters. Am I missing something or is the only possible solution to use Packet Filter extension (a second one, to not interfere with the Socket Filter one) and filtering based on packet content, which only works for wifi/ethernet interfaces?

Hi, I was working on a feature based on dns packet parsing in the VPN solution of my app on iOS. I was using the dns_parse_packet api from dnsutils.h class, which was able to parse dns requests and reply packets from raw bytes quite efficiently. I had tested this flow on iOS 15.2 but after updating to iOS 15.5 this api does not seem to work anymore. Has this API been deprecated or is this a bug in iOS 15.5?

I'm implementing an NEFilterDataProvider subclass on iOS, and am trying to make outbound network connections from it. Is this supposed to work? URLSession doesn't do it (the connection is never established); perhaps that's by design, considering NEProvider offers createTCPConnection(to:enableTLS:tlsParameters:delegate:) which seems to be designed for the job. However, calling this method doesn't work either; the connection never completes, and alternates between connecting and waiting state while the logging things like this: nw_endpoint_handler_start [C8 Hostname#2169586f:443 initial path ((null))] nw_endpoint_handler_reset_mode [C8 Hostname#2169586f:443 waiting path (unsatisfied (Path was denied by NECP policy), interface: en0, ipv4, dns)] reset nw_connection_report_state_with_handler_on_nw_queue [C8] reporting state waiting And on the first waiting state, the NWTCPConnection's error shows: The operation couldn’t be completed. (kNWErrorDomainDNS error -65563 - DNS Error: ServiceNotRunning) which seems a bit strange because I'm connecting to an IP address (no DNS lookup required). Am I overlooking something? Or is an NEFilterProvider prohibited from actually making its own outbound connections? thanks, -ben

Use case: There are few vehicle chargers which are emitting signals and in Access point mode. I need to create iOS apps that displays all nearby chargers' SSID. I came across https://developer.apple.com/forums/thread/91351?answerId=276151022#276151022 where they say "access to the API is only granted to folks creating hotspot helper apps, that is, apps that help the user navigate a hotspot (a Wi-Fi network where the user must interact with the network to gain access to the wider Internet)." "does not let you initiate a Wi-Fi scan, or even get real-time scan results" I didn't understand this much clearly, whether NEHotspotHelper can suffice my use case. I just need to get nearby wifi in Access point mode.

Hi, I'm using the reachability framework in order to register network status event for a specific address (address_st in the code below)... I'd like to support change of address which will trigger unregister from the old address and register to the new one. How can it be done ? SCNetworkReachabilityRef reachabilityRef = SCNetworkReachabilityCreateWithAddress(NULL, reinterpret_cast<sockaddr *>(&address_st)); SCNetworkReachabilityContext context = {0, NULL, NULL, NULL, NULL}; SCNetworkReachabilitySetCallback(reachabilityRef, ReachabilityCallback, &context)) SCNetworkReachabilitySetDispatchQueue(reachabilityRef, dispatch_queue_create("com.reachability.test", nil)); thanks,

Greetings to all apple developers! I have the problem with NETunnelProviderManager and PacketTunnelProvider. When I try to make a connection (by OpenVPN), there is an instant disconnect. I am using OpenVPNAdapter.framework - https://github.com/ss-abramchuk/OpenVPNAdapter for this. I put nslog in all methods in PacketTunnelProvider and none were printed.... I have the following logs in the console: objective-c NEVPNStatusInvalid Save successfully Connection established! NEVPNStatusConnecting NEVPNStatusDisconnected I checked all the .entitlements and other parameters. As I think they are okay. However, if you could check them again, I would be grateful. Below I am pasting links to images. Main target settings - https://ibb.co/zmHRP2z Extension target settings - https://ibb.co/tQdNNNY Main target .entitlements - https://ibb.co/SwwY8L8 Extension target .entitlements - https://ibb.co/kJg7q6W Extension's Info.plist - https://ibb.co/th2xSzm My code: objective-c (IBAction) buttonAction:(id)sender { [self connection]; } objective-c (void)viewDidLoad { [super viewDidLoad]; [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(onVpnStateChange:) name:NEVPNStatusDidChangeNotification object:nil]; NSMutableURLRequest *request = [[NSMutableURLRequest alloc] init]; [request setURL:[NSURL URLWithString:@"...."]]; [request setHTTPMethod:@"GET"]; NSURLSession *session = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration defaultSessionConfiguration]]; [[session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) { NSString* requestReply = [[NSString alloc] initWithData:data encoding:NSASCIIStringEncoding]; NSData* responseData = [requestReply dataUsingEncoding:NSUTF8StringEncoding]; NSDictionary *jsonDict = [NSJSONSerialization JSONObjectWithData:responseData options:kNilOptions error:&error]; weak.configData = [jsonDict[@"config"] dataUsingEncoding:NSUTF8StringEncoding] [weak initProvider]; }] resume]; } objective-c(void)initProvider { __weak typeof(self) weak = self; [NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:^(NSArrayNETunnelProviderManager** _Nullable managers, NSError* _Nullable error) { if(error){ NSLog(@"error: %@",error); return; } weak.providerManager = managers.firstObject ? managers.firstObject : [NETunnelProviderManager new]; [weak.providerManager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) { if(error){ NSLog(@"initProvider [weak.providerManager loadFromPreferencesWithCompletionHandler] error: %@",error); return; } NETunnelProviderProtocol *tunel = [[NETunnelProviderProtocol alloc] init]; tunel.providerBundleIdentifier = @"....com.MyVPN.PacketTunnel"; tunel.providerConfiguration = @{ @"ovpn" : self.configData }; tunel.serverAddress = @"vpn.superVPN.com"; tunel.disconnectOnSleep = NO; weak.providerManager.protocolConfiguration = tunel; weak.providerManager.localizedDescription = @"superVPN"; [weak.providerManager setEnabled:YES]; [weak.providerManager saveToPreferencesWithCompletionHandler:^(NSError *error) { if(error) { NSLog(@"Save error: %@", error); }else { NSLog(@"Save successfully"); } }]; }]; }]; } objective-c (void)connection { __weak typeof(self) weak = self; [self.providerManager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) { if(!error){ NSError *error = nil; [weak.providerManager.connection startVPNTunnelAndReturnError:&error]; if(error) { NSLog(@"Start error: %@", error.localizedDescription); }else{ NSLog(@"Connection established!"); } }else{ NSLog(@"connection error:%@",error); } }]; } I just don't know what the problem might be. Maybe in PacketTunnelProvider ? The code for PacketTunnelProvider was taken from here. - https://github.com/yaooort/OpenVPN-IOS/blob/master/PacketTunnel/PacketTunnelProvider.m All tests I run on a real device (iPhone iOS 12.4.4) Xcode Version 12.4 (12D4e) My .ovpn file is correct because it good works on android version of application. Please help me, I don't know where to look for the answer. There are similar questions on stackoverflow, but no one answered them. PacketTunnelProvider.m - https://developer.apple.com/forums/content/attachment/b4213a5d-8e30-4524-bf5d-94876235c908

I'm working on a React Native (IOS) app which has a feature to scan the available network list and pass the network ID with valid credentials to connect a wifi bridge with network. Why do I need to scan the wifi network list: the app will be communicating with a Custom Wifi Bridge whose role is to just transfer the API calls, since our app is hardware oriented, we have a bluetooth enabled hygrometer involved, so in order to connect the wifi bridge with a wifi source we need to have a way to first scan and then connect to it. Can you help me out with this, since I can't find any relevant help. Thanks.

General: DevForums tag: Network Extension Network Extension framework documentation Wi-Fi management: Wi-Fi Fundamentals DevForums post TN3111 iOS Wi-Fi API overview technote Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Wi-Fi is way more complex than you might think. This post attempts to explain some of that complexity, and how that affects the design of your network apps. Note I’m not a Wi-Fi expert. All of the following is the result of hard-won experience gained while investigating various oddball Wi-Fi problems. As a result it’s a vast simplification of how things really work. If you actually get to talk to a Wi-Fi expert, they’ll be happy to explain to you how Wi-Fi is even more complex than what I’ve explain below. Terminology As this post is going to talk about the fundamentals of Wi-Fi, I’m going to use Wi-Fi technical terms. Specifically: STA (station) — This is a Wi-Fi ‘client’ device. AP (access point) — This is the hardware running a single Wi-Fi network. The definition of Wi-Fi network is more complex than you might think, as I’ll explain next. SSID (Service Set Identifier) — This is what most folks think of as the Wi-Fi network. It’s the user-visible network identifier string that you see throughout the system. BSSID (Basic Service Set Identifier) — This defines a single Wi-Fi network at the Wi-Fi level. It’s identified by the MAC address - https://en.wikipedia.org/wiki/MAC_address of the AP, something that’s generally not user visible. In a typical home Wi-Fi network there’s a one-to-one relationship between SSID and BSSID. This is not true in more complex Wi-Fi setups. For example, in my home I have an Ethernet backbone with multiple APs bridged on to that backbone. Each AP has a different BSSID, but they all share the same SSID so that STAs can roam between APs without disrupting their network. This sort of setup is very common in enterprise environments. I also use various terms that are less widely accepted but are, nevertheless, important when discussing common scenarios: Wi-Fi hotspot — This is a Wi-Fi network where the user must interact with the network to gain access to the wider Internet (1). Wi-Fi accessory — This is an accessory which communicates over Wi-Fi. I use accessory in favour of device because, when working in the Apple ecosystem, device refers to your iOS device. Finally, I don’t use the term ad-hoc Wi-Fi. In my experience this term is so heavily overloaded as to be meaningless. See the next section for more. (1) Apple APIs are not as consistent about this as they should be. For example, the hotspot in NEHotspotHelper - https://developer.apple.com/documentation/networkextension/hotspot_helper is correct but the hotspot in NEHotspotConfigurationManager - https://developer.apple.com/documentation/networkextension/wi-fi_configuration is not (the API can be used to configure the device to join any Wi-Fi network, not just a Wi-Fi hotspot). Ad-Hoc Wi-Fi I don’t use the term ad-hoc Wi-Fi because, in my experience, this term means different things to different people: Some folks interpret it to mean IBSS - https://en.wikipedia.org/wiki/Service_set_%28802.11_network%29#Independent. Some folks interpret it to mean Wi-Fi Direct - https://en.wikipedia.org/wiki/Wi-Fi_Direct. Some folks interpret it to mean Apple peer-to-peer Wi-Fi (aka AWDL or its predecessor). This is the mechanism used by Network framework when you set the includePeerToPeer - https://developer.apple.com/documentation/network/nwparameters/3020639-includepeertopeer flag, Multipeer Connectivity, and so on. Some folks interpret it to mean an infrastructure Wi-Fi network that doesn’t lead to the wider Internet, for example, one published by a Wi-Fi accessory. Given this confusion it’s best to avoid this term in favour something more specific. Unicasts Wi-Fi implements a link-level positive acknowledgement mechanism for unicast traffic. This is really important because the physical packet loss on a Wi-Fi network is pretty bad. In Wi-Fi, all unicast traffic is from STA to AP or vice versa. This makes sense when you think about it. You can’t send from STA to STA because: The STAs might be located such that each STA can see the AP but the STAs can’t see each other (for example, this might be a home network with the AP located in the middle of the home and the STAs located on the extremities) The STAs might be talking to different APs (that is, they’re on different BSSIDs) Wi-Fi unicast traffic is fast because the AP can set the speed of the link to be appropriate for the STA in question. Some APs refuse to forward STA-to-STA traffic. This is most often seen with Wi-Fi hotspots, where the hotspot isolates each STA as a security measure (this is, IMO, security theatre - https://en.wikipedia.org/wiki/Security_theater but there you go). Broadcasts Note In this context, broadcasts also includes multicasts. Wi-Fi broadcasts work very differently from Wi-Fi unicasts. In a broadcast, the STA sends the packet to the AP and the AP then transmits the broadcast and hopes that all the other STAs pick it up. The AP does two things to help improve the chances that the STAs will pick up the broadcast: It sends the broadcast at the lowest supported speed — This makes sense when you think that the AP might have a mix of STAs, some of which support high speed modes and some of which don’t. It typically ramps up its transmission power. These measures help, but they don’t guarantee that all the STAs will pick up the broadcast. If the network has multiple APs, the AP will typically forward the broadcast to the other APs and they will also broadcast the packet. However, this does not always happen. Many organisations have large flat networks, and thus put a limit on Wi-Fi broadcasts to prevent the whole network being flooded with broadcasts. In fact, the AP might not even forward broadcasts from its own STAs (for example, a hotspot that implements STA isolation as I discussed earlier). IMPORTANT When you’re designing a network protocol that will commonly run over Wi-Fi, you must take into account the peculiarities of Wi-Fi’s broadcast support. For example, if you’re only transmitting to a few peers (less than 10 say), it may be better to send a unicast to each peer rather than send a broadcast; the unicasts may be faster (because Wi-Fi will send each one at the highest speed supported by that peer) and will certainly be more reliable. Power Managerment A STA will often turn off its radio in order to save power. When this happens the STA sends the AP a packet telling it how long it’s going to have its radio off, and the AP buffers packets for that STA for the duration. Cool beans! This feature is also used to support radio and antenna multiplexing. On iOS there are two scenarios where that’s necessary: iOS devices commonly have a single antenna for Bluetooth and Wi-Fi, so the device must periodically turn off Wi-Fi so it can use the antenna for Bluetooth. If the device has a single Wi-Fi radio (which is common), it may need to change the channel on that radio in order to deal with peer-to-peer Wi-Fi. It should go without saying that, if the AP sends a broadcast while the STA isn’t listening, the STA won’t see that broadcast. Examining Wi-Fi Mechanics If you’re interested in seeing how Wi-Fi really works, you can take a Wi-Fi level packet trace using the instructions in Recording a Wi-Fi Packet Trace - https://developer.apple.com/documentation/network/recording_a_packet_trace/recording_a_wi-fi_packet_trace. This will show you STA-to-AP traffic, AP-to-STA traffic, link-level positive acknowledgement and retransmission, Wi-Fi power management, and so on. Share and Enjoy — Quinn “The Eskimo!” Apple Developer Relations, Developer Technical Support, Core OS/Hardware let myEmail = "eskimo" + "1" + "@apple.com" Change history: 18 Apr 2016 — First posted. 1 Mar 2019 — Fix a link to QA1176, which is no more. Minor editorial changes. 11 May 2021 — Added the Ad-Hoc Wi-Fi section. Expanded the Terminology section. Minor editorial changes.

Hi, I have a question regarding NEHotspotHelper, I understand that as soon as the user tries to connect to a new network, We get an Evaluate command and the hotspot helper app has 45 seconds to deliver a response for it. Referring to [this](Authentication State Machine (apple.com)) document. I wanted to understand, if the user tries changing the access points frequently like first start connecting to one access point, then second so on, are the evaluate commands for these added in the hotspot queue (the one that we register our app with) one after another or does the system wait for the delivering of the response for 1 access point?

The .includeAllNetworks flag on the NEVPNProtocol object seems suitable for use as a vpn "kill switch." At the very least, the documentation specifies that "if this value is true and the tunnel is unavailable, the system drops all network traffic." Our application has a UI element that allows the user to toggle this setting, for the purposes of ensuring that all of their traffic is sent through the VPN connection. We're encountering an issue, however: it appears that, with this setting enabled, any NWTCPConnection returned by NEPacketTunnelProvider.createTCPConnectionThroughTunnel will never connect. It stays in the .connecting state and never advances to the .connected state. The documentation for this method states that this method can be used "to create a TCP connection to an endpoint inside the private network." Does this mean that the remote endpoint being connected to by createTCPConnectionThroughTunnel must reside inside the private network being connected to by the tunnel in order for it to work properly with the .includeAllNetworks setting? Or is the documentation simply suggesting that the TCP connection is tunneled through the private network? Other web pages seem to be loading just fine while this tunnel is active, it is just the connections returned by this function that seem to be timing out with .includeAllNetworks set to true. If I set it to false, the NWTCPConnection objects returned by this function transition to the .connected state just fine and data can be passed through them with no problems. Is this expected behavior, or is this a possible manifestation of something misconfigured in the VPN profile? Edit: I tested a bit more and it looks like even local connections over the private network seem to time out; I set up an endpoint within the VPN at 10.1.0.1 and createTCPConnectionThroughTunnel was still unable to connect with .includeAllNetworks set to true.

Hi, We have a macOS app that starts the system network extension to provide the VPN service. I'm integrating the Crashpad to report crashes from the system network extension. To handle and report the crashes, in the network extension, we start the crash handler in a separate process and it listens to the Mach port for EXC_CRASH exceptions. The crash handler needs to access the file system to create crash reports database. But I'm getting the "Applications Support" directory from the network extension, but the path is not found. Here's the error: execvp /var/root/Library/Containers/<bundle ID>/Data/Library/Application Support/Crash/handler_mac: No such file or directory