Post not yet marked as solved
Description:
I am experiencing a persistent issue with establishing a VPN connection through a custom app I've developed using Swift. While the VPN configuration appears to be loaded successfully, attempts to connect result in immediate disconnection. Here are the details:
Problem Summary:
I have implemented a VPN connection using Swift with the NetworkExtension and TunnelKit frameworks. My application successfully loads the VPN configuration, but when attempting to connect, the VPN status quickly changes from connecting to disconnected without ever achieving a stable connection. Manually attempting to toggle the connection from device settings results in the toggle switching off as soon as it is turned on. The console logs indicate a transition from 'connecting' to 'disconnected' almost simultaneously.
Technical Details:
Here is an overview of the relevant part of the code used for setting up and managing the VPN connection:
import TunnelKitOpenVPNCore
import NetworkExtension
import TunnelKit
class VPNManager {
static let shared = VPNManager()
private var providerManager: NETunnelProviderManager?
init() {
NotificationCenter.default.addObserver(self, selector: #selector(vpnStatusDidChange), name: .NEVPNStatusDidChange, object: nil)
}
deinit {
NotificationCenter.default.removeObserver(self)
}
@objc func vpnStatusDidChange(notification: Notification) {
guard let status = self.providerManager?.connection.status else { return }
switch status {
case .connecting:
print("VPN is connecting")
case .connected:
print("VPN is connected")
case .disconnecting:
print("VPN is disconnecting")
case .disconnected:
print("VPN is disconnected")
case .invalid:
print("VPN configuration is invalid")
case .reasserting:
print("VPN is reasserting")
@unknown default:
print("Unknown VPN status")
}
}
func loadAndCreateVPNProfile(completion: @escaping (Bool, Error?) -> Void) {
self.providerManager = NETunnelProviderManager()
guard let ovpnURL = Bundle.main.url(forResource: "client", withExtension: "ovpn"),
let ovpnContents = try? String(contentsOf: ovpnURL) else {
completion(false, NSError(domain: "VPNManagerError", code: 1, userInfo: [NSLocalizedDescriptionKey: "Configuration file could not be read or found."]))
return
}
// Parsing and configuration logic here...
self.providerManager?.saveToPreferences { error in
if let error = error {
print("Error saving preferences: \(error.localizedDescription)")
completion(false, error)
} else {
print("VPN profile saved successfully.")
completion(true, nil)
}
}
}
func connect() {
self.providerManager?.loadFromPreferences { [weak self] error in
guard let strongSelf = self else {
print("Reference to VPNManager lost.")
return
}
if let error = error {
print("Failed to load preferences: \(error.localizedDescription)")
return
}
do {
try strongSelf.providerManager?.connection.startVPNTunnel()
} catch NEVPNError.configurationInvalid {
print("VPN Configuration is invalid.")
} catch NEVPNError.configurationDisabled {
print("VPN Configuration is disabled.")
} catch let error {
print("Unexpected error: \(error.localizedDescription)")
}
}
}
func disconnect() {
providerManager?.connection.stopVPNTunnel()
}
}
Post not yet marked as solved
I work on an app that includes a network extension. The app is essentially just to activate the extension, and the extension typically has long-running background sessions. Analyzing/monitoring metrics for the network extension is very important for us. However, in the Xcode Organizer screen, only the app itself is shown in the drop down menu - the associated network extension is not an option.
For Xcode Organizer screens like Termination metrics and Battery Usage metrics, does the app's background metrics include the network extension, or just the app itself? If just the app, is there any way to get these metrics for the network extension?
Post not yet marked as solved
I've implemented a NEPacketTunnelProvider implementation, but I can't see any packets in packet flow. Here is the settings
override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) {
...
let networkSettings = self.initTunnelSettings()
setTunnelNetworkSettings(networkSettings) { (error) in
if let error = error {
completionHandler(error)
return
}
NSLog("Proxy address: \(networkSettings.proxySettings?.httpsServer?.address)")
self.readPackets()
completionHandler(nil)
}
private func initTunnelSettings() -> NEPacketTunnelNetworkSettings {
let settings: NEPacketTunnelNetworkSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "85.182.68.10")
/* ipv4 settings */
settings.ipv4Settings = NEIPv4Settings(addresses: ["1.2.3.4"], subnetMasks: ["255.255.255.255"])
settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]
/* MTU */
settings.mtu = 1500
return settings
}
There is even more strange thing.
If I add more specific route into includedRoutes array, I can see packets from that route traffic
settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default(), NEIPv4Route(destinationAddress: "192.168.0.103", subnetMask: "255.255.255.252")]
With this changes I will see packets with the destination IP "192.168.0.103", but if change mask to 255.255.255.0 no packet in the packet flow again
settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default(), NEIPv4Route(destinationAddress: "192.168.0.103", subnetMask: "255.255.255.0")]
Anyway my goal is to route all traffic through virtual interface and get all packets in the packetFlow.
Can you help me? What should I change?
i'd like to set up an app proxy server at local to resolve contents in mail protocols with SSL/TLS.
using VPN(App Proxy Provider only support HTTP?) to tunnel flows about mail protocols to proxy server seems impracticable
system configuration only supports HTTP and FTP?
is there a way to set a Mail Protocols Proxy at system Level?
or is there a way to route all transport layer flows(not only particular Application layer protocol) to proxy server?
Post not yet marked as solved
HI Team,
We have recently observed a network issue, followed by device hang-ups when users come out of sleep while using the Transparent app proxy provider in Sonoma 14.4. and users are required to restart the system to resolve the problem.
In the client logs, we observed that State:/Network/Global/IPv4 does not have any PrimaryInterface and there is no internet connectivity, although the internet works fine on other devices.
this issue start coming in sonoma 14.4 and happen with Transparent app proxy provider.
We are currently unable to pinpoint the exact issue. Are there any known issues with Sonoma 14.4?
Post not yet marked as solved
Even when it is disabled (that is, our app says "don't do anything" and all it does is start logging things).
On the mac, when I try to make an outgoing audio-only call (it's a mac mini with no camera), it seems to connect as far as the outside is concerned, but nothing happens -- I get a request on my other devices, with the wrong account, and the mac mini says it's failed while the ipad or iphone keep connected.
I am logging everything I can think of in our extensions, and they don't seem to show anything of interest. And I can't figure out what to look for in the entirety of system logs. I do see Messages dropped during live streaming (use log show to see what they were)... but I'm not sure what to look for in the log show.
If I try to make a call in, it results in what seems to be an iOS FaceTime bug -- the phone tells me to log into FaceTime. Even though I am logged in.
Post not yet marked as solved
I am running into an issue with running a PacketTunnelProvider as a system extension, and fast user switching.
Since the VPN is running as root, it runs outside any user context, and is accessible to all users on the machine. I can see the following behavior:
Login to User A
Connect VPN
Fast switch to user B
Open Safari, observe that traffic is directed and sent out the VPN. (As noted by the ability to browse otherwise un-reachable websites).
Is there a way to detect that a fast user switch is happening? And disconnect the VPN when user B takes control of the screen.
I know NSWorkspace is not a daemon-safe API. So NSWorkspaceSessionDidResignActiveNotification and like will not be useful here.
One alternative would be to use NSWorkspace notifications in the GUI and alert the system extension via XPC. But that wouldn't work in the case where there isn't a GUI, such as with ConnectOnDemand.
Is there a daemon-safe API to use or some other alternative?
Thanks
Post not yet marked as solved
In iOS, how to use code to turn on the system's hotspot?
Post not yet marked as solved
I would like to know, do we have any support from iOS in order to turn on wifi and bluetooth using internal apis on tap of a button in my IOS App, I am struggling to find information over this, more precisely , I want to turn on wifi from my custom widget in I phone, is it possible then please share info.
I am trying to add DNSProxy configuration using .mobileconfig and MDM on supervised device. I have Content Filter payload in the same configuration file that works as expected, however I was unable to start my DNSProxy. My app has 3 extension targets for Filter Data/Control Providers and DNSProxy extension.
Here is my DNSProxy payload:
<dict>
<key>AppBundleIdentifier</key>
<string>my.app.bundle.id</string>
<key>PayloadDescription</key>
<string>Configures DNS proxy network extension</string>
<key>PayloadDisplayName</key>
<string>DNS Proxy</string>
<key>PayloadIdentifier</key>
<string>com.apple.dnsProxy.managed.AEE249BB-4F44-4ED9-912B-6A70CC0E01B6</string>
<key>PayloadType</key>
<string>com.apple.dnsProxy.managed</string>
<key>PayloadUUID</key>
<string>AEE249BB-4F44-4ED9-912B-6A70CC0E01B6</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>ProviderBundleIdentifier</key>
<string>my.app.bundle.id.DNS-Proxy-Extension</string>
</dict>
Any thoughts on what I might be doing wrong?
Post not yet marked as solved
I tried to unit test the method "FilterDataProvider.handleNewFlow" from the sample project
https://developer.apple.com/documentation/networkextension/filtering_network_traffic
I always get this below issue,
Undefined symbols:
Linker command failed with exit code 1 (use -v to see invocation)
Could someone help with it?
Post not yet marked as solved
We have a main app that handles UI and interaction with the user. And we also have daemon contained inside of it. Daemon has all the business logic and FDA and root permissions. Now we want to add a network extension. First we added the Network Extension to Main app and it was working fine (to test the waters). But then we decided to move it to Daemon since it has all the business logic and NE mostly contains business logic and no UI. It needs to be there. Now NE activationRequest(forExtensionWithIdentifier is working fine. But deactivationRequest(forExtensionWithIdentifier: during uninstall always fails with this error
System Extension deactivationRequest fails with error he operation couldn’t be completed. (OSSystemExtensionErrorDomain error 13.)
OSSystemExtensionError Code 13 says "An error code that indicates the system was unable to obtain the proper authorization."
What does this actually mean. Also if there is an error why is it throwing it during uninstall rather than install?
To make it more clear this is our app structure is
Main.app -> Contents -> Mac OS -> Daemon.app -> Contents -> Library -> SystemExtensions -> System Extension Bundle
Apple doc says
@discussion This method creates a new request to activate/deactivate a System Extension.
Extensions are discovered from the `Contents/Library/SystemExtensions`
directory of the main application bundle.
Our System Extension is present on the main app bundle and has Contents/Library/SystemExtensions structure but one extra layer deep. Is this supported app structure?. If not is there any way to succesfully uninstall NE from code. Right now systemextensionsctl uninstall won't work without System Integrity Protection disabled. Keeping NE on the main app will break our project structure and require major rewrite of the app.
Also whenever I run systemextensionsctl with SIP on I get this message
At this time, this tool cannot be used if System Integrity Protection is enabled.
This limitation will be removed in the near future.
Please remember to re-enable System Integrity Protection!
Apple introduced System Extensions in 2019. It is still not there yet. Does anybody have any idea when will Apple make it work? if at all?
Previously, I added a post about the problem with NEFilterManager configuration. Since then, I explored the SimpleTunnel example project and I changed NEFilterManager setup to my own and it still worked well. Now, I simplified the code to just test that Content Filter is starting, but unfortunately it's displayed as 'Invalid' in System Settings.
Here are the samples of my code, but I still don't understand what I am doing wrong here. I would be very grateful for any help.
Test View
struct ContentFilterView: View {
@ObservedObject var vm = FilterManager.shared
@State private var toggleState = false
var body: some View {
VStack {
Toggle("Filter Status", isOn: $toggleState)
.padding()
.onChange(of: toggleState) { status in
vm.setupFilter(with: status)
}
}
.onAppear {
vm.loadFilterConfiguration { success in
if success {
print("loadFilterConfiguration is successful")
toggleState = vm.isEnabled ?? false
print("NEFilterManager config: \(String(describing: NEFilterManager.shared().providerConfiguration?.organization))")
} else {
print("loadFilterConfiguration failed")
toggleState = false
}
}
}
}
}
FilterManager
class FilterManager: ObservableObject {
@Published
private(set) var isEnabled: Bool? = nil
// MARK: - Properties
private let manager = NEFilterManager.shared()
private var subs = Set<AnyCancellable>()
static let shared = FilterManager()
private init() {
manager.isEnabledPublisher()
.receive(on: DispatchQueue.main)
.sink(receiveValue: { [weak self] isEnabled in
self?.setIsEnabled(isEnabled)
})
.store(in: &subs)
}
public func setupFilter(with status: Bool) {
if status && manager.providerConfiguration == nil {
let newConfiguration = NEFilterProviderConfiguration()
newConfiguration.username = "TestUser"
newConfiguration.organization = "Test Inc."
newConfiguration.filterBrowsers = true
newConfiguration.filterSockets = true
manager.providerConfiguration = newConfiguration
print("manager configuration saved successfully: \(String(describing: manager.providerConfiguration?.organization))")
}
manager.isEnabled = status
manager.saveToPreferences { [weak self] error in
if let error {
print("Failed to save the filter configuration: \(error.localizedDescription)")
self?.isEnabled = false
return
}
}
}
public func loadFilterConfiguration(withCompletion completion: @escaping (Bool) -> Void) {
manager.loadFromPreferences { error in
if let loadError = error {
print("Failed to load the filter configuration: \(loadError)")
completion(false)
} else {
completion(true)
}
}
}
private func setIsEnabled(_ isEnabled: Bool) {
guard self.isEnabled != isEnabled else { return }
self.isEnabled = isEnabled
print("NEFilter \(isEnabled ? "enabled" : "disabled")")
}
}
extension NEFilterManager {
// MARK: - Publisher enabling
func isEnabledPublisher() -> AnyPublisher<Bool, Never> {
NotificationCenter.default
.publisher(for: NSNotification.Name.NEFilterConfigurationDidChange)
.compactMap { [weak self] notification in
guard let self else { return nil }
return self.isEnabled
}
.eraseToAnyPublisher()
}
}
NEFilterDataProvider
class FilterDataProvider: NEFilterDataProvider {
// MARK: - Properties
/// A record of where in a particular flow the filter is looking.
var flowOffSetMapping = [URL: Int]()
/// The list of flows that should be blocked after fetching new rules.
var blockNeedRules = [String]()
/// The list of flows that should be allowed after fetching new rules.
var allowNeedRules = [String]()
override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
Log("Will handle filter flow \(flow)", prefix: "[Filter Data]")
return .drop()
}
}
NEFilterControlProvider is the same as SimpleTunnel example project NEFilterControlProvider implementation.
I also followed suggested steps mentioned in this post but it didn't seem to help.
Post not yet marked as solved
[iOS 17] We are trying to configure below Tunnel Provider configuration and we are saving it in NETunnelProviderManager preferences before calling startTunnelWithOptions
tunnelProvider.protocolConfiguration.includeAllNetworks = YES;
tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO;
tunnelProvider.protocolConfiguration.enforceRoutes = NO;
We are adding an IP in the excludeRoutes which belongs to server address[10.97.6.244]. Please refer the below network settings for VPN
IPv4Settings = {
configMethod = manual
addresses = (
10.97.4.188,
)
subnetMasks = (
255.255.255.255,
)
includedRoutes = (
{
destinationAddress = 0.0.0.0
destinationSubnetMask = 0.0.0.0
},
)
excludedRoutes = (
{
destinationAddress = 10.97.6.244
destinationSubnetMask = 255.255.255.255
},
)
overridePrimary = NO
}
Issue: when we are trying to access server address, it's getting tunneled because of that few of our APIs are sending failure and we are unable to connect to VPN.
Expected Results : excludedRoutes IPs should go via physical interface.
STEPS TO REPRODUCE
Configure VPN packet tunnel provider config as mentioned above and add some IPs in excludeRoutes
Save the configuration to NETunnelProviderManager preferences using “saveToPreferencesWithCompletionHandler”
Try to connect to VPN
excludeRoutes are tunneled via VA
Hi Team,
Im trying to disable the option to change the status of the Transparent Proxy enable/disable but there is no API which works in NETransparentProxyManager.
Could you suggest, how to disable the option to change the status of the Transparent Proxy enable/disable? We want to disable it so that no one can modify it from the settings.
This option is coming in Network -> Vpn & Filters
I observed that some other providers disabled it in the "Network -> VPN & Filters" settings.
Post not yet marked as solved
Requirement: We need to update below tunnel provider properties once VPN is up. Is it possible?
includeAllNetworks
excludeLocalNetworks
enforceRoutes
When is the standard time to configure and save the below properties in system preferences?
Is it possible to save these properties in system preference when VPN is up?
saveToPreferencesWithCompletionHandler
If we can change these properties in VPN connected state, When these tunnel provider properties will come into effect?
Post not yet marked as solved
Hi,
With iOS-17.4 update, we are seeing AppProxy VPN not getting started when Apps (associated with PerAppVPN) tried to access network resource after MDM PerAppVPN profile install/update.
Looks like PerApp rules associated with applayer vpn profile are broken after profile update/install as we see internet sites working without going through VPN (appProxy network extension), this start working if we toggle WiFi and then access network resource from Apps associated with PerAppVPN.
Created FB13688086 with all the details for this iOS 17.4 and AppLayerVPN, looking for and update here and any feedback/pointers will help. Thanks
Post not yet marked as solved
Is it possible to mock the behavior of NWPathMonitor for a specific app?
The scenario I want to support
I've created an app called RocketSim, a developer tool for Xcode's Simulator. I've already created Airplane mode, which disables networking calls from URLSession from a specific bundle identifier app installed on the Simulator.
Now, I want to support blocking NWPathMonitor as well. I believe the Simulator uses macOS's NWPathMonitor and does not use any specific HTTP request or similar to determine the reachability state.
Is there a way I can make NWPathMonitor return unsatisfied when my 'airplane mode' is turned on? Potentially using a Network Extension?
I got an error message in Xcode related to provisioning profiles and entitlements. Specifically, it appears Xcode encountered an issue with the provisioning profile I'm trying to use.
The error message states that the provisioning profile named "iOS Team Provisioning Profile" doesn't include the entitlement com.apple.developer.networking.HotspotHelper.
Post not yet marked as solved
Hello,
We would like to track the open sockets on the machine. we don't want to use a constantly running thread that polls the open sockets (such as by using sysctlbyname) since it sometimes will miss short-lived sockets.
After some research we decided to implement a content filter (NEFilterDataProvider) that pass-through every socket flow.
However, as we see and read in the forum, all previously opened sockets are disconnected once the filter is applied, which is an undesired thing for users using a VPN that will disconnect as well.
We would like to know if there is a better way to track all sockets, preferably in an event-driven way, or, to prevent the existing sockets from disconnecting if we use the filter or other network extension.
