Network Extension

Customize and extend the core networking features of iOS, iPadOS, and macOS using Network Extension.

Network Extension Documentation

Posts under Network Extension tag

391 Posts
Post not yet marked as solved
4 Replies
408 Views
Recently, I encountered an issue where some users have reported that the VPN cannot be connected. Even after uninstalling the app and reinstalling it, I cannot connect. I must restart my phone to successfully connect. iOS system.
Post not yet marked as solved
3 Replies
1.1k Views
In code:

    thread Queue: shared_tcpConnWorkQueue
    libsp.dylib`spd_checkin_socket.cold.1:
        0x242276464 <+0>:  adrp   x8, 137736
        0x242276468 <+4>:  adrp   x9, 0
        0x24227646c <+8>:  add    x9, x9, #0xa3f            ; "Linked against modern SDK, VOIP socket will not wake. Use Local Push Connectivity instead"
        0x242276470 <+12>: str    x9, [x8, #0x390]
        0x242276474 <+16>: brk    #0x1 -> EXC_BREAKPOINT (code=1, subcode=0x242276474)

DeviceLogs:

    Application Specific Information:
    Linked against modern SDK, VOIP socket will not wake. Use Local Push Connectivity instead

    Thread 3 name:   Dispatch queue: shared_tcpConnWorkQueue
    Thread 3 Crashed:
    0   libsp.dylib                          0x216566474 spd_checkin_socket.cold.1 + 16
    1   libsp.dylib                          0x2165654c0 spd_checkin_socket + 896
    2   CFNetwork                            0x1b4230ef0 0x1b40f2000 + 1306352
    3   CFNetwork                            0x1b4232bcc 0x1b40f2000 + 1313740
    4   CFNetwork                            0x1b42351e0 0x1b40f2000 + 1323488
    5   CFNetwork                            0x1b42343a0 0x1b40f2000 + 1319840
    6   libdispatch.dylib                    0x1b9e61850 _dispatch_call_block_and_release + 24
    7   libdispatch.dylib                    0x1b9e627c8 _dispatch_client_callout + 16
    8   libdispatch.dylib                    0x1b9e3d854 _dispatch_lane_serial_drain$VARIANT$armv81 + 604
    9   libdispatch.dylib                    0x1b9e3e2e4 _dispatch_lane_invoke$VARIANT$armv81 + 380
    10  libdispatch.dylib                    0x1b9e48000 _dispatch_workloop_worker_thread + 612
    11  libsystem_pthread.dylib              0x1fa8e2b50 _pthread_wqthread + 284
    12  libsystem_pthread.dylib              0x1fa8e267c start_wqthread + 8

I think it is due to a VoIP socket issue, but I am not getting the point exactly. As I am new to iOS development, I do not have much idea. Looking forward to guidance. Thanks in advance!
Post not yet marked as solved
5 Replies
579 Views
Hi! I have a per-app VPN in the form of a PacketTunnelProvider with bundle id rules. I have a service application (not from the App Store), which resides in /Library/Application Support/.../SomeOtherBundle.app/.../ServiceApplication.app. There is a mechanism which periodically updates SomeOtherBundle.app together with ServiceApplication.app. Sometimes after such an update, ServiceApplication.app can't access the VPN; its traffic is just not being forwarded to the tunnel. After some research, I found that the reason for this is that the system is not aware of the new version of the ServiceApplication.app binary, and it does not really rely on the bundle id, but instead on the Mach-O UUID. Only the old Mach-O UUID is known to the system, so my new version of the app is not accounted for and not routed to the tunnel. The question here is how to notify the system about my app update, so it will route it correctly?
Post not yet marked as solved
3 Replies
355 Views
Hello, Our users are seeing random crashes in our packet filter system extension on macOS. Any help pointing me in the right direction to either avoid the issue or fix it would be greatly appreciated. Attached is the crash log. Thank you.

packetfilter.crash

    Crashed Thread: 2 Dispatch queue: com.apple.network.connections
    Exception Type: EXC_BAD_ACCESS (SIGBUS)
    Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000112918700
    Exception Note: EXC_CORPSE_NOTIFY
    Termination Signal: Bus error: 10
    Termination Reason: Namespace SIGNAL, Code 0xa
    Terminating Process: exc handler [40687]
    ...
    Thread 2 Crashed:: Dispatch queue: com.apple.network.connections
    0 libsystem_kernel.dylib 0x00007fff2089b46e os_channel_get_next_slot + 230
    1 com.apple.NetworkExtension 0x00007fff2e2e2643 __40-[NEFilterPacketInterpose createChannel]_block_invoke + 560
    2 libdispatch.dylib 0x00007fff20718806 _dispatch_client_callout + 8
    3 libdispatch.dylib 0x00007fff2071b1b0 _dispatch_continuation_pop + 423
    4 libdispatch.dylib 0x00007fff2072b564 _dispatch_source_invoke + 2061
    5 libdispatch.dylib 0x00007fff20720318 _dispatch_workloop_invoke + 1784
    6 libdispatch.dylib 0x00007fff20728c0d _dispatch_workloop_worker_thread + 811
    7 libsystem_pthread.dylib 0x00007fff208bf45d _pthread_wqthread + 314
    8 libsystem_pthread.dylib 0x00007fff208be42f start_wqthread + 15
Post marked as solved
1 Replies
793 Views
What is the difference between AppProxyProvider and TransparentProxyProvider? I can see in documentation that NETransparentProxyProvider is derived from NEAppProxyProvider, but what was the need to add a new proxyprovider (NETransparentProxyProvider) when we already had NEAppProxyProvider?
Post not yet marked as solved
2 Replies
771 Views
I am writing the unit test cases for the App Extension. The App Extension target is a combination of Swift Code + Objective Code. I followed the steps below after creating the unit test target for the scheme (the app target to be tested), which points to the App Extension target in Xcode.

    Select your extension test target in Project settings
    Go to Build Phases
    Expand Compile Sources
    Click +
    Add source files with your testable code.
    Build for Testing

When I try to build the unit test target from Xcode, I am seeing the error below:

    Cannot find interface declaration for 'XCTestCase', superclass of 'TunnelTests'

Please provide help to overcome this blocker.
Post not yet marked as solved
0 Replies
539 Views
Hey all! I have a System Extension that, while doing some other things, starts up my custom Network Extension via [NEProvider startSystemExtensionMode]. This Network Extension contains a class (let's call it MyDataProvider) that overrides the NEFilterDataProvider interface and implements handleNewFlow. MyDataProvider thus acts as a network content filter. The problem is that installing my System Extension on a Ventura 13.4 (or older) system and starting up the Network Extension seemingly drops any ongoing connection I have. For example, my ssh connection will hang. This makes it quite annoying attempting to install the System Extension remotely. I do not see this behavior for my other class that inherits the NEFilterPacketProvider interface. Is this behavior expected of the NEFilterDataProvider? It seems like a bug since I do not see any documentation stating this behavior.
Post not yet marked as solved
5 Replies
661 Views
In our PacketTunnelProvider we are seeing behavior for enforceRoutes which appears to contradict the documentation. According to the developer documentation (my emphasis):

    If this property is YES when the includeAllNetworks property is NO, the system scopes the included routes to the VPN and the excluded routes to the current primary network interface.

If we set these IPv4 settings:

    IPv4Settings = {
        configMethod = manual
        addresses = (
            172.16.1.1,
        )
        subnetMasks = (
            255.255.255.255,
        )
        includedRoutes = (
            {
                destinationAddress = 0.0.0.0
                destinationSubnetMask = 0.0.0.0
            },
        )
        excludedRoutes = (
            {
                destinationAddress = 10.10.0.0
                destinationSubnetMask = 255.255.255.0
            },
        )
        overridePrimary = YES
    }

Then if enforceRoutes is set to YES, then we do not see traffic for the excluded network, which is the expected behavior. If enforceRoutes is set to NO, then we do see traffic for the excluded network. In both cases includeAllNetworks and excludeLocalNetworks are both NO. The excluded network is not one of the local LANs. Is this a known issue? Is there some documented interaction that I missed here? Is there a workaround we can use to make this function as intended, with enforceRoutes set to YES?
Post marked as solved
2 Replies
540 Views
I have recently been learning about Apple's system extensions on macOS and downloaded a sample from Apple's official documentation, https://developer.apple.com/documentation/networkextension/filtering_network_traffic, which is used to filter incoming connections. A video talking about it can be found here, though it is a bit old. Although I can build the sample code successfully using Xcode, the system extension is actually not started (I have added logging to verify this); specifically, the main.swift under the SimpleFirewallExtension folder is not loaded. I have read this article - https://www.avanderlee.com/debugging/network-extension-debugging-macos, saying that if the main.swift is not loaded, there must be some configuration issue in the project setup. But the project is downloaded from Apple's sample. Has anyone encountered this before? I am using macOS Ventura version 13.1.1, Xcode version 14.3.
Post not yet marked as solved
3 Replies
250 Views
I am trying to connect to an SSID using applyConfiguration. The documentation is pretty clear here: "A successful configuration doesnʼt mean the device has joined that Wi-Fi network". Therefore I try to verify that the device is connected and I call fetchCurrentWithCompletionHandler, and I do this inside the completion handler of applyConfiguration. Normally this works just fine. My iOS device is able to connect and fetchCurrentWithCompletionHandler gives the desired SSID. In around 1% of the cases however it does not work. Either fetchCurrentWithCompletionHandler gives some other known SSID or null.
Post not yet marked as solved
2 Replies
285 Views
More and more routers are establishing Wi-Fi networks with a mixed frequency band of 2.4G and 5G, but most smart accessories (IoT devices) only support 2.4G Wi-Fi. Our business requires us to determine the current Wi-Fi frequency band information that iOS is connected to, and if it is 5G, provide a reminder to the user.
Post not yet marked as solved
3 Replies
354 Views
I am developing a MacOS application hosting a Network Extension (app proxy provider). I am signing with Developer ID certificate to distribute outside the AppStore and notarizing the host app with the following entitlements:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>app-proxy-provider-systemextension</string>
        </array>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>com.my-organization.my-group</string>
        </array>
        <key>com.apple.security.network.client</key>
        <true/>
    </dict>
    </plist>

After notarizing the app, I am able to install and use the Network Extension. Now I have a requirement to add the following entitlements (because I need to use some third party native libraries which are signed ad-hoc):

    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>

As soon as I add those entitlements, the application starts crashing at startup:

    Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
    Exception Codes: 0x0000000000000000, 0x0000000000000000
    Termination Reason: CODESIGNING 1 Taskgated Invalid Signature
    Triggered by Thread: 0

    Thread 0 Crashed:
    0 ??? 0x11cf78ef0 _dyld_start + 0
    1 ??? 0x10f62c000 ???

    Thread 0 crashed with X86 Thread State (64-bit):
      rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000
      rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ff7b08d3b98
      r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000
      r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
      rip: 0x000000011cf78ef0 rfl: 0x0000000000000200 cr2: 0x0000000000000000

    Logical CPU: 0
    Error Code: 0x00000000
    Trap Number: 0

    Binary Images:
    0x11cf74000 - 0x11d00bfff ??? (*) <bba77709-6cad-3592-ab03-09d0f7b8610e> ???
    0x10f62c000 - 0x10f62dfff ??? (*) <4c4c44aa-5555-3144-a128-fba98974e1e0> ???

    Error Formulating Crash Report:
    dyld_process_snapshot_get_shared_cache failed

If I remove the com.apple.developer.networking.networkextension and com.apple.developer.system-extension.install, then the app starts but of course I cannot activate and use the Network Extension. So my question is whether the network extension entitlements and the disable-library-validation entitlements can be used together?
Post not yet marked as solved
1 Replies
349 Views
I am seeing an interesting behavior on iOS 16.4+ when I set the NEVPNProtocol includeAllNetworks flag to TRUE as part of my tunnel's saved preferences. My packet tunnel provider starts up and goes through the usual setup of adding routes, where let's say we just add NEIPv4Route.default() to route everything, eventually setting them via setTunnelNetworkSettings. Any subsequent call to cancelTunnelWithError will cause the phone to get into a state where the tunnel provider goes away but it appears that my routes did not properly clean up, essentially causing the device to get into a state where all network traffic is now dead. The only way to recover is to go into OS Settings -> VPN and change the selected profile to some other one, or just remove ours and go through installation again. It appears to only be happening on iOS 16.4+ devices; any previous versions clean up just fine. Curious if anyone has seen such behavior? Thanks in advance.
Post marked as solved
5 Replies
1.6k Views
I want to connect to Wi-Fi programmatically using Swift in my iPad application and I want to create it according to the flow below.

    Enter the network name programmatically
    Set the programmatically "WPA2-Enterprise" for security.
    Set username/password.
    A certificate popup will appear, so tap "Trust".
    "Turn on the following information." otherwise off.
        Automatic connection
        Restrict IP address tracking
    Set the programmatically IPV4 address below.
        Configure ID: Manual
        IP address: 192.***.***.*** For tablets, ○○: 1 to 20
        Subnet mask: 255.255.255.0
        Router: 192.***.***.***
    Configure DNS server (Set the programmatically)
        Manual
        Add server: 8.8.8.8
    HTTP proxy (Set the programmatically)
        Configure proxy: off

If anyone can guide me to the proper way, it would be much appreciated!!!
Post marked as solved
9 Replies
1.8k Views
The problem

I have a MacOS app that hosts a content filtering system extension, like SimpleFirewall. The app has been in production for a couple years. I'm working on a new version, and in testing the release candidate, I'm getting a consistent crash that I believe is related to swift concurrency back deployment. Here are the key details:

- building using Xcode 14.2, from a machine running Monterey, Swift 5.7.2
- crash does not happen when building and testing from Xcode, locally
- crash does not happen on test machine running Ventura
- crash DOES happen always on a test machine running Big Sur
- only the root-user system extension crashes, not the host application
- the new version introduced async/await into the system extension
- crash report shows identical stack trace to well-known issue that had to do with concurrency back deployment

Is there a known issue/limitation with concurrency back deployment in the context of a system extension? Is there any reason why async/await shouldn't work in that context when deployed to Big Sur?

More details, context

The key lines of the crash stack trace are:

    0 libswiftCore.dylib 0x00007fff2cdacdc7 swift::ResolveAsSymbolicReference::operator()(swift::Demangle::__runtime::SymbolicReferenceKind, swift::Demangle::__runtime::Directness, int, void const*) + 55
    1 libswiftCore.dylib 0x00007fff2cdcf2dd swift::Demangle::__runtime::Demangler::demangleSymbolicReference(unsigned char) + 141
    2 libswiftCore.dylib 0x00007fff2cdcc2a8 swift::Demangle::__runtime::Demangler::demangleType(__swift::__runtime::llvm::StringRef, std::__1::function<swift::Demangle::__runtime::Node* (swift::Demangle::__runtime::SymbolicReferenceKind, swift::Demangle::__runtime::Directness, int, void const*)>) + 168
    3 libswiftCore.dylib 0x00007fff2cdb25a4 swift_getTypeByMangledNameImpl(swift::MetadataRequest, __swift::__runtime::llvm::StringRef, void const* const*, std::__1::function<swift::TargetMetadata<swift::InProcess> const* (unsigned int, unsigned int)>, std::__1::function<swift::TargetWitnessTable<swift::InProcess> const* (swift::TargetMetadata<swift::InProcess> const*, unsigned int)>) + 516
    4 libswiftCore.dylib 0x00007fff2cdafd6d swift::swift_getTypeByMangledName(swift::MetadataRequest, __swift::__runtime::llvm::StringRef, void const* const*, std::__1::function<swift::TargetMetadata<swift::InProcess> const* (unsigned int, unsigned int)>, std::__1::function<swift::TargetWitnessTable<swift::InProcess> const* (swift::TargetMetadata<swift::InProcess> const*, unsigned int)>) + 477
    5 libswiftCore.dylib 0x00007fff2cdaff9b swift_getTypeByMangledNameInContext + 171
    6 com.myorg.app.filter-extension 0x000000010db2b8b7 0x10db02000 + 170167
    7 libdispatch.dylib 0x00007fff20516806 _dispatch_client_callout + 8
    8 libdispatch.dylib 0x00007fff2051798c _dispatch_once_callout + 20
    9 libswiftCore.dylib 0x00007fff2cdbe16a swift_once + 26
    10 com.myorg.app.filter-extension 0x000000010db2c5e3 0x10db02000 + 173539
    11 com.myorg.app.filter-extension 0x000000010dbbd708 0x10db02000 + 767752
    12 com.myorg.app.filter-extension 0x000000010db073cc 0x10db02000 + 21452
    13 com.apple.NetworkExtension 0x00007fff2dfdd4d8 -[NEExtensionProviderContext createWithCompletionHandler:] + 377
    14 com.apple.Foundation 0x00007fff215a7c96 __NSXPCCONNECTION_IS_CALLING_OUT_TO_EXPORTED_OBJECT_S1__ + 10
    15 com.apple.Foundation 0x00007fff21552b98 -[NSXPCConnection _decodeAndInvokeMessageWithEvent:flags:] + 2271
    16 com.apple.Foundation 0x00007fff2150a049 message_handler + 206
    17 libxpc.dylib 0x00007fff20406c24 _xpc_connection_call_event_handler + 56
    18 libxpc.dylib 0x00007fff20405a9b _xpc_connection_mach_event + 938

The first five lines are identical to an issue from Xcode 13.2.1, discussed in depth on the swift forums: https://forums.swift.org/t/async-await-crash-on-ios14-with-xcode-13-2-1/54541 ...except I'm using Xcode 14.2. Which makes me think that it's not exactly the same bug, but another manifestation of a failure to link against the back-deployed concurrency lib, possibly having to do with the fact that the system extension isn't able to access the back-deployed lib. The archived app does have libswift_Concurrency.dylib at MyApp.app/Contents/Frameworks/libswift_Concurrency.dylib.

What I've Tried

I tested the workaround in the above mentioned thread, using lipo to remove arm64 arch, but it didn't work. I also tested adding -Xllvm -sil-disable-pass=alloc-stack-hoisting to Other Swift settings, as suggested in https://developer.apple.com/forums/thread/697070. I would greatly appreciate any assistance.
Post not yet marked as solved
1 Replies
177 Views
Hello! I’ve been wanting to make a VPN app for mobile (iOS). I’ve got the UI ready, but I don’t know how to make it work. I’m not familiar with NEVPNManager nor NetworkExtension, so if someone would like to guide me through the steps for the app. Note: I’m on iPad and I’m using Playgrounds 😉😅 Best regards, -Ryan
Post not yet marked as solved
3 Replies
498 Views
Hi, I'm new to iOS development and would like to gain some understanding about how NEPacketTunnelProvider handles UDP traffic. In my code, I've created NEPacketTunnelNetworkSettings

    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: proxyHost)
    let ipv4Settings = NEIPv4Settings(
        addresses: ["127.0.0.1"],
        subnetMasks: ["255.255.255.255"]
    )
    settings.ipv4Settings = ipv4Settings
    let proxySettings = NEProxySettings()
    ...
    settings.proxySettings = proxySettings

and passed it to the setTunnelNetworkSettings function. And I was able to start the VPN with no issues. However, in the debug tool, I couldn't see any UDP traffic, which I'm sure there should be some. The only UDP connection had no traffic constantly. Does the NEProxySettings only work for TCP? What am I missing here? (I've set protocolConfiguration?.includeAllNetworks = true in my NETunnelProviderManager) Thanks
Post not yet marked as solved
10 Replies
795 Views
Hello! Right now I am developing an NE extension. I need to determine the DNS (meaning I need to know where this package needs to be delivered, by domain name) and the IP from the packet itself. How can I do it with NEPacketTunnelProvider? I need to solve this issue: if the destination domain name equals domain1.com, then forward it to forwarder1.com; if the destination domain name equals domain2.com, then forward it to forwarder2.com; and so on. Is it in this class https://developer.apple.com/documentation/networkextension/nepacket ? Or should it be done with NEFilterProvider?
Post marked as solved
2 Replies
297 Views
Hello! There is a fully operational iOS Network Extension written with NEPacketTunnelProvider. It's working on an iOS device. From a previous discussion on this forum I got some info about the similarity between iOS and macOS. If it's working for iOS, is there something to change in the code, or do I just supply a macOS provisioning profile instead of the iOS one?
Post marked as solved
1 Replies
268 Views
Hello all! I got confused by some behavior of VPN applications on macOS. Some applications instantiate an NE System Extension for each protocol. Why? Is it best practice? Or is it a requirement? My apologies for these questions if they look strange or weird. System Extensions on macOS are a very new field of development for me.