I have a project that has the DataExtension target installed. In this extension I have a subclass of NEFilterDataProvider (the one that's created alongside the target). However, I don't know how to trigger the actual extension to start working. I have tried adding the following in application:didFinishLaunchingWithOptions:

    [[NEFilterManager sharedManager] loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) {
        if (error) {
            // This error usually does not happen.
            NSLog(@"%@", error);
        }
        NEFilterProviderConfiguration *config = [[NEFilterProviderConfiguration alloc] init];
        config.username = @"Test";
        config.organization = @"Org";
        config.filterBrowsers = YES;
        config.filterSockets = YES;
        config.serverAddress = @"Server to request new rules";
        [NEFilterManager sharedManager].providerConfiguration = config;
        [[NEFilterManager sharedManager] setEnabled:YES];
        [[NEFilterManager sharedManager] saveToPreferencesWithCompletionHandler:^(NSError * _Nullable error) {
            if (error) {
                // This always returns:
                // Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
                NSLog(@"%@", error);
            }
        }];
    }];

I have a suspicion I'm getting the denied permission because of Entitlements. My entitlements look like this:

DataFilterExtension:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-/
    <plist version="1.0">
    <dict>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>group.com.appIdentifier</string>
        </array>
    </dict>
    </plist>

MainApp:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-/
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.networking.vpn.api</key>
        <array>
            <string>allow-vpn</string>
        </array>
    </dict>
    </plist>

I'm not sure what to do.
Hi there,
We have a batch of customer iPads running an older version of our software with dnsproxy. They have not been running for a while. Then it was found that these devices cannot load the dnsproxy network extension and have no network access anymore.
Below is the iPad console.
iPad neagent(NetworkExtension)[220] <Error>: Failed to start extension com.***.ios-dns.ext: Error Domain=PlugInKit Code=4 "RBSLaunchRequest error trying to launch plugin com.***.ios-dns.ext(***): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x14de85170 {Error Domain=NSPOSIXErrorDomain Code=85 "Bad executable (or shared library)" UserInfo={NSLocalizedDescription=Launchd job spawn failed with error: 85}}}" UserInfo={NSLocalizedDescription=RBSLaunchRequest error trying to launch plugin com.***.ios-dns.ext(***): Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x14de85170 {Error Domain=NSPOSIXErrorDomain Code=85 "Bad executable (or shared library)" UserInfo={NSLocalizedDescription=Launchd job spawn failed with error: 85}}}}
I guess it is because the dnsproxy provisioning profile there has already expired?
In this case, is there any way to retain network access remotely? There are hundreds of them. I cannot imagine needing to remove the app one by one manually.
Furthermore, is there any way to avoid such a situation: devices wake up after not being in use for some time, the provisioning profile has expired, they are not able to load the dnsproxy network extension, and there is no network anymore.
Thanks in advance for any suggestion,
Richard
Hello
We are developing our own iOS Network Extension-based VPN, and it has an HTTP proxy in the VPN.
In addition, we also use a PAC (Proxy auto-configuration) script to configure what kind of HTTP/HTTPS traffic should be routed to our proxy in the VPN.
However, we get this kind of message "Received XPC error Connection invalid for message type 3 kCFNetworkAgentXPCMessageTypePACQuery" randomly on iOS 15.5.
We have not been aware of any weird behavior of iOS based on the error message. We are afraid that this error message is caused by our VPN solution.
Are there any suggestions we should consider or follow to fix this error?
The documentation for NEProviderTunnelSession.sendProviderMessage says the following:
If this method can’t start sending the message it reports an error in the returnError parameter. If an error occurs while sending the message or returning the result, nil should be sent to the response handler as notification.
My question is, what sorts of errors can occur that would result in this function calling the completion handler with a nil value? When I'm returning an error explicitly to the client from my network extension, I call back with a specific piece of data that indicates an error condition (beginning with the byte 255.) However, I still occasionally get a callback with a nil value, which results in the app sometimes getting confused. I don't notice anything wrong from the extension's side when I check its logs.
What issue in the message sending layer might be causing this? Is there a process whose logs I can monitor that might shine some light on the problem and show me what problem I need to avoid?
We are working on a Network Extension based iOS app.
Is it possible to have an app proxy (for per-app VPN) and packet tunnel providers within the same extension binary on iOS? On Mac this seems to be allowed, but with iOS it looks like we have to use separate binaries, one per provider. In our case this complicates things.
We're developing an application which involves a Packet Tunnel Provider extension. Inside the extension we connect to a remote server to get the tunnel config profile and authentication parameters, followed by tunnel creation.
If we are not able to establish the tunnel, we would like to notify the user via the containing app.
It is possible that the tunnel extension is running when the containing app is not running, so we decided to send a notification (via UserNotifications) to achieve the same.
The requirements are:
If the containing app is in the foreground, the notification should not be displayed; the app handles whatever is required
If the app is in the foreground, when the user clicks on the notification, the app should come into the foreground and handle it
If the app is not running, the app should launch and handle the notifications
If the user launches the app or the app comes into the foreground, the app handles all shown notifications and clears them
We are trying to achieve this by implementing the UNUserNotificationCenterDelegate in the AppDelegate of the containing app.
Now all the above requirements are fulfilled when the notification is published by the containing app, but when it is published by the NEPacketTunnelProvider extension, the notification appears but clicking on it does not call the appropriate delegate function in the containing app.
We want to support macOS 10.15 and above if possible.
We are testing on macOS 12.4 and 12.3.2 for now.
Please help with the same or suggest a better way of notifying the user that some action is required and the containing app needs to be opened.
Hello,
I have successfully implemented an NEPacketTunnelProvider network extension in an iOS app, which works fine most of the time.
By working fine I mean it starts, stops (it is configured to disconnect on sleep) and handles network traffic as expected.
However, I have a few reports that sometimes it doesn't start correctly. It hangs on "Connecting..." when checking Settings -> VPN.
As far as I can tell, even after waiting for minutes, it still seems stuck.
Re-installing either the VPN provider extension or the entire app fixes this problem.
What could be causing such random and very rare issues? This doesn't seem to be connected to a single iOS version, for example.
Our TPP excludes our own processes from oversight, which makes some things very easy. Only I just found out that when our app uses a WKWebView... it's very securely shuffled off into its own process. With its own signing identifier. And a ppid of launchd.
How could I tell that a com.apple.WebKit.Networking process is related to our process? (I note that the Endpoint Security Framework has added a "responsible" audit token, presumably for this sort of situation.)
When the network extension is installed, tethering breaks.
So our customers face a very big problem.
Give me some feedback.
The test steps are as follows.
1. Test Info
os: higher than 12.1
hardware: only MacBookPro18,1~3
and only Tethering (IPv6).
It does not happen with IPv4.
It works normally in a different environment.
2. Test Steps
1) We always allowed the NE's authority request in the same way.
2) After the NE is installed, press Allow network filtering.
3) Our NE calls the API below (in the main method):
    [NEFilterPacketProvider startSystemExtensionMode];
4) However, the following error message occurs.
error 16:10:37.791557+0900 com. ahnlab. TobeyNE [self.extensionContext conformsToProtocol:auxHostProtocol.protocol] - /AppleInternal/Library/BuildRoots/66382bca-8bca-11ec-aade-6613bcf0e2ee/Library/Caches/com.apple.xbs/Sources/ExtensionFoundation/ExtensionFoundation/Source/NSExtension/NSExtensionSupport/EXExtensionContext.m:332: Class NEFilterPacketExtensionProviderContext does not conform to aux host protocol: <private>
5) And tethering breaks.
Also, it works normally unless it is a MacBookPro18,1.
This issue occurs only on the MacBookPro18,1.
Tell me the solution.
Hi
We are building a macOS application which integrates VPN functions right now. We are using a Developer ID certificate to sign the app and the system network extension, and the sandbox is enabled.
One issue we are facing now is that we need to establish an mTLS connection to the server. During this connection, we need to send the client certificate to the server via the provideIdentity() API.
We have the certificate, key and p12 file, which are generated in another daemon. But we cannot use the SecPKCS12Import function to import the p12 file in our system extension due to the sandbox limitation and the different context.
I know that we cannot construct a SecIdentity object by ourselves. So I am wondering if there is any way that we can get the SecIdentity object in the system extension?
Is it possible to send a SecIdentity object between the app and the system extension?
Hi,
I have an extension using NEPacketTunnelProvider. I need to bind both the LAN address and localhost so that other apps can connect to it and transfer data.
I found that if I bind INADDR_LOOPBACK, other apps on the phone can connect to it using localhost (127.0.0.1).
If I bind INADDR_ANY, other apps on the phone can connect to it using the LAN address but not localhost (127.0.0.1).
My question is: why can other apps on the phone not connect using localhost (127.0.0.1) when binding INADDR_ANY?
Thank you.
NEPacketTunnelNetworkSettings:
Exclude route: 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32, 239.255.255.250/32, fc00::/7, fe80::/10, ff02::c/128, ff05::c/128, ff08::c/128, ff0e::c/128
Include route: [NEIPv4Route defaultRoute]
NEProxySettings with HTTPEnabled and HTTPSEnabled to localhost (a http server)
NEProxySetting exception: 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32, localhost, *.local, captive.apple.com
NEProxySetting excludeSimpleHostnames: YES
Hi, I am currently building my own VPN application using NetworkExtension's PacketTunnelProvider.
I want to send information from the PacketTunnelProvider to the ViewController when a VPN connection fails, to tell the user why.
The code is as shown below.
When the overridden startTunnel() is executed, somehow NotificationCenter.default.post(name: NSNotification.Name.NEVPNStatusDidChange, object: nil) is executed, VPNStatusDidChange(_ notification: Notification?) in the ViewController is called and it displays some message.
I tried to do the same thing by writing NotificationCenter.default.post(name: NSNotification.Name(rawValue: "testnotify"), object: nil) in PacketTunnelProvider.swift, but it does not work. What is wrong?
Here is a part of the current PacketTunnelProvider.swift:

    override func startTunnel(options: [String : NSObject]? = nil, completionHandler: @escaping (Error?) -> Void) {
        // Provider configuration handed over from the containing app's NETunnelProviderProtocol.
        conf = (self.protocolConfiguration as! NETunnelProviderProtocol).providerConfiguration! as [String : AnyObject]
        self.setupWSSession()
        DispatchQueue.global().async {
            // Wait until the WebSocket session reaches phase 5, then start forwarding TUN packets.
            while self.connectionPhase < 5 {
                Thread.sleep(forTimeInterval: 0.5)
            }
            self.tunToWS()
        }
        // Posted from inside the extension process.
        NotificationCenter.default.post(name: NSNotification.Name(rawValue: "testnotify"), object: nil)
    }

And here is a part of ViewController.swift:

    override func viewDidLoad() {
        super.viewDidLoad()
        initVPNTunnelProviderManager()
        NotificationCenter.default.addObserver(self, selector: #selector(ViewController.VPNStatusDidChange(_:)), name: NSNotification.Name.NEVPNStatusDidChange, object: nil)
        // The selector must name the method exactly as declared below ("receive").
        NotificationCenter.default.addObserver(self, selector: #selector(ViewController.receive(_:)), name: NSNotification.Name(rawValue: "testnotify"), object: nil)
    }

    @objc func VPNStatusDidChange(_ notification: Notification?) {
        print("VPN Status changed:")
        let status = self.vpnManager.connection.status
        switch status {
        case .connecting:
            print("Connecting...")
            connectButton.setTitle("Disconnect", for: .normal)
        case .connected:
            print("Connected...")
            connectButton.setTitle("Disconnect", for: .normal)
        case .disconnecting:
            print("Disconnecting...")
        case .disconnected:
            print("Disconnected...")
            connectButton.setTitle("Connect", for: .normal)
        case .invalid:
            print("Invalid")
        case .reasserting:
            print("Reasserting...")
        }
    }

    @objc func receive(_ notification: Notification?) {
        print("receive Notification!")
    }
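NotificationCenter.default only delivers within one process, and a packet tunnel provider runs in its own process, so a notification posted there never reaches an observer in the containing app (NEVPNStatusDidChange is seen in the app because the system posts it in the app's process when the connection status changes). The supported channel is NETunnelProviderSession.sendProviderMessage on the app side and handleAppMessage on the provider side. The following is an added example, not code from either post above or from Apple's samples, showing both sides of that exchange. It uses a one-byte tag scheme (0 = success, 255 = error, modelled on the byte-255 convention mentioned in the sendProviderMessage post above; the scheme itself is this example's assumption) and keeps the nil response that the quoted documentation describes as a separate case, since it means the message or reply was lost in transit rather than that the extension chose to report an error. ProviderReply, queryTunnelStatus and lastFailureReason are names invented for this example.

```swift
import Foundation
import NetworkExtension

// Reply framing shared by the app and the extension (assumption of this example,
// not part of the NetworkExtension API).
enum ProviderReply {
    case ok(Data)              // tag byte 0: the extension answered normally
    case providerError(Data)   // tag byte 255: the extension reported an error
    case transportFailure      // response handler called with nil, or send failed

    static func encodeOK(_ payload: Data) -> Data { Data([0]) + payload }
    static func encodeError(_ payload: Data) -> Data { Data([255]) + payload }

    static func decode(_ raw: Data?) -> ProviderReply {
        guard let raw = raw, let tag = raw.first else { return .transportFailure }
        let payload = Data(raw.dropFirst())
        return tag == 255 ? .providerError(payload) : .ok(payload)
    }
}

// Extension side: the provider answers requests from the containing app here.
final class PacketTunnelProvider: NEPacketTunnelProvider {
    // Set by the tunnel setup code when it fails (hypothetical property).
    var lastFailureReason: String?

    override func handleAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)?) {
        guard let request = String(data: messageData, encoding: .utf8) else {
            completionHandler?(ProviderReply.encodeError(Data("bad request".utf8)))
            return
        }
        switch request {
        case "status":
            if let reason = lastFailureReason {
                completionHandler?(ProviderReply.encodeError(Data(reason.utf8)))
            } else {
                completionHandler?(ProviderReply.encodeOK(Data("connected".utf8)))
            }
        default:
            completionHandler?(ProviderReply.encodeError(Data("unknown request".utf8)))
        }
    }
}

// App side: ask the running tunnel for its status and classify the answer.
func queryTunnelStatus(manager: NETunnelProviderManager,
                       completion: @escaping (ProviderReply) -> Void) {
    guard let session = manager.connection as? NETunnelProviderSession,
          session.status == .connected || session.status == .connecting else {
        // No running tunnel to talk to; treat it like a lost message.
        completion(.transportFailure)
        return
    }
    do {
        try session.sendProviderMessage(Data("status".utf8)) { responseData in
            // nil here is the documented case: message or reply lost on the way,
            // distinct from an error the extension encoded with tag 255.
            completion(ProviderReply.decode(responseData))
        }
    } catch {
        // sendProviderMessage could not even start sending (returnError case).
        completion(.transportFailure)
    }
}
```

On the app side the three cases deserve different handling: `.providerError` carries a reason the extension wrote and can be shown to the user, `.transportFailure` should be retried or surfaced as "no answer from the VPN extension" rather than interpreted as a tunnel error, and `.ok` is the normal path.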
Hi There,
We have a VPN application built on top of the Packet Tunnel Provider. We are seeing an issue where, once our containing application crashes, the packet tunnel provider keeps running. We can detect the crash from the tunnel, but there is no way for us to stop the VPN, because on-demand will bring the VPN back all the time.
Since there is no way to disable the on-demand rule from within the packet tunnel provider, is it possible for us to programmatically launch the crashed application from the packet tunnel provider? Something like iOS's silent push notification could work too, since all we need is to disable the on-demand rule from the application and stop the VPN.
Hi there, I am experimenting with a firewall app via the NEFilterPacketProvider interface. When I have Cisco AnyConnect VPN connected, all I can see seems to be TCP/UDP 443 SSL VPN traffic, not the app traffic that's being tunneled.
From a filter-packet provider, any idea how I can see app traffic before it gets encapsulated (and after it gets decapsulated)?
Thanks, Billy
I'm trying to configure Local Push Connectivity. I already have the Local Push entitlement and have installed a provisioning profile with the local push entitlement. It builds fine, but when the app starts, the PushProvider isn't activated or started, and the Push Manager shows error nil. I have followed every instruction the sample code provided.
This is my project.
In my application target, I have the bundle id com.my_team_name.my_app_name
and the app group name group.com.my_team_name.my_app_name
In the .entitlements file, I've set the required configuration:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-push-provider</string>
</array>
<key>com.apple.developer.networking.wifi-info</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.my_team_name.my_app_name</string>
</array>
</dict>
</plist>
Info.plist has nothing to change.
And I have a PushManager class with this code:

    import NetworkExtension

    class AppPushManager: NSObject, NEAppPushDelegate {
        static let shared = AppPushManager()

        private var pushManager: NEAppPushManager = NEAppPushManager()
        private let pushManagerDescription = "PushDefaultConfiguration"
        private let pushProviderBundleIdentifier = "com.my_team_name.my_app_name.PushProvider"

        // NEAppPushDelegate: called when the provider reports an incoming call.
        func appPushManager(_ manager: NEAppPushManager, didReceiveIncomingCallWithUserInfo userInfo: [AnyHashable : Any]) {
        }

        func initialize() {
            if pushManager.delegate == nil {
                pushManager.delegate = self
            }
            pushManager.localizedDescription = pushManagerDescription
            pushManager.providerBundleIdentifier = pushProviderBundleIdentifier
            pushManager.isEnabled = true
            pushManager.providerConfiguration = [
                "host": "my_server.local"
            ]
            pushManager.matchSSIDs = ["my_wifi_ssid"]
            pushManager.saveToPreferences { error in
                print("error? \(String(describing: error))")
                // Escaping closure: the property has to be reached through self.
                print("is active: \(self.pushManager.isActive)")
            }
        }
    }

In my extension, a PushProvider target, I have the bundle id com.my_team_name.my_app_name.PushProvider
and the app group name group.com.my_team_name.my_app_name
In the Info.plist of my extension, I've added the required configuration:

    <key>NSExtension</key>
    <dict>
        <key>NSExtensionPointIdentifier</key>
        <string>com.apple.networkextension.app-push</string>
        <key>NSExtensionPrincipalClass</key>
        <string>$(PRODUCT_MODULE_NAME).PushProvider</string>
    </dict>

The .entitlements file has the same contents as the application's.
And I have created the extension class "PushProvider.swift" as follows:

    class PushProvider: NEAppPushProvider {
        ...
    }

When I run the application, I get this printed out:
error? nil
is active: false
I think it might be something with providerBundleIdentifier in the Push Manager. Does anyone know what I'm missing?
I uploaded an iOS app to the App Store with a web content filter. When I tried to block the sites, it didn't work. After debugging I got this error.
<Error>: YourApp trying to create a content filter configuration through an app. Creating a content filter configuration is only allowed through profile in production version of YourApp.
<Error>: Failed to save configuration com.DemoiOS: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
<Error>: -[NEFilterManager saveToPreferencesWithCompletionHandler:]_block_invoke_3: failed to save the new configuration: Error Domain=NEFilterErrorDomain Code=5 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
It works fine in the dev environment.
I searched other threads here, but didn't find a proper answer.
How do I resolve this error?
It would be a great help if you could point me to the solution.
I want to make sure that if a user downloads the app from the store, he is able to block the selected sites.
When the VPN connection is successful, split tunnel is closed (all traffic flows through the VPN). How do I obtain the DNS of the currently connected network, i.e. the physical network's DNS?
For example, the DNS of the current WiFi network.
Thanks
2022.5.13
I have a Packet Tunnel Provider that works ok in development, but fails calling NETunnelProviderManager.saveToPreferencesWithCompletionHandler with "permission denied" upon being opened by App Review. If it means anything, I just switched my account from personal to company/organization so I could distribute a VPN app, and the app is signed with an Apple Distribution cert created for the company. The provisioning profiles for the container app and the extension are both signed with this cert and both have Network Extensions and Personal VPN entitlements.
What is missing that is preventing the distribution to the App Store from working properly?
iPad lock screen: the app is cut to the background and hangs after unlocking; restoring the app may lead to several minutes of inability to connect to LAN devices.
Xcode 13.2.1, iPad iOS 15.4.1
I would like to have my network extension installed without having to go through two pop-ups. The first one is for actually installing the network extension, which I know can be done via https://developer.apple.com/documentation/devicemanagement/systemextensions , but it doesn't disable the second dialog window for allowing the network extension to actually filter network traffic. I would like to know how to automate the second one as well. Thanks