When I am trying to connect from a iOS 15 device to a new local network that the device has never connected to before using this code: let hotspotConfig = NEHotspotConfiguration(ssid: "ssid", passphrase: "pass", isWEP: false) hotspotConfig.joinOnce = false let hotspotManager = NEHotspotConfigurationManager.shared hotspotManager.apply(hotspotConfig) { error in if let error = error { print(error) } } The following error is given when executing above code: NEHotspotConfigurationHelper failed to communicate to helper server. Error Domain=NEHotspotConfigurationErrorDomain Code=8 "internal error." UserInfo={NSLocalizedDescription=internal error.} Failed to send a 9 message to nehelper: <dictionary: 0x1f4150c70> { count = 1, transaction: 0, voucher = 0x0, contents = "XPCErrorDescription" => <string: 0x1f4150e08> { length = 18, contents = "Connection invalid" } } I have added the following capabilities: Access WiFi Information Hotspot Configuration Wireless Accessory Configuration (don't think this is needed?) The in my info.plist I got the following strings: NSLocalNetworkUsageDescription NSLocationWhenInUseUsageDescription I have tested following actions based on other threads on this topic: Set joinOnce = false since this might cause bugs om iOS 15 Add location permission Restart the phone Check if the "Edit your App ID Configuration" is correct (which has the 3 capabilities checked) I also never receive a dialogue that the app wants to connect to ... so I have no idea what is causing this error since the network SSID is available and the password is correct.

Hi, I want to ask about "Auto running application when finish booting/restart/on startup device" I already read some article for this but there no solution of it. But I've notice VPN can be running on that condition then I do my research on it. I found https://developer.apple.com/documentation/networkextension and there are something called by "Always-on VPN". I would to ask about this features, because I really need my application can be running on startup. can I use some feature to make my application like VPN?

Our iOS app is using CallKit to receive VoIP notification and using Per App VPN to access custom HTTP REST API located in private network. VPN is required to access the custom HTTP REST API and to resolve the API server name. Currently we have issues with receiving notifications when the Per App VPN is not connected. After the notification is received and AppDelegate wakes up, the custom HTTP REST API calls are executed while waiting for the user's interaction. At the timing of this HTTP REST API Call , the server name resolution fails and the app crashes. From the user's point of view,Incoming Calling Report screen disappears in about 2 seconds. Expected results: HTTP REST API call to succeed and the app not to crash. I want to know following. Is the communication triggered by AppDelegate not subject to activation Per App VPN? The behavior of this phenomenon does not appear to activate Per App VPN. Is it possible to explicitly start VPN from App code and wait for it to ready?

I implemented a per-app vpn with packetTunnelProvider on MacOS, fully functional. I would like to get the PID from sourceAppAuditToken but it is always nil. This is the code: self.packetFlow.readPacketObjects { packets in for packet in packets { if let auditToken = packet.metadata!.sourceAppAuditToken { log.debug("ok") } else { log.debug("No audit Token") } } } I read a lot of answer about this problem but all solved on NEFilterFlow and they don't actually work on PacketTunnelFlow

Hello! I'm new to iOS development and am developing an app that blocks certain websites. At the moment, I'm thinking of using the Network Extension capability to do the job. From what I have read, in the production version of the app, you'd need to make use of MDM profiles since NE filtering only works on supervised devices. So, I'm here to ask the community if there are better options than using this method. As far as screen time api is concerned, I believe it requires the user to specify which websites they want blocked by themselves using the activity picker so that doesn't quite work for me since i want to allow the app to block groups of websites by itself based on the user's preference. Thanks!

Strange one... We have a WiFi guest portal setup and the CNA pops up as expected upon connecting to the network. It loads the splash page inside the CNA and all is good so far. All domains/URLs that we use within the CNA are allowed/whitelisted before authentication. However, after clicking the Continue button (which performs a POST via the javascript native fetch) and then performs a window.location to the returned URL in the fetch response, it is only redirecting to this new page is there is an active, in service SIM card present. If I turn cellular data off, or remove the SIM, it doesn't redirect to the next page. P.S. If I choose "Cancel" and then "Use Without Internet" and open Safari, visit neverssl.com (which will force a redirect to the splash page) and use the exact same Continue button as above, it works as expected without any requirement for a data connection. What can be making this only work if there is a cellular data connection when the whole point of the CNA is to load all content over the WiFi connection? Also, is there any way to debug or attach a console to the CNA window so that I can actually debug it to see what is happening like you can with Safari windows? Thanks

Currently, I have implemented a project that includes network extension and system extension entitlements. When I create the profile using the development method, I get exactly the right entitlement matching. For example: create app id (identifier) create a profile, associate with the corresponding app id, generate the profile and download it locally. In xcode, fill in the corresponding app id in Bundle Identifier, such as com.***.test.app, and fill in the corresponding development profile in Provisioning Profile. At this point I was able to achieve a complete and correct program compiling and running. Now, I want to distribute this app by developer id. According to https://developer.apple.com/developer-id/ , I have several questions remain: I followed this method https://developer.apple.com/help/account/create-certificates/create-developer-id-certificates/ to create a distribution certificate and created two new profiles (distribute- developer id), which is associated with the existing bundle ID (com.***.test.app, com.***.test.extension). But when I import the corresponding provisioning profile in xcode, it shows error: Provisioning profile "***" doesn’t match the entitlement file’s value for the com.apple.developer.networking.networkextension entitlement. But isn't the corresponding entitlement information already selected when the app id is set? Why is the profile of the development type feasible, but the profile of the developer id is not feasible? I have made relevant settings according to this method https://developer.apple.com/documentation/xcode/preparing-your-app-for-distribution/, and I don’t seem to need the hardened runtime and sandbox related content, so I don't have any settings. Maybe apple events in hardened runtime is necessary? Submitting software to apple notarization seems to be a more trustworthy behavior for users, but at this stage I just want to simply implement distribution for program testing, so I chose export in archives-distribute app-developer id, and in the follow-up The same error as in question 1 appeared in the profile selection of the profile: Profile doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement. So, overall: One is how to create the correct developer id profile? My two entitlements files are as follows: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>content-filter-provider</string> </array> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.security.app-sandbox</key> <false/> <key>com.apple.security.files.user-selected.read-only</key> <true/> </dict> </plist> <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>content-filter-provider</string> </array> <key>com.apple.security.app-sandbox</key> <false/> <key>com.apple.security.application-groups</key> <array> <string>$(TeamIdentifierPrefix)com.example.app-group</string> </array> </dict> </plist> Second, is Apple notarization necessary?

We have developed a network filter based on the Network extension framework in macOS. However, we have found that after blocking a network, the poll socket value still returns as 1, which causes some applications to run abnormally. We return dropVerdict in the callback handleNewFlow We simulated the process of an application initiating a network request. Create an asynchronous socket. sockfd = socket(AF_INET, SOCK_STREAM, 0); if (sockfd < 0) { perror("socket"); exit(EXIT_FAILURE); } int flags = fcntl(sockfd, F_GETFL, 0); fcntl(sockfd, F_SETFL, flags | O_NONBLOCK); connect server // Connect to the server ret = connect(sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr)); if (ret < 0) { NSLog(@"connect, errno:%d, err str:%s.", errno, strerror(errno)); } we found the connect return -1, errno return EINPROGRESS, means operation now in progress. poll socket int timeout = 5000; // 5 seconds struct pollfd fds[MAX_EVENTS]; fds[0].fd = sockfd; fds[0].events = POLLIN; ret = poll(fds, 1, timeout) return 1, means the number of descriptors that are ready for I/O. We believe it is unreasonable for poll to return 1 after network disruption, which leads to abnormal application processing.

I've implemented NEPacketTunnelProvider with ipv4Settings everything is fine. I just need app id in PacketTunnelProvider every time any request sent from any app. or request from my single app. Note: I got the app id in DataFilterProvider, now I'm looking for NEPacketTunnelProvider.

Hi, This is how we create ipv4Settings, then we add includedRoutes, excludedRoutes. let ipv4Settings = NEIPv4Settings(addresses: addresses, subnetMasks: subnetMask) In my case, Packet Tunnel Provider reads the packet like this - packetFlow.readPacketObjects, sends packets to C++ module which takes care of sending it to wireguard tunnel, returns packet back to Packet Tunnel Provider for writing. C++ Module does everything related to wireguard tunnel. As per my understanding, any unique private ipv4, ipv6 address should be fine for creating NEIPv4Settings, NEIPv6Settings. is that correct? or is there anything else i need to consider for setting Utun addresses as of now i have harcoded it to 10.10.10.10/32 and 2001:db8::/128, will it cause any problem?

When I call fetchCurrent on NEHotspotNetwork, I am able to correctly retrieve the SSID and other information, but why do I always receive zero as the signal strength value? Here my code: let config = NEHotspotConfiguration(ssid: "mySSID", passphrase: "MyPass", isWEP: false) config.joinOnce = true NEHotspotConfigurationManager.shared.apply(config) { [weak self] (error) in guard let this = self else { print("WiFi network not found") result(false) return } this.getSSID { (sSSID) -> () in if (error != nil) { if (error?.localizedDescription == "already associated.") { print("Connected to '\(sSSID ?? "<Unknown Network>")'") result(true) } else { print("Not Connected") result(false) } } else if let ssid = sSSID { print("Connected to " + ssid) // ssid check is required because if wifi not found (could not connect) there seems to be no error given result(ssid == sSSID) } else { print("WiFi network not found") result(false) } } } } else { print("Not Connected") result(nil) return } public func getSSID(result: @escaping (String?) -> ()) { if #available(iOS 14.0, *) { NEHotspotNetwork.fetchCurrent { currentNetwork in result(currentNetwork?.ssid) } } }

Looking forward to read SourceAppId from packetFlow.readPacketObjects() of my PacketTunnelProvider. Note: I've implemented the Per app VPN too. looking forward for the further steps, regards:

Environment: macOS 13.5 and 13.4 Cisco VPN installed with active DNS Proxy, Content Filter and Transparent Proxy extensions (yes I know Apple can't support 3rd parties here). Our Content Filter extension loaded. In this scenario DNS packets are being truncated after our extension asks to see more data from the Cisco DNS Proxy flow. Specifically we ask to see a max of 96 bytes for all UDP traffic. When a DNS query is made the DNS response is truncated to 96 bytes after we return [allowVerdict] from our [handleInboundDataFromFlow:] for that first 96 bytes. This only occurs when both our extension and the Cisco extensions are loaded. It does not occur if just our extension is loaded or just the Cisco extensions are loaded. So my question is are we doing something wrong by returning [allowVerdict] after the initial 96 byte inspection in [handleInboundDataFromFlow:]? Should we instead try to only respond after a complete datagram is received? But how to do that when we do not know the datagram size because we only request peek data for TCP/UDP (thus no IP header info)? Is Cisco at fault? From inspecting their binary it appears they are not using the NWUDPSession/NWTCPConnection classes as recommend by Apple, but are instead using their own custom classes that probably wrap the BSD socket API. Is this a OS bug? From what I know NEFilterFlow is a stream and the OS is supposed to handle proper data reassembly. But somehow a truncated UDP datagram is being passed on to the Cisco filter (and dig). Shouldn't the system send the complete datagram after we return [allowVerdict] for the initial 96 bytes?

Hello, we are currently getting a permission denied error when calling NEVPNManager saveToPreferences(completionHandler:) on MacOS Sonoma Beta 5 and up only. This seems to be an issue only on an M1 machine, but works fine on Intel and M2 machines. We haven't made any changes on our end and it was working on all machines on MacOS Sonoma Beta 3 and below. After upgrading to MacOS Sonoma Beta 5 and up, attempting to call the function results in the permission denied error. We have also verified that the app has the 'Personal VPN' capability. The exact error we are getting is the following: Domain=NEVPNErrorDomain Code=5 "permission denied" UserInfo={NSLocalizedDescription=permission denied} I checked the release notes, but couldn't find anything specific to this issue. Has anyone experienced something similar and/or have any suggestions for any fixes? Thanks in advanced!

Hello, Regarding this explanation If this property is YES, the system excludes network connections to hosts on the local network — such as AirPlay, AirDrop, and CarPlay — but only when the includeAllNetworks or enforceRoutes property is also YES. So my question is the local network here only meaning AirPlay, AirDrop, and CarPlay? Is the pings to local LAN IP still working? What is the exactly the local network definition here? Is it based on the interface or the IPs? For example, somehow we connects to a wifi which assigned a public IP. After VPN is connected with tunnel all mode, we set includeAllNetworks and excludeLocalNetworks flag, will the traffic originally goes through wlan interface goes through utun interface? Or it will keep going through wlan interface?

Hello there, I already have a native iOS vpn app that I developed and is already on the appstore working well, I decided to support tvOS, where I downloaded apple tvOS beta 17 on real device, downloaded latest xcode beta and setup my code, when connecting to vpn it fails alwas (Ikev2), my only question is may the error be from my code (where it works well on iOS) or apple does not support the vpn connection in beta till now ?

The following call to getaddrinfo makes ‘PacketTunnelProvider’ system extension SIGSEGV: if (hostname != NULL) { int ret = getaddrinfo(hostname, port, &hints, results); if (ret != 0) { printf(“Failed to resolve host : %s by getaddrinfo, err : %d", hostname, ret); return false; } } Most of the time getaddrinfo() is working fine. Can someone please help in understanding what could be causing this crash. Can this caused due to stack corruption due to C++/C code switched to objective C? Below is the crash details: ------------------------------------- Translated Report (Full Report Below) ------------------------------------- Process: com.mycompany.client.product-Client.ui.pkttunnel [29951] Path: /Library/SystemExtensions/*/com.mycompany.client.product-Client.ui.pkttunnel Identifier: com.mycompany.client.product-Client.ui.pkttunnel Version: 1.0 (1) Code Type: X86-64 (Native) Parent Process: launchd [1] User ID: 0 Date/Time: 2023-08-18 20:04:43.6346 +0530 OS Version: macOS 13.5 (22G74) Report Version: 12 Bridge OS Version: 7.6 (20P6072) Anonymous UUID: F235BB2F-C030-0A58-E5C1-C3FE9796F29C Sleep/Wake UUID: C73181BF-B3A9-4DED-9556-897ED8C2E0A1 Time Awake Since Boot: 65000 seconds Time Since Wake: 37781 seconds System Integrity Protection: enabled Crashed Thread: 2 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000001e13dfa50 Exception Codes: 0x0000000000000001, 0x00000001e13dfa50 Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11 Terminating Process: exc handler [29951] VM Region Info: 0x1e13dfa50 is not in any region. Bytes after previous region: 3477011025 Bytes before following region: 105545042363824 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL shared memory 111fef000-111ff0000 [ 4K] rw-/rw- SM=SHM ---> GAP OF 0x5ffeee010000 BYTES MALLOC_NANO 600000000000-600008000000 [128.0M] rw-/rwx SM=PRV Thread 0: 0 libsystem_kernel.dylib 0x7ff80ee222b2 __sigsuspend_nocancel + 10 1 libdispatch.dylib 0x7ff80eccbd2f _dispatch_sigsuspend + 36 2 libdispatch.dylib 0x7ff80eccbd0b _dispatch_sig_thread + 49 Thread 1: ******************** ******************** ******************** ******************** Thread 2 Crashed: 0 libobjc.A.dylib 0x7ff80eac64a9 objc_msgSend + 41 1 libobjc.A.dylib 0x7ff80eae6582 objc_object::sidetable_release(bool, bool) + 270 2 Network 0x7ff81553fa04 -[NWConcrete_nw_endpoint .cxx_destruct] + 52 3 libobjc.A.dylib 0x7ff80eacfa5b object_cxxDestructFromClass(objc_object*, objc_class*) + 83 4 libobjc.A.dylib 0x7ff80eac8e31 objc_destructInstance + 99 5 libobjc.A.dylib 0x7ff80eac8dbf _objc_rootDealloc + 62 6 Network 0x7ff81553e05a -[NWConcrete_nw_endpoint dealloc] + 778 7 Network 0x7ff815c30f1a -[NWOSAddressEndpoint dealloc] + 74 8 Network 0x7ff815a175bf nw_array_dispose + 383 9 Network 0x7ff815718ab1 -[OS_nw_array dealloc] + 17 10 Network 0x7ff815bd2b3d -[NWConcrete_nw_path .cxx_destruct] + 93 11 libobjc.A.dylib 0x7ff80eacfa5b object_cxxDestructFromClass(objc_object*, objc_class*) + 83 12 libobjc.A.dylib 0x7ff80eac8e31 objc_destructInstance + 99 13 libobjc.A.dylib 0x7ff80eac8dbf _objc_rootDealloc + 62 14 Network 0x7ff815bd29af -[NWConcrete_nw_path dealloc] + 127 15 Network 0x7ff815bd045a -[NWConcrete_nw_path_evaluator .cxx_destruct] + 58 16 libobjc.A.dylib 0x7ff80eacfa5b object_cxxDestructFromClass(objc_object*, objc_class*) + 83 17 libobjc.A.dylib 0x7ff80eac8e31 objc_destructInstance + 99 18 libobjc.A.dylib 0x7ff80eac8dbf _objc_rootDealloc + 62 19 Network 0x7ff815bd0377 -[NWConcrete_nw_path_evaluator dealloc] + 967 20 Network 0x7ff815a606ca nw_nat64_get_interface_state_internal + 2634 21 Network 0x7ff815a5f905 nw_nat64_copy_prefixes_internal + 101 22 Network 0x7ff815a5f482 nw_nat64_copy_prefixes + 210 23 Network 0x7ff815a62537 nw_nat64_synthesize + 215 24 libsystem_info.dylib 0x7ff80ee9447e _gai_nat64_synthesis + 309 25 libsystem_info.dylib 0x7ff80ee940c2 si_addrinfo + 886 26 libsystem_info.dylib 0x7ff80ee93caf getaddrinfo + 176 27 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c2bb4 ******::resolvehostname(char const*, char const*, addrinfo, addrinfo**) + 32 28 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c4e57 ******::udp_connect() + 323 29 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c48c7 ******::ssl_create() + 129 30 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c9014 ******::ssl_initiate_connect(fd_set&, fd_set&, int&) + 288 31 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3c3b3c ******::ssl_connect_thread(int) + 228 32 com.mycompany.client.product-Client.ui.pkttunnel 0x10f3cc691 void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct>>, void (*)(int), int>>(void*) + 39 33 libsystem_pthread.dylib 0x7ff80ee5b1d3 _pthread_start + 125 34 libsystem_pthread.dylib 0x7ff80ee56bd3 thread_start + 15

Hi, I have developed a VPN application with PacketTunnelProvider that connects to the OpenVPN server. It works perfectly fine. Now I have the following requirements. The user should be able to block a particular domain, such as "example.com" while staying connected to the VPN server. For the above requirement, I need to capture the DNS request for facebook.com and see if it is in the block list provided by the user and block the DNS request. I don't have to have multiple network extensions, I need to handle it from one Packettunnel provider that is already handling OpenVPN connection. Can anyone help me here with this use case?

I'm using this code to get the path of an executable from the audit token provided in NEFilterDataProvider.handleNewFlow(_:), forwarded from the Network Extension to the main app via IPC: private func securePathFromAuditToken(_ auditToken: Data) throws -> String? { let secFlags = SecCSFlags() var secCode: SecCode? var status = SecCodeCopyGuestWithAttributes(nil, [kSecGuestAttributeAudit: auditToken] as CFDictionary, secFlags, &secCode) guard let secCode = secCode else { throw SecError(status) } var secStaticCode: SecStaticCode? status = SecCodeCopyStaticCode(secCode, secFlags, &secStaticCode) guard let secStaticCode = secStaticCode else { throw SecError(status) } var url: CFURL? status = SecCodeCopyPath(secStaticCode, secFlags, &url) guard let url = url as URL? else { throw NSError(domain: NSOSStatusErrorDomain, code: Int(status)) } return nil } But it seems that some processes like trustd, rapportd, nsurlsessiond and timed have a non-nil path. For these executables I have to resort to this code, which I have read is not as secure: private func insecurePathFromAuditToken(_ auditToken: Data) throws -> String? { if auditToken.count == MemoryLayout<audit_token_t>.size { let pid = auditToken.withUnsafeBytes { buffer in audit_token_to_pid(buffer.baseAddress!.assumingMemoryBound(to: audit_token_t.self).pointee) } let pathbuf = UnsafeMutablePointer<Int8>.allocate(capacity: Int(PROC_PIDPATHINFO_SIZE)) defer { pathbuf.deallocate() } let ret = proc_pidpath(pid, pathbuf, UInt32(PROC_PIDPATHINFO_SIZE)) if ret <= 0 { throw NSError(domain: NSPOSIXErrorDomain, code: Int(errno)) } return String(cString: pathbuf) } return nil } This seems to happen with both NEFilterFlow.sourceAppAuditToken and sourceProcessAuditToken. Is this expected? Can it really be that some executables shipped with macOS are not signed?

Hello! New to swift development. I've created a very basic iOS app that uses the network extension to block web domains. Now, I am trying to make it work on a macOS using Mac Catalyst. However, when I build the project, I get this error: 2023-09-08 23:31:32.540010+0600 controlShift[69583:2468143] [Metadata] unable to get a dev_t for store 1795162192. 2023-09-08 23:31:33.986014+0600 controlShift[69583:2467453] [] -[NEFilterManager saveToPreferencesWithCompletionHandler:]_block_invoke_3: failed to save the new configuration: (null) The app launches and the UI works correctly. However, it fails to save the preference as stated in the error, so it does not block anything. Here is the relevant part of the code in the root file: var body: some Scene { WindowGroup { ContentView() .environment(\.managedObjectContext, persistenceController.container.viewContext) .onAppear { NEFilterManager.shared().loadFromPreferences { error in if let loadError = error { print("Failed to load the filter configuration: \(loadError)") return } } DispatchQueue.main.asyncAfter(deadline: .now()+1.5) { if NEFilterManager.shared().providerConfiguration == nil { let newConfiguration = NEFilterProviderConfiguration() newConfiguration.username = "UserName" newConfiguration.organization = "myApp " newConfiguration.filterBrowsers = true newConfiguration.filterSockets = true newConfiguration.serverAddress = "http://192.168.100.48:3000" NEFilterManager.shared().providerConfiguration = newConfiguration } NEFilterManager.shared().isEnabled = true NEFilterManager.shared().saveToPreferences { error in if let saveError = error { print("Failed to save the filter configuration: \(saveError)") } } } } } I'm at a loss for what is wrong. Lmk if you need additional details. Thanks! btw, I am very new to swift and iOS/macOS development in general so if there's a better way to write or structure the logic inside the "onAppear" method (of which I'm sure there is), lmk as well. ^_^