Network Extension


Customize and extend the core networking features of iOS, iPadOS, and macOS using Network Extension.

Posts under Network Extension tag

200 Posts

Post

Replies

Boosts

Views

Activity

NEPacketTunnelProvider calculate total traffic without packetFlow
Hi. I've got a case where I've successfully run a packet tunnel with NEPacketTunnelProvider (SOCKS protocol), and I can't find a way to calculate traffic. I've tried using self.packetFlow.readPackets... and self.packetFlow.writePackets... in different ways, but each time I call methods that contain lines with the packet flow, nothing happens. I think it's related to my protocol and the library which I use to implement packet tunneling, because it freezes the thread. By the way, it's working great within the memory limits of iOS. I've seen that the profiler in Xcode shows the traffic spent. I've also tried using getifaddrs to get the name of the virtual interface which the extension creates, and to find the virtual adapter by that name, but none of the fields of the objects I found there provide any helpful information related to packet sizes. I've also tried to implement a custom NEPacketTunnelFlow and use it in NEPacketTunnelProvider, but as a result NEPacketTunnelProvider does not start, and crashes without any helpful information. Can someone give some prompts on where I can find a solution?
0
0
297
Oct ’23
Need to bind `nw_parameters_create_secure_tcp` with specific utun interface.
Hi Team, I am utilizing the nw_parameters_create_secure_tcp in Objective-C to establish a TCP connection. However, I would like the connection to go through a specific utun interface. I attempted to use the following method for binding: nw_parameters_require_interface(nw_parameters_t parameters, _Nullable nw_interface_t interface); Unfortunately, I haven't found any API that can convert a utun interface name or index to an nw_interface_t object. Both nw_interface_create_with_index and nw_interface_create_with_name are private methods. I also tried using nw_path_monitor_set_update_handler and nw_path_enumerate_interfaces, but they did not return the utun interface. Could you please suggest how I can obtain the utun interface as an nw_interface_t?
1
0
410
Oct ’23
No packets after changing routing information
In my iOS VPN app the user can change between full tunnel or split tunnel. With full tunnel the PacketTunnelProvider includedRoutes are set to defaultRoute and in split tunnel the includedRoutes are set to what the user has configured. When going from full tunnel to split everything works as expected and I see the routing table change and packets flow as expected. However, when going from split tunnel to full, even though I see the routing table updated with the default route setting, I am seeing no packets coming in on my readPacketsWithCompletionHandler for my TUN interface. I know the interface is active because I can bind to it and send data just fine (as a test) but nothing in the system appears to be working. I do the same exact thing in macOS and it works flawlessly. Thoughts?
6
0
367
Oct ’23
Trying to understand VPN types
There are some terms I've come across so far relating to a packet tunnel provider: "On Demand", "Per App", "Always On", "Source-application mode", "Destination IP mode", "App extension", "System extension". I'm trying to understand how these ideas fit together. I'm trying to make a packet tunnel provider setup on iOS which tunnels ALL traffic through it. Which combination of terms does this entail? I'm assuming it must be "Destination IP mode" and maybe "System extension" and probably not "Per App" but maybe "On Demand" or "Always On"?
2
0
169
Oct ’23
Wrong source IP with NetworkExtension packet tunnels
Hi, I have an issue with a packet tunnel that has two IPv4 networks. The first network works well but the second does not, because when trying to reach any IP of the second network, the source IP used is one of the first network.

Setup

So, I have a NE (Network Extension) with a packet tunnel. Internally our application creates two tunnels to access different resources. These tunnels are linked to two local networks.

    utun3 192.168.1.42/24 <===> tunnel 1
    utun3 192.168.2.42/24 <===> tunnel 2

To clarify, I only have one NE, but two IPv4 networks in it (configured via NEIPv4Settings). I also configured routes to tell the NE that both networks should go through the tunnel.

Problem and Investigations

Trying to ping 192.168.1.1 does work; however, trying to ping 192.168.2.1 does not. Doing a bit of tcpdump on the interface shows that the source IP used is 192.168.1.42 instead of 192.168.2.42. Seeing that, I suspected some kind of routing issue, therefore I removed the routes from the NE and tried to add some by hand. I ended up adding the following:

    192.168.1.0/24 via 192.168.1.42
    192.168.2.0/24 via 192.168.2.42

With this it actually worked. Delighted by this quick resolution, I deleted any static route I had created, rushed back to my application and added these routes into the NE. And it did not work. Very surprised, I tried to find the difference between me adding the route manually with route add ... and the NE adding the route. But it got much weirder, as netstat -rn showed me that the created routes were identical. Digging through the internet I was unable to find many people with a similar issue. Also, I saw something about NE routes and user-added routes being different, but not much information, and not enough to help me out. In the end, I started suspecting an issue with the Network Extension, all the more since the API does allow adding multiple IPv4 networks. Do you have any information on this topic?
2
0
180
Oct ’23
IP Packet reading through Network Extension
Hi Developers, First of all, thanks for reading me… I’m trying to build an iOS app that lists all requests made from the device like Proxy App does. My idea is to have a Packet Tunnel Provider and set up a local VPN connection without an external VPN server. The traffic would then be internally routed to the packet tunnel, without requiring an external VPN server. I have downloaded the SimpleTunnel sample code project from Apple, created the correct entitlements, and can now run the project and create a VPN configuration that gets listed under Settings. Still, I can't connect to the VPN tunnel. I have also downloaded the source code at https://github.com/lxdcn/NEPacketTunnelVPNDemo but didn't get it to work either. Let me know if any of you have come across a similar implementation. Thank you for your time!
3
0
303
Oct ’23
Network Extension and VPN Glossary
Based on popular demand [1], I decided to write up definitions for some of the terms we used in the Network Extension and VPN world. If you have questions or comments, or suggestions for additional entries, please put them in a new thread here on DevForums. Tag it with Network Extension so that I see it.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, one person asked specifically (-: but I’ve seen a lot of confusion about this elsewhere.

Network Extension and VPN Glossary

This post defines some terms used by the Network Extension framework and VPN.

TN3134

This section covers some of the terms used in TN3134 Network Extension provider deployment.

Network Extension providers can be packaged in one of two ways:

- App extension — This is supported on all platforms. On macOS, which supports multiple users, the VPN interface is available globally but the provider is run in the context of the user who started the VPN. If that user logs out, the VPN interface goes down.
- System extension — This is only supported on macOS. The provider is run in a global context, so it’s not affected by users logging in or out.

App Store only means that this option is only supported in App Store apps. This is relevant on macOS, where developers can distribute products independently using Developer ID signing. So, in the case of a packet tunnel provider on macOS:

- App extension packaging is only supported in App Store apps.
- System extension packaging is supported for both App Store apps and independently distributed apps.

Managed devices only means that the option is only supported on managed devices, that is, devices that are enrolled in an organisation’s management system (MDM). This typically means that the feature has to be configured via MDM. For example, on iOS per-app VPN support only works on managed devices because your device manager must use MDM to set the VPNUUID property that associates the app with the VPN configuration.

Supervised devices only means that the option is only supported on supervised devices. A supervised device is a managed device that’s owned by the organisation. This is in contrast to a BYOD device, where the user owns the device but it’s enrolled in the organisation’s management system.

Other

VPN On Demand is the ability for a VPN to start automatically when an app connects to a server that’s on the ‘far side’ of the VPN. Imagine you’re in an organisation, example.com, where all your intranet services are within corp.example.com. To access those from outside you must go through the VPN. A site admin might configure VPN On Demand such that, when an app connects to anything with corp.example.com, the system will automatically start the VPN as part of the connection process.

Per-app VPN is a VPN configuration mode where a device manager can associate a set of apps with a specific VPN configuration. To continue the above example, an organisation might deploy a corporate directory app which connects to a directory endpoint within corp.example.com. In a BYOD scenario, they don’t want other random apps on the user’s device to be able to connect to that endpoint, and thus they deploy per-app VPN such that only their directory app can access it.

An app proxy provider always acts as a per-app VPN. A packet tunnel provider can work in one of two modes:

- In the normal mode, aka destination IP mode, packets are routed to the provider based on their destination IP address [1].
- In per-app VPN mode, aka Source-application routing mode, packets are routed to the provider based on their source application.

Always-on VPN is a feature of Apple’s IKEv2 VPN transport such that the VPN is… well… always on. If the VPN can’t come up, the device appears to have no network connectivity.

[1] Well, it’s not quite that simple. I discuss this in more detail in the various subposts of Extra-ordinary Networking.
0
0
330
Oct ’23
Moving app to the trash doesn't deactivate system extension
I'm testing my NEFilterDataProvider system extension by building it in Xcode and then copying the built app into the Applications folder. When I make changes to the extension's code, obviously the system extension process currently running needs to be shut down or restarted when I launch the new app version. Increasing the app version and build numbers each time always seems to trigger the system extension update in macOS, but that's not so convenient and at the latest when publishing the update those numbers cannot just make arbitrary jumps. I've read that moving an app to the trash should uninstall any attached system extensions, and this seems to be confirmed by the alert that macOS shows when doing so, but even after clicking Continue and authenticating with Touch ID to confirm the uninstall and emptying the trash, it sometimes happens that when launching the next version of my app from the Applications folder the old system extension is still running, which I notice e.g. because the app crashes since it's using different IPC method signatures than the system extension. When checking in Activity Monitor the system extension is also still listed. Even restarting the Mac doesn't always solve the issue, so when this happens my only solution is to increase the build and version numbers to make it work, and then reset them later when moving the app to the trash correctly uninstalls the system extension again. Is this a bug or am I missing something? Or is there a workaround that doesn't involve booting into safe mode and manually uninstalling the system extension? P.S.: I just tried booting into safe mode and moving the files from /Library/SystemExtensions to the trash as suggested on discussions.apple.com, but I got an alert saying that I didn't have the privileges to do so.
6
0
632
Oct ’23
Unexpected behavior of `AdditionalRoutes` property in DynamicStore
Hello, I experienced a strange (and in my opinion unexpected) behavior from DynamicStore/configd. In our application we set up the routes in the system by setting the AdditionalRoutes property on a specific interface to route part of the network traffic through it. The routes are set properly, but I noticed that they are not cleared once removed from AdditionalRoutes. After a while I figured out that the problem lies in the DestinationAddress I set in AdditionalRoutes. I was using the following configuration:

    var newRoutes: [[String: NSObject]] = [
        ["DestinationAddress": "10.0.0.1" as NSObject, "SubnetMask": "255.0.0.0" as NSObject]
    ]

and it resulted in a new route:

    10 link#16 UCS en0 !

which was not cleared when AdditionalRoutes were reset to the original value. When I changed the DestinationAddress to:

    var newRoutes: [[String: NSObject]] = [
        ["DestinationAddress": "10.0.0.0" as NSObject, "SubnetMask": "255.0.0.0" as NSObject]
    ]

both setting and clearing routes work as expected. The only difference is changing the DestinationAddress from 10.0.0.1 to 10.0.0.1. In my opinion this is inconsistent behavior. Although I can understand that the system might reject 10.0.0.1 as a valid DestinationAddress for creating routes, I don't think it's correct behavior to accept such an address, but never clear the routes. The full source code which might be used to verify my claims:

    import Foundation
    import SystemConfiguration

    let en0ServiceIPv4 = "State:/Network/Service/***/IPv4" as CFString
    let store = SCDynamicStoreCreate(nil, "dseditor" as CFString, nil, nil)!
    let originalValue = SCDynamicStoreCopyValue(store, en0ServiceIPv4) as! [String: NSObject]
    var newValue = originalValue
    print("AdditionalRoutes: \(String(describing: originalValue["AdditionalRoutes"]))")
    var newRoutes: [[String: NSObject]] = [
        ["DestinationAddress": "10.0.0.1" as NSObject, "SubnetMask": "255.0.0.0" as NSObject]
    ]
    newValue["AdditionalRoutes"] = newRoutes as NSObject
    print("newValue: \(newValue)")
    var result = SCDynamicStoreSetValue(store, en0ServiceIPv4, newValue as CFPropertyList)
    print("set new value: \(result)")
    sleep(3)
    result = SCDynamicStoreSetValue(store, en0ServiceIPv4, originalValue as CFPropertyList)
    print("restore old value: \(result)")

Naturally, the en0ServiceIPv4 needs to be changed and the program needs to be run as root. Can you please share your thoughts on whether this is an OS bug or expected behavior? If it is expected, what is the reasoning behind it?
4
0
607
Oct ’23
Location permissions for a System Extension
Hello! Is it possible to add location permissions to a macOS system extension? We have a network firewall system extension that also considers WIFI connections in its rules. With the release of Sonoma, interface information is only accessible while having location permissions, which we are having trouble asking for. We have the entitlements, the usage description, but the authorizationStatus of CLLocationManager stays at .notDetermined and no window for location permission pops up after calling requestAlwaysAuthorization(). What we need is to get the SSID of the network that the interface is connected, its security and encryption type. If the permission is not possible, is there a workaround? Cheers
3
0
973
Oct ’23
Change in behaviour on Sonoma with IPv6 traffic blocked by network extension
On Ventura, we have a network extension (Transparent Proxy) which blocks IPv6 traffic as below.

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // IPv6 gets blocked by the code below
        let error = NSError(domain: "", code: 0, userInfo: [NSLocalizedDescriptionKey : "Connection Refused"])
        flow.closeReadWithError(error)
        flow.closeWriteWithError(error)

On an IPv6-enabled client machine, when a client application (browser, curl, Teams, etc.) tries to send HTTP/s requests, it first tries to send the request over IPv6 and, if that fails, it tries with IPv4 (Happy Eyeballs algorithm). In our case, as the network extension blocks IPv6 traffic, client applications will fail to establish a connection over IPv6 and fall back to IPv4 as per the Happy Eyeballs algorithm. The above scenario works fine up to macOS Ventura. For Sonoma, this behaviour seems to have changed. When our network extension blocks IPv6 traffic, client applications do not fall back to IPv4. They simply fail without trying IPv4. We tested with curl, the Google Chrome browser, and Microsoft Teams. All of these fail to load pages on Sonoma and they work fine on Ventura. Note: no change in our network extension code, curl and browser versions. The only change is the macOS version. Please find attached screenshots with Ventura and with Sonoma, running curl. One other difference seen here is the error code received by client applications with Ventura and Sonoma. On Ventura, when IPv6 is blocked, the error is "Network is down" and the client application establishes a connection with IPv4. On Sonoma, the error code is 22: "Invalid arguments" and the client application does not retry with IPv4.

Curl_Ventura.jpg Curl_Sonoma.png
3
0
1.1k
Oct ’23
NEFilterDataProvider.handleNewFlow(_:) gets called with same flow ids multiple times
Since NEFilterFlow.identifier is documented as The unique identifier of the flow., I thought I could use it to store the flow by its identifier in a dictionary in order to retrieve it later. I do this when the system extension pauses a flow because it needs to ask the user whether the flow should eventually be allowed or dropped. But then I noticed that sometimes when allowing a previously paused flow, identified by its identifier, my system extension doesn't find that flow anymore. After some debugging it turned out that this happens because I stored at least one other flow with the same id which, when confirmed, is removed again from the dictionary, so there is no more flow with that identifier waiting in the dictionary. Is it expected that the identifiers are recycled for different flows, or does it mean that the same flow is effectively being passed to .handleNewFlow(_:) multiple times, such as if the extension waited "too long" between pausing a flow and allowing or dropping it? What does this mean?
6
0
519
Nov ’23
Is it possible for an iOS App to route its traffic through its network extension?
Hi, I am writing an iOS App that includes an App Proxy Provider Network Extension. I would like to route all traffic from the containing iOS App to go through the App Proxy Provider. I can do this for my own testing by adding the NETestAppMapping key to the Info.plist file of the App. Given that the App and its network extension come from the same developer and belong to the same App Group, would it be possible to achieve this without involving an MDM? Thanks
3
0
304
Oct ’23
Two network extensions, sometimes only one gets started
We have a Transparent Proxy Provider, and a Packet Filter. They both get activated on app startup, and then when that's done, I call code to set the preferences to enable them. That is basically done by having the request:didFinishWithResult: method check the identity of the request, determine whether it was activation or deactivation, and then call the appropriate function to do the preferences load/save dance. However, from the logs, it looks like the preferences-handling code sometimes only gets called for one of them (and, strangely, almost always the packet filter). Is this a known issue? I'd guess something about multiple calls to load/save preferences happening at the same time?
1
0
333
Oct ’23
The ‘VPN Service’ payload could not be installed. The VPN service could not be created."
Hello , We've developed a MacOS app with a system extension that includes a content filter using socket and packet providers. To enable the extension, we applied the following payload : - &lt;dict&gt; &lt;key&gt;PayloadContent&lt;/key&gt; &lt;array&gt; &lt;dict&gt; &lt;key&gt;PayloadIdentifier&lt;/key&gt; &lt;string&gt;com.companyname.webcontentfilter&lt;/string&gt; &lt;key&gt;PayloadType&lt;/key&gt; &lt;string&gt;com.apple.webcontent-filter&lt;/string&gt; &lt;key&gt;PayloadUUID&lt;/key&gt; &lt;string&gt;5e8794fb-8820-43cd-9d18-d171539f755a&lt;/string&gt; &lt;key&gt;PayloadVersion&lt;/key&gt; &lt;integer&gt;1&lt;/integer&gt; &lt;key&gt;PayloadScope&lt;/key&gt; &lt;string&gt;System&lt;/string&gt; &lt;key&gt;AutoFilterEnabled&lt;/key&gt; &lt;false /&gt; &lt;key&gt;FilterBrowsers&lt;/key&gt; &lt;true/&gt; &lt;key&gt;FilterSockets&lt;/key&gt; &lt;true/&gt; &lt;key&gt;FilterType&lt;/key&gt; &lt;string&gt;Plugin&lt;/string&gt; &lt;key&gt;FilterPackets&lt;/key&gt; &lt;true/&gt; &lt;key&gt;FilterPacketProviderBundleIdentifier&lt;/key&gt; &lt;string&gt;com.companyname.dlp.test1.ne.Extension&lt;/string&gt; &lt;/dict&gt; &lt;/array&gt; &lt;key&gt;PayloadDescription&lt;/key&gt; &lt;string&gt;Description&lt;/string&gt; &lt;key&gt;PayloadDisplayName&lt;/key&gt; &lt;string&gt;Restriction Profile&lt;/string&gt; &lt;key&gt;PayloadIdentifier&lt;/key&gt; &lt;string&gt;com.test.restriction&lt;/string&gt; &lt;key&gt;PayloadOrganization&lt;/key&gt; &lt;string&gt;COMPANY NAME Pvt. Ltd.&lt;/string&gt; &lt;key&gt;PayloadRemovalDisallowed&lt;/key&gt; &lt;false/&gt; &lt;key&gt;PayloadType&lt;/key&gt; &lt;string&gt;Configuration&lt;/string&gt; &lt;key&gt;PayloadUUID&lt;/key&gt; &lt;string&gt;f5f02ca0-0bed-4844-ba53-ea1e0dd6f61e&lt;/string&gt; &lt;key&gt;PayloadVersion&lt;/key&gt; &lt;integer&gt;1&lt;/integer&gt; &lt;/dict&gt; However, it failed to deploy on the device with the reason being: "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." 
We've followed the guidelines from available resources, but it's not working as expected. Additionally, we're primarily testing on Ventura (M1) and Monterey (Intel). Any insights or advice from your side would be greatly appreciated. Thank you.
1
0
771
Oct ’23
NETransparentProxyProvider on macOS Sonoma breaks DNS resolution for short hostnames
macOS Sonoma cannot resolve short hostnames (no dots) when there is an active interface of NETransparentProxyProvider type. I have submitted a report FB13288727, but maybe I am missing something and there is a way to fix this from our NETransparentProxyProvider code? Normally, when you specify the search domain "example.net", the system resolver automatically adds it to the short hostnames like "testhost" (no dots). So the resulting query is "testhost.example.net". https://support.apple.com/en-il/guide/mac-help/mh141272/mac Starting from macOS Sonoma when there is an active interface of NETransparentProxyProvider type, the system resolver tries to resolve using only the first domain from the list. Also it does not try to resolve the hostname as it is (without the search domain). What makes this bug fatal is that Sonoma automatically adds a hidden entry like "0.5.168.192.in-addr.arpa" in the search domain list. So it tries to resolve shorthostname.0.5.168.192.in-addr.arpa, fails and does not try without the domain. So the resolution of all short hostnames always fails. It could be easily tested with a command like "ping store" and Search Domain "apple.com".

Pre Sonoma versions:

    ping store
    PING store.apple.com (23.14.139.109): 56 data bytes...

Sonoma:

    ping store
    ping: cannot resolve store: Unknown host

In reality, it tries to resolve store.0.5.168.192.in-addr.arpa and fails. It does not try to resolve store.apple.com at all. This can be seen in the traffic to the DNS server (UDP port 53).
1
1
507
Oct ’23
NEHotspotNetwork.fetchCurrent is giving nil values everytime
I'm trying to fetch the currently connected network (WiFi or hotspot or MobileNetwork). I'm using the below code snippet:

    NEHotspotNetwork.fetchCurrent { hotspotNetwork in
        print("Network Information")
        print(hotspotNetwork?.ssid)
        print(hotspotNetwork?.isSecure ?? true)
        print(hotspotNetwork?.bssid)
        print(hotspotNetwork?.securityType)
        print(hotspotNetwork?.signalStrength)
    }

I'm able to get the Wi-Fi details, but one thing I noticed is that it reports every network as an unsecure network whether it is password protected or not. How can we differentiate a secure network from an unsecure network? And after some time, all of a sudden, it stops giving all the values, i.e. for each (ssid, isSecure, bssid, securityType, signalStrength) it gives nil values. Can anyone help me understand this? Thanks in advance.
2
0
419
Oct ’23
CancelTunnelWithError crash
Recently we have got several crash reports from Organizer. The crash is about cancelTunnelWithError API usage in a network extension.

    Last Exception Backtrace:
    0 CoreFoundation 0x1d879140c __exceptionPreprocess + 160 (NSException.m:202)
    1 libobjc.A.dylib 0x1d1a71c10 objc_exception_throw + 56 (objc-exception.mm:356)
    2 Foundation 0x1d2b29448 -[NSXPCEncoder _checkObject:] + 288 (NSXPCCoder.m:0)
    3 Foundation 0x1d2b29114 -[NSXPCEncoder _encodeUnkeyedObject:] + 36 (NSXPCCoder.m:396)
    4 Foundation 0x1d2b28ddc -[NSXPCEncoder _encodeArrayOfObjects:forKey:] + 180 (NSXPCCoder.m:523)
    5 Foundation 0x1d2b2ba24 -[NSDictionary(NSDictionary) encodeWithCoder:] + 568 (NSDictionary_Foundation.m:47)
    6 Foundation 0x1d2b28ff8 -[NSXPCEncoder _encodeObject:] + 436 (NSXPCCoder.m:373)
    7 Foundation 0x1d2b28ddc -[NSXPCEncoder _encodeArrayOfObjects:forKey:] + 180 (NSXPCCoder.m:523)
    8 Foundation 0x1d2b2ba24 -[NSDictionary(NSDictionary) encodeWithCoder:] + 568 (NSDictionary_Foundation.m:47)
    9 Foundation 0x1d2b28ff8 -[NSXPCEncoder _encodeObject:] + 436 (NSXPCCoder.m:373)
    10 Foundation 0x1d2b28ddc -[NSXPCEncoder _encodeArrayOfObjects:forKey:] + 180 (NSXPCCoder.m:523)
    11 Foundation 0x1d2b2ba24 -[NSDictionary(NSDictionary) encodeWithCoder:] + 568 (NSDictionary_Foundation.m:47)
    12 Foundation 0x1d2b28ff8 -[NSXPCEncoder _encodeObject:] + 436 (NSXPCCoder.m:373)
    13 Foundation 0x1d2b54378 _NSXPCSerializationAddInvocationWithOnlyObjectArgumentsArray + 112 (NSXPCCoder_InvocationSerialization.m:36)
    14 Foundation 0x1d2b49c2c -[NSXPCEncoder _encodeInvocationObjectArgumentsOnly:count:typeString:selector:isReply:into:] + 208 (NSXPCCoder.m:498)
    15 Foundation 0x1d2b472dc _sendReplyArgumentsOnly + 172 (NSXPCConnection.m:359)
    16 Foundation 0x1d30649f8 __64-[NSXPCConnection _decodeAndInvokeMessageWithEvent:reply:flags:]_block_invoke_4 + 92 (NSXPCConnection.m:573)
    17 Foundation 0x1d2baef90 -[_NSXPCConnectionRequestedReplies endTransactionForSequence:completionHandler:] + 192 (NSXPCConnectionHelpers.m:516)
    18 Foundation 0x1d3064974 __64-[NSXPCConnection _decodeAndInvokeMessageWithEvent:reply:flags:]_block_invoke_3 + 148 (NSXPCConnection.m:569)
    19 NetworkExtension 0x1ee499f6c -[NEExtensionProviderContext cancelWithError:] + 196 (NEExtensionProviderContext.m:247)
    20 NetworkExtension 0x1ee49ccb8 -[NEExtensionTunnelProviderContext cancelWithError:] + 68 (NEExtensionTunnelProviderContext.m:185)
    21 NetworkExtension 0x1ee578bdc -[NEPacketTunnelProvider cancelTunnelWithError:] + 164 (NEPacketTunnelProvider.m:84)
    22 *****PacketTunnelProvider 0x100659318 *****PacketTunnelProvider.cancelTunnelWithError(_:) + 360 (*****PacketTunnelProvider.swift:162)
    23 *****PacketTunnelProvider 0x100659370 @objc *****PacketTunnelProvider.cancelTunnelWithError(_:) + 56 (<compiler-generated>:0)
    24 ***** 0x100778c70 *****PacketTunnelProviderImpl.cancelTunnelWithError(_:cancelingFunction:) + 720 (******PacketTunnelProviderImpl.swift)
    25 ***** 0x10077e434 closure #1 in *****PacketTunnelProviderImpl.******
    26 MCKit 0x1007b9934 partial apply for closure #1 in *****PacketTunnelProviderImpl.****(****) + 32 (<compiler-generated>:0)
    27 MCKit 0x100774e9c thunk for @escaping @callee_guaranteed @Sendable (@guaranteed Data?, @guaranteed NSURLResponse?, @guaranteed Error?) -> () + 148 (<compiler-generated>:0)
    28 CFNetwork 0x1d9774e60 __40-[__NSURLSessionLocal taskForClassInfo:]_block_invoke + 476 (LocalSession.mm:718)
    29 CFNetwork 0x1d9783da8 __49-[__NSCFLocalSessionTask _task_onqueue_didFinish]_block_invoke_2 + 156 (LocalSessionTask.mm:544)
    30 libdispatch.dylib 0x1df5347a8 _dispatch_call_block_and_release + 24 (init.c:1518)
    31 libdispatch.dylib 0x1df535780 _dispatch_client_callout + 16 (object.m:560)
    32 libdispatch.dylib 0x1df5106fc _dispatch_lane_serial_drain$VARIANT$armv81 + 600 (queue.c:3885)
    33 libdispatch.dylib 0x1df5111e4 _dispatch_lane_invoke$VARIANT$armv81 + 432 (queue.c:3976)
    34 libdispatch.dylib 0x1df51af14 _dispatch_workloop_worker_thread + 608 (queue.c:6507)
    35 libsystem_pthread.dylib 0x2227ddbd0 _pthread_wqthread + 284 (pthread.c:2618)
    36 libsystem_pthread.dylib 0x2227dd720 start_wqthread + 8

So we have some self-defined error enums which conform to the CustomNSError protocol. Not sure if there is something wrong going from Error in Swift to NSError in Objective-C. This issue did not exist on older iOS versions. And the same code works fine on macOS.
3
0
267
Oct ’23
SRV type requests do not reach the VPN interface
We have a PacketTunnelProvider in a SystemExtension with split tunnelling. We specify several matching domains using NEPacketTunnelNetworkSettings, such as abc.example.com and xyz.example.com. DNS requests of type A and AAAA for these domains are routed to the VPN interface, but we've noticed that SRV type requests do not reach the VPN interface. To test this, I'm creating an SRV type request from the terminal using the following command: dig SRV _https._tcp.example.com. Please guide me if there are any specific configurations required for SRV records. --Thanks Happy Questioning and Enjoy
1
0
311
Oct ’23