My app is a VPN app; it uses the [com.apple.networkextension.packet-tunnel] extension to provide a VPN service.
A problem has puzzled me for a long time: sometimes the VPN doesn't start successfully until the user restarts iOS or reinstalls my app.
The details are:
The user uses the app normally many times, and then suddenly can't start the VPN service. The app log shows that the "startVPNTunnelWithOptions" API call succeeds and returns success,
but the VPN extension status (NEVPNStatus) changes from Disconnected to Connecting and then nothing happens. The VPN process is not started, and no log from the VPN extension is created; my VPN log starts from the init function of the class inheriting from PacketTunnelProvider, so I can see that the VPN process did not start.
My NETunnelProviderProtocol is:
// Protocol configuration handed to the NETunnelProviderManager for the packet-tunnel extension.
NETunnelProviderProtocol *tunnel = [[NETunnelProviderProtocol alloc] init];
tunnel.providerBundleIdentifier = kTunBundleId;   // bundle identifier of the packet-tunnel extension
tunnel.serverAddress = @"";                        // left empty: the OpenVPN3 stack inside the extension owns the server address
tunnel.disconnectOnSleep = NO;
[self.providerManager setEnabled:YES];
[self.providerManager setProtocolConfiguration:tunnel];
self.providerManager.localizedDescription = kAppName;   // name shown in Settings > VPN
Very simple, because my app uses openvpn3 to provide the VPN service, so there is no need to set the serverAddress.
When this problem happens I can't get any useful log (because the app can't read the iOS system log), so this is really troublesome for me. Could anybody help?
Network Extension
Customize and extend the core networking features of iOS, iPadOS, and macOS using Network Extension.
I am reaching out regarding the usage of the fetchCurrent method within the NEHotspotNetwork framework.
According to the documentation provided at [https://developer.apple.com/documentation/networkextension/nehotspotnetwork/3666511-fetchcurrent], it is mentioned that in order to utilize this method, the application needs to meet all four of the following conditions:
The app is using the Core Location API and has the user’s authorization to access precise location.
The app used the NEHotspotConfiguration API to configure the current Wi-Fi network.
The app has active VPN configurations installed.
The app has an active NEDNSSettingsManager configuration installed.
However, upon reviewing the comments in the code for the fetchCurrent method, it states: "This method returns SSID, BSSID, and security type of the current Wi-Fi network when the requesting application meets one of the following 4 requirements -."
Could you please clarify whether it is necessary to fulfill all four conditions or if meeting just one of the four requirements is sufficient to use the fetchCurrent method?
iOS 17 issue:
I am connecting to VPN connection with configuration as full tunnel which is tunneling all the traffic generated on my device which is expected.
This is for Full Tunnel and Tunnel routes:
// Below is the NEPacketTunnelProvider configuration
tunnelProvider.protocolConfiguration.includeAllNetworks = YES;
tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO;
tunnelProvider.protocolConfiguration.enforceRoutes = NO;
But once I disconnect and kill the NEPacketTunnelProvider instance, my internet is blocked until I restart the device.
NOTE: This behavior is not seen with iOS 16 and below, where things work smoothly.
Kindly update as soon as possible.
I'm using NEHotspotNetwork to get the Wi-Fi network information, e.g. SSID, BSSID and signal strength.
But the BSSID values are not accurate compared to the router MAC address.
The last segment of the value from NEHotspotNetwork is always different.
Is Apple intentionally providing the last value differently, or do I need to use another API to get the MAC address of a router?
Example: What I am getting using NEHotspotNetwork: c3:85:63:26:56:ef
The actual MAC address of the network: c3:85:63:26:56:3c
I am connecting to a VPN connection with the NEPacketTunnelProvider configuration set to includeAllNetworks = YES and excludeLocalNetworks = NO, which tunnels all the traffic generated on my device, as expected.
But once I disconnect and kill the NEPacketTunnelProvider instance, my internet is blocked unless I restart the device. This behavior is not seen with iOS 16, where things work smoothly.
Kindly update as soon as possible.
Hi Community:
I want to know (if someone knows) why content filters are only available for:
Supervised devices
Apps with Screen Time, but only for children.
Does that make any sense when on Mac supervision is not needed?
Why can't adults decide to use a built-in content filter instead of using a Screen Time pre-filter by themselves?
Are they not conscious of what they are doing?
Is there any UX reason not to open this powerful tool to improve the iOS user experience guided by third parties?
Thanks in advance.
I've developed a VPN app using the NEVPNManager API (IKEv2 protocol). Can I publish this app on the App Store from my developer account enrolled as an individual?
I encountered a problem while implementing a DNS proxy with Network Extension.
It consists of MyMyExt, a System Extension that implements the DNS proxy, and MyMyService, the container app.
The system extension consists of a class that inherits from NEDNSProxyProvider.
The class overrides "override init(), override func startProxy(...), override func stopProxy(...), override func handleNewFlow(...)".
After the manager.loadFromPreferences(...) and manager.saveToPreferences(...) calls, the system extension and DNS proxy have been added.
However, contrary to expectations, init(), startProxy(...), etc. are not being called.
(In System Settings → Network → Filter, the DNS proxy has been added, but it is displayed as "Activated" with a yellow circle.)
Here is the information that appears on the console.
... Omitted ...
MyMyService.MyMyExt [Info] DNSProxyManager.swift: 51 [-] DNSProxy: saved
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Adding a connection for client mDNSResponder[167]
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: handleNetworkDetectionNotification <MyMyService.MyMyExt>
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Received a restart command from nesessionmanager[1011]
nesessionmanager Registering session NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Resetting VPN On Demand
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)] in state NESMVPNSessionStateIdle: update configuration
nesessionmanager <NESMServer: 0x13ae0ac90>: <MyMyService.MyMyExt> Register DNS Proxy Session: NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Successfully registered
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: status changed to connecting
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)] in state NESMVPNSessionStateIdle: received start message
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Leaving state NESMVPNSessionStateIdle
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Entering state NESMVPNSessionStatePreparingNetwork
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Cannot create agent for plugin type MyMyService.MyMyExt, missing designated requirement
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Failed to create an NEAgent
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Leaving state NESMVPNSessionStatePreparingNetwork
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds
... Omitted ...
Perhaps the key is the "Cannot create agent for plugin type MyMyService.MyMyExt, missing designated requirement" recorded in the log.
But I can't find out what this message is about or how to resolve it.
And here is my code; more info is in my previous post.
I ask for your help.
Thank you for your attention.
Note: The PF side of this is now covered by TN3165 Packet Filter is not API.
Network Extension (NE) providers let you create products for VPN, content filtering, transparent proxying, and so on. Various Apple platforms support various different provider types. See TN3134 Network Extension provider deployment for the details.
On iOS NE providers are the only game in town. It’s not possible to implement products like this in any other way. On macOS, however, there are a variety of other ad hoc techniques you might use. These include:
Packet Filter (PF) aka pfctl (see its man page)
A utun interface (see <net/if_utun.h>)
Network kernel extensions (NKE), aka KEXTs
People use these techniques for a variety of reasons. For example, you might have a product that predates the NE provider architecture, or you might want to reuse code that you wrote for another platform.
Regardless of the reason, be aware that DTS doesn’t support these ad hoc techniques. If you’re building a product like this for macOS, create an NE provider.
We’ve adopted this policy because, in our experience, these ad hoc techniques tend to be very brittle, and thus are not supportable in the long term. A great example of this is PF. There’s no documented arbitration scheme for PF rules so, as a third-party developer, the rules you install might be incompatible with the rules set up by various macOS features, other third-party developers, the user, or the site admin.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Revision History
2028-02-09 Added a link to TN3165.
2023-11-23 First posted.
Hello, when I tested with an iPhone 14 Pro Max (iOS 17.3.1), a Network Extension exceeding 15 MB would still automatically close the VPN connection, unlike what is mentioned on the Apple Developer website, that the NE memory limit increased to 50 MB after iOS 15. What is the reason for this? Thank you so much.
// IKEv2 protocol configuration authenticated with a pre-shared key stored in the keychain
p.authenticationMethod = NEVPNIKEAuthenticationMethodSharedSecret;
p.sharedSecretReference = [self searchKeychainCopyMatching:@"PSK"];   // persistent keychain reference to the PSK item
Creating IKEv2 using a PSK fails, and the following error message is displayed:
Start VPN failed: [The operation couldn’t be completed. (NEVPNErrorDomain error 1.)]
May I ask what the reason is?
Hello.
Can someone please explain to me what "per-app" means in "per-app on managed devices" in the context of this document(https://developer.apple.com/documentation/technotes/tn3134-network-extension-provider-deployment)?
Thank you!
Hello! I'm trying to develop an app using PacketTunnelProvider.
I set up a local VPN server and successfully established a UDP session between client and server. I was also able to exchange some test packets using session.writeDatagram().
There is a problem: it seems that packetFlow.readPacketObjects does not gather real packets at all,
unless I set the DNS settings for the PacketTunnelProvider as
settings.dnsSettings = NEDNSSettings(servers: ["8.8.8.8", "8.8.4.4"])
Then the tunnel catches only DNS queries.
How can I get all allowed packet traffic? Is it possible? Please give me some hints.
Thank you
Hi. We set up an OpenVPN protocol based VPN tunnel on macOS using the Packet Tunnel Provider / Network Extension framework. We are trying to configure forced tunneling, which means passing all internet-bound traffic via the VPN tunnel. We configure routes on the virtual tun interface:
0.0.0.0/0 - Works correctly.
But this setup doesn't work:
0.0.0.0/1
128.0.0.0/1
(Covers the full IPv4 address range.) The routes get added on the tun interface, but the TCP socket gets disconnected within a few seconds with the error: No route to host.
Both were working correctly on macOS < 14.0.
Any pointers on this?
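The two posts above (traffic not reaching readPacketObjects on iOS, and the forced-tunnel route setup on macOS) both come down to what goes into the tunnel's includedRoutes. The following is an added example, not code from either post: a minimal NEPacketTunnelProvider that installs a single default route so all IPv4 traffic enters the tunnel, and classifies each packet it reads so a developer can confirm that more than DNS is arriving. The remote and tunnel addresses, the subsystem name and the MTU are constructed values.

```swift
import Foundation
import NetworkExtension
import os.log

final class ExampleTunnelProvider: NEPacketTunnelProvider {
    private let log = OSLog(subsystem: "com.example.tunnel", category: "provider") // assumed name
    private let remoteAddress = "203.0.113.10"   // constructed: the VPN server
    private let tunnelAddress = "10.8.0.2"       // constructed: this device's address inside the tunnel

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: remoteAddress)
        let ipv4 = NEIPv4Settings(addresses: [tunnelAddress], subnetMasks: ["255.255.255.0"])
        // Full tunnel: one default route. With no includedRoutes entry, general traffic is
        // never steered to the utun and only DNS shows up, which is the iOS symptom above.
        // The 0.0.0.0/1 + 128.0.0.0/1 split is what the macOS post reports as failing on
        // macOS 14, so the single default route is the safer choice.
        ipv4.includedRoutes = [NEIPv4Route.default()]
        settings.ipv4Settings = ipv4
        let dns = NEDNSSettings(servers: ["8.8.8.8", "8.8.4.4"])
        dns.matchDomains = [""]   // empty string: these resolvers handle every domain
        settings.dnsSettings = dns
        settings.mtu = 1400
        setTunnelNetworkSettings(settings) { [weak self] error in
            if let error = error { completionHandler(error); return }
            self?.readLoop()
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    // True for an IPv4 packet carrying UDP to destination port 53 (a DNS query).
    static func isDNSQuery(_ b: [UInt8]) -> Bool {
        guard b.count >= 20, b[0] >> 4 == 4, b[9] == 17 else { return false }
        let ihl = Int(b[0] & 0x0f) * 4
        guard b.count >= ihl + 8 else { return false }   // full UDP header must be present
        return (UInt16(b[ihl + 2]) << 8 | UInt16(b[ihl + 3])) == 53
    }

    // Drains the virtual interface; a real transport (e.g. the UDP session to the server) takes over here.
    private func readLoop() {
        packetFlow.readPacketObjects { [weak self] packets in
            guard let self = self else { return }
            for packet in packets where packet.protocolFamily == sa_family_t(AF_INET) {
                let bytes = [UInt8](packet.data)
                let kind = Self.isDNSQuery(bytes) ? "dns" : "other"
                os_log("IPv4 %{public}@ packet, %d bytes", log: self.log, type: .debug, kind, bytes.count)
            }
            self.readLoop()
        }
    }
}
```

If the log shows only "dns" packets after this change, the routing is fine and the problem lies elsewhere (for example in the transport that is supposed to forward the packets).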
I ran into a problem while developing a VPN. On devices below iOS 17, when connecting to the VPN, the server can be reached via connect, and in Xcode's debug session the source IP of locally sent traffic is the local IP; it does not go through the VPN proxy.
But on devices with iOS 17 and above, in Xcode's debug session the source IP of locally sent traffic is the VPN's IP address. Did iOS 17 change something about VPN? Has anyone encountered this problem?
Hi, I'm developing an app that needs to connect to a Wi-Fi hotspot to pair an IoT device.
Often, while the iPhone is connected to the device's Wi-Fi hotspot, I get the annoying popup saying that the Wi-Fi network has no access to the internet, suggesting that the user switch back to another network or mobile data.
This behavior may create problems with end users, who often tap the button to switch networks, disconnecting from my device and failing the pairing process/data exchange.
Is there an option/permission to disable such behavior for my specific app, or is this a system function?
Thanks a lot!
Hi Team,
I'm trying to capture inbound traffic for DNS responses and have experimented with the following rules, but they did not work.
NENetworkRule *dnsInboundTraffic =
    [[NENetworkRule alloc] initWithRemoteNetwork:nil
                                    remotePrefix:0
                                    localNetwork:[NWHostEndpoint endpointWithHostname:@"0.0.0.0" port:@"53"]
                                     localPrefix:0
                                        protocol:NENetworkRuleProtocolUDP
                                       direction:NETrafficDirectionInbound];
settings.includedNetworkRules = @[dnsInboundTraffic];
Could you please correct me if I'm making any mistakes while setting the rules?
Two different crash patterns: one an abort, the other complaining about a lock being corrupt or the owning thread having exited. The first one is:
Thread 1 Crashed:: Dispatch queue: com.apple.root.default-qos.overcommit
0 libsystem_platform.dylib 0x18fc10244 _os_unfair_lock_corruption_abort + 88
1 libsystem_platform.dylib 0x18fc0b788 _os_unfair_lock_lock_slow + 332
2 libobjc.A.dylib 0x18f820c90 objc_sync_enter + 20
3 com.kithrup.TPProvider 0x100d2eee0 closure #3 in TPProvider.startProxy(options:completionHandler:) + 340
4 com.kithrup.TPProvider 0x100d2d980 thunk for @escaping @callee_guaranteed () -> () + 28
5 libdispatch.dylib 0x18fa31910 _dispatch_client_callout + 20
6 libdispatch.dylib 0x18fa34dc8 _dispatch_continuation_pop + 600
7 libdispatch.dylib 0x18fa48be4 _dispatch_source_latch_and_call + 420
8 libdispatch.dylib 0x18fa477b4 _dispatch_source_invoke + 832
9 libdispatch.dylib 0x18fa431f4 _dispatch_root_queue_drain + 392
10 libdispatch.dylib 0x18fa43a04 _dispatch_worker_thread2 + 156
11 libsystem_pthread.dylib 0x18fbdb0d8 _pthread_wqthread + 228
12 libsystem_pthread.dylib 0x18fbd9e30 start_wqthread + 8
while the other one is:
Application Specific Information:
BUG IN CLIENT OF LIBPLATFORM: os_unfair_lock is corrupt, or owner thread exited without unlocking
Abort Cause 198194
Thread 1 Crashed:: Dispatch queue: com.apple.root.default-qos.overcommit
0 libsystem_platform.dylib 0x18fc10220 _os_unfair_lock_corruption_abort + 52
1 libsystem_platform.dylib 0x18fc0b788 _os_unfair_lock_lock_slow + 332
2 libobjc.A.dylib 0x18f820c90 objc_sync_enter + 20
3 com.kithrup.TPProvider 0x104e86ee0 closure #3 in TPProvider.startProxy(options:completionHandler:) +340
4 com.kithrup.TPProvider 0x104e85980 thunk for @escaping @callee_guaranteed () -> () + 28
5 libdispatch.dylib 0x18fa31910 _dispatch_client_callout + 20
6 libdispatch.dylib 0x18fa34dc8 _dispatch_continuation_pop + 600
7 libdispatch.dylib 0x18fa48be4 _dispatch_source_latch_and_call + 420
8 libdispatch.dylib 0x18fa477b4 _dispatch_source_invoke + 832
9 libdispatch.dylib 0x18fa431f4 _dispatch_root_queue_drain + 392
10 libdispatch.dylib 0x18fa43a04 _dispatch_worker_thread2 + 156
11 libsystem_pthread.dylib 0x18fbdb0d8 _pthread_wqthread + 228
12 libsystem_pthread.dylib 0x18fbd9e30 start_wqthread + 8
Our TPProvider, whenever it uses a dispatch queue, uses a custom one, so these are presumably system queues and locks. My best guess would be that some XPC command took too long? But that's just a WAG.
Any ideas about what is actually going on?
We are using a network proxy on macOS to divert network traffic. We found that when the proxy is configured with an exception list, if we exceed 685 characters in the exception list, then Safari does not accept this exception list. In this case, Safari connects to all sites (including sites in the exception list) directly, whereas the same exception list is accepted by other browsers like Google Chrome, Firefox and MS Edge. We have not found any reference to the maximum size of this exception list for the Safari browser.
1. Please share any documentation in this regard.
2. Also let us know if we can configure this maximum character limit using any suitable configuration.
Hi!
We are developing VPN software for the iOS platform, and our customers report a rare issue that we cannot reproduce. We seek any advice about the root cause of such a problem.
On every update, we notice an increased number of customer reports saying that the tunnel process is in a "connecting" loop, and to break the loop the customer has to remove the VPN profile from the settings. As none of our testers could reproduce the issue, we have minimal knowledge to work on. What we know so far:
The OnDemand rules cause the tunnel process to be restarted in the loop
The tunnel process does not start at all. We have logs from our customers, and we know that the application tries to start an extension, but the extension does not start at all. Something in the operating system prevents the extension from starting.
The issue reappears on every app update.
My theory so far is that the profile gets broken during an update process, but we have no means of confirming that.
Is this a known issue? Any advice on how we could reproduce the problem? Thank you in advance for any tips!
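Both this post and the first post on the page describe the same symptom: startVPNTunnel reports success, the status moves to Connecting, and the provider process never comes up, so it writes no log of its own. The following is an added example, not code from either post: a container-app watchdog that times the Connecting state from the app side, and when nothing follows within the timeout it logs the manager state, stops the session and disables On Demand so the restart loop cannot keep going without the user removing the profile. The subsystem name, the 30-second timeout and the use of the first loaded manager are assumptions.

```swift
import Foundation
import NetworkExtension
import os.log

final class TunnelStatusWatchdog {
    private let log = OSLog(subsystem: "com.example.vpn", category: "watchdog") // assumed name
    private let stuckAfter: TimeInterval
    private var manager: NETunnelProviderManager?
    private var connectingSince: Date?
    private var timer: Timer?

    init(stuckAfter: TimeInterval = 30) {   // assumed timeout
        self.stuckAfter = stuckAfter
        NotificationCenter.default.addObserver(self, selector: #selector(statusChanged(_:)),
                                               name: .NEVPNStatusDidChange, object: nil)
    }

    // Loads the saved configuration and asks the system to start the tunnel. The call returns
    // immediately; whether the provider process actually launches is only visible via status changes.
    func loadAndStart() {
        NETunnelProviderManager.loadAllFromPreferences { [weak self] managers, error in
            guard let self = self, error == nil, let manager = managers?.first else {
                os_log("no usable manager: %{public}@", log: self?.log ?? .default, type: .error, String(describing: error))
                return
            }
            self.manager = manager
            do { try manager.connection.startVPNTunnel() }
            catch { os_log("startVPNTunnel threw: %{public}@", log: self.log, type: .error, String(describing: error)) }
        }
    }

    @objc private func statusChanged(_ note: Notification) {
        guard let connection = note.object as? NEVPNConnection, connection === manager?.connection else { return }
        switch connection.status {
        case .connecting:
            connectingSince = Date()
            timer?.invalidate()
            timer = Timer.scheduledTimer(withTimeInterval: stuckAfter, repeats: false) { [weak self] _ in
                self?.handleStuck()
            }
        default:   // connected, reasserting, disconnecting, disconnected, invalid: the session moved on
            timer?.invalidate(); timer = nil; connectingSince = nil
        }
    }

    // Fires only if the session is still in .connecting when the timeout elapses.
    private func handleStuck() {
        guard let m = manager, m.connection.status == .connecting, let since = connectingSince else { return }
        let seconds = Int(Date().timeIntervalSince(since))
        os_log("stuck in connecting for %ds (enabled=%{public}@ onDemand=%{public}@); stopping and disabling On Demand",
               log: log, type: .error, seconds, String(m.isEnabled), String(m.isOnDemandEnabled))
        m.connection.stopVPNTunnel()
        m.isOnDemandEnabled = false   // break the restart loop driven by the On Demand rules
        m.saveToPreferences { error in
            if let error = error { os_log("saveToPreferences: %{public}@", log: self.log, type: .error, String(describing: error)) }
        }
    }
}
```

The app-side log line this produces is the evidence to attach to a bug report, since the provider itself never ran and left nothing to collect.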