Network Extension


Customize and extend the core networking features of iOS, iPad OS, and macOS using Network Extension.

Posts under Network Extension tag

200 Posts
Listing columns: Post, Replies, Boosts, Views, Activity.

Can't upload to TestFlight - Provisioning profile failed qualification on app-push-provider
Hello, I'm working on an app with a local push provider. I have already pushed it to TestFlight, two weeks ago and before that, and everything worked. Since then, I updated to Version 15.0.1 (15A507) and downloaded iOS 17. Now I can't upload a build anymore. There is no error on build, I can archive the project, but when I distribute the app to TestFlight, it fails. I got this error: I already checked my two provisioning profiles and the app IDs (the app one and the localPushProvider one); both seem to be good. No red cross in the Xcode profile analysis for either, with all the needed information. These are the entitlements on each side:

<key>com.apple.developer.networking.networkextension</key>
<array>
    <string>app-push-provider</string>
</array>

I'm running out of clues for fixing this. All of this was working two weeks ago and I don't understand how updating my system can interact with the upload system. Any idea what to try to upload my build to TestFlight? Thank you in advance!
Replies: 2, Boosts: 0, Views: 718, Activity: Oct ’23
Unexpected Local Network Privacy Alert in Special Scenarios
At times, I see a Local Network Privacy Alert when opening an app, even when I'm exclusively using cellular data. Additionally, when I reinstall certain apps from the Apple App Store at the same time, some of them immediately request local network permission, others do not, which may be because they only use the system network library. Has anyone else faced this issue? It seems like a system issue leading to unexpected behaviour. The console log has some XPC_ERROR_CONNECTION_INVALID error logs related to the nehelper process:

nehelper sent invalid response: <dictionary: 0x245cb7e20> { count = 1, transaction: 0, voucher = 0x0, contents = "XPCErrorDescription" => <string: 0x245cb7fb8> { length = 18, contents = "Connection invalid" } }
30760 0x89d905 UsageTrackingAgent 38502326 libsystem_networkextension.dylib nw_parameters_set_source_application_by_bundle_id_internal Failed to convert from bundle ID (com.apple.UsageTrackingAgent) to UUID. This could lead to wrong data usage accounting.
30760 0x89d905 UsageTrackingAgent 38502326 Network
Replies: 1, Boosts: 0, Views: 505, Activity: Oct ’23
Firewall refuses to add Python; MULTIPLE POP-UP alerts
On Sonoma I develop with gcloud and python2.7 and python3.9 from MacPorts. I always get MULTIPLE dialogue pop-ups when starting the Python webserver in Terminal.app. Choices are not remembered (neither block nor allow!!). I tried to solve that with socketfilterfw and codesign but it has NO effect at all. Questions like this have been floating around Stack Exchange for 10 years. I have been searching for several hours for a solution to this problem. Is there any solution?

20 : /opt/local/Library/Frameworks/Python.framework/Versions/3.9/Resources/Python.app ( Allow incoming connections )
21 : /opt/local/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app ( Allow incoming connections )

sudo codesign -s - -f /opt/local/Library/Frameworks/Python.framework/Versions/3.9/Resources/Python.app
Replies: 1, Boosts: 0, Views: 410, Activity: Oct ’23
DoH and Network Extension
[Network Extension, Packet Tunnel Provider, iOS, split tunnel] I've implemented a custom network extension app for iOS using Packet Tunnel Provider. A customer enabled a split tunnel, set the tunnel's DNS servers, and added relevant 'search domains' and 'match domains'. Then he reported an error related to DNS, specifically DNS over HTTPS. He noticed that DNS queries were sent over HTTPS. He also has the corresponding app for Mac (Packet Tunnel Provider, macOS, system extension), and everything works fine with the same DNS configuration; there the DNS queries were sent as clear text, not DoH. Is DoH the default behavior on iOS? Is it the default on macOS? Can we somehow change this behavior? Do DoH queries reach the tunnel as plain DNS queries?
Replies: 0, Boosts: 0, Views: 571, Activity: Oct ’23
Issues with VOIP Calls on iOS Local Proxy Server using NEPacketTunnelProvider
Hi there! I recently used the SwiftNIO example Connect Proxy with NEPacketTunnelProvider to set up a local proxy server which supports HTTPS proxying. I also referenced this link to simultaneously support HTTP proxying. It works great when opening web pages in browsers like Safari or Chrome! However, when I use some instant messenger apps to make VOIP calls, I can't make successful calls. What could be the possible reason for this? I want my proxy server to intercept only HTTP/HTTPS requests and not interfere with or block VOIP calls. Is there any configuration parameter that can achieve this? I'm sorry, but I don't have a strong background in proxy servers and VOIP. I would greatly appreciate any guidance or insights.

Here is how I start the Packet Tunnel and Proxy Server:

let tunnelNetworkSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: localhostIP)
let proxySettings = NEProxySettings()
proxySettings.httpServer = NEProxyServer(address: localhostIP, port: localhostHttpPort)
proxySettings.httpsServer = NEProxyServer(address: localhostIP, port: localhostHttpsPort)
proxySettings.autoProxyConfigurationEnabled = false
proxySettings.httpEnabled = true
proxySettings.httpsEnabled = true
proxySettings.excludeSimpleHostnames = true
proxySettings.exceptionList = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.1", "localhost", "*.local"]
tunnelNetworkSettings.proxySettings = proxySettings
tunnelNetworkSettings.ipv4Settings = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
tunnelNetworkSettings.mtu = 1500
let dns = NEDNSSettings(servers: ["8.8.8.8"])
dns.matchDomains = [""]
tunnelNetworkSettings.dnsSettings = dns
tunnelNetworkSettings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]
tunnelNetworkSettings.ipv4Settings?.excludedRoutes = [
    NEIPv4Route(destinationAddress: "192.168.0.0", subnetMask: "255.255.0.0"),
    NEIPv4Route(destinationAddress: "10.0.0.0", subnetMask: "255.0.0.0"),
    NEIPv4Route(destinationAddress: "172.16.0.0", subnetMask: "255.240.0.0")
]
setTunnelNetworkSettings(tunnelNetworkSettings) { error in
    self.pendingCompletion?(error)
    self.pendingCompletion = nil
}

And here is how I've used SwiftNIO:

let group = MultiThreadedEventLoopGroup(numberOfThreads: System.coreCount)
let bootstrap = ServerBootstrap(group: group)
    .serverChannelOption(ChannelOptions.socket(SOL_SOCKET, SO_REUSEADDR), value: 1)
    .childChannelOption(ChannelOptions.socket(SOL_SOCKET, SO_REUSEADDR), value: 1)
    .childChannelInitializer { channel in
        channel.pipeline.addHandler(ByteToMessageHandler(HTTPRequestDecoder(leftOverBytesStrategy: .forwardBytes)))
            .flatMap {
                channel.pipeline.addHandler(HTTPResponseEncoder())
            }
            .flatMap {
                if channel.localAddress?.port == self.localhostHttpPort {
                    channel.pipeline.addHandler(ConnectHttpHandler())
                } else {
                    channel.pipeline.addHandler(ConnectHttpsHandler())
                }
            }
    }
Replies: 5, Boosts: 1, Views: 728, Activity: Nov ’23
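An added example (not code from the post, from Apple, or from SwiftNIO) that models what the settings in the post above do to three kinds of traffic. It parses constructed IPv4 packets the way a provider would read them from packetFlow and sorts them by the posted excludedRoutes and by protocol. The rule that only TCP to ports 80/443 is proxy-eligible is an assumption standing in for the real behaviour, where only clients that honour system proxy settings (URLSession, WebKit) use the CONNECT proxy at all; the sample packets and addresses are constructed. The point it shows: UDP voice and media never touch an HTTP proxy, so they arrive on the utun as raw packets that the provider must forward itself, or the call fails.

```python
"""Split-tunnel/proxy classifier for the packet tunnel configuration in the post above.

Added example, not code from the original post or from SwiftNIO. It models in Python what the
posted NEPacketTunnelNetworkSettings imply for traffic: excludedRoutes never enter the utun,
TCP to 80/443 from proxy-aware clients goes to the local CONNECT proxy, and everything else
lands on the utun as raw IP packets the provider itself must forward. The port-based proxy
rule and the sample packets are assumptions for illustration.
"""
import ipaddress
import struct

# Copied from the post's excludedRoutes / exceptionList (the same three RFC 1918 blocks).
EXCLUDED_ROUTES = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
# Assumption: only TCP flows to these ports are candidates for the HTTP/HTTPS proxy.
PROXY_TCP_PORTS = {80, 443}

IPPROTO_TCP = 6
IPPROTO_UDP = 17
_IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4(proto, src, dst, sport, dport, payload=b""):
    """Build a minimal IPv4 packet (no options, zero checksum) carrying a TCP/UDP port pair.

    Only the fields the classifier reads are meaningful; this is a constructed test packet.
    """
    l4 = struct.pack("!HH", sport, dport) + payload
    hdr = struct.pack(
        _IPV4_HDR,
        0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return hdr + l4


def parse_ipv4(packet):
    """Return (proto, src, dst, sport, dport) from a raw IPv4 packet as read from packetFlow."""
    ver_ihl, _tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(_IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), None, None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), sport, dport


def classify(packet):
    """Say where a packet ends up from the tunnel's point of view.

    'bypass'     destination is in excludedRoutes: routed on the physical interface, the
                 extension never sees it.
    'proxy'      TCP to 80/443 from a proxy-aware client: delivered to the local CONNECT
                 proxy, which then opens its own outbound connection (assumed rule).
    'tunnel-raw' everything else under the default included route, including UDP voice and
                 media: arrives on the utun and is dropped unless the provider forwards it.
    """
    proto, _src, dst, _sport, dport = parse_ipv4(packet)
    if any(dst in net for net in EXCLUDED_ROUTES):
        return "bypass"
    if proto == IPPROTO_TCP and dport in PROXY_TCP_PORTS:
        return "proxy"
    return "tunnel-raw"


def classify_samples():
    """Constructed packets: a browser HTTPS flow, a STUN-style UDP flow, LAN and non-web TCP."""
    samples = {
        "https-to-web": build_ipv4(IPPROTO_TCP, "10.8.0.2", "198.51.100.7", 50000, 443),
        "voip-udp":     build_ipv4(IPPROTO_UDP, "10.8.0.2", "203.0.113.10", 40000, 3478),
        "lan-printer":  build_ipv4(IPPROTO_TCP, "10.8.0.2", "192.168.1.20", 50001, 631),
        "tcp-non-web":  build_ipv4(IPPROTO_TCP, "10.8.0.2", "198.51.100.7", 50002, 5222),
    }
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14} -> {verdict}")
```

The two verdicts that matter for the question are "voip-udp" and "tcp-non-web": neither is ever handed to an HTTP proxy, so with a default included route they reach the provider as raw packets, and a provider that only runs a CONNECT proxy has nothing that carries them onward.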
Unable to delete endpoint and network system extensions
A few weeks ago I had problems with provisioning profiles for some macOS programs, so I deleted/revoked a bunch of certificates and provisioning profiles and started from scratch. (Everything seems to be working for me) Unfortunately, a co-worker had two programs on his machine that were built with the old, test provisioning profiles with the revoked certificates, and it seems this may be preventing him from deleting the system extensions. The apps have been deleted, but that does not delete the system extensions. I installed a new program that programmatically (tries to) uninstall the system extension, but it doesn't seem to work either. When he reboots his computer, macOS pops up a window showing that the extensions may be malware. If he clicks "Show in Finder" and then tries to delete the system extensions from the Finder, he gets the message: The operation can't be completed because you don't have permission to access some of the items. Is it possible to delete the old system extensions that were installed with the old provisioning profiles? Are there multiple files that need to be deleted (e.g., the system extension and a .plist file somewhere)?
Replies: 2, Boosts: 0, Views: 665, Activity: Nov ’23
PacketTunnelProvider Stopped by SystemUIServer
Setup Details: Apple M2 Pro, macOS 13.6 (22G120). My machine came back from sleep at 9:25am. At 9:57am the packet tunnel stopped; I could find the logs below:

2023-11-08 09:57:51.812259+0530 0x72ad Default 0x4adb 261 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:mycompany myproduct VPN:22FD4FD4-3E93-446F-961B-BFAE92561DD2:(null)]: Received a stop command from SystemUIServer[604] with reason 1
2023-11-08 09:57:52.115967+0530 0x6d02 Default 0x0 796 0 com.mycompany.client.mycompany-Client.myproductui.myproductpkttunnel: (NetworkExtension) [com.apple.networkextension:] [Extension com.mycompany.client.mycompany-Client.myproductui]: Calling stopTunnelWithReason because: Stop command received

Can someone please help me understand: why would 'SystemUIServer' trigger a stop command for my packet tunnel VPN with any user action?

Attachments: filtered.log, full_logs.log
Replies: 2, Boosts: 0, Views: 841, Activity: Nov ’23
Network extensions, preferences, and multiple users
As mentioned before, we have two network extensions for our app: a transparent proxy provider and a packet filter. We just started testing with multiple users, and I'm seeing what seem to me to be very strange results, but they get less strange if the states aren't system-wide. Easiest case: I install while I'm logged in, we install the agents and daemons, start everything up, and the app then goes to activate both extensions. This starts with an OSSystemExtensionRequest for each, and when the completion delegate is invoked, I go to "connect" them, which is where it does the load/save of preferences. Barring the apparent timing issue I filed a feedback on, this works. If I then fast-user-switch to a second user, the agent once again starts, and goes through the same process: it creates an OSSystemExtensionRequest to load them both, the delegate gets invoked, and then it does the connection functions for each. The behaviour might change slightly if the second user is already logged in, but I lost my notes there. At the end of this, I am left with things in a weird-to-me state: For the second user (not an admin), I see three entries in Prefs/Settings > Network: one packet filter, and two TPPs. The two TPPs either appear 100% identical, in that they both have the same connection time, or one is connected and the other isn't. For the first user (an admin), I sometimes see 1, 2, or 3 entries, and the VPNs are not always shown as connected. This is new behaviour for us, so either it's something I'm doing in the connection code, or something in the OS changed. The latter seems unlikely since the machine in question is still running macOS 12.6, but I don't test multiple users very often. If the packet filter is global, and the TPP network connection is per user, this kinda makes sense (but why did we not notice it before?).
Replies: 2, Boosts: 0, Views: 366, Activity: Nov ’23
unix domain sockets are throwing "/tmp/echo.sock: write: no buffer space available" error with content filter network extension
Hi, I have installed a content filter network extension which is almost the same as https://developer.apple.com/documentation/networkextension/filtering_network_traffic. I have another app. As part of this app, I am sending messages from a server process to a client process using Unix domain sockets, almost the same as https://github.com/devlights/go-unix-domain-socket-example. If there is a little bit more network traffic then my client fails to send messages with a "write: no buffer space available" error. If I stop the content filter network extension then there is no issue. How can I handle this type of error with the network extension? Note: This is happening on both Monterey and Ventura macOS (both Intel and M1).
Replies: 3, Boosts: 0, Views: 707, Activity: Nov ’23
No localEndpoint info after starting NWConnection in macOS 14.2 (23C5030f)
We have code inside our network extension to create an NWConnection with the loopback address 127.0.0.1 as destination and a specific port number that another process is listening on. This method has been working fine until we tested it on macOS 14.2 Beta (23C5030f), where we observed the following error:

(Network) [com.apple.network:connection] nw_connection_copy_connected_local_endpoint_block_invoke [C42] Connection has no local endpoint

and accessing connection.currentPath.localEndpoint would return nil. This eventually leads to connection failure. This error is only observed with connections to the loopback address. An NWConnection created with a destination on a real address (e.g. on the en0 interface) does not have any issue. This error is not observed with all connections to the loopback address; some NWConnection objects would still contain the localEndpoint. Here is an example of all log messages we get for a specific connection:

(Network) [com.apple.network:connection] [C42 D9F43B3D-6832-4581-9B3B-12F6F5C7C408 127.0.0.1:49154 tcp, attribution: developer, context: Default Network Context (private), proc: 0D165C5B-CDFE-3F43-BC52-1DFCD61739E6, prefer no proxy] start
(Network) [com.apple.network:connection] [C42 127.0.0.1:49154 initial parent-flow ((null))] event: path:start @0.000s
(Network) [com.apple.network:connection] [C42 127.0.0.1:49154 waiting parent-flow (satisfied (Path is satisfied), viable, interface: lo0)] event: path:satisfied @0.000s, uuid: 6655EA53-47F9-4B16-85D6-7B81FA0C360E
(Network) [com.apple.network:connection] [C42 127.0.0.1:49154 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] event: flow:start_connect @0.000s
(Network) [com.apple.network:connection] nw_connection_report_state_with_handler_on_nw_queue [C42] reporting state preparing
(Network) [com.apple.network:connection] nw_socket_handle_socket_event [C42:1] Socket received CONNECTED event
(Network) [com.apple.network:connection] nw_flow_connected [C42 127.0.0.1:49154 in_progress socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] Output protocol connected (socket)
(Network) [com.apple.network:connection] [C42 127.0.0.1:49154 ready socket-flow (satisfied (Path is satisfied), viable, interface: lo0)] event: flow:finish_connect @0.000s
(Network) [com.apple.network:connection] nw_connection_report_state_with_handler_on_nw_queue [C42] reporting state ready
(Network) [com.apple.network:connection] [C42 D9F43B3D-6832-4581-9B3B-12F6F5C7C408 127.0.0.1:49154 tcp, prefer no proxy, attribution: developer] cancel
(Network) [com.apple.network:connection] nw_connection_copy_connected_local_endpoint_block_invoke [C42] Connection has no local endpoint
(Network) [com.apple.network:connection] [C42 D9F43B3D-6832-4581-9B3B-12F6F5C7C408 127.0.0.1:49154 tcp, prefer no proxy, attribution: developer] cancelled [C42 6655EA53-47F9-4B16-85D6-7B81FA0C360E <NULL><->127.0.0.1:49154] Connected Path: satisfied (Path is satisfied), interface: lo0 Privacy Stance: Not Eligible Duration: 0.001s, TCP @0.000s took 0.000s bytes in/out: 0/0, packets in/out: 0/0, rtt: 0.001s, retransmitted bytes: 0, out-of-order bytes: 0 ecn packets sent/acked/marked/lost: 0/0/0/0

Questions: Why is the loopback address special in this case, given that the issue is only observed with connections to the loopback address? What should we do in terms of updating our code inside the network extension to get this working in macOS 14.2?
Replies: 3, Boosts: 0, Views: 3.4k, Activity: Nov ’23
launchd not starting service for AD users
Apple M2 Pro, macOS 13.6 (22G120). In my system extension installer's postInstall script I have a launch agent configured for the app as below:

launchctl enable gui/$user_uid/com.mycompany.client.myproduct
launchctl bootstrap gui/501 /Library/LaunchAgents/com.mycompany.myproduct.plist

When I install the software using a local user, the service works fine without any issue and the service is listed in the 'launchctl list' command:

% launchctl list | grep -i mycompany
84714 0 com.mycompany.client.myproduct

But when I log in on the same machine using an AD (Active Directory) user, the service/agent doesn't start and I don't see any entry for the service listed in 'launchctl list'. This is what my plist file looks like:

% defaults read /Library/LaunchAgents/com.mycompany.myproduct.plist
{
    CFBundleVersion = "200.200.200.200";
    KeepAlive = 1;
    Label = "com.mycompany.client.myproduct";
    LimitLoadToSessionType = ( Aqua );
    ProgramArguments = ( "/Applications/mycompany.app/Contents/MacOS/Mycompany Module" );
    RunAtLoad = 1;
    Version = "200.200.200.200";
}

What am I missing here?
Replies: 7, Boosts: 0, Views: 826, Activity: Nov ’23
When does the NEPacketTunnelProvider popup for the user's permission get triggered
I want to understand which API triggers the popup below.

1. This code always triggers the popup after a fresh install, which makes sense:

// manager is a NETunnelProviderManager
manager.connection.startVPNTunnel(options: [:])

2. This code sometimes triggers the popup intermittently. Ideally this should either never trigger or always trigger. I tried running this code in a loop to check this behaviour; sometimes around the 50th and sometimes around the 88th execution I observed this popup.

let config = NETunnelProviderProtocol()  // declaration added for completeness; the posted snippet started at the next line
config.providerBundleIdentifier = "bundleId"
config.serverAddress = "Connection managed by app"
let manager = NETunnelProviderManager()
manager.protocolConfiguration = config
manager.localizedDescription = "xyz"
manager.saveToPreferences(completionHandler: { (saveError) -> Void in })

startVPNTunnel is not called anywhere in the 2nd code sample.
Replies: 1, Boosts: 0, Views: 355, Activity: Nov ’23
iOS: listening on tunnel interface in Network Extension
Hi, thanks to https://developer.apple.com/forums/thread/712626 I understand that NECP is protecting my Network Extension from listening on the tunnel interface provided by that Network Extension. However, what I am trying to achieve is a sort of keepalive/ping (UDP) that I send through the tunnel to monitor tunnel stability and take some measures in case tunnel quality decreases or the tunnel becomes unreliable. Is there any way to get a listening UDP socket and send UDP packets through the tunnel inside such a Network Extension?
Replies: 1, Boosts: 1, Views: 247, Activity: Nov ’23
IKEv2 VPN connection fails with IKE_SA_INIT NEIKEv2ProtocolErrorDomain "NoProposalChosen"
Hi, I often use a VPN connection by connecting through my Windows 11 PC. It would be very convenient for me to be able to connect from Mac. The VPN server is a Windows 2012 R2; the connection is created via Routing and Remote Access. The connection type is IKEv2. Authentication is by username and password only. As mentioned, Windows 11 PCs connect without problems. If I try to connect from Mac (Sonoma 14.0), the connection ends instantly with these errors in the LOG:

>>[IKE_SA_INIT R resp0 994E2089D715CEEC-F426465324CAB801] Initiator init received notify error Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}
>>IKEv2IKESA[1.1, 994E2089D715CEEC-0000000000000000] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}
>>IKEv2Session[1, 994E2089D715CEEC-0000000000000000] Failed to process IKE SA Init packet (connect)
>>IKEv2IKESA[1.1, 994E2089D715CEEC-0000000000000000] not changing state Disconnected nor error Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to process IKE SA Init packet (connect)" UserInfo={NSLocalizedDescription=PeerInvalidSyntax: Failed to process IKE SA Init packet (connect)}
ChildSA[1, (null)-(null)] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ProtocolErrorDomain Code=14 "NoProposalChosen" UserInfo={NSDebugDescription=NoProposalChosen}
Replies: 2, Boosts: 0, Views: 452, Activity: Nov ’23
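An added example, not code from the post, from macOS or from Windows RRAS, of the responder-side selection rule behind the NoProposalChosen notify in the log above (NO_PROPOSAL_CHOSEN in RFC 7296): the responder takes the first offered proposal for which it can pick one transform of every type that proposal lists, and answers with the notify when no proposal qualifies. The transform names and both peers' algorithm lists are constructed for illustration and are not either platform's real defaults. What it adds for a practitioner is the per-proposal report of which transform types have no overlap, which is the comparison to make between the server's IKEv2 policy and what the client offers when this error appears.

```python
"""IKEv2 SA_INIT proposal selection (RFC 7296 sections 2.7 and 3.3) with a mismatch explainer.

Added example, not code from the original post, from macOS or from Windows RRAS. The responder
must pick the first offered proposal for which it can select one transform of every type that
proposal contains; if none qualifies it replies NO_PROPOSAL_CHOSEN, the notify the poster's
log shows. The transform names and both peers' algorithm lists below are constructed for
illustration and are not the real defaults of either platform.
"""

ENCR, PRF, INTEG, DH = "ENCR", "PRF", "INTEG", "DH"

# Constructed initiator offer: an AEAD proposal (no INTEG transform) followed by a classic one.
CLIENT_OFFER = [
    {ENCR: ["AES-GCM-256"], PRF: ["HMAC-SHA2-256"], DH: ["19", "20", "14"]},
    {ENCR: ["AES-CBC-256", "AES-CBC-128"], PRF: ["HMAC-SHA2-256"],
     INTEG: ["HMAC-SHA2-256-128"], DH: ["19", "14"]},
]

# Constructed responder policies: a legacy-only one, and one updated to overlap the offer.
LEGACY_RESPONDER = {ENCR: ["3DES", "AES-CBC-128"], PRF: ["HMAC-SHA1"],
                    INTEG: ["HMAC-SHA1-96"], DH: ["2"]}
UPDATED_RESPONDER = {ENCR: ["AES-CBC-256", "AES-CBC-128"], PRF: ["HMAC-SHA2-256", "HMAC-SHA1"],
                     INTEG: ["HMAC-SHA2-256-128", "HMAC-SHA1-96"], DH: ["14", "2"]}


def select_proposal(offered, supported):
    """Return (proposal_number, chosen_transforms) or None for NO_PROPOSAL_CHOSEN.

    Proposals are tried in the initiator's order; within a proposal every transform type
    present must have at least one candidate the responder supports. A proposal that omits
    INTEG (combined-mode AEAD cipher) is fine as long as the responder supports that cipher.
    """
    for number, proposal in enumerate(offered, start=1):
        chosen = {}
        for ttype, candidates in proposal.items():
            pick = next((c for c in candidates if c in supported.get(ttype, [])), None)
            if pick is None:
                break                      # this proposal cannot be completed
            chosen[ttype] = pick
        else:
            return number, chosen          # every transform type matched
    return None


def explain_mismatch(offered, supported):
    """For diagnosis: per proposal, the transform types with no overlap (empty = acceptable)."""
    report = {}
    for number, proposal in enumerate(offered, start=1):
        report[number] = [ttype for ttype, cands in proposal.items()
                          if not any(c in supported.get(ttype, []) for c in cands)]
    return report


if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY_RESPONDER), ("updated", UPDATED_RESPONDER)):
        result = select_proposal(CLIENT_OFFER, policy)
        print(name, "->", "NO_PROPOSAL_CHOSEN" if result is None else result)
        if result is None:
            print("  transform types with no overlap, per proposal:",
                  explain_mismatch(CLIENT_OFFER, policy))
```

Against the legacy policy both proposals fail (the AEAD one on ENCR, PRF and DH; the classic one on PRF, INTEG and DH), which is exactly the situation that yields a NoProposalChosen notify in IKE_SA_INIT; the updated policy accepts proposal 2 with DH group 14. Only a packet capture or the server's own logging shows the real transform sets in the poster's case.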
NWPathMonitor
I have been testing a VPN app on a phone connected to Wi-Fi but with no SIM card, and a couple of times now I've noticed that NWPathMonitor reports changes to the network path in rapid succession, usually between 20 seconds and down to 2 or 3 seconds for each update, alternating between "satisfied" and "unsatisfied". Resetting the network settings seems to fix the problem. Any idea as to why this happens? Here's an excerpt from the logs:

[2023-11-13 10:18:11.379][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:18:17.355][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:18:23.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:18:44.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:18:47.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:18:50.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:18:53.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:18:56.357][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:19:02.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:19:23.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:19:26.355][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:19:29.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:19:32.357][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:19:35.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:19:38.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:19:41.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:19:47.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:19:50.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:19:53.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:20:02.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:20:05.357][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:20:17.358][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:20:20.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:20:23.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
Replies: 2, Boosts: 0, Views: 299, Activity: Nov ’23
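An added example, not code from the post or its app, that replays the log lines above through a simple hysteresis filter: a new path state is only committed after it has persisted for a hold time, which is how a tunnel manager can avoid tearing down and rebuilding the tunnel on every 3-second flap while still reacting to a real change. The hold values are assumptions; on the posted log a 5 second hold reduces 23 raw flips to 6 committed changes, and with a 10 second hold the path never stays reachable long enough to commit at all.

```python
"""Hysteresis for NWPathMonitor-style updates, replayed over the log lines in the post above.

Added example, not code from the original post or its app. It parses the posted TunnelManager
lines, treats each as a path update (reachable = satisfied), and only commits a state that
persists for at least `hold` seconds. The hold time and the debouncer are assumptions, not
anything the poster's app does.
"""
import re
from datetime import datetime, timedelta

# Log lines copied from the post (one path update each).
LOG = """\
[2023-11-13 10:18:11.379][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:18:17.355][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:18:23.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:18:44.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:18:47.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:18:50.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:18:53.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:18:56.357][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:19:02.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:19:23.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:19:26.355][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:19:29.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:19:32.357][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:19:35.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:19:38.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:19:41.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:19:47.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:19:50.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:19:53.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:20:02.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:20:05.357][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:20:17.358][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
[2023-11-13 10:20:20.356][TunnelManager][info] Status: waiting for connectivity, network unreachable.
[2023-11-13 10:20:23.356][TunnelManager][info] Status: reconnecting to se-sto-wg-001, network reachable.
"""

_LINE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\].*network (reachable|unreachable)\.$")


def parse_events(log):
    """Return [(timestamp, satisfied)] for every line that reports reachability."""
    events = []
    for line in log.splitlines():
        m = _LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group(2) == "reachable"))
    return events


class PathDebouncer:
    """Commit a path state only after it has persisted for `hold` seconds.

    A pending opposite state is confirmed when a later update shows it still held for at
    least `hold`, and dropped as a flap when the path flipped back sooner.
    """

    def __init__(self, hold_seconds):
        self.hold = timedelta(seconds=hold_seconds)
        self.state = None        # last committed state
        self.pending = None      # (state, first_seen) awaiting confirmation
        self.transitions = []    # [(timestamp, state)] committed states, baseline first

    def update(self, ts, satisfied):
        if self.state is None:                      # first observation: accept as baseline
            self.state = satisfied
            self.transitions.append((ts, satisfied))
            return
        if self.pending is not None:
            pend_state, since = self.pending
            if ts - since >= self.hold:             # pending state held long enough: commit
                self.state = pend_state
                self.transitions.append((since, pend_state))
                self.pending = None
            elif satisfied == pend_state:           # same pending state re-reported: keep waiting
                return
            else:                                   # flipped back before hold elapsed: a flap
                self.pending = None
        if satisfied != self.state:
            self.pending = (satisfied, ts)


def debounce(log, hold_seconds):
    """Replay the log through the debouncer and return the committed (timestamp, state) list."""
    d = PathDebouncer(hold_seconds)
    for ts, ok in parse_events(log):
        d.update(ts, ok)
    return d.transitions


def raw_changes(log):
    """Number of state flips in the raw updates, for comparison."""
    states = [ok for _, ok in parse_events(log)]
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


if __name__ == "__main__":
    print("raw flips:", raw_changes(LOG))
    for hold in (5, 10):
        print(f"hold={hold}s committed changes:", len(debounce(LOG, hold)) - 1)
```

In a real app the pending state would be confirmed by a timer rather than by the next update, since NWPathMonitor only calls back on change; the replay form here is enough to measure how flappy a captured log is and to choose a hold time before wiring it into the tunnel manager.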
Network Extension vs ad hoc techniques on macOS
Note: The PF side of this is now covered by TN3165 Packet Filter is not API.

Network Extension (NE) providers let you create products for VPN, content filtering, transparent proxying, and so on. Various Apple platforms support various different provider types. See TN3134 Network Extension provider deployment for the details.

On iOS NE providers are the only game in town. It’s not possible to implement products like this in any other way. On macOS, however, there are a variety of other ad hoc techniques you might use. These include:

  Packet Filter (PF) aka pfctl (see its man page)
  A utun interface (see <net/if_utun.h>)
  Network kernel extensions (NKE), aka KEXTs

People use these techniques for a variety of reasons. For example, you might have a product that predates the NE provider architecture, or you might want to reuse code that you wrote for another platform. Regardless of the reason, be aware that DTS doesn’t support these ad hoc techniques. If you’re building a product like this for macOS, create an NE provider.

We’ve adopted this policy because, in our experience, these ad hoc techniques tend to be very brittle, and thus are not supportable in the long term. A great example of this is PF. There’s no documented arbitration scheme for PF rules so, as a third-party developer, the rules you install might be incompatible with the rules set up by various macOS features, other third-party developers, the user, or the site admin.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Revision History
2028-02-09 Added a link to TN3165.
2023-11-23 First posted.
Replies: 0, Boosts: 0, Views: 395, Activity: Feb ’24