Recently, while developing a network extension on macOS, I encountered a very interesting issue. When the App Sandbox entitlement is included, the NE (Network Extension) can be called and run normally. However, when the App Sandbox is removed, with everything else remaining unchanged, an error occurs. The logs are as follows: Failed to find an app extension with identifier app.acmeVpnM.extension and extension point com.apple.networkextension.packet-tunnel: (null) Found 0 registrations for app.acmeVpnM.extension (com.apple.networkextension.packet-tunnel) If you add app sandbox, it will run normally. this is my container app entitlement this is my NE extension (without App SandBox) I want to know the reason for this. App sandbox shouldn't be mandatory. How can I make my NE run in an environment without app sandbox?

Hello, I encountered a memory management issue while developing VPN functionality and would like to seek your advice. The specific phenomenon is as follows: Problem description: After multiple calls to the 'createTCPConnectToEndpoint' and 'create UDPSessionToEndpoint' interfaces to create connection objects, the application memory continues to grow. Even if the cancel interface is immediately called to actively release the object, the memory does not fall back. 3. Confirm that there is no other code referencing these objects, but the system does not seem to automatically reclaim memory. Attempted measures: Immediately call the cancel method after creating the object, and the memory is not reduced Use tools such as Profiler to monitor memory and confirm that objects have not been released. doubt: Is this phenomenon normal? Is there a known memory management mechanism (such as cache pooling) that causes delayed release? 2. Are there any other interfaces or methods (such as release, dispose) that need to be explicitly called? Supplementary Information: Development environment: [iOS 16, 14pm] Reproduction steps: After continuously creating connection objects, the memory grows without falling back. Could you please help confirm if there are any abnormalities and the correct memory release posture. Thank you for your support!

We have a vpn app which uses PacketTunnelProvider. We also support per-app vpn for iOS, I need help with debugging steps for an issue I am facing recently. In the per app vpn, we have split tunneling: some urls should be tunneled while others should be direct, for tunneled urls/ips everything is working as expected. But for "direct" resources, I am facing an issue where sometimes I don't get an ACK back from the browser. Leading to a series of retransmissions and eventually the direct website not loading. Some more points of data: we do get true for the writePackets call, which seems to mean that the vpn app did write the packets to the TUN interface, but we don't get an ACK from the browser. I want some way of debugging this further so I can check if the browser actually got the packets. I also suspect that there might be a loop with packets (we are reading the packets we just wrote onto TUN), but can't say for sure since the issue is intermittent, in case of a loop, I would expect it to always help. Any help would be greatly appreciated.

We are using the [NEHotspotHelper supportedNetworkInterfaces] to get the Wi-Fi interface in our app, but it occasionally crashes on some devices with the following stack trace: 0 CaptiveNetwork 0x0000000221d87a4c ServerConnectionGetHandlerQueue + 0 (ServerConnection.c:509) 1 CaptiveNetwork 0x0000000221d8577c CNPluginCopySupportedInterfaces + 180 (CNPlugin.c:457) 2 NetworkExtension 0x00000001b0446618 +[NEHotspotHelper supportedNetworkInterfaces] + 32 (NEHotspotHelper.m:563) It seems like the crash is happening on apple's api of supportedNetworkInterfaces. We would like to understand the cause of the crash.

Hello, I'm having some problems when install my Packet Tunnel network extension as system extension on my mac(macos 15.0). It stuck on Validation By Category. (it works well as NE app extension on ios) systemextensionsctl list --- com.apple.system_extension.network_extension enabled active teamID bundleID (version) name [state] <...> com.myteam.balabalabla.ne (1.0/1) - [validating by category] This is my install System Extension Code sample public class SystemExtension: NSObject, OSSystemExtensionRequestDelegate { private let forceUpdate: Bool private let inBackground: Bool private let semaphore = DispatchSemaphore(value: 0) private var result: OSSystemExtensionRequest.Result? private var properties: [OSSystemExtensionProperties]? private var error: Error? private init(_ forceUpdate: Bool = false, _ inBackground: Bool = false) { } // some request function i overwrite public func activation() throws -> OSSystemExtensionRequest.Result? { let request = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: FilePath.packageName + ".myNeName", queue: .main) request.delegate = self OSSystemExtensionManager.shared.submitRequest(request) semaphore.wait() if let error { throw error } return result } public func getProperties() throws -> [OSSystemExtensionProperties] { let request = OSSystemExtensionRequest.propertiesRequest(forExtensionWithIdentifier: FilePath.packageName + ".myNeName", queue: .main) request.delegate = self OSSystemExtensionManager.shared.submitRequest(request) semaphore.wait() if let error { throw error } return properties! } public nonisolated static func install(forceUpdate: Bool = false, inBackground: Bool = false) async throws -> OSSystemExtensionRequest.Result? { try await Task.detached { try SystemExtension(forceUpdate, inBackground).activation() }.result.get() } public nonisolated static func uninstall() async throws -> OSSystemExtensionRequest.Result? { try await Task.detached { try SystemExtension().deactivation() }.result.get() } } // And other methods I follow this post Your Friend the System Log and use this command line to collect log. After I initiated the system extension request sudo log collect --last 5m Here is my log (),I only pasted some code snippets that caught me, full version see attachments.(only include com.apple.sysextd), if need more, plz ask me. 1. Some policy missing ```log 22:00:13.818257 `sysextd` extension mockTeamID app.balabala.com.mockbalabala (1.0/1) advancing state from staging to validating 22:00:13.818263 sysextd returning cdhash for local arch arm64 of extension app.balabala.com.mockbalabala info 2025-05-01 22:00:13.818336 sysextd Extension with identifier <private> reached state <private> 22:00:13.819185 sysextd [0x9a2034b00] activating connection: mach=false listener=false peer=false name=com.apple.CodeSigningHelper 22:00:13.819911 sysextd [0x9a2034b00] invalidated after the last release of the connection object 22:00:13.821024 sysextd making activation decision for extension with teamID teamID("mockTeamID ), identifier app.balabala.com.mockbalabala 22:00:13.821026 sysextd no related kext found for sysex `app.balabala.com.mockbalabala` 22:00:13.821027 sysextd no extension policy -- activation decision is UserOption nesessionmanager.system-extensions interrupted 22:00:14.313576 sysextd [0x9a2178280] invalidated because the client process (pid 1886) either cancelled the connection or exited 22:00:14.542154 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted 22:00:14.542319 sysextd [0x9a2178000] Re-initialization successful; calling out to event handler with XPC_ERROR_CONNECTION_INTERRUPTED 22:00:14.542351 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted 22:00:14.589375 nesessionmanager [0x6c80e4500] activating connection: mach=true listener=false peer=false name=com.apple.sysextd And when i debug the System Extension code i notice the request Error catch by didFailWithError public func request(_: OSSystemExtensionRequest, didFailWithError error: Error) { self.error = error semaphore.signal() } error is OSSystemExtensionErrorDomain code 1 This problem has been bothering me for a long time, I would appreciate any help, if need more info, comment, thank you.

Hi! I've noticed that the IP_RECVIF socket option, i.e.: int y = 1; setsockopt(fd, IPPROTO_IP, IP_RECVIF, &y, sizeof(y)); does not seem to work if the socket is proxied by a NETransparentProxyProvider type network extension: there's no ancillary data in messages received with recvmsg. As soon as I disable the network extension, recvmsg starts returning ancillary data containing the interface name. This seems to break some applications which rely on IP_RECVIF in the presence of a transparent proxy, making it, in fact, not transparent. One such example is Apple's own libresolv, which relies on IP_RECVIF and breaks if there's no ancillary data in the recvmsg result. I don't think that this is the intended behaviour, since IPV6_PKTINFO seems to work fine. I've filed a bug report (FB17586550) about this, however, I would greatly appreciate if someone could point me in the direction of a workaround.

Dear Apple: In our app, we will call the - (void) applyConfiguration:(NEHotspotConfiguration *) configuration completionHandler:(void (^)(NSError * error)) completionHandler; interface of NEHotspotConfigurationManager on Apple devices. However, we are encountering a problem where the connection to the 2.4G hotspot fails, and the error is nil when it fails. We checked the Wi-Fi air interface and found that the Apple phone does not send a probe request before connecting to the hotspot. However, we are unclear why the Apple device does not send the probe request frame. Could you please help us understand when the probe request frame is not sent during the hotspot connection and how to trigger it to send the probe request frame every time? Thank you.

Dear Apple Support Team, My app, io.cylonix.sase, has a BGAppRefreshTask (io.cylonix.sase.ios.refresh) that is canceled by dasd ~9ms after submission from a Network Extension. Please help identify the cause and suggest a solution. App Details: App ID: io.cylonix.sase iOS Version: 17.1.1 (iPhone Xs Max) Network Extension: saseWgNetworkExtension with packet-tunnel-provider entitlement Use Case: VPN app; Network Extension records file receipts in shared group UserDefaults and schedules BGAppRefreshTask to wake the main app. App Usage: High (frequently used) System State: Sufficient resources (not low on battery or memory) Issue: The task is submitted but canceled immediately with priority 10. It has never run, so rate-limiting is not an issue. ` debug 22:09:37.952749-0700 dasd Best binding found for evaluator 0x16d541720: &lt;private&gt; debug 22:09:37.954483-0700 dasd Invoking selector backgroundTaskSchedulerPermittedIdentifiersWithContext:tableID:unitID:unitBytes: on &lt;LSApplicationRecord 0x724844650&gt; default 22:09:37.955563-0700 dasd CANCELED: bgRefresh-io.cylonix.sase.ios.refresh:ABDAFA at priority 10 &lt;private&gt;!

Sometimes when adding a VPN configuration, it just redirects to the Settings app and doesn’t continue with the rest of the configuration process like prompting for passcode. But it proceeds as normal after the 2nd or 3rd try. This issue is occurring on iOS 18.5 build 22F5068a but it has been a problem over several versions now. Feedback ID: FB17458055

Hello, im currently developing proxy app with XrayCore trying to bypass APNs when tunnel us up and i found .excludeAPNs property in NETunnelProviderProtocol that works only when includeAllNetworks property is also TRUE. I wonder if there is a possible way to make APNs bypass tunnel in split tunnelling mode? because we use excludedRoutes and full tunnel is not an option

We have a VPN app built using PacketTunnelProvider and support per-app VPN on iOS. We're currently investigating an issue specific to per-app VPN configurations that use split tunneling, where some URLs are routed through the VPN tunnel while others are intended to go directly. Tunneled traffic works as expected. However, for direct traffic, we observe intermittent failures where the browser does not receive an ACK, leading to repeated retransmissions and eventual page load failures. This issue appears only in per-app VPN scenarios, and we've reproduced it across multiple MDM solutions (Intune, CEM) and multiple managed browsers. It's intermittent but frequently reproducible with common public URLs routed directly. Key observations: writePackets returns true, confirming the VPN app writes packets to the TUN interface. Despite that, the browser often fails to acknowledge receipt (no ACK), suggesting it may not receive the packet at all. We suspect a possible packet loop, where packets written to TUN are immediately read back by the app. However, due to the intermittent nature of the issue, this is hard to confirm. A consistent loop would likely result in persistent failures, not sporadic ones. We are attaching: A Wireshark summary - highlighting the missing ACK and retransmission pattern. As we cannot attach the xlsx file or a zip file, we have took the screenshots of the files names as image1, image2, image3, image4 and image5 in sequence. Dails on the iOS device and MDM environment. NETunnelProviderProtocol configuration that reproduces the issue Any guidance on how to further debug this, particularly on confirming packet delivery to the browser and identifying potential loops would be greatly appreciated. Thank you. e t

I have written the Transparent App Proxy and can capture the network flow and send it to my local server. I want to avoid any processing on the traffic outgoing from my server and establish a connection with a remote server, but instead of connecting to the remote server, it again gets captured and sent back to my local server. I am not getting any clue on how to ignore these flows originating from my server. Any pointers, API, or mechanisms that will help me?

Here's what the documentation says https://developer.apple.com/documentation/networkextension/maintaining-a-reliable-network-connection Confirm that your NEAppPushProvider implementation doesn’t create a retain cycle with itself. After you call the completionHandler that the system passes to stop(with:completionHandler:), the Network Extension framework releases your NEAppPushProvider instance. This instance typically deallocates from memory when released, but if the instance has a retain cycle with itself, it fails to deallocate and wastes memory. Failure to deallocate can also cause the system to have two or more instances of your push provider, leading to inconsistent behavior. Use Instruments or add a logging statement to deinit to verify that your NEAppPushProvider deinitializes when expected. I observe that when I turn off the wifi, the AppPushProvider subclass fully deinitializes. But when I call removeFromPreferences on the NEAppPushManager from the app, it calls stop() on my AppPushProvider subclass, but it does not initialize. Should I be alarmed by this behavior? Will this cause a memory leak? Will this cause multiple Extension/AppPushProviders to be operating concurrently? For testing, I've removed everything except for logs and some singleton calls. No closures capturing self, and no strong references of self being passed anywhere. I am also not using the debugger, and am using the console to debug.

Hello, Our app uses Network Extension / Packet Tunnel Provider to establish VPN connections on macOS and iOS. We have observed that after creating a utun device and adding any IPv4 routes (NEPacketTunnelNetworkSettings.IPv4Settings), the OS automatically adds several host routes via utun to services such as Akamai, Apple Push, etc. These routes appear to correspond to TCP flows that were active at the moment the VPN connection was established. When a particular TCP flow ends, the corresponding host route is deleted. We understand this is likely intended to avoid breaking existing TCP connections. However, we find the behavior of migrating existing TCP flows to the new utun interface simply because any IPv4 route is added somewhat questionable. This approach would make sense in a "full-tunnel" scenario — for example, when all IPv4 traffic (e.g., 0.0.0.0/0) is routed through the tunnel — but not necessarily in a "split-tunnel" configuration where only specific IPv4 routes are added. Is there any way to control or influence this behavior? Would it be possible for FlowDivert to differentiate between full-tunnel and split-tunnel cases, and only preserve existing TCP flows via utun in the full-tunnel scenario? Thank you.

I'm looking for help with a network extension filtering issue. Specifically, we have a subclass of NEFilterDataProvider that is used to filter flows based upon a set of rules, including source IP and destination IP. We've run into an issue where the source IP is frequently 0.0.0.0 (or the IPv6 equivalent) on outgoing flows. This has made it so rules based upon source IP don't work. This is also an issue as we report these connections, but we're lacking critical data. We were able to work around the issue somewhat by keeping a list of flows that we allow that we periodically check to see if the source IP is available, and then report after it becomes available. We also considered doing a "peekBytes" to allow a bit of data to flow and then recheck the flow, but we don't want to allow data leakage on connections that should be blocked because of the source IP. Is there a way to force the operating system or network extension frameworks to determine the source IP for an outbound flow without allowing any bytes to flow to the network? STEPS TO REPRODUCE Create a network filtering extension for filtering flows using NEFilterDataProvider See that when handleNewFlow: is called, the outgoing flow lacks the source IP (is 0.0.0.0) in most cases There is this post that is discussing a similar question, though for a slightly different reason. I imagine the answer to this and the other post will be related, at least as far as NEFilterDataProvider:handleNewFlow not having source IP is considered. Thanks!

Title: Loss of Internet Connectivity on iOS Device When Packet Tunnel Crashes Feedback ticket: https://feedbackassistant.apple.com/feedback/14162605 Product: iPhone 12 Version: iOS - 17.5.1 Configuration: NETunnelProviderManager Configuration Description: We are developing an iOS VPN client and have configured our packet tunnel provider according to Apple's guidelines. The configuration is as follows: includeAllNetworks = YES excludeLocalNetworks = NO enforceRoutes = NO This setup works as expected when the VPN successfully connects. However, we encounter a blocker issue where the device loses internet connectivity if the packet tunnel crashes. Steps to Reproduce: Configure the NETunnelProviderManager with the above settings. Connect the VPN, which successfully establishes a connection. Verify that resources are accessible and internet connectivity is functional. Packet tunnel to crash unexpectedly.Observe that the NE process (Packet Tunnel) restarts automatically, as expected and attempts to reconnect the VPN; however, the device now lacks internet connectivity, preventing VPN reconnection. Try accessing resources using Safari or any other internet-dependent app, resulting in an error indicating the device is not connected to the internet. Actual Results: The device loses internet connectivity after the packet tunnel crashes and fails to regain it automatically, preventing the VPN from reconnecting. Expected Results: The device should maintain internet connectivity or recover connectivity to allow the VPN to reconnect successfully after the packet tunnel process restarts. Workaround - iPhone device needs a restart to regain internet connectivity .

Feedback Ticket: FB13812251 Problem Statement: We are currently facing internet connectivity issue with our VPN application where we try to disconnect the VPN from the Packet Tunnel Network Extension using - (void)cancelTunnelWithError:(nullable NSError *)error. Which API to use to disconnect the VPN from Packet Tunnel as VPN app is not running such that device retains its internet connectivity as soon as VPN disconnects. Configuration: We have configured PacketTunnelProvider with the following settings: (NETunnelProviderManager *)tunnelProvider.protocolConfiguration.includeAllNetworks = YES; (NETunnelProviderManager *)tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO; (NETunnelProviderManager *)tunnelProvider.protocolConfiguration.enforceRoutes = NO; These settings are applied from the VPN app and allow us to successfully establish a VPN connection, with all traffic being routed through the tunnel as expected.We are setting above properties to address local net attack. Issue we are facing: However, we encounter a problem when we attempt to disconnect the VPN from. When we call the following method from PacketTunnel network extension: (void)cancelTunnelWithError:(nullable NSError *)error Upon calling this method, the VPN disconnects as expected, but the device loses all internet connectivity and is unable to access any resources. This is not the desired behavior. Observation : Interestingly, when we call the following method from the app side. The VPN disconnects and the device retains its internet connectivity. [enabledConfig.connection stopVPNTunnel]; We would like to achieve the same behavior when disconnecting the VPN from the Network Extension. So we are looking for an API that could be called from NE without causing any internet connectivity issue. Any guidance on how to resolve this issue would be greatly appreciated.

Hi, DNS resolution using libresolv (res_nquery) fails in 15.4 when connected to VPN. The same is working fine for 15.3 and lower and this happens for all the domains. The method returns -1 and res->res_h_errno is set to 2. In wireshark we can see that the DNS request is sent and server also returns the response successfully. The same works fine if we use TCP instead of UDP by setting the following option res->options |= RES_USEVC;

Hi~ I implemented network filtering on iOS using NEFilterControlProvider and NEFilterDataProvider. However, I found that their usage is restricted when distributing in the App Store. Does ADEP-based distribution allow the use of NEFilterControlProvider and NEFilterDataProvider? In TN3134, it states that NEPacketTunnelProvider requires MDM. Should I assume that NEFilterControlProvider and NEFilterDataProvider also require MDM in the same way? thanks.

Hi~ I implemented network filtering on iOS using NEFilterControlProvider and NEFilterDataProvider. However, I found that their usage is restricted when distributing through the App Store. Does ADEP-based distribution allow the use of NEFilterControlProvider and NEFilterDataProvider? In TN3134, it states that NEPacketTunnelProvider requires MDM. Should I assume that NEFilterControlProvider and NEFilterDataProvider also require MDM in the same way? Thanks