Post not yet marked as solved
Hello,
I have some question about the usage of the function:
func update(NEFilterSocketFlow, using: NEFilterDataVerdict, for: NETrafficDirection)
(https://developer.apple.com/documentation/networkextension/nefilterdataprovider/3543400-update)
provided by the NEFilterDataProvider class of the content filter network extension.
If I understand correctly, this function can be used on an instance of NEFilterDataProvider to update an already issued verdict for a network flow. By "issuing verdict" I mean returning any of .allow()/.drop()/.init(pass: peek:) in handleNewFlow/handleInboundData/handleOutboundData
However, I am having difficulty with it. My workflow involves maintaining an array of currently active flows. Flows are inserted in handleNewFlow() and they are deleted when handleReport(report: NEFilterReport) with event flowClosed is called (flow identification is based on their UUID). Then, at some point in future, based on our business logic, I iterate through the container of "active flows" and attempt to call func update(NEFilterSocketFlow, using: NEFilterDataVerdict, for: NETrafficDirection) on all of them, with intention of changing the already issued verdict.
However, calling that function seems to have no effect. Am I using it the wrong way? What is the intended usage? Is it even possible to update verdict of already allowed or postponed by .init(peek:pass:) flows?
The issue I'm trying to solve is that we evaluate flows based on our business logic and return either .drop() or .init(pass: peek:) verdicts for them. Sometimes, we want to reevaluate the .init(pass: peek:) verdict immediately, which is when we attempt to call the update() function and provide a new .init(pass:peek) or .drop() verdict.
The main objective is to promptly drop certain flows, particularly those awaiting further data evaluation due to .init(pass: peek), immediately on demand.
Thanks.
Post not yet marked as solved
I am working on a VPN app featuring Wireguard. The app was working fine. I planned to make a Framework for the Wireguard Target, Network Extension Target and the Code managing VPN, Now after removing all errors, resolving Bundle IDs and making all the targets compatible to iOS 16.0, I am getting this error in the Settings app as shown in the following
In short, same code is not working when moved into the framework.
I have read the similar thread talking about lowering the minimum deployments. All of my minimum deployments are set to iOS 16.0.
Any suggestions would be appreciated.
Thanking you in anticipation.
Ali.
Post not yet marked as solved
Hey everyone,
I'm currently working on an app where I've already implemented a packet tunnel provider. Now, I'm looking to introduce a content filter. One crucial feature I need is the ability to read the bundle ID of the app originating the network flows.
However, I've hit a roadblock when combining both components; When I run the content filter sans packet tunnel provider, I can read the originating app's bundle ID for network flows just fine. But when I add packet tunnel provider, the app's bundle ID defaults to my own app's bundle ID, which is unexpected.
Has anyone else encountered this? Any thoughts on why it's happening or how to fix it?
Cheers!
Post not yet marked as solved
How can you change the behaviour of the system resolver on iOS?
need help eskimo..!
Post not yet marked as solved
On the [documentation page](Implement a completely custom DNS proxying protocol) it says
For example, a DNS proxy provider might:
Implement a completely custom DNS proxying protocol
I would like to add some filtering logic to the NEDNSProxyProvider (for example, return nxdomain if the flow is not passing the filtering process). Is it possible to implement with NEDNSProxyProvider? It also says that
func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool
from NEDNSProxyProvider returns a Boolean value set to true if the proxy implementation decides to handle the flow, or false if it instead decides to terminate the flow link. Does it mean that the filtering logic could be added here by just returning false for the flows that are not matching the rules?
Because I first tried to handle UDP flows like this in handleNewFlow(_ flow: NEAppProxyUDPFlow) function and form my own packets in connection.transferData, by first passing empty Data object and then by setting RCODE to 3, which is supposedly a nxdomain response code. However, both implementations didn't work: even though I was getting logs about handling failure, the flow was still able to go through.
try await flow.open(withLocalEndpoint: flow.localEndpoint as? NWHostEndpoint)
let datagrams = try await flow.readDatagrams()
let results = try await datagrams.parallelMap {
let connection = try DatagramConnection($0)
return try await connection.transferData()
}
try await flow.writeDatagrams(results)
flow.closeReadWithError(nil)
flow.closeWriteWithError(nil)
I am new to NEDNSProxyProvider and my networking knowledge is on a pretty basic level, so I would be very grateful to hear any suggestions. Thank you!
I am trying to add DNSProxy configuration using .mobileconfig and MDM on supervised device. I have Content Filter payload in the same configuration file that works as expected, however I was unable to start my DNSProxy. My app has 3 extension targets for Filter Data/Control Providers and DNSProxy extension.
Here is my DNSProxy payload:
<dict>
<key>AppBundleIdentifier</key>
<string>my.app.bundle.id</string>
<key>PayloadDescription</key>
<string>Configures DNS proxy network extension</string>
<key>PayloadDisplayName</key>
<string>DNS Proxy</string>
<key>PayloadIdentifier</key>
<string>com.apple.dnsProxy.managed.AEE249BB-4F44-4ED9-912B-6A70CC0E01B6</string>
<key>PayloadType</key>
<string>com.apple.dnsProxy.managed</string>
<key>PayloadUUID</key>
<string>AEE249BB-4F44-4ED9-912B-6A70CC0E01B6</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>ProviderBundleIdentifier</key>
<string>my.app.bundle.id.DNS-Proxy-Extension</string>
</dict>
Any thoughts on what I might be doing wrong?
Post not yet marked as solved
I want to use Network Extension Relay to implement a system-wide proxy. First, I will setup a local http2 proxy and forward to a local http proxy. The problem is
How to implement this http2relayurl link to? Is it a regular http2 proxy protocol?
What should I pass to raw public keys? Is it a bytes like rsa public key, or is .pem, .pub like plain text string? And I will use self signed certificate, will it be a problem?
Post not yet marked as solved
Even when it is disabled (that is, our app says "don't do anything" and all it does is start logging things).
On the mac, when I try to make an outgoing audio-only call (it's a mac mini with no camera), it seems to connect as far as the outside is concerned, but nothing happens -- I get a request on my other devices, with the wrong account, and the mac mini says it's failed while the ipad or iphone keep connected.
I am logging everything I can think of in our extensions, and they don't seem to show anything of interest. And I can't figure out what to look for in the entirety of system logs. I do see Messages dropped during live streaming (use log show to see what they were)... but I'm not sure what to look for in the log show.
If I try to make a call in, it results in what seems to be an iOS FaceTime bug -- the phone tells me to log into FaceTime. Even though I am logged in.
Post not yet marked as solved
hi, I made an interface for VPN applications for iOS, and I just need to make a connection to the protocol, I wanted to use wireguard, but I can’t do it, what can you suggest me?
Post not yet marked as solved
Hello, we are developing an open source vpn program that is developed with Flutter and native parts with Swift, and we plan to publish it on the App Store soon, but the project programmers say that you must have an account to publish this app on the App Store. On the other hand, my other friends say that this is not the case, and to publish a vpn app, only one Apple Developer account is enough, and there is no need for a business account!
Post not yet marked as solved
Hi, I was working on some new filtering logic for my Content Filter that I would like to add. It involves making requests to remote DNS resolvers. Is it possible to use it within sync override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict of the NEFilterDataProvider?
As of right now, I have a concept working in Command Line Tool and playground, however, when I try to add working module to the main project, it's not working (connections are not loading).
Function that makes requests to the servers: In this function I use DispatchGroup and notify for non-main queue
@available(iOS 12, *)
public class NetworkService {
private let nonMainQueue: DispatchQueue = DispatchQueue(label: "non-main-queue")
func isBlocked(hostname: String, completion: @escaping (Bool) -> Void) {
var isAnyBlocked = false
let group = DispatchGroup()
for server in servers {
group.enter()
let endpoint = NWEndpoint.Host(server)
query(host: endpoint, domain: hostname, queue: .global()) { response, error in
defer {
group.leave()
}
/*
* some code that determines the filtering logic
* if condition is true => isAnyBlocked = true & return
*/
}
}
group.notify(queue: nonMainQueue) {
completion(isAnyBlocked)
}
}
}
And, for example, in playground Semaphores make it work as expected, but the same approach doesn't work with the NEFilterDataProvider
playground code sample
let hostname = "google.com"
func returnResponse() -> String {
var result = ""
let semaphore = DispatchSemaphore(value: 0)
DispatchQueue.global().async {
NetworkService.isBlocked(hostname: hostname) { isBlocked in
result = isBlocked ? "blocked" : "allowed"
semaphore.signal()
}
}
semaphore.wait()
return result
}
print(returnResponse())
Output: allowed
Post not yet marked as solved
MacOS Version: 14.3 (23D56)
In my testing of PacketTunnelProvider on MacOS I have observed that when I do a system shutdown or reboot, PacketTunnelProvider::stopTunnelWithReason() is getting called with reason: NEProviderStopReasonUserInitiated. Note: when I try to disconnect the VPN from system settings PacketTunnelProvider::stopTunnelWithReason() is called with the same reason: NEProviderStopReasonUserInitiated.
I am facing an issue here to identify what caused PacketTunnelProvider::stopTunnelWithReason(), system shutdown or any user action?
Post not yet marked as solved
Description:
I am experiencing a persistent issue with establishing a VPN connection through a custom app I've developed using Swift. While the VPN configuration appears to be loaded successfully, attempts to connect result in immediate disconnection. Here are the details:
Problem Summary:
I have implemented a VPN connection using Swift with the NetworkExtension and TunnelKit frameworks. My application successfully loads the VPN configuration, but when attempting to connect, the VPN status quickly changes from connecting to disconnected without ever achieving a stable connection. Manually attempting to toggle the connection from device settings results in the toggle switching off as soon as it is turned on. The console logs indicate a transition from 'connecting' to 'disconnected' almost simultaneously.
Technical Details:
Here is an overview of the relevant part of the code used for setting up and managing the VPN connection:
import TunnelKitOpenVPNCore
import NetworkExtension
import TunnelKit
class VPNManager {
static let shared = VPNManager()
private var providerManager: NETunnelProviderManager?
init() {
NotificationCenter.default.addObserver(self, selector: #selector(vpnStatusDidChange), name: .NEVPNStatusDidChange, object: nil)
}
deinit {
NotificationCenter.default.removeObserver(self)
}
@objc func vpnStatusDidChange(notification: Notification) {
guard let status = self.providerManager?.connection.status else { return }
switch status {
case .connecting:
print("VPN is connecting")
case .connected:
print("VPN is connected")
case .disconnecting:
print("VPN is disconnecting")
case .disconnected:
print("VPN is disconnected")
case .invalid:
print("VPN configuration is invalid")
case .reasserting:
print("VPN is reasserting")
@unknown default:
print("Unknown VPN status")
}
}
func loadAndCreateVPNProfile(completion: @escaping (Bool, Error?) -> Void) {
self.providerManager = NETunnelProviderManager()
guard let ovpnURL = Bundle.main.url(forResource: "client", withExtension: "ovpn"),
let ovpnContents = try? String(contentsOf: ovpnURL) else {
completion(false, NSError(domain: "VPNManagerError", code: 1, userInfo: [NSLocalizedDescriptionKey: "Configuration file could not be read or found."]))
return
}
// Parsing and configuration logic here...
self.providerManager?.saveToPreferences { error in
if let error = error {
print("Error saving preferences: \(error.localizedDescription)")
completion(false, error)
} else {
print("VPN profile saved successfully.")
completion(true, nil)
}
}
}
func connect() {
self.providerManager?.loadFromPreferences { [weak self] error in
guard let strongSelf = self else {
print("Reference to VPNManager lost.")
return
}
if let error = error {
print("Failed to load preferences: \(error.localizedDescription)")
return
}
do {
try strongSelf.providerManager?.connection.startVPNTunnel()
} catch NEVPNError.configurationInvalid {
print("VPN Configuration is invalid.")
} catch NEVPNError.configurationDisabled {
print("VPN Configuration is disabled.")
} catch let error {
print("Unexpected error: \(error.localizedDescription)")
}
}
}
func disconnect() {
providerManager?.connection.stopVPNTunnel()
}
}
Post not yet marked as solved
hello everyone, I want to create VPN app with swiftUI but i do not know where to start. I have already created some beautiful UI but now i want to configurate network to connect another country server. any suggestions?
Post not yet marked as solved
We want to display our application name should be suggested on wifi network which are insecure.
Similar like following:
Please suggest, which class or extension we can use for achieve this.
Post not yet marked as solved
HI Team,
We have recently observed a network issue, followed by device hang-ups when users come out of sleep while using the Transparent app proxy provider in Sonoma 14.4. and users are required to restart the system to resolve the problem.
In the client logs, we observed that State:/Network/Global/IPv4 does not have any PrimaryInterface and there is no internet connectivity, although the internet works fine on other devices.
this issue start coming in sonoma 14.4 and happen with Transparent app proxy provider.
We are currently unable to pinpoint the exact issue. Are there any known issues with Sonoma 14.4?
Post not yet marked as solved
I've implemented a NEPacketTunnelProvider implementation, but I can't see any packets in packet flow. Here is the settings
override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) {
...
let networkSettings = self.initTunnelSettings()
setTunnelNetworkSettings(networkSettings) { (error) in
if let error = error {
completionHandler(error)
return
}
NSLog("Proxy address: \(networkSettings.proxySettings?.httpsServer?.address)")
self.readPackets()
completionHandler(nil)
}
private func initTunnelSettings() -> NEPacketTunnelNetworkSettings {
let settings: NEPacketTunnelNetworkSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "85.182.68.10")
/* ipv4 settings */
settings.ipv4Settings = NEIPv4Settings(addresses: ["1.2.3.4"], subnetMasks: ["255.255.255.255"])
settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]
/* MTU */
settings.mtu = 1500
return settings
}
There is even more strange thing.
If I add more specific route into includedRoutes array, I can see packets from that route traffic
settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default(), NEIPv4Route(destinationAddress: "192.168.0.103", subnetMask: "255.255.255.252")]
With this changes I will see packets with the destination IP "192.168.0.103", but if change mask to 255.255.255.0 no packet in the packet flow again
settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default(), NEIPv4Route(destinationAddress: "192.168.0.103", subnetMask: "255.255.255.0")]
Anyway my goal is to route all traffic through virtual interface and get all packets in the packetFlow.
Can you help me? What should I change?
Post not yet marked as solved
I work on an app that includes a network extension. The app is essentially just to activate the extension, and the extension typically has long-running background sessions. Analyzing/monitoring metrics for the network extension is very important for us. However, in the Xcode Organizer screen, only the app itself is shown in the drop down menu - the associated network extension is not an option.
For Xcode Organizer screens like Termination metrics and Battery Usage metrics, does the app's background metrics include the network extension, or just the app itself? If just the app, is there any way to get these metrics for the network extension?
Previously, I added a post about the problem with NEFilterManager configuration. Since then, I explored the SimpleTunnel example project and I changed NEFilterManager setup to my own and it still worked well. Now, I simplified the code to just test that Content Filter is starting, but unfortunately it's displayed as 'Invalid' in System Settings.
Here are the samples of my code, but I still don't understand what I am doing wrong here. I would be very grateful for any help.
Test View
struct ContentFilterView: View {
@ObservedObject var vm = FilterManager.shared
@State private var toggleState = false
var body: some View {
VStack {
Toggle("Filter Status", isOn: $toggleState)
.padding()
.onChange(of: toggleState) { status in
vm.setupFilter(with: status)
}
}
.onAppear {
vm.loadFilterConfiguration { success in
if success {
print("loadFilterConfiguration is successful")
toggleState = vm.isEnabled ?? false
print("NEFilterManager config: \(String(describing: NEFilterManager.shared().providerConfiguration?.organization))")
} else {
print("loadFilterConfiguration failed")
toggleState = false
}
}
}
}
}
FilterManager
class FilterManager: ObservableObject {
@Published
private(set) var isEnabled: Bool? = nil
// MARK: - Properties
private let manager = NEFilterManager.shared()
private var subs = Set<AnyCancellable>()
static let shared = FilterManager()
private init() {
manager.isEnabledPublisher()
.receive(on: DispatchQueue.main)
.sink(receiveValue: { [weak self] isEnabled in
self?.setIsEnabled(isEnabled)
})
.store(in: &subs)
}
public func setupFilter(with status: Bool) {
if status && manager.providerConfiguration == nil {
let newConfiguration = NEFilterProviderConfiguration()
newConfiguration.username = "TestUser"
newConfiguration.organization = "Test Inc."
newConfiguration.filterBrowsers = true
newConfiguration.filterSockets = true
manager.providerConfiguration = newConfiguration
print("manager configuration saved successfully: \(String(describing: manager.providerConfiguration?.organization))")
}
manager.isEnabled = status
manager.saveToPreferences { [weak self] error in
if let error {
print("Failed to save the filter configuration: \(error.localizedDescription)")
self?.isEnabled = false
return
}
}
}
public func loadFilterConfiguration(withCompletion completion: @escaping (Bool) -> Void) {
manager.loadFromPreferences { error in
if let loadError = error {
print("Failed to load the filter configuration: \(loadError)")
completion(false)
} else {
completion(true)
}
}
}
private func setIsEnabled(_ isEnabled: Bool) {
guard self.isEnabled != isEnabled else { return }
self.isEnabled = isEnabled
print("NEFilter \(isEnabled ? "enabled" : "disabled")")
}
}
extension NEFilterManager {
// MARK: - Publisher enabling
func isEnabledPublisher() -> AnyPublisher<Bool, Never> {
NotificationCenter.default
.publisher(for: NSNotification.Name.NEFilterConfigurationDidChange)
.compactMap { [weak self] notification in
guard let self else { return nil }
return self.isEnabled
}
.eraseToAnyPublisher()
}
}
NEFilterDataProvider
class FilterDataProvider: NEFilterDataProvider {
// MARK: - Properties
/// A record of where in a particular flow the filter is looking.
var flowOffSetMapping = [URL: Int]()
/// The list of flows that should be blocked after fetching new rules.
var blockNeedRules = [String]()
/// The list of flows that should be allowed after fetching new rules.
var allowNeedRules = [String]()
override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
Log("Will handle filter flow \(flow)", prefix: "[Filter Data]")
return .drop()
}
}
NEFilterControlProvider is the same as SimpleTunnel example project NEFilterControlProvider implementation.
I also followed suggested steps mentioned in this post but it didn't seem to help.
Post not yet marked as solved
Hi,
With iOS-17.4 update, we are seeing AppProxy VPN not getting started when Apps (associated with PerAppVPN) tried to access network resource after MDM PerAppVPN profile install/update.
Looks like PerApp rules associated with applayer vpn profile are broken after profile update/install as we see internet sites working without going through VPN (appProxy network extension), this start working if we toggle WiFi and then access network resource from Apps associated with PerAppVPN.
Created FB13688086 with all the details for this iOS 17.4 and AppLayerVPN, looking for and update here and any feedback/pointers will help. Thanks
fredybotas.
