Network Extension


Customize and extend the core networking features of iOS, iPad OS, and macOS using Network Extension.

Posts under Network Extension tag (200 posts)
Network Extension Resources
General:
- DevForums tag: Network Extension
- Network Extension framework documentation
- Network Extension and VPN Glossary DevForums post
- Debugging a Network Extension Provider DevForums post
- Exporting a Developer ID Network Extension DevForums post
- Network Extension vs ad hoc techniques on macOS DevForums post
- Extra-ordinary Networking DevForums post
Wi-Fi management:
- Wi-Fi Fundamentals DevForums post
- TN3111 iOS Wi-Fi API overview technote
- How to modernize your captive network developer news post
- iOS Network Signal Strength DevForums post
See also Networking Resources.
Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Replies: 0 | Boosts: 0 | Views: 1.9k | Last activity: Nov ’23
L4 Per-App VPN is not working with iOS 18 Beta
We are not seeing any traffic from iOS to the App-Proxy extension. We have Safari domains specified in the per-app App Proxy VPN configuration that is pushed to our device. When we tap on Safari and start loading one of these domains, Safari will not load any websites with these domains. But if we load any other website with any other domain, the websites load properly. The same behavior works fine and the app receives traffic on iOS 17.5.1 and older iOS versions. The issue is observed only on iOS 18 Beta versions.
Replies: 1 | Boosts: 0 | Views: 56 | Last activity: 1h
How do I do unit tests for code using system objects?
That's probably a bad title, let's try with specifics: we have a network extension, it has some classes / functions of its own, and they, when push comes to build, depend on (for example) NEAppProxyFlow and its subclasses. The code is written in Swift, since it is the language of the future. If I want to do a unit test for my code, I need to provide something that at least looks like NEAppProxyFlow, since I can't otherwise create one. I thought I could provide my own NetworkExtension module for test case, but that... did not work well, and I still don't understand why. On the other hand, I'm really bad at making unit tests, so the odds that I'm missing something fairly obvious to most other people are pretty high.
Replies: 4 | Boosts: 0 | Views: 75 | Last activity: 34m
NEIKEv2Provider connection disconnects and includeAllNetworks
Hi all, I'm working on deploying a VPN for users of our enterprise app, using the built-in IKEv2 provider (configured either by a configuration profile or an app). I'm struggling to get the user experience right and was curious to hear if the behaviors I'm observing have been seen by other developers. The main behavior I am observing is that the client tends to randomly disconnect, and it does not attempt to reconnect. This is particularly problematic when paired with the includeAllNetworks option. Paired with includeAllNetworks:
- The device does not attempt to reconnect the tunnel.
- Once the tunnel disconnects, onDemandRules don't seem to evaluate. Even if a NEOnDemandRuleConnect rule matches the current network, the connection does not reestablish.
- All network traffic remains blocked on both WiFi and Cellular (rendering any network-dependent app unusable) until the user intervenes and toggles the connection in the Settings app.
This seems like a problematic user experience and I would be surprised if this is by design. As for the disconnects themselves, I have had a hard time correlating them to any particular network condition or protocol behavior. I've seen a connection drop after as little as 10 minutes and stay up for over 16 hours (including while the device roamed from WiFi to Cellular networks and in and out of connectivity). We confirmed with server logs that the clients were able to successfully re-key both the IKE SA and CHILD SAs. I had difficulty retrieving system logs from iOS, but on macOS I was able to observe this error from NEIKEv2Provider that lined up with one of the disconnect events: "Internal: Initiate MOBIKE failed to migrate child SAs" (server logs showed a successful rekey exchange at the same time). Thanks, Lucas
Replies: 1 | Boosts: 0 | Views: 41 | Last activity: 1h
How to deal with the traffic from NEPacketTunnelProvider?
My requirement is to create an app, and all the traffic from this app will be forwarded to relay servers (which only implement the SOCKS5 protocol); the relay server then forwards the traffic to the destination server. I have tried the two plans below:
A. I tried NEAppProxyProvider, but it seemed to work only under MDM. MDM looks very complex, so I gave it up. Actually this way is more appropriate for me.
B. The other way is NEPacketTunnelProvider. I have figured out a common solution, steps:
- configure the routes for NEPacketTunnelProvider
- get the fd from packetFlow
- start a tun2socks service to forward the traffic from the fd.
Sadly, the way of getting the traffic from the fd is not recommended by Apple officially, so the only way to deal with the traffic is handling the packets. Maybe steps:
- parse the packet
- modify the packet
- write the packet back
...
It seems even more complex than plan A. Besides, we have multiple relay servers. If there is a whole request, we can make sure all of this request's data is forwarded by the same relay server; but if there is only a packet, maybe only God can tell which relay server it should go to. We have implemented the same functionality on Android devices. Can you help me to find out which way is better on iOS devices? I would appreciate it if you could provide more advice. Thanks.
Replies: 1 | Boosts: 0 | Views: 119 | Last activity: 3d
sourceAppIdentifier is getting wrong with Sequoia Beta3
Hi, I have Mac Sequoia Beta3. I installed a Content Filter network extension, which is the same as https://developer.apple.com/documentation/networkextension/filtering_network_traffic, on my machine. When I try to connect to a machine through "ssh", NEFilterFlow.description in handleNewFlow(_ flow: NEFilterFlow) shows "sourceAppIdentifier" (process name) as "Terminal" instead of "ssh". But on other macOS versions, it shows as "ssh". Is there any issue with Sequoia Beta3, or is this expected? Thanks
Replies: 1 | Boosts: 0 | Views: 125 | Last activity: 6d
IKEv2 vpn profile with self-signed certificate
I am having two issues with an IKEv2 VPN profile and certificates, and I am using Apple Configurator to create the profile. We have a self-signed CA that consists of an intermediate/root chain. The first issue is that when I load the intermediate and/or root into the Certificates section, then, in the VPN section, select Certificate for Machine Authentication, the VPN doesn't connect, and from Console we get the error "Trust evaluate failure: [leaf MissingIntermediate]." If I load the server cert, the profile connects. I am lost as to why this works; I would assume we would need only the intermediate and/or root. The second issue I am running into is that when I put the Intermediate CA name into "Server Certificate Issuer Common Name", the VPN does not connect at all, with the server cert or not. If I can provide any more information at all, please let me know. With this being a public forum, I didn't want to include much from my organization, but I can send it privately. Thank you in advance for any assistance. Screenshot of the console error is attached
Replies: 0 | Boosts: 0 | Views: 217 | Last activity: 1w
I am applying for the NEHotspot API Entitlement with the details below, but Apple has rejected it multiple times. Can you help me understand what I am doing wrong?
Q. In how many countries are your hotspots located?
A. 1
Q. What is the approximate total number of hotspots you manage?
A. 1000
Q. Which of the following best explains the relationship between you, the app publisher, and the users of these hotspots?
A. These hotspots are free for anyone to use.
Hotspot Helper API usage
Q. A hotspot helper must claim the hotspot networks that it supports by setting a confidence value of either .low or .high when responding to the .evaluate command. See Figure 1-1 in Hotspot Network Subsystem Programming Guide for more background on this. When the helper claims a network, its display name (kNEHotspotHelperOptionDisplayName) is shown in Settings > Wi-Fi. What value do you intend to use for this?
A. BSSID (MAC)
Q. When responding to the .authenticate command, your system must interact with your hotspot to instruct it to pass traffic from the device to the wider internet. What network protocols does it use?
A. DNS, HTTP
Q. Provide any additional details about your usage to help us understand your planned implementation.
A. We are implementing the following functionalities in our project:
- Connect to a Wi-Fi hotspot with a specified SSID.
- Remove Wi-Fi configurations for specific SSIDs.
- Initialize a new hotspot configuration with the specified SSID.
Replies: 1 | Boosts: 0 | Views: 117 | Last activity: 1w
Unable to connect to Wifi AP with AccessorySetupKit
Hi, I'm trying to connect to a Wifi access point with the new AccessorySetupKit framework. At first I thought that ASK would establish the connection to the access point, but then it was mentioned in the session that I need to do that myself with NEHotspotConfigurationManager. I tried to do that, but every time I get this error:
NEHotspotConfigurationErrorDomain Code=17 "system denied configuration of the accessory network."
My AP is just a small ESP32, but I get the same results with any other AP. Looking at the logs in Console.app for my device, I see some interesting logs such as these:
Subsystem: com.apple.AccessorySetup, Category: ASAccessorySession
Received event: DADeviceEvent: type DeviceChangedDADeviceEvent: device DADevice: ID D0A7B5FB-6800-4B73-9DC4-697DDE791D2B, name 'Printer Emulator', flags AccessorySetup, SSID 'ESP32-AP', type Hi-Fi Speaker, { DADeviceAppAccessInfo: com.criboe.GBPE, ID D0A7B5FB-6800-4B73-9DC4-697DDE791D2B, state Authorized, < WiFi >, Time 2024-07-10-11:16:40.389, disConfig asID 6CC66EF2-9D12-4071-92E4-7038D741D5E5, btSv [], com.criboe.GBPE, flags 0x8 < RenameSSID >, hSPs [ "ESP32" ] }
Subsystem: com.apple.DeviceAccess, Category: DADaemonServer
[WiFi] profile not found for SSID = 'ESP32-AP'
[WiFi] profile not found for SSID = 'ESP32-AP'
[WiFi] profile not found for SSID = 'ESP32-AP'
...and many more...
Subsystem: --, Category: (wifid)
WiFiManagerAddNetworkAsync: Request to add network with content: ESP32-AP: isHidden=0, isEAP=0, isSAE=0, isWPA=0, isWEP=0, WAPI=0, type=0, enabled=(null), saveData=(null), responsiveness=(null) ((null)) isHome=Unknown, isForceFixed=0, transitionDisabledFlags=(null), foundNanIe=0, isPH=0, isPublicAirPlayNetwork=0, is6EDisabled=0, hs20=0, Channel=0
WiFiManagerAddNetworkAsync: adding ssid='ESP32-AP' bundleId='com.criboe.GBPE' appName='Camera Boy' originator='3rd Party' HS20=0
__GetNetworkWithSameSsid: network ESP32-AP not found
WiFiManagerAddNetworkAsync: 'com.criboe.GBPE' is authorized to join 'ESP32-AP: isHidden=0, isEAP=0, isSAE=0, isWPA=0, isWEP=0, WAPI=0, type=0, enabled=(null), saveData=(null), responsiveness=(null) ((null)) isHome=Unknown, isForceFixed=0, transitionDisabledFlags=(null), foundNanIe=0, isPH=0, isPublicAirPlayNetwork=0, is6EDisabled=0, hs20=0, Channel=0'
What is weird is that if I don't use ASK to first find my accessory and simply call NEHotspotConfigurationManager.shared.apply(_:) I can connect to the AP just fine. Any suggestions as to what might be wrong here?
Replies: 1 | Boosts: 0 | Views: 215 | Last activity: 1w
MDM auto-approve NETransparentProxyManager configuration
Hi Team, we are trying to set up MDM with NETransparentProxyManager to auto-approve the proxy, but it did not work. We have tried the Apple document below for NETransparentProxyManager: https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy. Attached is the config file: ApplicationProxy.VPN.mobileconfg.txt. Could you please suggest how to configure NETransparentProxyManager via MDM?
Replies: 3 | Boosts: 0 | Views: 185 | Last activity: 6d
Guideline 5.4 - VPN rejection based on data collection
Hi, we currently have an app being rejected due to Guideline 5.4 (VPN apps). The answer from App Review was a vague reference to the app not providing enough information to the user about data collection. About 6 months ago we added a modal sheet that requires agreement from the user before the app will attempt to create a VPN profile via NEVPNManager APIs. This was in response to a prior rejection, and our app was subsequently approved. Following our latest rejected update we tried to clarify if our modal was being observed and, after some back and forth, the latest rejection from App Review states that: "we still found that your app does not sufficiently explain how the app or VPN service is using data collected from users in the purpose string of VPN Configurations prompt." I have scoured the documentation and gone through all the Plist options within Xcode and can find no reference to a custom purpose/privacy string on the VPN configurations prompt. My understanding is that the content of that alert is fully controlled by the system. Has anyone else encountered this, or is anyone aware of any changes to the way VPN apps should create new connection profiles? Many thanks
Replies: 1 | Boosts: 0 | Views: 157 | Last activity: 1w
FilterDataProvider network extension binary not updating
I've followed all the advice on these forums regarding developing network extensions. I'm working on a FilterDataProvider using the SimpleFirewall example project as a starting point. The issue I run into is that the copy of the extension binary that the system manages does not get updated by the system when I copy a new application into the /Applications directory. Here's my workflow:
1. Build and run the application from Xcode. I've added a pre-run action that copies the extension into a /Applications/SysExtDev folder so I don't have to disable SIP.
2. Test & make changes to code.
3. Disable & remove the extension in Settings > Network > Filters & Proxies.
4. Build and run the application from Xcode. The new app binary loads, but the old extension binary loads.
I also notice that the app will report that the extension is already registered even when it's not present in the UI in System Settings. And when I enable the extension in the newly launched app, I don't see the full flow of confirmation dialogs, only one indicating that the app wants to filter network content. If I run:
❯ diff /Applications/SysExtDev/SimpleFirewall.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SimpleFirewall2U6G6353D3.SimpleFirewallExtension.systemextension/Contents/MacOS/com.example.apple-samplecode.SimpleFirewall2U6G6353D3.SimpleFirewallExtension /Library/SystemExtensions/44022C0D-8BBA-4783-8314-83195A516DB5/com.example.apple-samplecode.SimpleFirewall2U6G6353D3.SimpleFirewallExtension.systemextension/Contents/MacOS/com.example.apple-samplecode.SimpleFirewall2U6G6353D3.SimpleFirewallExtension
Binary files ... and ... differ
it indicates that the binaries are not the same. In order to resolve this issue I usually have to wait around for a while and/or reboot the machine. I can't find any rhyme or reason to it. I've tried removing the old app from /Applications before building the new copy, but that doesn't seem to help either.
The way I know things are going to work is if, when I launch and enable the extension, I see the full onboarding flow asking me to open Settings and allow under Privacy and Security. I have tried running
$ systemextensionsctl uninstall 2U6G6353D3 com.example.apple-samplecode.SimpleFirewall2U6G6353D3.SimpleFirewallExtension
but that requires SIP to be disabled. I'm really close to just throwing in the towel and developing with SIP disabled. However, I feel like I must be missing something. Do I need to bump the version every time? Do I need to kill the extension process with launchctl so it can be cleaned up? Do I have to tickle the launch services or sfl db? What am I missing?
Replies: 3 | Boosts: 0 | Views: 181 | Last activity: 1w
Content Filter network extension is not working with Sequoia Intel macOS
Hi, I have a Content Filter network extension. It worked successfully up to Sonoma. I tried to install and activate the same network extension on a Sequoia beta Intel Mac. But I haven't even got any user consent to activate and allow it. I haven't found any entry in Network settings. Do we need to make any changes for Sequoia macOS to make it work? Thank you.
Replies: 3 | Boosts: 0 | Views: 183 | Last activity: 1w
Efficient raw packet processing on live network traffic
Hi, I'm responsible for extending my company's firewall application with macOS support. The easiest and fastest way requires a simple API similar to netmap/nfq on Unix/Linux systems or NDIS/WinDivert on the Windows platform, where:
- all network traffic passing the NICs or Wi-Fi adapter should be forwarded to our FW application,
- the FW application should process the raw packets with its own connection tracking mechanism, modify them if needed, and generate new ones if needed,
- the FW application should inject forwarded or new packets to continue on their way.
In other words, the required API should stand between the NIC/Wi-Fi driver and the networking stack and allow packet manipulation. My questions follow. I can't decide which method to focus on further, among three alternatives:
- kext: it can satisfy the requirements, but it is deprecated, difficult to progress with, and has no guarantee of being applicable in future versions of macOS. Am I right?
- networkingdriverkit: it can satisfy the requirements. Am I right?
- networkextension: can it satisfy the requirements? Also, there is a serious performance problem as mentioned in https://developer.apple.com/forums/thread/757071.
Can anyone help me decide on the most appropriate method? Thanks.
Replies: 1 | Boosts: 0 | Views: 186 | Last activity: 1w
Connectivity lost after sleep with cellular networks
Hi, I'm using a network extension in my VPN app. I override the sleep method and send some data to my server when the method is called. I noticed that the server requests succeed when I'm connected to a Wi-Fi network and fail when I'm connected to a cellular network. Does the OS immediately block connectivity when I'm on a cellular network and the device enters sleep?
Replies: 1 | Boosts: 0 | Views: 169 | Last activity: 1w
NEMachServiceName failure to access after network extension upgrade
We have a product which uses a Network Extension (a socket filter and a packet content filter). The application contains the network extension, as well as an un-sandboxed LaunchDaemon which connects to the service at the NEMachServiceName. Occasionally, usually after an upgrade where the system extension is swapped for the new version, our un-sandboxed process isn't able to contact the network extension. From the logging, we receive the following XPC error in the unsandboxed process:
(libxpc.dylib) [com.apple.xpc:connection] [0x7fd6d0307f40] failed to do a bootstrap look-up: xpc_error=[3: No such process]
Eventually, we receive an invalidated callback on the XPC connection with the error "Couldn’t communicate with a helper application." We have confirmed that an appropriate service is running via the launchctl command, and the network extension process appears to have initialised correctly. We don't see any indication of a received connection at the Network Extension process, however (probably not surprising given the error). Once a system enters this state, repeated attempts to connect are unsuccessful and continue to produce the same error. We've also confirmed that there are no XPC codec exceptions apparent that might cause the connection to fail. I'm at a bit of a loss to explain why this failure might be occurring, other than a problem in the bootstrap/launchd being able to find the appropriate service. Is there possibly some problem with unsandboxed processes accessing the sandboxed network extension via XPC? They are both provisioned in an app group together. Is there possibly some issue where attempting to connect at a critical point during network extension installation causes it to become inaccessible? We've observed this specifically on macOS 14.5 (23F79); however, this is something we've noticed on other versions of macOS and our code. The problem isn't systematic, and systems end up in this state only occasionally.
We do seem to find some customers have more instances of this problem than others, but we haven't been successful at teasing out any common thread that might explain why.
Replies: 3 | Boosts: 0 | Views: 220 | Last activity: 4d
iOS VPN: Loss of Internet Connectivity on iOS Device post Packet Tunnel Crashes
Title: Loss of Internet Connectivity on iOS Device When Packet Tunnel Crashes
Feedback ticket: https://feedbackassistant.apple.com/feedback/14162605
Product: iPhone 12
Version: iOS 17.5.1
Configuration: NETunnelProviderManager Configuration
Description: We are developing an iOS VPN client and have configured our packet tunnel provider according to Apple's guidelines. The configuration is as follows:
includeAllNetworks = YES
excludeLocalNetworks = NO
enforceRoutes = NO
This setup works as expected when the VPN successfully connects. However, we encounter a blocker issue where the device loses internet connectivity if the packet tunnel crashes.
Steps to Reproduce:
1. Configure the NETunnelProviderManager with the above settings.
2. Connect the VPN, which successfully establishes a connection.
3. Verify that resources are accessible and internet connectivity is functional.
4. Cause the packet tunnel to crash unexpectedly. Observe that the NE process (Packet Tunnel) restarts automatically, as expected, and attempts to reconnect the VPN; however, the device now lacks internet connectivity, preventing VPN reconnection.
5. Try accessing resources using Safari or any other internet-dependent app, resulting in an error indicating the device is not connected to the internet.
Actual Results: The device loses internet connectivity after the packet tunnel crashes and fails to regain it automatically, preventing the VPN from reconnecting.
Expected Results: The device should maintain internet connectivity or recover connectivity to allow the VPN to reconnect successfully after the packet tunnel process restarts.
Workaround: the iPhone needs a restart to regain internet connectivity.
Replies: 0 | Boosts: 0 | Views: 221 | Last activity: 2w
Instruments of Xcode not showing correct memory allocation on the latest version of iOS for PacketTunnelProvider Process
We have observed for a few months that the Instruments tool in Xcode does not show correct memory allocation for the PacketTunnelProvider process on iOS 17. The memory allocation does not exceed 6-7 MB, which is not the case with iOS 16 or 15. Additionally, Instruments crashes the PacketTunnelProvider process after profiling for a few minutes. Please note that I am not running Xcode in debugger mode for the PacketTunnelProvider process along with instruments, as this is a known issue that causes the PacketTunnelProvider to be killed when both Instruments and the Xcode debugger are running. Is anyone else facing this issue and have a workaround?
Replies: 0 | Boosts: 1 | Views: 167 | Last activity: 2w
[macOS]: DNSServiceQueryRecord is not working as per document
Hi Team, We are using the transparent app proxy in macOS and resolving DNS queries using DNSServiceQueryRecord in the TAP process. According to the documentation, when passing the interfaceIndex as 0, it should be queried on all interfaces, and based on IP rules, it assigns the query to that particular interface. However, when we pass 0, it does not query any of the interfaces. We need to provide the specific interface index.
Replies: 4 | Boosts: 0 | Views: 233 | Last activity: 1w