General: DevForums tag: Network Extension Network Extension framework documentation Network Extension and VPN Glossary DevForums post Debugging a Network Extension Provider DevForums post Exporting a Developer ID Network Extension DevForums post Network Extension vs ad hoc techniques on macOS DevForums post Extra-ordinary Networking DevForums post Wi-Fi management: Wi-Fi Fundamentals DevForums post TN3111 iOS Wi-Fi API overview technote How to modernize your captive network developer news post iOS Network Signal Strength DevForums post See also Networking Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi guys,I'm developing a custom VPN client with NEPacketTunnelProvider which tunnels all device traffic. All is going well so far but I've noticed that iOS battery statistics (Settings -> Battery) is claiming that our client has consumed a significant amount of energy (10%~30%). I though it was true for a while, but then I conducted some basic testing which suggested this is more likely a statistical issue.I set up my device (rebooted with clean battery cosumption statistics) with ~80% battery capacity and started to watch "NASA Live" channel in Youtube app with 1080p60 quality, for 3 hours, and taking notes every hour. I cross referenced the data of the same scenario (same device as well) collected with our custom VPN provider enabled and disabled. I made sure when the VPN client is enabled, I can actually see the Youtube traffic tunneled. Actually the video feed can generate ~1GiB traffic per hour pretty stably. I can provide detailed numbers if necessary, but generally, after 3 hours, both scenarios showed an overal of ~50% battery consumption (from the battery indicator on the status bar on top of the phone screen), there was no significant difference in the battery consumption. However when I looked at the statistics in Settings -> Battery, the scenario without our VPN client was showing 100% battery consumption from Youtube app (which is expected), and the scenario with VPN was showing 68% for Youtube, and 32% for our VPN client app!32% battery consumption in statistics is scaring. But what confuses me is that the actual device battery consumption didn't increase. My theory is that without the VPN client, individual apps are sending out their traffic on their own so the battery consumption are calculated on their head. But now with our VPN client, we are actually sending out traffic for every applications so iOS will blame us for that part of energy consumption. I'm not sure if the theory is true but it certainly explains the behavior.I'm wondering if Apple can look at the issue at if proved to be a statistical issue then fix it. Because 10%+ battery consumption on our app would be enough to scare away our customers. We can explain to them there is no actual extra energy consumption but customers will be suspicious. Whenever they feel their phone's having a shortened battery life they'll come to see the list and they will blame us.Thanks in advance!

Hi,I create application "Connecting to WiFi in iOS"Code to connecting:Swiftlet configuration = NEHotspotConfiguration.init(ssid: "SSIDname", passphrase: "Password", isWEP: false)configuration.joinOnce = trueNEHotspotConfigurationManager.shared.apply(configuration) { (error) in if error != nil { if error?.localizedDescription == "already associated." { print("Connected") } else{ print("No Connected") } } else { print("Connected") }}and Xamarin[assembly: Dependency(typeof(WifiConnector))]namespace WiFiManager.iOS{ public class WifiConnector : IWifiConnector { public void ConnectToWifi(string ssid, string password) { var wifiManager = new NEHotspotConfigurationManager(); var wifiConfig = new NEHotspotConfiguration(ssid, password, false); wifiManager.ApplyConfiguration(wifiConfig, (error) => { if (error != null) { Console.WriteLine($"Error while connecting to WiFi network {ssid}: {error}"); } }); } }}Everything works fine but iOS always asks a question "Wants to Join Wi-Fi Network".Is there any possibility that it would not ask? For my application, this popup is a problem. Maybe list of preferred network?Thank you in advance!

I need to develop an extension that gets the current connected Wi-Fi signal strength, the app will be registered as a Hotspot Helper, but first, we need to do some testing.I don't see too much documentation about this and I don't know how to use the object.

At my app I have a SecKey which I want to sign some Data with it, and at my sever I need to do the verification process, but this time with openSSL. I didn't find any common key or any steps to achieve this between Apple Security framework and OpenSSL. For example, I've tried the following: Signing (Apple Security): let signedStrCFData = SecKeyCreateSignature(key, .rsaSignatureRaw, plaintextData, &error) Verifying (OpenSSL): ret = RSAverify(NIDrsaSignature, (const unsigned char *)challenge, (unsigned int)strlen(challenge), challengeenc, challengeenc_size, rsa); Which key to choose is not really important to me (as long as it's a reasonable signing key), so I tried multiple types of keys, but I wasn't able to do it. Any idea what I'm missing here?

Looking over the SimpleTunnel code example, how is the subclassed NEPacketTunnelProvider being used and the startTunnel() function being called? I've looked over the documentation and watched the "What's New in Network Extension and VPN" WWDC15 video and I'm not sure how it's actually started. When I do a search for "PacketTunnelProvider" I don't see any references outside the file itself aside from the NSExtensionPrincipalClass entry in the associated Info.plist. Is creating this file and having it present in a system extension enough to "activate" the PacketTunnelProvider class and call startTunnel()? What else must be done? The SimpleTunnel example uses an App Extension since it's targeting iOS. Am I correct in thinking that for the macOS it should be a System Extension?

Hi, I am trying to create an app that filters network events - whether to collect statistics, or to even block some specific flows. I see that using NEFilterDataProvider I am able to only filter UDP or TCP protocols (when filtering by .any, I see I only receive UDP/TCP). For example, I wish to see the flow of a simple ping 1.1.1.1. This of course makes the statistics partial (without ICMP packet/raw socket packets), or the flow block being bypass-able (even if with some effort), by using Raw sockets. Is there a way to add to the filtering also ICMP and RAW flows? Should I use a different provider for those?

Recently I experienced some weird issues with iOS VPN including personal VPN(IPsec VPN) and enterprise VPN(custom ssl VPN) when running some applications on both mac and iOS. I coded a network extension program which can run on both mac and iOS. In the network extension it intercepts the packets from the NEPacketTunnelFlow and encap them with a self defined header which is 16 bytes and send them via a UDP session to the remote server. test env: Xcode 12.0.1 / iOS 14.0 SDK / iPhone iOS 12.4.8 Here are some test results as following. IPSec VPN(personal VPN) which is supported natively by iOS: when running Speedtest from OOKLA it failed to test on mobile network(in my case it's 4G). The message shows ERROR Test failed to complete. Check your internet connection and try again OK There is no such issue on WIFI network. custom ssl VPN(enterprise VPN) created by using NETunnelProviderManager: On WIFI network run Roblox application on iPhone it failed when joining the server with error message Disconnected Failed to connect to the Game.(ID=17:Connection attempt failed.)(Error Code: 279) Leave I suspect it's related to the mtu setting so I tried with different tunnelOverheadBytes or mtu values:  on wifi network(my router's mtu is 1480):     work: -100/-16/20 (<=20)     not work: 21 (> 20)  on mobile network:     work:0/-16/-100(very slow)     not work: 1/2/5/10/20/21/28 (> 0)    It's weird that negative numbers work for overhead setting. And it seems on WIFI network the range of x <= 20 work for the Roblox game application( can join the server and play some games without any problems) and on mobile network the range is x <=0. Or set mtu instead of tunnelOverheadBytes:   on wifi network:     work:1480/1485/1490/1500     not work:1464/1479/1600     on mobile network:     work:1480/1485/1490/1500     not work:1464/1479/1600/2000 It seems the working value range is [1480, 1500] for both WIFI and mobile network. And also, Speedtest works on WIFI network but not on mobile network. To my understanding in the network extension we only need to set the tunnelOverheadBytes and the iOS will compute the mtu size and we don't need to care about the difference between different type of network. But actually there are differences. Now I'm totally confused. Apparently the value of tunnelOverheadBytes or mtu is quite critical for the network traffic. How to correctly set the tunnelOverheadBytes in the network extension for both WIFI and mobile network?

NEFilterDataProvider seemed to perfectly meet our needs to monitor and control a Mac's network traffic, in total and by process. But: we found out that traffic from about 50 Apple processes is excluded from being seen and controlled by NEFilterDataProvider, due to an undocumented Apple exclusion list. This is a regression from what was possible with NKEs. We believe it has a high number of drawbacks, and we already know this is negatively affecting our end users. I've covered all of the above in detail in FB8808172, also why other ways to monitor and control traffic are not alternatives we could consider for this scenario. I'd appreciate if someone at Apple could have a look as soon as possible.

While trying to add a new VPN configuration , the ios Network Extension fails for a particular device with my App with the following error default 23:34: 34.140388-0400 Adding 918D08B1-2814-47C0-AAA9-0A0A8C92049C to the loaded configurations  error 23:34:41.386023-0400 nehelper : Cannot save configuration , the total size of the NetworkExtension configuration is to large (2643248 bytes)  default 23:34:41.510241-0400 kernel memorystatus: set assertion priority(10) error The same behaviour is seen with other VPN Providers like Tunnel Bear. Question: As this issue is seen only on a particular device. Has anyone seen this issue/able to mitigate , and also shed more details why this issue happens.

Hi, how could I get the command line arguments of a process given its audit token. My app is a Content Filter Network Extension written in swift. I can obtain the audit token from NEFilterFlow but I can't figure out how to get the process arguments, I was able to get the pid from the audit token using audit_token_to_pid.

Hello! Does anybody know release date of "Family Control" capability for Distribution? iOS 15 was released, but "Family Control" is still available only for Development Distribution: We can't create Distribution provision profile for testing via TestFlight right now. Furthermore we can't proof that Content Filter Providers will be work on authorized Family Control devices without any restrictions and additional setup (see Content Filter Providers with Family Control app)

Error when activating system extension Extension not found in App bundle: perhaps App is not validly structured

In another question on this forum (https://developer.apple.com/forums/thread/124775) eskimo stated that launching a system extension from an daemon is not the right approach and that the OSSystemExtensionRequest.activationRequest API should be called from an App. My question is, does this same restriction apply to a LaunchAgent started App? If so, to ensure activation as soon as possible is the only option to use a SMLoginItemSetEnabled helper to start the App on login?

I've implemented a content filter in iOS using Network Extension with help of NEFilterDataProvider, NEFilterPacketProvider. Which works fine, getting all requests and blocking based on the requirement. But When I implement the same this in macOS, getting NEFilterManager.shared().isEnabled true means it's connected, still able to access all the sites. I notice one thing that for macOS in NEFilterProviderConfiguration, "filterBrowsers is not supported on macOS" is deprecated What does it mean?

My App is a VPN APP, use [com.apple.networkextension.packet-tunnel] extension app to provider a VPN service. A problem puzzled me for a long time: Sometimes the VPN doesn't start successfully, until the user restart the iOS System or reinstall my APP. The detail is : The user use the app normally for many times, and suddenly can't start the vpn service, the APP log show API "startVPNTunnelWithOptions" call success, and return success. but the VPN extension status(NEVPNStatus) change from Disconnect to Connecting and then nothing happen, the VPN process not started, and not any log of the VPN extension created, my VPN log is start from the init function of the class inherit from PacketTunnelProvider, so can see that the vpn process not started. My NETunnelProviderProtocol is : NETunnelProviderProtocol *tunnel = [[NETunnelProviderProtocol alloc] init]; tunnel.providerBundleIdentifier = kTunBundleId; tunnel.serverAddress = @""; tunnel.disconnectOnSleep = NO; [self.providerManager setEnabled:YES]; [self.providerManager setProtocolConfiguration:tunnel]; self.providerManager.localizedDescription = kAppName; very simple, because my app use openvpn3 to provide the vpn service，so no need to set the serverAddress. Because when this problem happened, I can't get any useful log (because APP can't get the iOS system log), so this is a really trouble for me. Could any body help !

What happens when I try to run my app with the DNS proxy provider in network extension while another app with the same extension is already running? Will it throw an error?

Explore the platforms, packaging, OS versions and device configurations for Network Extension provider deployment. View Technote TN3134 >

This issue has cropped up many times here on DevForums. Someone recently opened a DTS tech support incident about it, and I used that as an opportunity to post a definitive response here. If you have questions or comments about this, start a new thread and tag it with Network so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" iOS Network Signal Strength The iOS SDK has no general-purpose API that returns Wi-Fi or cellular signal strength in real time. Given that this has been the case for more than 10 years, it’s safe to assume that it’s not an accidental omission but a deliberate design choice. For information about the Wi-Fi APIs that are available on iOS, see TN3111 iOS Wi-Fi API overview. Network performance Most folks who ask about this are trying to use the signal strength to estimate network performance. This is a technique that I specifically recommend against. That’s because it produces both false positives and false negatives: The network signal might be weak and yet your app has excellent connectivity. For example, an iOS device on stage at WWDC might have terrible WWAN and Wi-Fi signal but that doesn’t matter because it’s connected to the Ethernet. The network signal might be strong and yet your app has very poor connectivity. For example, if you’re on a train, Wi-Fi signal might be strong in each carriage but the overall connection to the Internet is poor because it’s provided by a single over-stretched WWAN. The only good way to determine whether connectivity is good is to run a network request and see how it performs. If you’re issuing a lot of requests, use the performance of those requests to build a running estimate of how well the network is doing. Indeed, Apple practices what we preach here: This is exactly how HTTP Live Streaming works. Keep in mind that network performance can change from moment to moment. The user’s train might enter or leave a tunnel, the user might walk into a lift, and so on. If you build code to estimate the network performance, make sure it reacts to such changes. But what about this code I found on the ’net? Over the years various folks have used various unsupported techniques to get around this limitation. If you find code on the ’net that, say, uses KVC to read undocumented properties, or grovels through system logs, or walks the view hierarchy of the status bar, don’t use it. Such techniques are unsupported and, assuming they haven’t broken yet, are likely to break in the future. But what about Hotspot Helper? Hotspot Helper does have an API to read Wi-Fi signal strength, namely, the signalStrength property. However, this is not a general-purpose API. Like the rest of Hotspot Helper, this is tied to the specific use case for which it was designed. This value only updates in real time for networks that your hotspot helper is managing, as indicated by the isChosenHelper property. But what about MetricKit? MetricKit is so cool. Amongst other things, it supports the MXCellularConditionMetric payload, which holds a summary of the cellular conditions while your app was running. However, this is not a real-time signal strength value. But what if I’m working for a carrier? This post is about APIs in the iOS SDK. If you’re working for a carrier, discuss your requirements with your carrier’s contact at Apple.

I need to store auth keys somewhere, previously app network extension would store them in a shared keychain. Now we're trying to move to system extensions, for out of appstore distribution, and shared keychain will no longer work. Is it possible to write to system keychain from system extension? If yes, how do I specify that I want to use system keychain? Our current code returns errSecNotAvailable if run in System Extension instead of App Extension. The code looks like this. If uncommented, it will work from the App Extension.   NSString *teamID = [[[NSBundle mainBundle] infoDictionary] objectForKey:@"Development Team"];   NSString *groupID = [[[NSBundle mainBundle] infoDictionary] objectForKey:@"App Group ID"];   NSMutableDictionary *query = [NSMutableDictionary dictionaryWithDictionary:@{     (id)kSecClass: (id)kSecClassGenericPassword, //    (id)kSecAttrAccessGroup: [NSString stringWithFormat:@"%@.%@", teamID, groupID],     (id)kSecAttrService: groupID, //    (id)kSecAttrAccessible: (id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly   }];   [query setObject:(id)kCFBooleanTrue forKey:(id)kSecUseDataProtectionKeychain];   [query setObject:@(key) forKey:(id)kSecAttrAccount]; [query setObject:[NSData dataWithBytes:buffer length:length] forKey:(id)kSecValueData]; SecItemAdd(cfQuery, NULL);