NEPacketTunnelProvider Memory Limits (iOS)

I'm playing around with a custom VPN protocol.


I've created an App with an NEPacketTunnelManager and NEPacketTunnelProvider, and I'm able to capture packets using the extension.


I'm now trying to pull in some code (gomobile, as an experiment) to actually do the work for my VPN.


Unfortunately, this quickly crosses the 15MB enforced limit for the extension and my extension gets killed by jetsam.


15MB seems really quite limited.


Is this limit really applied to the extension and any libraries used? Is there a way to get around this? I don't mean reconfiguring the limit, but rather structuring my App such that the meat of the VPN logic isn't what is checked for size in the extension.


I have seen lots of examples for NEPacketTunnelProvider (i.e., Apple's SimpleTunnel example), but not much in mitigating around the memory limits.

Is this limit really applied to the extension and any libraries used?

Yes. App extension memory limits are applied to the process as a whole, and thus to your code and any library code you use.

Be aware that the exact limit is not officially documented, although you can see this thread for some unofficial info.

I don't mean reconfiguring the limit, but rather structuring my App such that the meat of the VPN logic isn't what is checked for size in the extension.

I’m not sure what you’re getting at here. Most VPN implementations fit within the limit without too much pain because most VPN implementations are kinda simple. The major challenge is buffer management, something I covered in detail in my Network Extension Provider Memory Strategy post. Other than buffers, what else are you concerned about?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks, this is helpful.


How are things like signalling handled?


For example, let's say you wanted to implement IKEv2+IPsec as a network extension (this isn't what I'm trying to do, and yes, I know iOS already provides an IKE+IPsec stack).


Couldn't a complicated protocol such as that run up against the 15MB limit?


I would expect that the signalling portion of a VPN tunnel also needs to run in this PacketTunnelProvider process context?


Are SSL VPNs able to fit in the limit? Linking in SSL isn't an issue?

Couldn't a complicated protocol such as that run up against the 15MB limit?

If you make something arbitrarily complicated then, sure, it’s possible that you could run over this limit. However, there are lots of tunnel providers in the field right now, including many implementations that use TLS, and they generally work quite well.

I would expect that the signalling portion of a VPN tunnel also needs to run in this PacketTunnelProvider process context?

Correct.

Are SSL VPNs able to fit in the limit?

Yes.

Linking in SSL isn't an issue?

Not in and of itself. Most of the complications associated with TLS are in the code, and most developers use the built-in TLS stack which is shared between processes, and thus doesn’t have a significant memory impact. However, there are folks using third-party TLS implementations in a tunnel provider and they also seem to fit within the limit.

Keep in mind that there are good reasons for this limit. Many users have VPN running all day, every day, so memory used by the tunnel provider is not available to other apps on the system, and those are the apps the user generally cares about.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks eskimo. This is extremely helpful!
