Debugging VPN network extension connection failure.

There is a few things I would try to do here to debug this:

1. Add logging to your provider to determine if the provider is being hit:

Code Block swift
static let log = OSLog(subsystem: "com.example.myapp.packettunnel", category: "provider")
private let log: OSLog
override init() {
    self.log = Self.log
    os_log(.debug, log: self.log, "init")
    super.init()
}

2. Make sure that your container app is using a sub set bundle identifier of your NEPacketTunnelProvider. For example:

Container app: com.example.myapp
Packet Tunnel Provider: com.example.myapp.packettunnel

3. Make sure that both processes are running a Sandbox and have the correct Network System Extension Entitlements. (Include the System Extension on the container app if you are running a System Extension on macOS)

4. If you are building on macOS, make sure you build and run outside of Xcode. For example, build and run in the /Applications folder.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

I've followed your guidelines and added sandbox on both sides and set the following entitlements

On both sides :

	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>packet-tunnel-provider</string>
	</array>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>

On containing app only :

	<key>com.apple.developer.system-extension.install</key>
	<true/>

I've also changed my app and extension profiles accordingly.

But now I get that the xpc between myApp and the sysextd gets invalidated and prevent the activation of my network extension :

2021-05-26 23:57:05.250703+0300 0xa51db    Default     0x0                  30955  0    sysextd: [com.apple.sx:XPC] client activation request for com.mycompany.app.ext
2021-05-26 23:57:05.250705+0300 0xa51db    Default     0x0                  30955  0    sysextd: attempting to realize extension with identifier com.mycompany.app.ext
2021-05-26 23:57:05.252342+0300 0xa51db    Activity    0xdd5e0              30955  0    sysextd: (Security) SecTrustEvaluateIfNecessary
2021-05-26 23:57:05.255916+0300 0xa51db    Default     0x0                  30955  0    sysextd: [com.apple.sx:XPC] client connection (pid 33640) invalidated
2021-05-26 23:57:05.256149+0300 0xa518b    Default     0x0                  33640  0    myapp: com.mycompany.app.ext: Activation request failed: Extension not found in App bundle

I guess that the connection failure prevent my app from locating the extension. Any idea what leads to this connection failure ? perhaps it's the sandbox ?

Thank you for sharing these logs. It looks like the issue is here:

2021-05-26 23:57:05.250705+0300 0xa51db    Default     0x0                  30955  0    sysextd: attempting to realize extension with identifier com.mycompany.app.ext
...
2021-05-26 23:57:05.256149+0300 0xa518b    Default     0x0                  33640  0    myapp: com.mycompany.app.ext: Activation request failed: Extension not found in App bundle

What is the bundle id of your container app? Is it com.mycompany.app?

Also, how is your Network System Extension activated? Is it activated through a standard container app where the Network System Extension can be found at:

Container.app
  Contents/
    Library/
      SystemExtensions/
        com.mycompany.app.ext.systemextension

---

Matt Eaton
DTS Engineering
meaton3@apple.com

Thanks to you guidance I changed my extension target name to com.mycompany.app.ext.systemextension and now the sysextd is able to trace it, but this exposed another issue with wrong package formatting :

sysextd: system extension does not appear to belong to any extension categories

myapp: com.mycompany.app.ext: Activation request failed: Invalid extension configuration in Info.plist and/or entitlements

I saw that on another 3rd party network extension that works, the Info.plist has

        <key>CFBundlePackageType</key>
        <string>SYSX</string>

and in my extension it's defined as :

        <key>CFBundlePackageType</key>
        <string>XPC!</string>

Any idea how to change the variable that set this plist field (PRODUCT_BUNDLE_PACKAGE_TYPE)?

Also, here's the entitlements but I don't think there's any problem here :

M-C02F71G2MD6R:VPN zkabeli$ codesign -d --entitlements :- /Applications/myapp.app/Contents/Library/SystemExtensions/com.mycompany.app.ext.systemextension
Executable=/Applications/myapp.app/Contents/Library/SystemExtensions/com.mycompany.app.ext.systemextension/Contents/MacOS/com.mycompany.app.ext

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.application-identifier</key>
	<string>TEAM_ID.com.mycomapny.app.ext</string>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>app-proxy-provider</string>
		<string>content-filter-provider</string>
		<string>packet-tunnel-provider</string>
	</array>
	<key>com.apple.developer.team-identifier</key>
	<string>TEAM_ID</string>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>group.com.mycompany.vpn</string>
	</array>
	<key>com.apple.security.get-task-allow</key>
	<true/>
</dict>
</plist>

And here's the entitlement of the containing app :

M-C02F71G2MD6R:VPN zkabeli$ codesign -d --entitlements :- /Applications/myapp.app
Executable=/Applications/myapp.app/Contents/MacOS/myapp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.application-identifier</key>
	<string>TEAM_ID.com.mycompany.app</string>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>packet-tunnel-provider</string>
	</array>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
	<key>com.apple.developer.team-identifier</key>
	<string>TEAM_ID</string>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>group.com.mycompany.vpn</string>
	</array>
	<key>com.apple.security.get-task-allow</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>
	<key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
	<array>
		<string>com.apple.sysextd</string>
	</array>
</dict>
</plist>

First, you will need to add a Sandbox Entitlement to your Network System Extension as this is a requirement no matter if you are deploying to the Mac App Store or via Developer ID.

Regarding:

Any idea how to change the variable that set this plist field (PRODUCT_BUNDLE_PACKAGE_TYPE)?

I would not change this but let the system derive the package type. When you created a new target to add to your Xcode project to build your Network System Extension, did you add a XPC Service target instead of a Network System Extension (bottom)?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com