PacketTunnelProvider not work

App & System Services Networking
vivianw OP
Created Mar ’17
Replies 15
Boosts 0
Views 3.5k
Participants 2

I check the projiect setting as this:

My main app and an extension entitlements is same as flow:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<array>

<string>packet-tunnel-provider</string>

<string>app-proxy-provider</string>

<string>content-filter-provider</string>

</array>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<array>

<string>allow-vpn</string>

</array>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<true/>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<array>

<string>group.com.myTunnel.testTunnel</string>

</array>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<array>

<string>$(AppIdentifierPrefix)com.myTunnel.testTunnel</string>

</array>

</plist>

My testTunnel.app.xcent is flow:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-/

<plist version="1.0">

<dict>

<key>com.apple.application-identifier</key>

<string>H3DPC4EH35.com.myTunnel.testTunnel</string>

<key>com.apple.developer.networking.networkextension</key>

<array>

<string>packet-tunnel-provider</string>

<string>app-proxy-provider</string>

<string>content-filter-provider</string>

</array>

<key>com.apple.developer.networking.vpn.api</key>

<array>

<string>allow-vpn</string>

</array>

<key>com.apple.developer.team-identifier</key>

<string>H3DPC4EH35</string>

<key>com.apple.security.app-sandbox</key>

<true/>

<key>com.apple.security.application-groups</key>

<array>

<string>group.com.myTunnel.testTunnel</string>

</array>

<key>keychain-access-groups</key>

<array>

<string>H3DPC4EH35.com.myTunnel.testTunnel</string>

</array>

</dict>

</plist>


I involk startTunnelWithOptions like flow:

_gTunnelManager = tmpmanager;

NETunnelProviderSession *psession = [_gTunnelManager connection];

NSMutableDictionary *options = [[NSMutableDictionary alloc] init];

NSError *err;

[psession startTunnelWithOptions:options andReturnError:&err];

if (err)

{

_gTunnelManager = nil;

NSLog(@"startTunnelWithOptions error: %@", err);

}

else

{

NSLog(@"_gTunnelManager : %@", _gTunnelManager);

NSLog(@"session status: %ld", psession.status);

NSLog(@"openAppleTun success");

}

My PacketTunnelProvider code like flow:

class PacketTunnelProvider: NEPacketTunnelProvider


override func startTunnel(options: [String : NSObject]? = nil, completionHandler: @escaping (Error?) -> Void) {

NSLog("startTunnel enter")

let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress:"0.0.0.0")

self.setTunnelNetworkSettings(settings, completionHandler: {(error:Error?) in

if (error != nil){

NSLog("startTunnel error:\(error)")

}else{

NSLog("startTunnel success")

}

})

Error tempErr;

completionHandler(tempErr)

}


But when run , the Debug is out put is:

2017-03-03 18:21:15.873611 testTunnel[2767:115046] _gTunnelManager : {

localizedDescription = test VPN

enabled = YES

protocolConfiguration = {

serverAddress = <4-char-str>

disconnectOnSleep = NO

providerConfiguration = {

key = value

}

providerBundleIdentifier = com.myTunnel.testTunnel.tunnel

}

onDemandEnabled = NO

}

2017-03-03 18:21:15.873650 testTunnel[2767:115046] session status: 2

2017-03-03 18:21:15.873670 testTunnel[2767:115046] openAppleTun success


The PacketTunnelProvider is not work(the log "startTunnel enter" is not print).

XCode version:Version 8.2.1 (8C1002)

My PC version:10.12.3 (16D32)

How did I fix this?

Replies  15
Boosts  0
Views  3.5k
Participants  2
vivianw OP
Mar ’17

Is there anybody can help me?

1
DTS Engineer OP
Apple
Mar ’17

What platform are you developing for? I suspect iOS, but it’d be nice to be sure.

You should check the entitlements in the built binary; the 

.entitlements
and 
.xcent
files are inputs to the code signing process, and you want to check the output. My Debugging Entitlement Issues describes how to do this.

Make sure you check the entitlements for both the app and the provider nested within that app.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
vivianw OP
Mar ’17

The app is run in my PC(10.12.3 (16D32)).

I has check the 

.entitlements
and 
.xcent, there seems to be no incorrect.

I have put the container app and extension app entitlements, in the first postings. Also put the .xcent for container app in it.

The .xcent for extension app is flow:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-/

<plist version="1.0">

<dict>

<key>com.apple.application-identifier</key>

<string>H3DPC4EH35.com.myTunnel.testTunnel.tunnel</string>

<key>com.apple.developer.networking.networkextension</key>

<array>

<string>packet-tunnel-provider</string>

<string>app-proxy-provider</string>

<string>content-filter-provider</string>

</array>

<key>com.apple.developer.networking.vpn.api</key>

<array>

<string>allow-vpn</string>

</array>

<key>com.apple.developer.team-identifier</key>

<string>H3DPC4EH35</string>

<key>com.apple.security.app-sandbox</key>

<true/>

<key>com.apple.security.application-groups</key>

<array>

<string>group.com.myTunnel.testTunnel</string>

</array>

<key>keychain-access-groups</key>

<array>

<string>H3DPC4EH35.com.myTunnel.testTunnel.tunnel</string>

</array>

</dict>

</plist>

Is there anything i need to check?

0
DTS Engineer OP
Apple
Mar ’17

You need to dump the entitlements of the built binary, not the 

.entitlements
file or the 
.xcent
file. That means running the 
codesign
tool on the built binary of both the app and the extension nested within the app, as described in the Debugging Entitlement Issues post a referenced earlier. The is really important; the OS doesn’t look at your 
.entitlements
file or your 
.xcent
file, it looks at your built executable.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
vivianw OP
Mar ’17

I sorry,

This flow is the command codesign -d --entitlements output of the container app and extension app,there seens not incorrect.

Executable=/Users/antonycui/Library/Developer/Xcode/DerivedData/testTunnel-cnomglujrazpnvfcbkthtcznqten/Build/Products/Debug/testTunnel.app/Contents/MacOS/testTunnel

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-/

<plist version="1.0">

<dict>

<key>com.apple.application-identifier</key>

<string>H3DPC4EH35.com.myTunnel.testTunnel</string>

<key>com.apple.developer.networking.networkextension</key>

<array>

<string>packet-tunnel-provider</string>

<string>app-proxy-provider</string>

<string>content-filter-provider</string>

</array>

<key>com.apple.developer.networking.vpn.api</key>

<array>

<string>allow-vpn</string>

</array>

<key>com.apple.developer.team-identifier</key>

<string>H3DPC4EH35</string>

<key>com.apple.security.app-sandbox</key>

<true/>

<key>com.apple.security.application-groups</key>

<array>

<string>group.com.myTunnel.testTunnel</string>

</array>

<key>keychain-access-groups</key>

<array>

<string>H3DPC4EH35.com.myTunnel.testTunnel</string>

</array>

</dict>

</plist>


Executable=/Users/antonycui/Library/Developer/Xcode/DerivedData/testTunnel-cnomglujrazpnvfcbkthtcznqten/Build/Products/Debug/tunnel.appex/Contents/MacOS/tunnel

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-/

<plist version="1.0">

<dict>

<key>com.apple.application-identifier</key>

<string>H3DPC4EH35.com.myTunnel.testTunnel.tunnel</string>

<key>com.apple.developer.networking.networkextension</key>

<array>

<string>packet-tunnel-provider</string>

<string>app-proxy-provider</string>

<string>content-filter-provider</string>

</array>

<key>com.apple.developer.networking.vpn.api</key>

<array>

<string>allow-vpn</string>

</array>

<key>com.apple.developer.team-identifier</key>

<string>H3DPC4EH35</string>

<key>com.apple.security.app-sandbox</key>

<true/>

<key>com.apple.security.application-groups</key>

<array>

<string>group.com.myTunnel.testTunnel</string>

</array>

<key>keychain-access-groups</key>

<array>

<string>H3DPC4EH35.com.myTunnel.testTunnel.tunnel</string>

</array>

</dict>

</plist>

0
DTS Engineer OP
Apple
Mar ’17

OK, that looks promising. Four things:

  • Please put code and other monospace stuff in a code block; it makes things much easier to read. Use the 

    <>
    icon to add a code block.

  • You’ve dumped the entitlements of the 

    .appex
    in your build folder rather than the 
    .appex
    that’s nested within your app. If Xcode is messing up the entitlements are it copies the 
    .appex
    into your app, you won’t notice. You should re-run your second test with this path: 
    …/Build/Products/Debug/testTunnel.app/Contents/PlugIns/tunnel.appex/Contents/MacOS/tunnel
    .

  • Both your app and extension have the 

    com.apple.developer.networking.vpn.api
    entitlement. That’s only necessary if you’re using NEVPNManager to set up Personal VPN. Even if you are doing that, you should only have that entitlement on the app; your app extension can’t set up Personal VPN.

  • These dumps confirm that you’re on macOS, not iOS as I originally assumed. macOS has more flexibility, which means that certain things can get wrong that are not possible on iOS. You’ll find some macOS-specific debugging advice in this thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
vivianw OP
Mar ’17

Thanks for you suggest, there made progress for this issue. I has follow adjustment

  • I have change the system to ios 10.2.1. The MAC issue, I has submit a bug report.
  • I have change the projiect to a new projiect that refer to the project QNEPacketTunnel that your sent to me from the Email.
  • The container APP entitlement juest request com.apple.security.application-groups and com.apple.developer.networking.vpn.api.

The extension APP entitlement juest requestcom.apple.security.application-groups and com.apple.developer.networking.networkextension.

Final, the QNEPacketTunnel seens like run normally, but my test projiect is crash.

QNEPacketTunnel configuration is follow:

configuration:Optional({
    localizedDescription = QNEPacketTunnel
    enabled = YES
    protocolConfiguration = {
        serverAddress = <11-char-str>
        disconnectOnSleep = NO
        providerConfiguration = {
            dummy = 1
        }
        providerBundleIdentifier = com.example.apple.iOS.PacketTunnel.Provider
    }

My project configuration follow:

{
    localizedDescription = test VPN 
    enabled = YES
    protocolConfiguration = {
        serverAddress = <4-char-str>
        disconnectOnSleep = NO
        providerConfiguration = {
            key = value
        }
        providerBundleIdentifier = com.pass-world.tun-app
    }
    onDemandEnabled = NO
}

The crash info like this:

Path:                /private/var/containers/Bundle/Application/17DFCEB9-7C41-4506-B6D0-E688ED35DE68/pass world.app/PlugIns/tun-app.appex/tun-app
Identifier:          com.pass-world.tun-app
Version:            1 (1.0)
Code Type:          ARM (Native)
Role:                Unspecified
Parent Process:      launchd [1]
Coalition:          com.pass-world.tun-app [1097]
Date/Time:          2017-03-24 15:23:43.2572 +0800
Launch Time:        2017-03-24 15:23:42.0000 +0800
OS Version:          iPhone OS 10.2.1 (14D27)
Report Version:      104
Exception Type:  EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note:  EXC_CORPSE_NOTIFY
Triggered by Thread:  1
Application Specific Information:
abort() called
Filtered syslog:
None found
Last Exception Backtrace:
0  CoreFoundation                0x1bad8df2 __exceptionPreprocess + 126
1  libobjc.A.dylib              0x1ad3b072 objc_exception_throw + 34
2  CoreFoundation                0x1b9e95ea -[__NSDictionaryM setObject:forKey:] + 828
3  Foundation                    0x1c3c3a5a -[_NSExtensionContextVendor _setPrincipalObject:forUUID:] + 92
4  Foundation                    0x1c3c3238 __105-[_NSExtensionContextVendor _beginRequestWithExtensionItems:listenerEndpoint:withContextUUID:completion:]_block_invoke + 888
5  libdispatch.dylib            0x1b17e092 _dispatch_call_block_and_release + 6
6  libdispatch.dylib            0x1b18ae58 _dispatch_queue_serial_drain + 836
7  libdispatch.dylib            0x1b181374 _dispatch_queue_invoke + 562
8  libdispatch.dylib            0x1b18b2f0 _dispatch_queue_override_invoke + 282
9  libdispatch.dylib            0x1b18ca58 _dispatch_root_queue_drain + 374
10  libdispatch.dylib            0x1b18c87e _dispatch_worker_thread3 + 102
11  libsystem_pthread.dylib      0x1b333932 _pthread_wqthread + 1164
12  libsystem_pthread.dylib      0x1b33348c start_wqthread + 4
0
vivianw OP
Mar ’17

It seens ExtensionContextVendor can't find the NSExtensionPrincipalClass for my test projiect.I am debug the process QNEPacketTunnelProvider, the brekpoint that on the provider init has triggered, but debug the process tun-app, that breakpoint not triggered and it is crash.What wrong with the problem?

0
DTS Engineer OP
Apple
Mar ’17
Accepted Answer

The container APP entitlement juest request 

com.apple.security.application-groups
and 
com.apple.developer.networking.vpn.api
.

I’m not sure whether you’re talking about the 

.entitlements
file or the final built binary. If it’s the latter, be aware that Network Extension provider apps should have the 
com.apple.developer.networking.networkextension
entitlement on both the app and the extension nested within that app.

It seens ExtensionContextVendor can't find the NSExtensionPrincipalClass for my test project.

The first thing I’d check here is the 

Info.plist
of the provider. If you’re working Swift it should look like this: 
<key>NSExtension</key>
<dict>
    <key>NSExtensionPointIdentifier</key>
    <string>com.apple.networkextension.packet-tunnel</string>
    <key>NSExtensionPrincipalClass</key>
    <string>$(PRODUCT_MODULE_NAME).Provider</string>
</dict>

where 

Provider
is the name of your NEPacketTunnelProvider subclass. In Objective-C you should remove the leading 
$(PRODUCT_MODULE_NAME).
.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
vivianw OP
Mar ’17

Thanks,this issue is slove.

where Provider is the name of your NEPacketTunnelProvider subclass.  In Objective-C you should remove the leading $(PRODUCT_MODULE_NAME).

That my NEPacketTunnelProvider subclass is Objective-C.


that Network Extension provider apps should have the com.apple.developer.networking.networkextension entitlement on both the app and the extension nested within that app.

This seens that the container APP entitlement did not request it. Final, I did not requet the entitlement in my test project and the test project that you sned to me,

there are run normally.

But on the MAC devices, I give the above seetting, the NEPacketTunnelProvider also not work normal.I submit the bug report(31060286) has no progress. In the past few days, I has upload some files that collected when the issue is occuring on my PC.Did your held responsible for it?

0
DTS Engineer OP
Apple
Mar ’17

At this point I don’t think I’m going to be able to help you further in the limited time I have available to me on DevForums. I recommend that you open a DTS tech support incident about this, which will allow me to give your issue my full attention.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
vivianw OP
Mar ’17

Is it "I recommend that you open a DTS tech support incident about this" means submit a bug report? If yes, I have do it for MAC issue at 17-Mar.The last replay that request provider some files about sysdiagnose logging at 23-Mar, and I has did it. The progress seens slow. How to did make the progress speed up? Or Is me wrought-up?

0
DTS Engineer OP
Apple
Apr ’17

Is it “I recommend that you open a DTS tech support incident about this” means submit a bug report?

No. I work for an organisation, Developer Technical Support, that provides one-on-one help for developers, like yourself, who have run into trouble integrating their code into Apple platforms. If you follow the link I posted you’ll find lots of details on that process.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
vivianw OP
Apr ’17

Understand the meaning of ”DTS tech support incident“.I have test for the project QNEPacketTunnel in this week.It run normally some times, and it also in my test project, I can't get the reason.Is me need to open a DTS tech support incident?

0
DTS Engineer OP
Apple
Apr ’17

Is me need to open a DTS tech support incident?

It’s really up to you. If you open a DTS TSI then someone (probably me) can provide you with detailed one-on-one help for this problem. Alternatively, you can continue investigating this on your own, or via informal support channels such as DevForums.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
PacketTunnelProvider not work
First post date Last post date
 
 
Q