WireGuard Apple VPN macOS 15.1 issue with connecting to VPN

But it does not connect to the VPN.

How far does it get:

• Does your sysex load?

• If so, is your NE provider object instantiated?

• If so, where do things go wrong within the provider?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi,

1. Yes, it loads sysex (asks for system extension permission to load).
2. Yes, NE provider is instantiated (asks for network extension permission).
3. As per API calls, we are saving VPN configurations using saveToPreferences method of NETunnelProviderManager and connecting to VPN using startTunnel method of NETunnelProviderSession. Since SIP is enabled, it is difficult to debug. But I checked by adding logs and it is like it fails in startTunnel method.

Anyway, if there is any error with the code, it should also fail in case SIP is disabled. But it works in case SIP is disabled and it does not work with SIP enabled. So, should there be any error with the code or configuration or notarization?

Even if SIP is enabled or disabled, it works fine on macOS 13.* and 14.*. But in the case of macOS 15.1, it works if SIP is disabled and not if SIP is enabled. macOS 15.0 did not work in either case.

NE provider is instantiated (asks for network extension permission).

Ah, sorry being unclear. I was asking about the ‘first light’ log points that I discuss in Debugging a Network Extension Provider. In this case you want one in both the sysex main function and in the provider’s initialiser. The first tells you whether the sysex loads and the second tells you when the NE provider is instantiated.

I just noticed that, at the start of this thread, you referenced Exporting a Developer ID Network Extension. Does that mean you’re trying to do this with a Developer ID signed extension?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, thanks for replying so quickly. Here are the details you asked for.

Let us explain all the steps that are taken during the installation of the app. This will answer all your questions.

Steps:

1. We added the log in main.swift which is in the extension. The sample code given in the post Debugging a Network Extension Provider was giving us compilation errors because WireGuard overrides its methods. So we added a simple line of code wg_log(.info, message: "abc test")

2. Build the app following the post Exporting a Developer ID Network Extension. Yes, we are using a Developer ID signed extension.

3. Copy the app to the /Applications folder and run it.

4. First, we ask for the system extension permission. Once the user allows it to load, we proceed with NE. Yes, the system extension is loading. We checked it using the terminal command "systemextensionsctl list" which shows "[activated enabled]".

5. While loading the NE, it asks the user for permission to load it. Once the user gives approval for the NE, it prints the log to the console app as mentioned in step 1. This works fine in both cases of SIP enabled and disabled. But the VPN connects only in case of SIP disabled and not if SIP enabled in macOS 15.1.

The strange thing is that regardless of whether SIP is enabled or disabled, it works fine in macOS 13.* and 14.*. But in case of macOS 15.1, it works if SIP is disabled and not if SIP is enabled. macOS 15.0 did not work in either case.

But in case of macOS 15.1, it works if SIP is disabled and not if SIP is enabled. macOS 15.0 did not work in either case.

Yeah, I don’t have a ready explanation for that. But I wanna make sure you’re on the right path before I dig into it.

Yes, we are using a Developer ID signed extension.

OK. Then are you going through this process to test what your users will see? Or are you doing this during development?

I ask because:

• To test what you’re using will see, you have to notarise the app. In Testing a Notarised Product I discuss the process I use for this sort of test.

• If you’re doing this during development, I recommend that you switch to Apple Development signing. I explain why in The Care and Feeding of Developer ID.

Regarding step 5, were you able to see add a ‘first light’ log point to your provider’s initialiser? If so, did you see it?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

ravikaradbhajne Can you please provide me your email. I am developing same functionality and have same issue