WireGuard Apple VPN macOS 15.1 issue with connecting to VPN

I am working on developing a Mac app (WireGuard Apple VPN) that will be distributed outside the App Store.

I have added the network extension which is included in the system extension with packet tunneling capability.

I have created a build following these steps here: https://developer.apple.com/forums/thread/737894

as per your suggestions in my accepted post: https://developer.apple.com/forums/thread/761251

It works fine in this case when the machine has SIP disabled and systemextensionsctl developer enabled.

As soon as I have made changes on the machine to disable systemextensionsctl developer and enable SIP, it loads the system extension and also asks for network extension permission. But it does not connect to the VPN.

I have copied the app to the "/Applications" directory before opening it.

This issue is specific to macOS 15.1. It works fine for macOS 14.* and 13.*. Speaking of macOS 15.0, it didn't work in both cases with SIP enabled or disabled. So, it seems that it must be a bug in macOS 15.0 and it seems that this bug was partially fixed in macOS 15.1. Is that right?

I am currently planning to distribute the app to testers for final testing before rolling it out to a wider audience.

Am I missing something? Thanks in advance.

But it does not connect to the VPN.

How far does it get:

  • Does your sysex load?

  • If so, is your NE provider object instantiated?

  • If so, where do things go wrong within the provider?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi,

  1. Yes, it loads sysex (asks for system extension permission to load).
  2. Yes, NE provider is instantiated (asks for network extension permission).
  3. As per API calls, we are saving VPN configurations using the saveToPreferences method of NETunnelProviderManager and connecting to the VPN using the startTunnel method of NETunnelProviderSession. Since SIP is enabled, it is difficult to debug. But I checked by adding logs and it looks like it fails in the startTunnel method.

Anyway, if there is any error with the code, it should also fail in case SIP is disabled. But it works in case SIP is disabled and it does not work with SIP enabled. So, should there be any error with the code or configuration or notarization?

Even if SIP is enabled or disabled, it works fine on macOS 13.* and 14.*. But in the case of macOS 15.1, it works if SIP is disabled and not if SIP is enabled. macOS 15.0 did not work in either case.

NE provider is instantiated (asks for network extension permission).

Ah, sorry for being unclear. I was asking about the ‘first light’ log points that I discuss in Debugging a Network Extension Provider. In this case you want one in both the sysex main function and in the provider’s initialiser. The first tells you whether the sysex loads and the second tells you when the NE provider is instantiated.

I just noticed that, at the start of this thread, you referenced Exporting a Developer ID Network Extension. Does that mean you’re trying to do this with a Developer ID signed extension?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, thanks for replying so quickly. Here are the details you asked for.

Let us explain all the steps that are taken during the installation of the app. This will answer all your questions.

Steps:

  1. We added the log in main.swift, which is in the extension. The sample code given in the post Debugging a Network Extension Provider was giving us compilation errors because WireGuard overrides its methods. So we added a simple line of code: wg_log(.info, message: "abc test")

  2. Build the app following the post Exporting a Developer ID Network Extension. Yes, we are using a Developer ID signed extension.

  3. Copy the app to the /Applications folder and run it.

  4. First, we ask for the system extension permission. Once the user allows it to load, we proceed with NE. Yes, the system extension is loading. We checked it using the terminal command "systemextensionsctl list" which shows "[activated enabled]".

  5. While loading the NE, it asks the user for permission to load it. Once the user gives approval for the NE, it prints the log to the Console app as mentioned in step 1. This works fine with SIP both enabled and disabled. But on macOS 15.1 the VPN connects only with SIP disabled, not with SIP enabled.

The strange thing is that regardless of whether SIP is enabled or disabled, it works fine in macOS 13.* and 14.*. But in the case of macOS 15.1, it works if SIP is disabled and not if SIP is enabled. macOS 15.0 did not work in either case.

But in the case of macOS 15.1, it works if SIP is disabled and not if SIP is enabled. macOS 15.0 did not work in either case.

Yeah, I don’t have a ready explanation for that. But I wanna make sure you’re on the right path before I dig into it.

Yes, we are using a Developer ID signed extension.

OK. Then are you going through this process to test what your users will see? Or are you doing this during development?

I ask because:

Regarding step 5, were you able to add a ‘first light’ log point to your provider’s initialiser? If so, did you see it?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
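A worked version of the ‘first light’ log points and the app-side start path discussed in this thread, as an added example (not code from the thread, from Apple, or from the WireGuard project); the subsystem names, file layout and logger names are assumptions:

```swift
// --- 1. Extension target, main.swift: sysex "first light" ---
import Foundation
import NetworkExtension
import os
// Assumed subsystem name; use the extension's bundle identifier.
let vpnLog = Logger(subsystem: "com.example.wgapp.extension", category: "lifecycle")
vpnLog.info("sysex main: first light")      // fires as soon as the sysex process starts
autoreleasepool {
    NEProvider.startSystemExtensionMode()   // NE now creates the provider on demand
}
dispatchMain()

// --- 2. Extension target, PacketTunnelProvider.swift: provider "first light" ---
final class PacketTunnelProvider: NEPacketTunnelProvider {
    override init() {
        vpnLog.info("provider init: first light") // proves NE instantiated the provider
        super.init()
    }
    override func startTunnel(options: [String: Any]?,
                              completionHandler: @escaping (Error?) -> Void) {
        vpnLog.info("startTunnel entered")
        // WireGuard adapter setup goes here; log each step and pass any failure
        // to completionHandler so the app sees it as a status change.
        completionHandler(nil)
    }
}

// --- 3. App target (separate module, imports NetworkExtension and os) ---
let appLog = Logger(subsystem: "com.example.wgapp", category: "tunnel")
func startTunnel(using manager: NETunnelProviderManager) {
    // Watch status transitions; a failing provider shows connecting -> disconnected.
    NotificationCenter.default.addObserver(forName: .NEVPNStatusDidChange,
                                           object: manager.connection, queue: .main) { _ in
        appLog.info("vpn status: \(manager.connection.status.rawValue)")
    }
    // Reload before starting: a manager saved earlier may be stale or disabled.
    manager.loadFromPreferences { error in
        if let error = error {
            appLog.error("loadFromPreferences: \(error.localizedDescription, privacy: .public)")
            return
        }
        guard manager.isEnabled else { appLog.error("configuration saved but not enabled"); return }
        do {
            try manager.connection.startVPNTunnel()  // same path as NETunnelProviderSession.startTunnel
        } catch {
            appLog.error("startVPNTunnel threw: \(error.localizedDescription, privacy: .public)")
        }
    }
}
```

With SIP enabled you cannot attach a debugger to the extension, but these entries still show up in Console.app or via `log stream --predicate 'subsystem BEGINSWITH "com.example.wgapp"' --level info`. Whichever ‘first light’ line is missing tells you the stage (sysex launch, provider creation, or startTunnel) at which things stop.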

ravikaradbhajne Can you please provide me your email? I am developing the same functionality and have the same issue.
