Routing Packets.

I am new to iOS development and boldly decided to work on a project using the Network Extension with the goals of intercepting all incoming packets (not exclusive to my app), creating temporary copies, passing through the original unmodified packet, and then processing the copy.

I currently have a Packet Tunnel that intercepts all IPv4 packets, but I do not know how to route them. The goal is to keep everything on the device for privacy concerns.

So I have a few questions in mind:

  1. Is a packet tunnel necessary? I am reading into the Content Filter, but I am unsure if I can use it due to Apple's own apps possibly bypassing it.

  2. Is it possible to route packets collected from the tunnel? I thought about using NE Relays, but to my knowledge I cannot use the packets I obtained to do this.

  3. Are there any references to existing implementations I can look through?

  4. Are there any other unforeseen issues I might encounter while developing this?

I can provide more information about the project I am working on if necessary. Any advice, references or sample code will be appreciated.

Thanks in advance!

Answered by DTS Engineer in 863902022
> I am new to iOS development and boldly decided to work on a project using the Network Extension

That is indeed a bold choice. Most folks start with something easier, like a tip calculator app (-:

> I do not know how to route them

Indeed. What you’re building here is a content filter [1], but you’ve chosen to implement it using a packet tunnel provider. That generally doesn’t end well. TN3120 Expected use cases for Network Extension packet tunnel providers explains that. We also touched on it in WWDC 2025 Session 234 Filter and tunnel network traffic with NetworkExtension.

The packet tunnel API was designed for folks implementing VPN. It assumes that you have a VPN server. The standard pattern is that your provider opens a connection to your VPN server, encapsulates any outgoing packets and writes them to the connection, and does the reverse for incoming packets. So far, so easy.

If you build a packet tunnel provider without a VPN server things get… well… unsupported. There are things you can do, but they are not fun to implement and have a tendency to be very brittle. Hence the whole not supported thing.

I recommend that you have another look at content filters. It’s a much easier path forward. Be aware, however, that they have significant deployment limitations on iOS. See TN3134 Network Extension provider deployment for more on that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, monitor.

I may just have to use content filters. I avoided it because I do not know what metadata is excluded. I am specifically trying to get flow-based data, including IPs, port, protocol, flags, and the length of the payload (not payload data itself). Would I be able to access all of that with the content filter?
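
The flow fields listed in the question above (IPs, ports, protocol, flags, payload length), read from a raw IPv4 packet of the kind a packet tunnel's packet flow delivers. This is an added example, not code from the thread or from Apple; `FlowRecord`, `parseIPv4` and the sample bytes are constructed for illustration, and it makes no claim about what a content filter exposes.

```swift
// Flow metadata only; no payload bytes are kept.
struct FlowRecord {
    let source, destination: String
    let proto: UInt8                          // 6 = TCP, 17 = UDP
    let sourcePort, destinationPort: UInt16?  // nil when no transport header is readable
    let tcpFlags: UInt8?                      // raw flag byte, e.g. 0x02 = SYN
    let payloadLength: Int                    // bytes after the parsed headers
}

func parseIPv4(_ packet: [UInt8]) -> FlowRecord? {
    // The fixed IPv4 header is 20 bytes and the version nibble must be 4.
    guard packet.count >= 20, packet[0] >> 4 == 4 else { return nil }
    let ihl = Int(packet[0] & 0x0F) * 4       // header length incl. options
    let totalLength = Int(packet[2]) << 8 | Int(packet[3])
    guard ihl >= 20, totalLength >= ihl, totalLength <= packet.count else { return nil }

    func be16(_ i: Int) -> UInt16 { UInt16(packet[i]) << 8 | UInt16(packet[i + 1]) }
    func dotted(_ i: Int) -> String {
        packet[i..<i + 4].map { String($0) }.joined(separator: ".")
    }
    let proto = packet[9]
    // Only the first fragment (offset 0) carries the TCP/UDP header.
    let fragmentOffset = be16(6) & 0x1FFF
    var sport: UInt16?, dport: UInt16?, flags: UInt8?
    var payload = totalLength - ihl

    if fragmentOffset == 0 {
        if proto == 6, totalLength >= ihl + 20 {
            let dataOffset = Int(packet[ihl + 12] >> 4) * 4   // TCP header incl. options
            guard dataOffset >= 20, ihl + dataOffset <= totalLength else { return nil }
            sport = be16(ihl); dport = be16(ihl + 2)
            flags = packet[ihl + 13]
            payload = totalLength - ihl - dataOffset
        } else if proto == 17, totalLength >= ihl + 8 {
            sport = be16(ihl); dport = be16(ihl + 2)
            payload = totalLength - ihl - 8
        }
    }
    return FlowRecord(source: dotted(12), destination: dotted(16), proto: proto,
                      sourcePort: sport, destinationPort: dport,
                      tcpFlags: flags, payloadLength: payload)
}

// Constructed sample: TCP SYN, 192.0.2.10:49152 -> 198.51.100.7:443 (checksums zeroed).
let sample: [UInt8] = [
    0x45, 0, 0, 0x28, 0, 0, 0x40, 0, 0x40, 0x06, 0, 0, 0xC0, 0, 0x02, 0x0A, 0xC6, 0x33, 0x64, 0x07,
    0xC0, 0x00, 0x01, 0xBB, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xFF, 0xFF, 0, 0, 0, 0]
if let flow = parseIPv4(sample) { print(flow) }
```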