NEPacketTunnelProvider entitlement conflict: App Store validation vs runtime “permission denied” (Code 5/10)

I’m building a Personal VPN app (non-MDM) that uses a NEPacketTunnelProvider extension for content filtering and blocking.

When configuring the VPN locally using NETunnelProviderManager.saveToPreferences, the call fails with:

Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" Error Domain=NEVPNErrorDomain Code=5 "permission denied"

The system does prompt for VPN permission (“Would Like to Add VPN Configurations”), but the error still occurs after the user allows it.

Setup: • Main App ID – com.promisecouple.app • Extension ID – com.promisecouple.app.PromiseVPN • Capabilities – App Group + Personal VPN + Network Extensions • Main app entitlements:   com.apple.developer.networking.vpn.api = allow-vpn   com.apple.developer.networking.networkextension = packet-tunnel-provider • Extension entitlements: same + shared App Group

Problem: • If I remove the networkextension entitlement, the app runs locally without the Code 5 error. • But App Store Connect then rejects the build with:

Missing Entitlement: The bundle 'Promise.app' is missing entitlement 'com.apple.developer.networking.networkextension'.

Question:

What is the correct entitlement configuration for a Personal VPN app using NEPacketTunnelProvider (non-MDM)?

Is com.apple.developer.networking.networkextension required on the main app or only on the extension?

Why does including it cause saveToPreferences → Code 5/10 “permission denied” on device?

Environment: Xcode 26.1 (17B55), iOS 17.3+ on physical device (non-MDM) Both provisioning profiles and certificates are valid.