Networking

Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.

Networking Documentation

Post | Replies | Boosts | Views | Activity

PDFKit crash on iOS 17
Currently I am displaying a PDF in one of my apps using PDFKit. When I tap on the PDF view there is a strange crash related to the text range conversion. No issues with iOS 16; it seems to happen only on iOS 17:
    0x0000000117092fa1 in void PageLayout::ConvertTextRangesToStringRanges<std::__1::span<CFRange, 18446744073709551615ul>, std::__1::back_insert_iterator<std::__1::vector<CFRange, std::__1::allocator<CFRange> > > >(std::__1::span<CFRange, 18446744073709551615ul>&&, std::__1::back_insert_iterator<std::__1::vector<CFRange, std::__1::allocator<CFRange> > >&&) const ()
Replies: 1 | Boosts: 0 | Views: 611 | Activity: Oct ’23
VPN get disconnected between connecting and connected when includeAllNetworks is set
I am trying to set the includeAllNetworks flag right now and I see some weird behavior from the macOS system:
    default 13:32:50.825941+0800 ***** <debug> newStatus = Connecting...
    default 13:32:51.816353+0800 ***** <debug> newStatus = Disconnected
    default 13:32:52.222371+0800 ***** <debug> newStatus = Connected
The app which is observing the VPN status gets notified with a disconnected status between connecting and connected. And in some cases I find that the app never gets the connected notification after disconnected. In that case the tunnel interface and all tunnel network settings are set up correctly, but our UI logic will just handle the disconnected case. If I just clear the includeAllNetworks flag, then everything is fine:
    default 14:13:50.075947+0800 *****<debug> newStatus = Connecting...
    default 14:13:50.829195+0800 *****<debug> newStatus = Connected
The test environment is macOS 14.0 and I am using the Network Extension framework for the status KVO. So I am just wondering if this is expected behavior or not. If this is expected, then is there any suggestion for how I should work around it?
Replies: 2 | Boosts: 0 | Views: 332 | Activity: Oct ’23
Identifying the actual app which is using com.apple.WebKit.Networking.xpc
Hi, AFAIK Safari, or any macOS app which uses WKWebView, uses com.apple.WebKit.Networking.xpc to do the actual networking. I am working on a packet tunnel, where I am able to get the process ID associated with a packet read. Based on the process ID, I am using libproc to get the process name. I am facing the following problem: Safari and any other app which uses WKWebView have the same process name, com.apple.WebKit.Networking. Is there any way to distinguish whether it is from Safari or from some other WKWebView app? Related problem: https://developer.apple.com/forums/thread/693528 In that thread, an app proxy can help, but in a packet tunnel no such options are exposed.
Replies: 1 | Boosts: 0 | Views: 725 | Activity: Oct ’23
VPN profile says "update required", doesn't load properties or init packet tunnel provider
I'm setting up an app that will need to intercept all traffic on the device. The configuration is:
    let manager = NETunnelProviderManager()
    let protocolConfiguration = NETunnelProviderProtocol()
    protocolConfiguration.providerBundleIdentifier = "com.***.PacketTunnelProvider"
    protocolConfiguration.serverAddress = "VPN Server"
    protocolConfiguration.providerConfiguration = ["key": "value"]
    manager.protocolConfiguration = protocolConfiguration
    manager.localizedDescription = "VPN Server"
The configuration is correctly saved, but in Settings the profile comes out with "Update required" and "must be updated by the developer before VPN Server can be connected". Looking around the forums, I already checked the entitlements on the binary and everything comes out good:
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider</string>
        <string>packet-tunnel-provider</string>
    </array>
on the main bundle, and
    [Key] com.apple.developer.networking.networkextension
    [Value]
        [Array]
            [String] app-proxy-provider
            [String] packet-tunnel-provider
on packettunnelprovider.appex. When I try to start the tunnel with
    func startProxyServer() {
        NETunnelProviderManager.loadAllFromPreferences { (managers, error) in
            if let error = error {
                print("Error loading preferences: \(error)")
                return
            }
            // Pick the configuration we saved earlier by its description.
            let manager = managers?.first(where: { $0.localizedDescription == "VPN Server" })
            manager!.loadFromPreferences { error in
                if let error = error {
                    print("Error loading preferences: \(error)")
                } else {
                    do {
                        try manager!.connection.startVPNTunnel(options: nil)
                        print("Started tunnel.")
                    } catch {
                        print("Failed to start tunnel: \(error)")
                    }
                }
            }
        }
    }
putting a breakpoint will show that the profile gets loaded but it completely lacks the protocol configuration. Funnily enough, I don't get an error, so I get to the "Started tunnel" code branch.
Of course, without the protocol configuration, even if the manager is "loaded" and connection.startVPNTunnel is called, the packet tunnel provider is never initialized and nothing actually starts. Build targets are the same on both the main app and the packet tunnel provider target, and I tried lowering or raising them to no effect. How can I debug this further?
Replies: 4 | Boosts: 0 | Views: 503 | Activity: Oct ’23
NEPacketTunnelProvider: calculate total traffic without packetFlow
Hi. I've got a case where I've successfully run a packet tunnel with NEPacketTunnelProvider (SOCKS protocol), and I can't find a way to calculate the traffic. I've tried using self.packetFlow.readPackets... and self.packetFlow.writePackets... in different ways, but each time I call methods which contain lines with the packet flow, nothing happens. I think it's related to my protocol and the library which I've used to implement the packet tunneling, because it freezes the thread. By the way, it's working great within the memory limits of iOS. I've seen that the profiler in Xcode shows the traffic spent. I've also tried to get the name of the virtual interface which the extension creates, using getifaddrs, and by that name found the virtual adapter, but all the fields of the objects I found there don't provide any helpful information about packet sizes. Also I've tried to implement a custom NEPacketTunnelFlow and use it in NEPacketTunnelProvider, but as a result NEPacketTunnelProvider does not start and crashes without any helpful information. Can someone give me some hints on where I can find a way to solve this?
Replies: 0 | Boosts: 0 | Views: 298 | Activity: Oct ’23
Need to bind `nw_parameters_create_secure_tcp` with specific utun interface.
Hi Team, I am using nw_parameters_create_secure_tcp in Objective-C to establish a TCP connection. However, I would like the connection to go through a specific utun interface. I attempted to use the following method for binding:
    nw_parameters_require_interface(nw_parameters_t parameters, _Nullable nw_interface_t interface);
Unfortunately, I haven't found any API that can convert a utun interface name or index to an nw_interface_t object. Both nw_interface_create_with_index and nw_interface_create_with_name are private methods. I also tried using nw_path_monitor_set_update_handler and nw_path_enumerate_interfaces, but they did not return the utun interface. Could you please suggest how I can obtain the utun interface as an nw_interface_t?
Replies: 1 | Boosts: 0 | Views: 410 | Activity: Oct ’23
No packets after changing routing information
In my iOS VPN app the user can switch between full tunnel and split tunnel. With full tunnel, the PacketTunnelProvider includedRoutes are set to defaultRoute, and in split tunnel the includedRoutes are set to what the user has configured. When going from full tunnel to split, everything works as expected: I see the routing table change and packets flow as expected. However, when going from split tunnel to full, even though I see the routing table updated with the default route setting, I am seeing no packets coming in on my readPacketsWithCompletionHandler for my TUN interface. I know the interface is active because I can bind to it and send data just fine (as a test), but nothing in the system appears to be working. I do the exact same thing on macOS and it works flawlessly. Thoughts?
Replies: 6 | Boosts: 0 | Views: 369 | Activity: Oct ’23
Trying to understand VPN types
There are some terms I've come across so far relating to a packet tunnel provider: "On Demand", "Per App", "Always On", "Source-application mode", "Destination IP mode", "App extension", "System extension". I'm trying to understand how these ideas fit together. I'm trying to make a packet tunnel provider setup on iOS which tunnels ALL traffic through it. Which combination of terms does this entail? I'm assuming it must be "Destination IP mode" and maybe "System extension", and probably not "Per App", but maybe "On Demand" or "Always On"?
Replies: 2 | Boosts: 0 | Views: 169 | Activity: Oct ’23
Wrong source IP with NetworkExtension packet tunnels
Hi, I have an issue with a packet tunnel that has two IPv4 networks. The first network works well but the second does not, because when trying to reach any IP of the second network, the source IP used is one from the first network.
Setup
So, I have a NE (Network Extension) with a packet tunnel. Internally our application creates two tunnels to access different resources. These tunnels are linked to two local networks:
    utun3 192.168.1.42/24 <===> tunnel 1
    utun3 192.168.2.42/24 <===> tunnel 2
To clarify, I only have one NE, but two IPv4 networks in it (configured via NEIPv4Settings). I also configured routes to tell the NE that both networks should go through the tunnel.
Problem and Investigations
Trying to ping 192.168.1.1 does work; however, trying to ping 192.168.2.1 does not. Doing a bit of tcpdump on the interface shows that the source IP used is 192.168.1.42 instead of 192.168.2.42. Seeing that, I suspected some kind of routing issue, therefore I removed the routes from the NE and tried to add some by hand. I ended up adding the following:
    192.168.1.0/24 via 192.168.1.42
    192.168.2.0/24 via 192.168.2.42
With this it actually worked. Delighted by this quick resolution, I deleted any static route I had created, rushed back to my application and added these routes into the NE. And it did not work. Very surprised, I tried to find the difference between me adding the route manually with route add ... and the NE adding the route. But it got much weirder, as netstat -rn showed me that the created routes were identical. Digging through the internet I was unable to find many people with a similar issue. Also, I saw something about NE routes and user-added routes being different, but not much information, and not enough to help me out. In the end, I started suspecting an issue with the Network Extension, especially since the API does allow adding multiple IPv4 networks. Do you have any information on this topic?
Replies: 2 | Boosts: 0 | Views: 180 | Activity: Oct ’23
IP Packet reading through Network Extension
Hi Developers, first of all thanks for reading. I'm trying to build an iOS app that lists all requests made from the device, like Proxy App does. My idea is to have a Packet Tunnel Provider and set up a local VPN connection without an external VPN server. The traffic would then be internally routed to the packet tunnel, without requiring an external VPN server. I have downloaded the SimpleTunnel sample code project from Apple, created the correct entitlements, and can now run the project and create a VPN configuration that gets listed under Settings. Still, I can't connect to the VPN tunnel. I have also downloaded the source code at https://github.com/lxdcn/NEPacketTunnelVPNDemo but didn't get it to work either. Let me know if any of you have come across a similar implementation. Thank you for your time!
Replies: 3 | Boosts: 0 | Views: 303 | Activity: Oct ’23
Network Extension and VPN Glossary
Based on popular demand [1], I decided to write up definitions for some of the terms we use in the Network Extension and VPN world. If you have questions or comments, or suggestions for additional entries, please put them in a new thread here on DevForums. Tag it with Network Extension so that I see it.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, [one person asked specifically][refPD] (-: but I’ve seen a lot of confusion about this elsewhere.

[refPD]: Network Extension and VPN Glossary

Network Extension and VPN Glossary

This post defines some terms used by the Network Extension framework and VPN.

TN3134

This section covers some of the terms used in TN3134 Network Extension provider deployment.

Network Extension providers can be packaged in one of two ways:

App extension — This is supported on all platforms. On macOS, which supports multiple users, the VPN interface is available globally but the provider is run in the context of the user who started the VPN. If that user logs out, the VPN interface goes down.

System extension — This is only supported on macOS. The provider is run in a global context, so it’s not affected by users logging in or out.

App Store only means that this option is only supported in App Store apps. This is relevant on macOS, where developers can distribute products independently using Developer ID signing. So, in the case of a packet tunnel provider on macOS: app extension packaging is only supported in App Store apps; system extension packaging is supported for both App Store apps and independently distributed apps.

Managed devices only means that the option is only supported on managed devices, that is, devices that are enrolled in an organisation’s management system (MDM). This typically means that the feature has to be configured via MDM. For example, on iOS per-app VPN support only works on managed devices because your device manager must use MDM to set the VPNUUID property that associates the app with the VPN configuration.

Supervised devices only means that the option is only supported on supervised devices. A supervised device is a managed device that’s owned by the organisation. This is in contrast to a BYOD device, where the user owns the device but it’s enrolled in the organisation’s management system.

Other

VPN On Demand is the ability for a VPN to start automatically when an app connects to a server that’s on the ‘far side’ of the VPN. Imagine you’re in an organisation, example.com, where all your intranet services are within corp.example.com. To access those from outside you must go through the VPN. A site admin might configure VPN On Demand such that, when an app connects to anything with corp.example.com, the system will automatically start the VPN as part of the connection process.

Per-app VPN is a VPN configuration mode where a device manager can associate a set of apps with a specific VPN configuration. To continue the above example, an organisation might deploy a corporate directory app which connects to a directory endpoint within corp.example.com. In a BYOD scenario, they don’t want other random apps on the user’s device to be able to connect to that endpoint, and thus they deploy per-app VPN such that only their directory app can access it. An app proxy provider always acts as a per-app VPN. A packet tunnel provider can work in one of two modes: in the normal mode, aka destination IP mode, packets are routed to the provider based on their destination IP address [1]; in per-app VPN mode, aka source-application routing mode, packets are routed to the provider based on their source application.

Always-on VPN is a feature of Apple’s IKEv2 VPN transport such that the VPN is… well… always on. If the VPN can’t come up, the device appears to have no network connectivity.

[1] Well, it’s not quite that simple. I discuss this in more detail in the various subposts of Extra-ordinary Networking.
Replies: 0 | Boosts: 0 | Views: 330 | Activity: Oct ’23
Moving app to the trash doesn't deactivate system extension
I'm testing my NEFilterDataProvider system extension by building it in Xcode and then copying the built app into the Applications folder. When I make changes to the extension's code, obviously the currently running system extension process needs to be shut down or restarted when I launch the new app version. Increasing the app version and build numbers each time always seems to trigger the system extension update in macOS, but that's not very convenient, and at the latest when publishing the update those numbers cannot just make arbitrary jumps. I've read that moving an app to the trash should uninstall any attached system extensions, and this seems to be confirmed by the alert that macOS shows when doing so, but even after clicking Continue, authenticating with Touch ID to confirm the uninstall and emptying the trash, it sometimes happens that when launching the next version of my app from the Applications folder the old system extension is still running, which I notice e.g. because the app crashes since it's using different IPC method signatures than the system extension. When checking in Activity Monitor, the system extension is also still listed. Even restarting the Mac doesn't always solve the issue, so when this happens my only solution is to increase the build and version numbers to make it work, and then reset them later when moving the app to the trash correctly uninstalls the system extension again. Is this a bug or am I missing something? Or is there a workaround that doesn't involve booting into safe mode and manually uninstalling the system extension? P.S.: I just tried booting into safe mode and moving the files from /Library/SystemExtensions to the trash as suggested on discussions.apple.com, but I got an alert saying that I didn't have the privileges to do so.
Replies: 6 | Boosts: 0 | Views: 633 | Activity: Oct ’23
Unexpected behavior of `AdditionalRoutes` property in DynamicStore
Hello, I experienced a strange (and in my opinion unexpected) behavior from DynamicStore/configd. In our application we set up the routes in the system by setting the AdditionalRoutes property on a specific interface to route part of the network traffic through it. The routes are set properly, but I noticed that they are not cleared once removed from AdditionalRoutes. After a while I figured that the problem lies in the DestinationAddress I set in AdditionalRoutes. I was using the following configuration:
    var newRoutes: [[String: NSObject]] = [
        ["DestinationAddress": "10.0.0.1" as NSObject,
         "SubnetMask": "255.0.0.0" as NSObject]
    ]
and it resulted in a new route:
    10                 link#16            UCS             en0       !
which was not cleared when AdditionalRoutes were reset to the original value. When I changed the DestinationAddress to:
    var newRoutes: [[String: NSObject]] = [
        ["DestinationAddress": "10.0.0.0" as NSObject,
         "SubnetMask": "255.0.0.0" as NSObject]
    ]
both setting and clearing routes works as expected. The only difference is changing the DestinationAddress from 10.0.0.1 to 10.0.0.0. In my opinion this is inconsistent behavior. Although I can understand that the system might reject 10.0.0.1 as a valid DestinationAddress for creating routes, I don't think it's correct behavior to accept such an address but never clear the routes. The full source code which might be used to verify my claims:
    import Foundation
    import SystemConfiguration

    let en0ServiceIPv4 = "State:/Network/Service/***/IPv4" as CFString
    let store = SCDynamicStoreCreate(nil, "dseditor" as CFString, nil, nil)!
    let originalValue = SCDynamicStoreCopyValue(store, en0ServiceIPv4) as! [String: NSObject]
    var newValue = originalValue
    print("AdditionalRoutes: \(String(describing: originalValue["AdditionalRoutes"]))")
    var newRoutes: [[String: NSObject]] = [
        ["DestinationAddress": "10.0.0.1" as NSObject,
         "SubnetMask": "255.0.0.0" as NSObject]
    ]
    newValue["AdditionalRoutes"] = newRoutes as NSObject
    print("newValue: \(newValue)")
    var result = SCDynamicStoreSetValue(store, en0ServiceIPv4, newValue as CFPropertyList)
    print("set new value: \(result)")
    sleep(3)
    result = SCDynamicStoreSetValue(store, en0ServiceIPv4, originalValue as CFPropertyList)
    print("restore old value: \(result)")
Naturally, en0ServiceIPv4 needs to be changed and the program needs to be run as root. Can you please share your thoughts on whether this is an OS bug or expected behavior? If it is expected, what is the reasoning behind it?
Replies: 4 | Boosts: 0 | Views: 607 | Activity: Oct ’23
NEFilterDataProvider.handleNewFlow(_:) gets called with same flow ids multiple times
Since NEFilterFlow.identifier is documented as "The unique identifier of the flow.", I thought I could use it to store the flow by its identifier in a dictionary in order to retrieve it later. I do this when the system extension pauses a flow because it needs to ask the user whether the flow should eventually be allowed or dropped. But then I noticed that sometimes, when allowing a previously paused flow identified by its identifier, my system extension doesn't find that flow anymore. After some debugging it turned out that this happens because I stored at least one other flow with the same ID which, when confirmed, is removed again from the dictionary, so there is no more flow with that identifier waiting in the dictionary. Is it expected that the identifiers are recycled for different flows, or does it mean that the same flow is effectively being passed to .handleNewFlow(_:) multiple times, for instance if the extension waited "too long" between pausing a flow and allowing or dropping it? What does this mean?
Replies: 6 | Boosts: 0 | Views: 520 | Activity: Oct ’23
Two network extensions, sometimes only one gets started
We have a Transparent Proxy Provider, and a Packet Filter. They both get activated on app startup, and then when that's done, I call code to set the preferences to enable them. That is basically done by having the request:didFinishWithResult: method check the identity of the request, determine whether it was activation or deactivation, and then call the appropriate function to do the preferences load/save dance. However, from the logs, it looks like the preferences-handling code sometimes only gets called for one of them (and, strangely, almost always the packet filter). Is this a known issue? I'd guess something about multiple calls to load/save preferences happening at the same time?
Replies: 1 | Boosts: 0 | Views: 333 | Activity: Oct ’23
NETransparentProxyProvider on macOS Sonoma breaks DNS resolution for short hostnames
macOS Sonoma cannot resolve short hostnames (no dots) when there is an active interface of NETransparentProxyProvider type. I have submitted a report, FB13288727, but maybe I am missing something and there is a way to fix this from our NETransparentProxyProvider code? Normally, when you specify the search domain "example.net", the system resolver automatically appends it to short hostnames like "testhost" (no dots), so the resulting query is "testhost.example.net". https://support.apple.com/en-il/guide/mac-help/mh141272/mac Starting from macOS Sonoma, when there is an active interface of NETransparentProxyProvider type, the system resolver tries to resolve using only the first domain from the list. Also, it does not try to resolve the hostname as it is (without the search domain). What makes this bug fatal is that Sonoma automatically adds a hidden entry like "0.5.168.192.in-addr.arpa" to the search domain list. So it tries to resolve shorthostname.0.5.168.192.in-addr.arpa, fails, and does not try without the domain. So the resolution of all short hostnames always fails. It can be easily tested with a command like "ping store" and the search domain "apple.com".
Pre-Sonoma versions:
    ping store
    PING store.apple.com (23.14.139.109): 56 data bytes...
Sonoma:
    ping store
    ping: cannot resolve store: Unknown host
In reality, it tries to resolve store.0.5.168.192.in-addr.arpa and fails. It does not try to resolve store.apple.com at all. This can be seen in the traffic to the DNS server (UDP port 53).
Replies: 1 | Boosts: 1 | Views: 507 | Activity: Oct ’23
Why does the iOS app with TLS 1.3 offer SHA-1 as signature algorithm
I was investigating the Client Hello for my iOS app and saw that the TLS 1.3 handshake's Client Hello sends:
    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
        Signature Hash Algorithm Hash: SHA1 (2)
        Signature Hash Algorithm Signature: RSA (1)
I thought SHA-1 was not being used anymore. The full list of offered signature_algorithms from the client in the extension:
    Extension: signature_algorithms (len=24)
        Type: signature_algorithms (13)
        Length: 24
        Signature Hash Algorithms Length: 22
        Signature Hash Algorithms (11 algorithms)
            Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                Signature Hash Algorithm Hash: SHA256 (4)
                Signature Hash Algorithm Signature: ECDSA (3)
            Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                Signature Hash Algorithm Hash: Unknown (8)
                Signature Hash Algorithm Signature: SM2 (4)
            Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                Signature Hash Algorithm Hash: SHA256 (4)
                Signature Hash Algorithm Signature: RSA (1)
            Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                Signature Hash Algorithm Hash: SHA384 (5)
                Signature Hash Algorithm Signature: ECDSA (3)
            Signature Algorithm: ecdsa_sha1 (0x0203)
                Signature Hash Algorithm Hash: SHA1 (2)
                Signature Hash Algorithm Signature: ECDSA (3)
            Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                Signature Hash Algorithm Hash: Unknown (8)
                Signature Hash Algorithm Signature: Unknown (5)
            Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                Signature Hash Algorithm Hash: Unknown (8)
                Signature Hash Algorithm Signature: Unknown (5)
            Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                Signature Hash Algorithm Hash: SHA384 (5)
                Signature Hash Algorithm Signature: RSA (1)
            Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                Signature Hash Algorithm Hash: Unknown (8)
                Signature Hash Algorithm Signature: Unknown (6)
            Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                Signature Hash Algorithm Hash: SHA512 (6)
                Signature Hash Algorithm Signature: RSA (1)
            Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                Signature Hash Algorithm Hash: SHA1 (2)
                Signature Hash Algorithm Signature: RSA (1)
Replies: 4 | Boosts: 0 | Views: 493 | Activity: Oct ’23