I've built a VPN app that is based on wireguard on macOS (I have both AppStore ver. and Developer ID ver). I want to achieve split tunneling function without changing the system route table. Currently, I'm making changes in PacketTunnelProvider: NEPacketTunnelProvider. It has included/excluded routes that function as a split tunnel, just that all changes are immediately reflected on the route table: if I run netstat -rn in terminal, I would see all rules/CIDRs I added, displayed all at once. Since I have a CIDR list of ~800 entries, I'd like to avoid changing the route table directly. I've asked ChatGPT, Claude, DeepSeek, .etc. An idea was to implement an 'interceptor' to intercept all packets in packetFlow(_:readPacketsWithCompletionHandler:), extract the destination IP from each packet, check if it matches your CIDR list, and either reinject it back to the system interface (for local routing) or process it through your tunnel. Well, LLMs could have hallucinations and I've pretty new to macOS programming. I'm asking to make sure I'm on the right track, not going delusional with those LLMs :) So the question is, does the above method sounds feasible? If not, is it possible to achieve split tunneling without changing the route table?

I'm establishing a connection with NWListener and NWConnection which is working great. However, if the listener disappears, a lot of logs are appearing: Is there a way to hide these logs? I'm aware of OS_ACTIVITY_MODE=disabled, but that will also hide a lot of other logs. I also know you can hide these using Xcode's filtering. I'm looking for a programmatically way to hide these completely. I'm not interested in seeing these at all, or, at least, I want to be in control. Thanks!

I'm having a lot of trouble just getting a basic network extension startup, I have a main application that creates the configuration and requests the app extension based network extension to launch. The network extension implements a NEPacketTunnelProvider and the application doesn't receive an error when starting the tunnel but when I inspect the networkextension system logs, I keep getting errors and the network extension itself doesn't appear to start nor does it log anything. log stream --predicate 'subsystem == "com.apple.networkextension"' neagent: (NetworkExtension) [com.apple.networkextension:] Extension request with extension $(BUNDLE_ID) started with identifier (null) neagent: (NetworkExtension) [com.apple.networkextension:] Failed to start extension $(BUNDLE_ID): Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named $(BUNDLE_ID)" UserInfo={NSDebugDescription=connection to service named $(BUNDLE_ID)} nesessionmanager: [com.apple.networkextension:] Validation failed - no audit tokens nesessionmanager: [com.apple.networkextension:] NEVPNTunnelPlugin($(BUNDLE_ID)[inactive]): Validation of the extension failed The network extension is written in Objective-C as it needs to integrate with another language. It's not entirely clear what kind of executable the network extension is meant to be, is it meant to have a main entrypoint, or is it supposed to be a shared library / bundle?

I’m working on an iOS parental-control app that needs to block specific network traffic (e.g. certain domains or URLs). We’ve already obtained the Family Controls entitlement (since our app is explicitly a parental-control solution), but we do not use MDM to supervise devices. In testing, our NEFilterDataProvider extension only activates when the device is enrolled under a managed Family Controls profile. I am aware that we can use a PacketTunnel to achieve this but i was wondering if there is any simpler solution to this? Thanks for you time!

I am trying to make http3 client with Network.framework on Apple platforms. Codes that implement NWConnectionGroup.start with NWListener don't always work with warning below. I assume NWConnectionGroup.newConnectionHandler or NWListener.newConnectionHandler will be called to start connection from the server if it works. nw_protocol_instance_add_new_flow [C1.1.1:2] No listener registered, cannot accept new flow quic_stream_add_new_flow [C1.1.1:2] [-fde1594b83caa9b7] failed to create new stream for received stream id 3 so I tried: create the NWListener -> not work check whether NWConnectionGroup has a member to register or not NWListener -> not work (it doesn't have). use NWConnection instead of NWConnectionGroup -> not work Is my understanding correct? How should I do to set or associate listener with NWConnection/Group for newConnectionHandler is called and to delete wanings? What is the best practice in the case? Sample codes are below. Thanks in advance. // http3 needs unidirectional stream by the server and client. // listener private let _listener: NWListener let option: NWProtocolQUIC.Options = .init(alpn:["h3"]) let param: NWParameters = .init(quic: option) _listener = try! .init(using: param) _listener.stateUpdateHandler = { state in print("listener state: \(state)") } _listener.newConnectionHandler = { newConnection in print("new connection added") } _listener.serviceRegistrationUpdateHandler = { registrationState in print("connection registrationstate") } // create connection private let _group: NWConnectionGroup let options: NWProtocolQUIC.Options = .init(alpn: ["h3"]) options.direction = .unidirectional options.isDatagram = false options.maxDatagramFrameSize = 65535 sec_protocol_options_set_verify_block(options.securityProtocolOptions, {(_: sec_protocol_metadata_t, _: sec_trust_t, completion: @escaping sec_protocol_verify_complete_t) in print("cert completion.") completion(true) }, .global()) let params: NWParameters = .init(quic: options) let group: NWMultiplexGroup = .init( to: .hostPort(host: NWEndpoint.Host("google.com"), port: NWEndpoint.Port(String(443))!)) _group = .init(with: group, using: params) _group.setReceiveHandler {message,content,isComplete in print("receive: \(message)") } _group.newConnectionHandler = {newConnection in print("newConnectionHandler: \(newConnection.state)") } _group.stateUpdateHandler = { state in print("state: \(state)") } _group.start(queue: .global()) _listener.start(queue: .global()) if let conn = _group.extract() { let data: Data = .init() let _ = _group.reinsert(connection: conn) conn.send(content: data, completion: .idempotent) }

Feedback Ticket: FB13812251 Problem Statement: We are currently facing internet connectivity issue with our VPN application where we try to disconnect the VPN from the Packet Tunnel Network Extension using - (void)cancelTunnelWithError:(nullable NSError *)error. Which API to use to disconnect the VPN from Packet Tunnel as VPN app is not running such that device retains its internet connectivity as soon as VPN disconnects. Configuration: We have configured PacketTunnelProvider with the following settings: (NETunnelProviderManager *)tunnelProvider.protocolConfiguration.includeAllNetworks = YES; (NETunnelProviderManager *)tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO; (NETunnelProviderManager *)tunnelProvider.protocolConfiguration.enforceRoutes = NO; These settings are applied from the VPN app and allow us to successfully establish a VPN connection, with all traffic being routed through the tunnel as expected.We are setting above properties to address local net attack. Issue we are facing: However, we encounter a problem when we attempt to disconnect the VPN from. When we call the following method from PacketTunnel network extension: (void)cancelTunnelWithError:(nullable NSError *)error Upon calling this method, the VPN disconnects as expected, but the device loses all internet connectivity and is unable to access any resources. This is not the desired behavior. Observation : Interestingly, when we call the following method from the app side. The VPN disconnects and the device retains its internet connectivity. [enabledConfig.connection stopVPNTunnel]; We would like to achieve the same behavior when disconnecting the VPN from the Network Extension. So we are looking for an API that could be called from NE without causing any internet connectivity issue. Any guidance on how to resolve this issue would be greatly appreciated.

Crash within com.apple.CFNetwork.Connection , specifically due to EXC_BAD_ACCESS KERN_INVALID_ADDRESS. The crash occurred within the nghttp2_session_del() function indicating a problem with the nghttp2 library, which is commonly used for HTTP/2 communication. This points towards a memory management issue. EXC_BAD_ACCESS generally signifies that the application attempted to access memory it didn't have permission to access, often caused by using a pointer after it has been freed or pointing to an invalid memory address. ** Crashed: com.apple.CFNetwork.Connection 0 libapple_nghttp2.dylib 0xa6ec nghttp2_session_del + 124 1 CFNetwork 0xace4c + 428 2 CFNetwork 0xacc80 + 36 3 libdispatch.dylib 0x2370 _dispatch_call_block_and_release + 32 4 libdispatch.dylib 0x40d0 _dispatch_client_callout + 20 5 libdispatch.dylib 0xb6d8 _dispatch_lane_serial_drain + 744 6 libdispatch.dylib 0xc214 _dispatch_lane_invoke + 432 7 libdispatch.dylib 0xd670 _dispatch_workloop_invoke + 1732 8 libdispatch.dylib 0x17258 _dispatch_root_queue_drain_deferred_wlh + 288 9 libdispatch.dylib 0x16aa4 _dispatch_workloop_worker_thread + 540 10 libsystem_pthread.dylib 0x4c7c _pthread_wqthread + 288 11 libsystem_pthread.dylib 0x1488 start_wqthread + 8 ** The stack trace does not point to any code within our product codebase, hence making it difficult to pinpoint the root cause of the issue as there are multiple network calls running concurrently during the app's runtime.

Hi All, I am currently working on a Network Extension App for MacOS using 3 types of extensions provided by Apple's Network Extension Framework. Content Filter, App Proxy (Want to get/capture/log all HTTP/HTTPS traffic), DNS Proxy (Want to get/capture/log all DNS records). Later parse into human readable format. Is my selection of network extension types correct for the intended logs I need? I am able to run with one extension: Main App(Xcode Target1) <-> Content Filter Extension. Here there is a singleton class IPCConnection between App(ViewController.swift) which is working fine with NEMachServiceName from Info.plist of ContentFilter Extension(Xcode Target2) However, when I add an App Proxy extension as a new Xcode Target3, I think the App and extension's communication getting messed up and App not getting started/Crashing. Here, In the same Main App, I am adding new separate IPCConnection for this extension. Here is the project organization/folder structure. MyNetworkExtension ├──MyNetworkExtension(Xcode Target1) │ ├── AppDelegate.swift │ ├── Assets.xcassets │ ├── Info.plist │ ├── MyNetworkExtension.entitlement │ | ── Main │ |-----ViewController.swift │ └── Base.lproj │ └── Main.storyboard ├── ContentFilterExtension(Xcode Target2) │ ├── ContentFilterExtension.entitlement │ │ ├── FilterDataProvider.swift │ │ ├── Info.plist │ │ ├── IPCConnection.swift │ │ └── main.swift ├── AppProxyProviderExtension(Xcode Target3) │ ├── AppProxyProviderExtension.entitlement │ │ ├── AppProxyIPCConnection.swift │ │ ├── AppProxyProvider.swift │ │ ├── Info.plist │ │ └── main.swift └── Frameworks ├── libbsm.tbd └── NetworkExtension.framework Is my Approach for creating a single Network Extension App with Multiple extensions correct or is there any better approach of project organization that will make future modifications/working easier and makes the maintenance better? I want to keep the logic for each extension separate while having the same, single Main App that manages everything(installing, activating, managing identifiers, extensions, etc). What's the best approach to establish a Communication from MainApp to each extension separately, without affecting one another? Is it good idea to establish 3 separate IPC Connections(each is a singleton class) for each extension? Are there any suggestions you can provide that relates to my use case of capturing all the network traffic logs(including HTTP/HTTPS, DNS Records, etc), especially on App to Extension Communication, where my app unable to keep multiple IPC Connections and maintain them separately? I've been working on it for a while, and still unable to make the Network Extension App work with multiple extensions(each as a new Xcode target). Main App with single extension is working fine, but if I add new extension, App getting crashed. I suspect it's due to XPC/IPC connection things! I really appreciate any support on this either directly or by any suggestions/resources that will help me get better understand and make some progress. Please reach out if in case any clarifications or specific information that's needed to better understand my questions. Thank you very much

We've received several reports of a new bug while setting up our products with WAC. The Accessory Setup UI appears with a blank network selected and the message 'This accessory will be set up to join "(null)".' at top. The user can tap "Show Other Networks..." to select another network, but this experience is very confusing. Why does this UI present a choice that is known to be invalid when other valid choices exist? I've captured a screenshot and sysdiagnose from this case. In most cases this problem happens only intermittently, but I can reproduce it consistently by disconnecting my iPhone from any WiFi network (WiFi remains enabled). My suggestion for a better user experience is that this UI should select the default network according to these rules: The network to which iPhone is currently connected. Any network which is in the known/my list for this iPhone Any valid network I believe rule #1 is the existing behavior, but applying rules #2 and #3 as fallbacks would be an improvement. Is there anything I can change in my iOS code or in my accessory's WAC server to improve this experience?

Hello there, Starting from iOS 18.4, support was included for QWAC Validation and QCStatements. Using the official QWAC Validator at: https://eidas.ec.europa.eu/efda/qwac-validation-tool I was able to check that the domain "eidas.ec.europa.eu" has a valid QWAC certificate. However, when trying to obtain the same result using the new API, I do not obtain the same result. Here is my sample playground code: import Foundation import Security import PlaygroundSupport PlaygroundPage.current.needsIndefiniteExecution = true @MainActor class CertificateFetcher: NSObject, URLSessionDelegate { private let url: URL init(url: URL) { self.url = url super.init() } func start() { let session = URLSession(configuration: .ephemeral, delegate: self, delegateQueue: nil) let task = session.dataTask(with: url) { data, response, error in if let error = error { print("Error during request: \(error)") } else { print("Request completed.") } } task.resume() } nonisolated func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -&gt; Void) { guard let trust = challenge.protectionSpace.serverTrust else { completionHandler(.cancelAuthenticationChallenge, nil) return } if let certificates = SecTrustCopyCertificateChain(trust) as? [SecCertificate] { self.checkQWAC(certificates: certificates) } let credential = URLCredential(trust: trust) completionHandler(.useCredential, credential) } nonisolated func checkQWAC(certificates: [SecCertificate]) { let policy = SecPolicyCreateSSL(true, nil) var trust: SecTrust? guard SecTrustCreateWithCertificates(certificates as CFArray, policy, &amp;trust) == noErr, let trust else { print("Unable to create SecTrust") return } var error: CFError? guard SecTrustEvaluateWithError(trust, &amp;error) else { print("Trust evaluation failed") return } guard let result = SecTrustCopyResult(trust) as? [String : Any] else { print("No result dictionary") return } let qwacStatus = result[kSecTrustQWACValidation as String] let qcStatements = result[kSecTrustQCStatements as String] print("QWAC Status: \(String(describing: qwacStatus))") print("QC Statements: \(String(describing: qcStatements))") } } let url = URL(string: "https://eidas.ec.europa.eu/")! let fetcher = CertificateFetcher(url: url) fetcher.start() Which prints: QWAC Status: nil QC Statements: nil Request completed. Am I making a mistake while using the Security framework? I would greatly appreciate any help or guidance you can provide.

Hi, after upgrading to MacOS Sequoia, my connection to my local IP address does not work. The issue is with the PF (MacOS advanced firewall), as I confirmed that my local application works disabling it temporarily. Does anyone know how can I do to solve this problem? As APP developer, this is a big problem for me. Thanks in advance.

In my application, there is a Network Extension with the bundle ID com.xxx.agent.yyy.zzz.ne. There is a user upgraded their system to macOS Sequoia 15.3, they faced an issue where enabling this Network Extension failed. Even after uninstalling the application and the Network Extension, restarting the system, and reinstalling multiple times, the enabling process still failed. it alert: Failed to enable the Network Extension. When checking the status via "systemextension list", it always shows "activated waiting for user". This shows the normal enabling process log: This shows the log when the enabling fails upon clicking. Strangely enough, there is no activation operation log when it fails. What could be the problem?

We are migrating our iOS app to macOS. On iOS, it works fine. But when I try and run on macOS and connect to the VPN, I am getting an error like failed to fetch /Users/stuart/Library/Developer/Xcode/DerivedData/app-byzvshkqegwzqxgervfswmsughkm/Build/Products/Debug/<app_name>.app/Contents/PlugIns/<network_extension_name>.appex/Contents/_CodeSignature/CodeRequirements-1 error=-10. If I have Settings -> VPN open, it rapidly is connecting and disconnecting. Is there anything I need to do specific to macOS to make this work? Or is this related to a broken code signature? Thanks in advance!

I had noticed that my slaac address changed between one beta and the other, but wasn't sure. Now with the RC 15.4 RC (24E247) I made point of preserving the info before updating from the previous beta. What I noticed is that not only the slaac address changes, but also the my ether address, even though I have it on Fixed in the settings. Is it expected that the ether, and the slaac, not be rotated after a OS update?

I want to configure one aspect of my networking configuration (the QUIC keepalive interval). This only seems to be configurable via Network.framework’s nw_quic_set_keepalive_interval. Is there any way to apply this to a URLSession? Or do I need to implement the whole connection management myself using Network.framework?

NEAppProxyUDPFlow contains below property: open var localEndpoint: NWEndpoint? { get } Why is localEndpoint not available for NEAppProxyTCPFlow? Is there a way to determine the source port of a flow of type NEAppProxyTCPFlow within the following method of NETransparentProxyProvider? override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {

Hi folks, I would like to ask for clarification regarding Local Network Policy. I found 2 cases where I think the behaviour differs from the documentation. 1. Use case In a CI environment, we have multiple services (LaunchAgents) which require Local Network Access. We are fine by manually approving the Local Network Permission once (per service), but we also require these services to be able to self-update. Self update results in downloading the a binary with an (obviously) different UUID, which seems to result in re-triggering the Local Network Consent prompt. Strange thing: If I don't click either buttons (Allow of Reject), just restart macOS, it will result in an enabled entry in Privacy &amp; Security &gt; Local Network. I read a reply somewhere on this forum by an Apple engineer that the approval process is a mix of Bundle ID + UUID + other components, so I would expect a new binary with the same properties (but different UUID) to be already whitelisted. Is this behaviour intended? 2. Use Case Given the first issue, I decided to do this in the "right way". I was happy to read this sentence in the documentation: If you ship a launchd agent that’s not installed using SMAppService, make macOS aware of the responsible code by setting the AssociatedBundleIdentifiers property in your launchd property list. I have a properly setup (and code signed) Application, for which I have enabled Local Network permission in Privacy &amp; Security. I have a standalone LaunchAgent, which runs a long running binary from a user directory. The agent is managed with launchd, and in this sense it is "independent" from the main Application Bundle. I have setup AssociatedBundleIdentifiers in the Agent plist, to associate it with the Application. The TeamIdentifier of the 2 binaries are the same. Based on the documentation, this should be enough for my agent to signal macOS that the responsible code is the Application Bundle (which is already enabled from Local Network POV). Instead, once the LaunchAgent starts, the Local Network Consent popup appears for the binary. I would expect the Application to be the responsible code, thus no more Consent popup. Is this behaviour intended? I need this service to run as user, so I cannot just circumvent the Consent popup by running as a Daemon or Root. Nor I would like to manage the Agent with ServiceManagement. What do you guys think, have I misunderstood the documentation?

send a request and it returns with timeout Integration Team are Using Fortigate as a firewall and NGINX for some reasons so we use VPN TO Access , requests always succeed but at once it failed with timeout in randomize request not specific one we are using URLSession as a network layer when I retry the same failed request again, it success the request cannot connect apigee Sec Team concern { app session hits the security gateway with lots of SYN step to try to initiate a new session and doesn’t wait for (SYN-ACK / ACK) steps to happen to make sure the connection initiated correctly and gateway consider it flooding attack }

Hello, A quick background: I am developing an App that receives a data stream from a device through its Wi-Fi network. The device itself is not connected to the internet, so the app won't be either. Now, I am adding a new feature to the App that would require internet connection during the data stream. Consequently, my users would need to use their cellular data. On later versions of iPhone, the phone would occasionally detect the lack of internet connection and asks the user via a pop-up if they want to use their cellular data. However, this behavior is not consistent. So my question is- can we programmatically invoke this pop-up so the user can connect to the internet? Or even better- can we program the App to use cellular data while still being connected to a Wi-Fi network? Note: I have seen mixed answers on the internet whether this is doable or not, and I know that users are able do it themselves by manually configuring their IP in their WiFi settings page, but I doubt this operation can be done through the App for security reasons. Thanks!

I have an app with lots of networking calls that are currently done through URLSession. We would like to implement the new carried constrained entitlements and begin moving data through the ultra constrained network path for core features of our application. I have successfully implemented the NWPathMonitor to identify when the current network path is ultra constrained and I have been consistently on a physical device in a real world environment. I'm aware that we will not be able to use URLSession to do this from other posts in this forum like this one. Because of this problem with URLSession I am attempting to fallback to using NWConnection when the current path is ultra constrained. I have setup a NWConnection with the NWParameters.allowUltraConstrainedPaths set to true. The request works perfectly when connected to wifi or cellular. However, it does not work at all when the current path is ultra constrained. When attempting this request through my NWConnection I receive an error that says: The operation couldn’t be completed. (Network.NWError error 50 - Network is down) Is this expected? I have confirmed my physical device is connecting to carrier provided satellite and I have been able to load data in other ios apps from Apple like the music app while on this carrier constrained connection. If this is not the correct way to move data when the path is ultra constrained what is the correct way?