One thing I don't understand here, though, is that if you don't set up DNS settings in the packet tunnel provider, the packet tunnel provider simply doesn't work. No traffic goes through the packet flow, hence you can't route the packets through the tunnel. Try to make an http request and you get an immediate fail with "the internet connection appears to be offline", no packet seen in the flow. If you do set up the DNS settings, you will start to see DNS requests going through the packet tunnel provider, and that is specifically against TN3120. I would love not having to deal with DNS requests, but I can't find a way to set up the packet tunnel provider in a way that is transparent to them. Adding the DNS you set up in the excluded routes does nothing to prevent this to happen. The only way I see packets running through the packet tunnel provider without setting up DNS routes is if I set up a local proxy (and not just by putting bogus proxy settings, I mean actually having a proxy running), but the same TN3120 says you can't put a proxy in the packet tunnel provider. What's more puzzling, is that both Proxyman, Charles and Surge clearly do have a proxy running in the packet tunnel provider, Proxyman by own admission of the developer on StackOverflow. What gives?

I also found this in the console: Found 0 (0 active) registrations for ***.PacketTunnelProvider (com.apple.networkextension.packet-tunnel) So I'm guessing the problem lies here. If any Apple dev is listening, this really oughta be an error that should be raised in the startVPNTunnel. Anybody have any idea on why this happens?

Going through the console, it actually seems that the profile is loaded properly: NESMVPNSession[Primary Tunnel:XRTC Accelerator:6CB1FD0B-6268-4701-8968-2EE37DE109AC:(null)] starting with configuration: { name = **** identifier = 6CB1FD0B-6268-4701-8968-2EE37DE109AC applicationName = *** application = com.***.*** grade = 1 VPN = { enabled = YES onDemandEnabled = NO disconnectOnDemandEnabled = NO onDemandUserOverrideDisabled = NO protocol = { type = plugin identifier = E8C022C7-41EE-4627-B2CD-88CE84D2A1DD serverAddress = VPN Server identityDataImported = NO disconnectOnSleep = NO disconnectOnIdle = NO disconnectOnIdleTimeout = 0 disconnectOnWake = NO disconnectOnWakeTimeout = 0 includeAllNetworks = YES excludeLocalNetworks = YES excludeCellularServices = YES excludeAPNs = YES enforceRoutes = NO pluginType = com*** authenticationMethod = 0 providerConfiguration = { key = value, } providerBundleIdentifier = ***.PacketTunnelProvider } tunnelType = packet } } but then I get [4768]: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)" Any ideas on why this happens? Documentation on this error is quite sparse.