Thank you very much for your quick and thorough answer to my long post! It was very helpful: what I did not realise at first when reading the API documentation is that if you use, for example, an NETransparentProxyManager, then you need to use NETransparentProxyNetworkSettings when calling setTunnelNetworkSettings in the provider. I figured this out from your reply, so I have now successfully written an AppProxyProvider that intercepts traffic based on NENetworkRules by using an NETransparentProxyManager. I was able to intercept both DNS traffic and also traffic to a subnet as I wanted. And it did seem to capture traffic from all apps.
I do still have two follow-up questions.
First question:
You write that:
“… you can still use NEAppProxyProvider / NETransparentProxyManager but you will need to proxy all of your flows and will not have the ability to return false and let the OS handle the flow you do not wish to proxy.”
Is that the difference between using NEAppProxyProvider and NETransparentProxyProvider? That a false return from handleNewFlow means “block” for NEAppProxyProvider and “pass” for NETransparentProxyProvider? I cannot see any differences in the API documentation. I cannot test this as I currently only have access to macOS 10.15. The target macOS version for the project I work on is still up for discussion.
Second question:
What is the difference between using NEDNSProxyManager and NETransparentProxyManager with a rule of:
NENetworkRule(destinationHost: NWHostEndpoint(hostname: "", port: "53"), protocol: .any)
It seems to me like I get significantly more stuff captured with the NETransparentProxyManager approach. In particular, a lot of requests going to an address in 10.0.0.0/8, which is not an address on my network, and also to fe80::1. So maybe NETransparentProxyManager captures more DNS traffic than NEDNSProxyManager?
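For readers following this thread, here is an added example (not code from the original post or from Apple) of the provider setup the post describes: an NETransparentProxyManager-backed provider that passes NETransparentProxyNetworkSettings to setTunnelNetworkSettings, with one NENetworkRule for port 53 on any host and one for a subnet. It subclasses NETransparentProxyProvider (a subclass of NEAppProxyProvider, available from macOS 11), because that is the class for which a false return from handleNewFlow hands the flow back to the OS, as the quoted reply indicates. DNS flows are logged with the originating app's signing identifier and then passed through untouched, so resolution keeps working while the provider gains visibility; TCP flows to the subnet are relayed to their original destination. The class name, the log subsystem, and the 10.0.0.0/8 subnet are constructed for the example.

```swift
import Network
import NetworkExtension
import os

/// Added example, not from the original thread. Class and subsystem names are made up.
/// Requires macOS 11, where NETransparentProxyProvider is available.
class ExampleTransparentProxyProvider: NETransparentProxyProvider {

    private let logger = Logger(subsystem: "com.example.transparentproxy", category: "provider")

    override func startProxy(options: [String: Any]? = nil,
                             completionHandler: @escaping (Error?) -> Void) {
        // With an NETransparentProxyManager the settings object passed to
        // setTunnelNetworkSettings must be NETransparentProxyNetworkSettings.
        // The remote address is a placeholder; a transparent proxy has no tunnel server.
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")

        // Rule 1: any destination host, port 53, TCP or UDP.
        let dnsRule = NENetworkRule(destinationHost: NWHostEndpoint(hostname: "", port: "53"),
                                    protocol: .any)
        // Rule 2: every flow to 10.0.0.0/8 (a constructed sample subnet).
        let subnetRule = NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "10.0.0.0", port: "0"),
                                       prefix: 8, protocol: .any)
        settings.includedNetworkRules = [dnsRule, subnetRule]
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    /// Called once per flow that matches includedNetworkRules. In a transparent proxy,
    /// returning false lets the OS carry the flow normally, so the provider can record
    /// a flow without taking responsibility for moving its bytes.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        let app = flow.metaData.sourceAppSigningIdentifier

        if let tcp = flow as? NEAppProxyTCPFlow, let remote = tcp.remoteEndpoint as? NWHostEndpoint {
            logger.info("TCP \(app, privacy: .public) -> \(remote.hostname, privacy: .public):\(remote.port, privacy: .public)")
            if remote.port == "53" {
                return false   // DNS over TCP: observe only, let the resolver proceed
            }
            relay(tcp, to: remote)
            return true        // subnet flow: the provider now owns it
        }

        if flow is NEAppProxyUDPFlow {
            // A UDP flow exposes no remote endpoint until datagrams are read;
            // record the source app and let the OS handle it.
            logger.info("UDP \(app, privacy: .public) (passed through)")
            return false
        }
        return false
    }

    /// Relay a TCP flow to its original destination over an NWConnection.
    private func relay(_ flow: NEAppProxyTCPFlow, to remote: NWHostEndpoint) {
        guard let port = Network.NWEndpoint.Port(remote.port) else {
            flow.closeReadWithError(nil); flow.closeWriteWithError(nil); return
        }
        let server = NWConnection(host: Network.NWEndpoint.Host(remote.hostname), port: port, using: .tcp)
        server.stateUpdateHandler = { [weak self] state in
            switch state {
            case .ready:
                // Open the app side only once the server side is connected.
                flow.open(withLocalEndpoint: nil) { error in
                    guard error == nil, let self = self else { server.cancel(); return }
                    self.pumpAppToServer(flow, server)
                    self.pumpServerToApp(server, flow)
                }
            case .failed, .cancelled:
                flow.closeReadWithError(nil)
                flow.closeWriteWithError(nil)
            default:
                break
            }
        }
        server.start(queue: .global())
    }

    private func pumpAppToServer(_ flow: NEAppProxyTCPFlow, _ server: NWConnection) {
        flow.readData { [weak self] data, error in
            guard error == nil, let data = data, !data.isEmpty else {
                // The app finished writing (or failed): send EOF to the server.
                server.send(content: nil, contentContext: .finalMessage, isComplete: true,
                            completion: .contentProcessed { _ in })
                return
            }
            server.send(content: data, completion: .contentProcessed { sendError in
                if sendError != nil { flow.closeReadWithError(sendError); return }
                self?.pumpAppToServer(flow, server)
            })
        }
    }

    private func pumpServerToApp(_ server: NWConnection, _ flow: NEAppProxyTCPFlow) {
        server.receive(minimumIncompleteLength: 1, maximumLength: 65536) { [weak self] data, _, isComplete, error in
            if let data = data, !data.isEmpty {
                flow.write(data) { writeError in
                    if writeError != nil { server.cancel(); return }
                    self?.pumpServerToApp(server, flow)
                }
            } else if isComplete || error != nil {
                // The server closed or failed: finish the app's read side.
                flow.closeWriteWithError(error)
            }
        }
    }
}
```

The rule set decides which flows reach handleNewFlow at all; the return value of handleNewFlow then decides, per flow, whether the provider owns it. Keeping DNS on the "log and return false" path is what makes this safe to run on a machine you depend on, since the provider never becomes a point of failure for name resolution, while the signing identifier in the log still tells you which app issued the query.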