User Profile

I am running into an issue with running a PacketTunnelProvider as a system extension, and fast user switching. Since the VPN is running as root, it runs outside any user context, and is accessible to all users on the machine. I can see the following behavior: Login to User A Connect VPN Fast switch to user B Open Safari, observe that traffic is directed and sent out the VPN. (As noted by the ability to browse otherwise un-reachable websites). Is there a way to detect that a fast user switch is happening? And disconnect the VPN when user B takes control of the screen. I know NSWorkspace is not a daemon-safe API. So NSWorkspaceSessionDidResignActiveNotification and like will not be useful here. One alternative would be to use NSWorkspace notifications in the GUI and alert the system extension via XPC. But that wouldn't work in the case where there isn't a GUI, such as with ConnectOnDemand. Is there a daemon-safe API to use or some other alternative? Thanks

Hi, We run a PacketTunnelProvider VPN on our macbooks. When we updated the Mac to MacOS Sonoma, we see strange behavior with regards to the Wi-Fi menu in system settings. After we connect a VPN, the Wi-Fi switch gets blanked out, and it doesn't detect any other networks. This is in contrast to the wifi task-bar, where we can see it functioning normally. Wi-Fi and the VPN also function normally. Switching Wi-Fi networks does not work, and after, the Mac will not connect to any Wi-Fi networks until it restarts. After disconnecting the VPN, this problem remains. The only way to fix this is to restart the Mac. I've filed FB13205010. I'm wondering if anyone has seen anything like this, because it makes having a VPN unusable on this version of macOS. All of the following screenshots were taken at the same time.

Somewhere between iOS 16 and iOS 16.5, we've been noticing a new timer when starting up our PacketTunnelProvider. When we start the VPN session and if we take longer than 60 seconds to call the completion handler in (void)startTunnelWithOptions:(NSDictionary *)options completionHandler:(void (^)(NSError *))completionHandler We see that our VPN gets shutdown by the OS. 11:19:15.371532-0700 nesessionmanager NESMVPNSession[Primary Tunnel:test:7A492A00-109B-4DC9-970F-563A7BBC65A6:(null)]: Plugin NEVPNTunnelPlugin(com.netmotionwireless.Mobility[inactive]) initialized with Mach-O UUIDs ( "69923795-443E-3B0D-9D51-1DC84EB26A08" ) 11:19:15.372733-0700 nesessionmanager NESMVPNSession[Primary Tunnel:test:7A492A00-109B-4DC9-970F-563A7BBC65A6:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.netmotionwireless.Mobility[inactive]) started with PID 27315 error (null) 11:19:15.389348-0700 nesessionmanager NESMVPNSession[Primary Tunnel:test:7A492A00-109B-4DC9-970F-563A7BBC65A6:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.netmotionwireless.Mobility[inactive]) attached IPC with endpoint 0xd5a820210 . . . 11:20:15.290251-0700 nesessionmanager NESMVPNSession[Primary Tunnel:test:7A492A00-109B-4DC9-970F-563A7BBC65A6:(null)]: State timer (60 seconds) fired in state NESMVPNSessionStateStarting 11:20:15.290375-0700 nesessionmanager NESMVPNSession[Primary Tunnel:test:7A492A00-109B-4DC9-970F-563A7BBC65A6:(null)] in state NESMVPNSessionStateStarting: timed out 11:20:15.293574-0700 nesessionmanager NESMVPNSession[Primary Tunnel:test:7A492A00-109B-4DC9-970F-563A7BBC65A6:(null)]: Leaving state NESMVPNSessionStateStarting 11:20:15.293813-0700 nesessionmanager NESMVPNSession[Primary Tunnel:test:7A492A00-109B-4DC9-970F-563A7BBC65A6:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds 11:20:15.294034-0700 nesessionmanager NESMVPNSession[Primary Tunnel:test:7A492A00-109B-4DC9-970F-563A7BBC65A6:(null)]: config request: pushing handler [(null)] (null) 11:20:15.294286-0700 nesessionmanager <NESMServer: 0xd5a904120>: Request to uninstall session: NESMVPNSession[Primary Tunnel:test:7A492A00-109B-4DC9-970F-563A7BBC65A6:(null)] 11:20:15.294426-0700 nesessionmanager NESMVPNSession[Primary Tunnel:test:7A492A00-109B-4DC9-970F-563A7BBC65A6:(null)]: status changed to disconnecting We can see this with the log message State timer (60 seconds) fired in state NESMVPNSessionStateStarting Is there anything we can do to influence the length of this timer or change the state the VPN is in, other than calling the completion handler? Thanks

Hi, If I am sending a UDP packet or ICMP packet through an unbound BSD socket, and I have the don't fragment bit enabled on those packets, is there a way to get the source IP address and interface MTU of whatever packet that was sent? I am specifically looking the case where the packet fails to leave the device I am using, due to the packet size being larger than the interface MTU. The way that this is indicated to me is the send operation returning EMSGSIZE. This is useful with PMTU discovery for example on a cellular interface, where the MTU can be around ~1430. Thank you.

Hi, I'm writing a test app to send ICMPv6 packets. When I try to set the IPV6_DONTFRAG socket option, I get the error "operation not permitted" (EPERM). I am able to set the IPV6_DONTFRAG socket option on UDP sockets running IPv6. I am also able to set the IP_DONTFRAG socket option on ICMPv4 sockets. To summarize: UDP - IPV4, don't fragment option can be set UDP - IPV6, don't fragment option can be set ICMP - IPV4, don't fragment option can be set ICMP - IPV6, don't fragment option can't be set Is there a reason/workaround to get this to work? Another example, if the following command, I get that output language ~ % ping6 -D www.google.com ping6: IPV6_DONTFRAG: Operation not permitted If I run language sudo ping6 -D -s 1600 www.google.com the pings start to be sent, but according to a packet capture, they are fragmented. It seems like the socket option is not set/not followed? Thanks

Hi, We are running a VPN in a network extension using the NEPacketTunnelProvider APIs. When we re-configure the VPN adapter, such as on a roam, any active NSURL session task fails. Using a test app we've been seeing that TCP streaming using BSD sockets remains unaffected, but NSURL tasks get killed. This is what the NSURL task fails with. 021-04-05 17:18:31.202678-0400 TCPStreamer[17967:460702] Task 2B2AE33C-145B-46E5-96F0-15C1E21791B5.4006 finished with error [-1009] Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={​​​​​​​​_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x1144d42a0 {​​​​​​​​Error Domain=kCFErrorDomainCFNetwork Code=-1009 "(null)" UserInfo={​​​​​​​​_kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}​​​​​​​​}​​​​​​​​, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDownloadTask 2B2AE33C-145B-46E5-96F0-15C1E21791B5.4006, _NSURLErrorRelatedURLSessionTaskErrorKey=(   "LocalDownloadTask 2B2AE33C-145B-46E5-96F0-15C1E21791B5.4006" ), NSLocalizedDescription=The Internet connection appears to be offline., NSErrorFailingURLStringKey=URL, NSErrorFailingURLKey=URL, _kCFStreamErrorDomainKey=1}​​​​​​​​ 2021-04-05 17:18:31.202699-0400 TCPStreamer[17967:460702] The Internet connection appears to be offline. 2021-04-05 17:18:31.203880-0400 TCPStreamer[17967:460700] Connection 4007: received failure notification 2021-04-05 17:18:31.203897-0400 TCPStreamer[17967:460700] Connection 4007: failed to connect 1:50, reason -1 2021-04-05 17:18:31.203934-0400 TCPStreamer[17967:460700] Connection 4007: encountered error(1:50) 2021-04-05 17:18:31.204591-0400 TCPStreamer[17967:460700] Task C0AB5E94-0CD8-4FBD-804F-99CA7C75F4CC.4007 HTTP load failed, 0/0 bytes (error code: -1009 [1:50]) I am wondering if this is intended, or if this is something I should file a bug for. Running the same test on macOS does not produce this issue. Thanks

Hi, We are looking for a way to identify the interface index. We need this information to bind our BSD sockets to the VPN's network interface (e.g. utun2). We've been unable to find a reliable way to determine the correct interface index to bind to. Thanks