Sorry about the delay responding here. I thought I would post in detail in case it helps someone else.
The first mistake I made was in assuming that converting a packet tunnel to a system extension is just a matter of updating the entitlements to say that I am using a system extension, but I figured out that it's incorrect - I needed to delete my old network extension target and create a NEW target in Xcode, selecting the type as system-extension. So I guess that makes Xcode package the application differently - the system extension app has the Library/SystemExtension folder with my system extension code inside it etc., which will happen only if we create a target specifically marked as system-extension in Xcode.
Then in developer.apple.com for the app IDs, the UI APP ID has BOTH network and system extension checked, the packet-tunnel app ID has Network extension checked but NOT system extension.
Then of course I had to mention it in my entitlements. I am listing it here for anyone's future reference.
Packet tunnel entitlement:
UI App entitlement:
And then I built the image and uploaded it to Apple for "Developer ID" signing, and it was signed all well and fine, and then I exported the signed app as a Mac app. Now this is where it was frustrating as hell - the app would work fine on my laptop, I can open it and it will ask permission to install the system extension etc., but it would NOT work on anyone else's laptop - it would not ask for permission to install the system extension, radio silence. And in the system logs there is really nothing legible that says what the problem is. I spent at least a couple of days, a complete waste of time, chasing this - and finally figured that the Developer ID signed app has to be moved to the Applications folder and only then the system extension would work. And how did I find that out? There was this slide deck - https://objectivebythesea.com/v3/talks/OBTS_v3_sKnight.pdf - where somewhere deep inside it there was an allusion to the need to move the app to the Applications folder, and thanks to this kind soul who made the PDF, my pain ended in two days. These are the things which Apple has been terrible in documenting. Does no one at Apple run through the sequence end to end and see what the steps required are and document it???
At any rate, after the above, it all works fine - it asks for permission to install the system extension and I allow it and it creates a separate process with my system extension code - that is a thing to note when writing system extensions: unlike the previous packet tunnel mechanism, the system extension code runs as a separate process that keeps running forever as long as the system extension is installed, i.e. it keeps running even after your app is terminated. And when you relaunch the app and again activate the system extension, the process will still be the same, it's not restarted - i.e. make sure to clean up and have the process start from a clean state without actually restarting the process.
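As an added example (not the poster's code), this is the activation flow the post describes, with up-front checks for the two pitfalls it names: the app must run from /Applications, and the extension must come from a System Extension target rather than an app-extension target. The bundle identifier and the Contents/Library/SystemExtensions path are assumptions, taken from the plist quoted in this thread and Apple's system-extension bundle layout.

```swift
import Foundation
import SystemExtensions

// Added example, not the poster's code. Assumes the extension's bundle identifier
// is "io.nextensio.agent1.tunnel" (the identifier seen in this thread's plist).
final class ExtensionActivator: NSObject, OSSystemExtensionRequestDelegate {
    private let extensionIdentifier = "io.nextensio.agent1.tunnel"

    // A Developer ID signed app only gets the approval prompt from /Applications.
    static func isInstalledInApplications(_ url: URL = Bundle.main.bundleURL) -> Bool {
        return url.resolvingSymlinksInPath().path.hasPrefix("/Applications/")
    }
    // Only a System Extension target yields a .systemextension bundle here; an
    // app-extension target (PlugIns/*.appex) does not and is never activated.
    static func hasEmbeddedSystemExtension(_ url: URL = Bundle.main.bundleURL) -> Bool {
        let dir = url.appendingPathComponent("Contents/Library/SystemExtensions").path
        let entries = (try? FileManager.default.contentsOfDirectory(atPath: dir)) ?? []
        return entries.contains { $0.hasSuffix(".systemextension") }
    }
    func activate() {
        guard Self.isInstalledInApplications() else {
            NSLog("Move the app to /Applications before activating the extension"); return
        }
        guard Self.hasEmbeddedSystemExtension() else {
            NSLog("No .systemextension found; the target must be a System Extension"); return
        }
        let request = OSSystemExtensionRequest.activationRequest(
            forExtensionWithIdentifier: extensionIdentifier, queue: .main)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    // The extension is a separate process that outlives the app; re-activating the
    // same build keeps that process, so the extension must reset its own state.
    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties)
                 -> OSSystemExtensionRequest.ReplacementAction { return .replace }
    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        NSLog("Waiting for the user to click Allow in Security & Privacy")
    }
    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        NSLog("Activation finished with result \(result.rawValue)")
    }
    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        NSLog("Activation failed: \(error.localizedDescription)")
    }
}
```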
cat NextensioAppMac.app/Contents/PlugIns/NextensioPacketTunnelMac.appex/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BuildMachineOSBuild</key>
<string>20E241</string>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleDisplayName</key>
<string>NextensioPacketTunnel</string>
<key>CFBundleExecutable</key>
<string>NextensioPacketTunnelMac</string>
<key>CFBundleIdentifier</key>
<string>io.nextensio.agent1.tunnel</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>NextensioPacketTunnelMac</string>
<key>CFBundlePackageType</key>
<string>XPC!</string>
<key>CFBundleShortVersionString</key>
<string>0.1.4</string>
<key>CFBundleSupportedPlatforms</key>
<array>
<string>MacOSX</string>
</array>
<key>CFBundleVersion</key>
<string>1</string>
<key>DTCompiler</key>
<string>com.apple.compilers.llvm.clang.1_0</string>
<key>DTPlatformBuild</key>
<string>12E262</string>
<key>DTPlatformName</key>
<string>macosx</string>
<key>DTPlatformVersion</key>
<string>11.3</string>
<key>DTSDKBuild</key>
<string>20E214</string>
<key>DTSDKName</key>
<string>macosx11.3</string>
<key>DTXcode</key>
<string>1250</string>
<key>DTXcodeBuild</key>
<string>12E262</string>
<key>LSMinimumSystemVersion</key>
<string>11.1</string>
<key>NSExtension</key>
<dict>
<key>NSExtensionPointIdentifier</key>
<string>com.apple.networkextension.packet-tunnel</string>
<key>NSExtensionPrincipalClass</key>
<string>NextensioPacketTunnelMac.PacketTunnelProvider</string>
</dict>
</dict>
</plist>
cat NextensioAppMac.app/Contents/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BuildMachineOSBuild</key>
<string>20E241</string>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleExecutable</key>
<string>NextensioAppMac</string>
<key>CFBundleIconFile</key>
<string>AppIcon</string>
<key>CFBundleIconName</key>
<string>AppIcon</string>
<key>CFBundleIdentifier</key>
<string>io.nextensio.agent1</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>Nextensio</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>0.1.4</string>
<key>CFBundleSupportedPlatforms</key>
<array>
<string>MacOSX</string>
</array>
<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleURLName</key>
<string>io.nextensio.agent1</string>
</dict>
</array>
<key>CFBundleVersion</key>
<string>1</string>
<key>DTCompiler</key>
<string>com.apple.compilers.llvm.clang.1_0</string>
<key>DTPlatformBuild</key>
<string>12E262</string>
<key>DTPlatformName</key>
<string>macosx</string>
<key>DTPlatformVersion</key>
<string>11.3</string>
<key>DTSDKBuild</key>
<string>20E214</string>
<key>DTSDKName</key>
<string>macosx11.3</string>
<key>DTXcode</key>
<string>1250</string>
<key>DTXcodeBuild</key>
<string>12E262</string>
<key>LSApplicationCategoryType</key>
<string>public.app-category.utilities</string>
<key>LSMinimumSystemVersion</key>
<string>11.1</string>
<key>NSMainStoryboardFile</key>
<string>Main</string>
<key>NSPrincipalClass</key>
<string>NSApplication</string>
</dict>
</plist>
codesign -dv NextensioAppMac.app
Executable=/Users/gopakumarchoorakkotedakkunni/NXT/NextensioAppMac.app/Contents/MacOS/NextensioAppMac
Identifier=io.nextensio.agent1
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=959 flags=0x10000(runtime) hashes=19+7 location=embedded
Signature size=9009
Timestamp=May 26, 2021 at 3:47:08 PM
Info.plist entries=25
TeamIdentifier=3S6YLTX9PM
Runtime Version=11.3.0
Sealed Resources version=2 rules=13 files=13
Internal requirements count=1 size=212
@matt Thx for the reply. I am aware of the metadata that can be seen in Wireshark. The ONLY INTERFACE in all of the metadata in Wireshark is interface en0 (on my iPad); occasionally there are some broadcasts and multicasts on some "en2" interface which I don't know what it is, but there is no metadata that points to any "tunnel" interface - so THAT was the question - it looks like rvictl captures everything on "physical" interfaces (like en0) only??
And yes, I agree, this is seriously suboptimal.
@eskimo, my frustration was not about having to enable the kernel extension - that took me 5 mins and that's perfectly acceptable to me. My frustration was that rvictl FAILED, as a Google search did not lead to any help page or anything; what it led to was this thread with a potpourri of random suggestions. I am not kidding when I say I wasted a WHOLE DAY (at least) on this - I even thought that it's probably that my iPad (attached to my Mac mini) is too old and hence I drove one hour up and down to an Apple store and got a new one, only to see that it had the same issue. Then I kept at Google searches till some kind soul somewhere had hinted about having to enable kernel extensions.
So my point was that along with rvictl FAILED, if there was one more line of message that said "please enable kernel extensions", that would have made my experience with Apple development far smoother.
By the way, if anyone is trying this on a Mac M1 (Apple silicon) and rvictl says FAILED, it's because you need to enable Mac system extensions - https://support.apple.com/guide/mac-help/change-startup-disk-security-settings-a-mac-mchl768f7291/mac - basically say "reduced security" and check all the freaking boxes that say enable kernel extensions and all that. And after you boot up, you have to again go to System > Security & Preferences and there will be an "Allow" button you have to click there, which will again make you reboot.
I wasted freaking a day on this crap and finally, after a lot of browsing, I figured that's the reason. I enabled system extensions and it's working fine.
By the way, I tried this on a Mac and it is NOT looping the packets back. That is, EVEN IF I advertise a default route from the packetTunnel provider and then I open a plain regular TCP socket from the packetTunnel provider to some random destination (let's say 8.8.8.8), that goes out DIRECTLY, i.e. WITHOUT getting sucked into the packetTunnel provider app. Have not tried it on iOS, fingers crossed that it works the same way on iOS.
So in summary, there looks to be some magic / special sauce which makes the route lookups of the packetTunnel provider originated sockets to bypass the standard global routing table - which is good, which is what I hoped for, if apple can confirm that it is a LEGIT behaviour and it will continue to be so architecturally in future, that will be comforting to know!
Thanks a lot for the response Matt. So here is what I want to do:
1. I do not have any MDM, so I can't use NEAppRule; same goes for the AppProxy provider (which is a bummer, I wish NEAppRule or AppProxy were supported without needing MDM).
2. So having laid out the limitation in 1, I have no other option but to use PacketTunnelProvider. And I do not have a range of IP addresses in hand to allow/disallow - my solution is not IP address based but rather based on the results of my parsing.
3. I see the existence of the API createTCPConnectionThroughTunnelToEndpoint which, as per the thread below, has to be used if an NETunnelProvider wants to create a session which gets routed via the tunnel - so the opposite of which would make me think that if I create a "normal" TCP session, it would NOT go via the tunnel; why else would there be a special API to force it via the tunnel?
   https://developer.apple.com/forums/thread/94430
I was also going through the Darwin kernel code to see if I can figure something out, but the only thing I could "guess" is that the regular routing table where I add a default route via my tunnel is different from the routing table used by the NETunnelProvider itself (it puts that app in some other scope?). If it's two separate routing tables, then what I want would work just plain and easy, and I would assume that's what the developers would have done. I was just about to run my program under strace to see what happens underneath.
I wish just the library code for the NETunnelProvider was open source like Darwin and one could then peep into it and see what underlying BSD calls these APIs are making. I even tried reaching out to some of the developers to tell me the basics of what happens underneath so I don't have to burn a lot of my time (almost a week now) doing all this googling and weird experiments just to be able to develop an application in iOS - but so far I haven't had any luck getting them to answer :)
I did not see this thread, asked the same question here - https://developer.apple.com/forums/thread/677180
So @kit228, do you see any loops?