My app is a VPN app that uses a [com.apple.networkextension.packet-tunnel] app extension to provide a VPN service.
A problem has puzzled me for a long time: sometimes the VPN doesn't start successfully until the user restarts iOS or reinstalls my app.
The details are:
The user uses the app normally many times, and then suddenly can't start the VPN service. The app log shows that the API call "startVPNTunnelWithOptions" succeeds and returns success,
but the VPN extension status (NEVPNStatus) changes from Disconnected to Connecting and then nothing happens. The VPN process is not started, and no log from the VPN extension is created. My VPN log starts in the init function of the class that inherits from PacketTunnelProvider, so I can see that the VPN process did not start.
My NETunnelProviderProtocol is:
// Protocol configuration for the packet tunnel extension (kTunBundleId is the extension's bundle identifier).
NETunnelProviderProtocol *tunnel = [[NETunnelProviderProtocol alloc] init];
tunnel.providerBundleIdentifier = kTunBundleId;
tunnel.serverAddress = @"";      // left empty: openvpn3 inside the extension supplies the server
tunnel.disconnectOnSleep = NO;
// Apply the configuration to the NETunnelProviderManager and persist it;
// startVPNTunnel operates on the saved configuration, so save before starting.
self.providerManager.enabled = YES;
self.providerManager.protocolConfiguration = tunnel;
self.providerManager.localizedDescription = kAppName;
[self.providerManager saveToPreferencesWithCompletionHandler:^(NSError *error) {
    if (error) { NSLog(@"saveToPreferences failed: %@", error); }
}];
Very simple, because my app uses openvpn3 to provide the VPN service, so there is no need to set the serverAddress.
Because when this problem happens I can't get any useful log (the app can't read the iOS system log), this is a real trouble for me. Could anybody help!
We are an SDK manufacturer, providing our clients with an HTTP network proxy SDK.
Recently, on iOS 17.1.1, we encountered a problem. After the proxy is started, the system is prone to crash, which looks like a crash in the iOS network library. The crash information is as follows:
Regarding other iOS versions (15, 16, etc.): I would like to ask whether the cause of the crash can be seen from the information provided. Is it an issue on our side, or a bug in iOS?
We provided a VPN SDK (based on NEPacketTunnelProvider) to our customer for their social networking app. The app wanted to use the speed service of the VPN SDK.
However, the app was rejected during the submission review. The reason for the rejection is:
So can NEPacketTunnelProvider only be used in VPN apps?
Our application is a VPN app based on NEPacketTunnelProvider.
In order to handle traffic based on domain name, or to accelerate it through a tunnel, we intercept almost all traffic.
The problem arises with the traffic that is being sent back. We found that when the VPN is enabled and uploading files, the TCP data sent back through our VPN code is noticeably slower.
After capturing packets and analyzing them with Wireshark, we found that our TCP packets are being split, resulting in one larger packet and one smaller packet (as shown in the image below). However, when we checked our code's logs for the data written to the TCP connection, we did not find any of these smaller packets.
Android uses the same code, but Android does not show the situation seen in the figure below.
The code logic is that the data received from the VPN is parsed by lwIP and then sent out over TCP.
I would like to ask why this happens on iOS and whether there is any way to avoid or optimize it.
testing ...
Here's the situation:
Our app implements a VPN service using NEPacketTunnelProvider.
Recently, we noticed that when the DNS servers used on the Wi-Fi network are the same as those configured for the VPN, such as 8.8.8.8 and 8.8.4.4, DNS traffic does not pass through the VPN. This only occurs on iOS 16.
I think this is an optimization in iOS.
However, this creates a problem.
Our VPN server performs DNS resolution. If we use 8.8.8.8 and 8.8.4.4 for resolution and it fails, we use our customer's internal DNS server for resolution, and then return the result to the client. To the client it looks like the resolution was done by 8.8.8.8, but actually it was not.
Because iOS does not route traffic to 8.8.8.8 and 8.8.4.4 through the VPN, our DNS resolution fails.
Is there any method (such as a configuration option) to make traffic to 8.8.8.8 and 8.8.4.4 still go through the VPN?
My app is a VPN app that uses a [com.apple.networkextension.packet-tunnel] app extension to provide a VPN service. Sometimes the VPN doesn't start successfully until the user restarts iOS or reinstalls my app.
I got a sysdiagnose log, and found that nesessionmanager was stuck in the connecting state.
This is the log:
Issue log
It seems to be stuck in nw_path_necp_update_evaluator_block_invoke. Could you tell me what this is, and how I can avoid it?
We have found that the memory limit for NEPacketTunnelProvider on some iOS 15 and iOS 16 devices is no longer 15MB and can reach up to 50MB. Could you please let me know the latest memory limit for Network Extensions?
Our software is a VPN app that uses the NEPacketTunnelProvider solution. Some customers have reported frequent failures to connect to the VPN server. Killing the app and restarting it does not help, but restarting iOS restores the connection.
We checked the logs and found that the TCP connection could not be established, with the error message "No route to host". This is usually a network problem.
However, the customer's other apps, including our host app, can access the network normally.
To check the network quality, the VPN process pings an Apple domain at the same time. We found that every time the user cannot connect to the VPN server, the VPN process's ping to Apple fails with the following error: kCFErrorDomainCFNetwork error 2.
Can you tell me whether there are any situations that could cause this problem?
I created a private certificate and installed it on my iPhone, and in [Certificate Trust Settings] I already enabled it.
But when I open the HTTPS website built with the private certificate, Safari still shows the "The Connection is not Private" warning.
At first I thought maybe my cert, or something else I did, was wrong.
But when I installed the same cert on my Mac, set it to Always Trust in Keychain, and then used Safari on my Mac to open the same website, it worked (the warning was not shown).
So can I get the same result on my iOS device? Or is there some difference in limits between iOS and macOS?
Our app is provided to our client companies for download, so we are not sure how many people and devices will download the app.
Only one range can be given at most, so we are worried that after the download volume exceeds our expectations, the App Store will restrict users from downloading unlisted apps.
Our app uses NEPacketTunnelProvider to provide a VPN service. We add IP 0.0.0.0 with subnet mask 0.0.0.0 to the IPv4Settings includedRoutes (we want all traffic to pass through the VPN). But we found that LAN traffic is not hijacked by the VPN.
After we add a route like 192.168.3.33 mask 255.255.255.255 to the IPv4Settings includedRoutes, where 192.168.3.33 is a host on the LAN, the VPN can hijack the traffic to 192.168.3.33. But the traffic could not be sent to the host successfully.
So could you tell me whether it is by design that LAN traffic won't be hijacked by the VPN?
If we want to hijack LAN traffic and send it normally, is it possible?
When the traffic is sent to the host, it seems to be hijacked by the VPN again, so it cannot be sent normally.
Is there a way to avoid this?
I found that when I make an HTTP request in the VPN process, the request doesn't go through the VPN tunnel; it isn't hijacked.
So I would like to ask whether there is any way to make requests made in the NEPacketTunnelProvider process be hijacked by the NEPacketTunnelProvider traffic.
When switching the network from 5G to 4G in Settings -> Cellular -> Primary (the card currently used for WAN) -> Voice & Data -> change to 4G,
the iOS API SCNetworkReachabilitySetCallback does not call back.
I tried using CTServiceRadioAccessTechnologyDidChangeNotification to get the notification, but that doesn't work either.
And when using addObserver:forKeyPath: to observe the CTTelephonyNetworkInfo instance's currentRadioAccessTechnology value, it does not change either.
But if you create a new CTTelephonyNetworkInfo instance, currentRadioAccessTechnology returns a new value which is correct.
So it seems the only way to get the new currentRadioAccessTechnology in time is to start a timer.
Is there a graceful way to get it?
My app uses NEPacketTunnelProvider to start a VPN service on iOS devices.
Sometimes, after the app process calls startTunnelWithOptions successfully, iOS won't start the VPN process successfully.
It needs a reinstall of the IPA to make it work fine again.
After reproducing the problem and capturing the system log,
we found this log:
Feb 14 10:09:22 nesessionmanager[13722] <Notice>: NESMVPNSession[Primary Tunnel:SecureLink:CFA3ACD5-6A37-44DD-8BE9-DB3317285D03:(null)]: Re-setting policies because the installed apps changed
Feb 14 10:09:22 nesessionmanager[13722] <Notice>: NESMVPNSession[Primary Tunnel:CDNetwork:B5F6D081-F37E-4A27-B7A7-596C4AA03118:(null)]: Resetting VPN On Demand
Feb 14 10:09:22 nesessionmanager[13722] <Notice>: NESMVPNSession[Primary Tunnel:SecureLink:CFA3ACD5-6A37-44DD-8BE9-DB3317285D03:(null)]: Resetting VPN On Demand
Feb 14 10:09:22 nesessionmanager[13722] <Notice>: Found 0 (0 active) registrations for com.CDNetworks.ESA.packettunnel (com.apple.networkextension.packet-tunnel)
Feb 14 10:09:22 nesessionmanager[13722] <Notice>: Found 0 (0 active) registrations for com.wangsu.securelink.packettunnel (com.apple.networkextension.packet-tunnel)
Feb 14 10:09:22 nesessionmanager[13722] <Notice>: NESMVPNSession[Primary Tunnel:CDNetwork:B5F6D081-F37E-4A27-B7A7-596C4AA03118:(null)]: Plugin is installed
Feb 14 10:09:22 nehelper[11452] <Error>: Denying connection from nesessionmanager (13722) because it is missing the com.apple.private.network.socket-delegate entitlement
Feb 14 10:09:22 nesessionmanager[13722] <Notice>: NESMVPNSession[Primary Tunnel:SecureLink:CFA3ACD5-6A37-44DD-8BE9-DB3317285D03:(null)]: Plugin is installed
Feb 14 10:09:22 nesessionmanager(libsystem_networkextension.dylib)[13722] <Notice>: UUID cache generation changed from 351 to 353
Feb 14 10:09:22 nesessionmanager(libsystem_networkextension.dylib)[13722] <Notice>: UUID cache miss for com.apple.VoiceMemos
Feb 14 10:09:22 nesessionmanager(libsystem_networkextension.dylib)[13722] <Notice>: UUID cache generation changed from 353 to 354
Feb 14 10:09:22 nesessionmanager(libsystem_networkextension.dylib)[13722] <Notice>: UUID cache miss for com.apple.Translate
Feb 14 10:09:22 nehelper[11452] <Error>: Denying connection from nesessionmanager (13722) because it is missing the com.apple.private.network.socket-delegate entitlement
So could somebody tell me what the com.apple.private.network.socket-delegate entitlement is,
and how to fix that?
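The sysdiagnose excerpt in this post (and the one in the first post of the thread, which is the same "stuck in Connecting" symptom) arrives as one run-together line, which makes it hard to see what nesessionmanager actually recorded. The following is an added example, not code from the poster or from Apple: a small Python triage script that splits nesessionmanager/nehelper output back into entries and pulls out the three signals worth checking first when a packet tunnel never launches: the "Found N (M active) registrations" count for each extension bundle ID, the "Denying connection ... entitlement" errors, and the policy / VPN On Demand resets that follow an app install or removal. The sample text is constructed from the excerpt above; the regexes and function names are my own and assume the standard `Mon DD HH:MM:SS process[pid] <Level>: message` layout seen there.

```python
"""Triage run-together NetworkExtension daemon logs (added example, not from the post)."""
import re
from collections import Counter

# Constructed sample: the excerpt from the post above, exactly as the forum ran it together.
SAMPLE_LOG = (
    "Feb 14 10:09:22 nesessionmanager[13722] <Notice>: NESMVPNSession[Primary Tunnel:SecureLink:CFA3ACD5-6A37-44DD-8BE9-DB3317285D03:(null)]: Re-setting policies because the installed apps changed "
    "Feb 14 10:09:22 nesessionmanager[13722] <Notice>: NESMVPNSession[Primary Tunnel:CDNetwork:B5F6D081-F37E-4A27-B7A7-596C4AA03118:(null)]: Resetting VPN On Demand "
    "Feb 14 10:09:22 nesessionmanager[13722] <Notice>: NESMVPNSession[Primary Tunnel:SecureLink:CFA3ACD5-6A37-44DD-8BE9-DB3317285D03:(null)]: Resetting VPN On Demand "
    "Feb 14 10:09:22 nesessionmanager[13722] <Notice>: Found 0 (0 active) registrations for com.CDNetworks.ESA.packettunnel (com.apple.networkextension.packet-tunnel) "
    "Feb 14 10:09:22 nesessionmanager[13722] <Notice>: Found 0 (0 active) registrations for com.wangsu.securelink.packettunnel (com.apple.networkextension.packet-tunnel) "
    "Feb 14 10:09:22 nesessionmanager[13722] <Notice>: NESMVPNSession[Primary Tunnel:CDNetwork:B5F6D081-F37E-4A27-B7A7-596C4AA03118:(null)]: Plugin is installed "
    "Feb 14 10:09:22 nehelper[11452] <Error>: Denying connection from nesessionmanager (13722) because it is missing the com.apple.private.network.socket-delegate entitlement "
    "Feb 14 10:09:22 nesessionmanager[13722] <Notice>: NESMVPNSession[Primary Tunnel:SecureLink:CFA3ACD5-6A37-44DD-8BE9-DB3317285D03:(null)]: Plugin is installed "
    "Feb 14 10:09:22 nesessionmanager(libsystem_networkextension.dylib)[13722] <Notice>: UUID cache generation changed from 351 to 353 "
    "Feb 14 10:09:22 nesessionmanager(libsystem_networkextension.dylib)[13722] <Notice>: UUID cache miss for com.apple.VoiceMemos "
    "Feb 14 10:09:22 nesessionmanager(libsystem_networkextension.dylib)[13722] <Notice>: UUID cache generation changed from 353 to 354 "
    "Feb 14 10:09:22 nesessionmanager(libsystem_networkextension.dylib)[13722] <Notice>: UUID cache miss for com.apple.Translate "
    "Feb 14 10:09:22 nehelper[11452] <Error>: Denying connection from nesessionmanager (13722) because it is missing the com.apple.private.network.socket-delegate entitlement"
)

# One entry = timestamp, process (optionally with the emitting library in parentheses),
# pid, level, message. The message runs until the next entry header or end of text.
_HEADER = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} [\w.-]+(?:\([^)]+\))?\[\d+\] <"
ENTRY_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[\w.-]+)(?:\((?P<lib>[^)]+)\))?\[(?P<pid>\d+)\] "
    r"<(?P<level>\w+)>: "
    r"(?P<msg>.*?)"
    r"(?= " + _HEADER + r"|\s*\Z)",
    re.DOTALL,
)
REG_RE = re.compile(r"Found (\d+) \((\d+) active\) registrations for (\S+) \((\S+)\)")
DENY_RE = re.compile(r"Denying connection from (\S+) \((\d+)\) because it is missing the (\S+) entitlement")


def parse_ne_log(text):
    """Split run-together daemon output into one dict per log entry."""
    return [
        {"ts": m["ts"], "process": m["proc"], "library": m["lib"],
         "pid": int(m["pid"]), "level": m["level"], "message": m["msg"].strip()}
        for m in ENTRY_RE.finditer(text)
    ]


def summarize(entries):
    """Extract the signals relevant to a tunnel that never leaves Connecting."""
    summary = {"registrations": {}, "denied": Counter(), "errors": 0, "session_resets": 0}
    for e in entries:
        if e["level"] == "Error":
            summary["errors"] += 1
        m = REG_RE.search(e["message"])
        if m:  # extension point registrations nesessionmanager can see for this bundle ID
            summary["registrations"][m.group(3)] = {
                "total": int(m.group(1)), "active": int(m.group(2)), "extension_point": m.group(4)}
        m = DENY_RE.search(e["message"])
        if m:  # (client process, entitlement) pairs nehelper refused
            summary["denied"][(m.group(1), m.group(3))] += 1
        if "Resetting VPN On Demand" in e["message"] or "Re-setting policies" in e["message"]:
            summary["session_resets"] += 1
    return summary


def extensions_without_active_registration(summary):
    """Bundle IDs whose packet-tunnel extension had no active registration at the time."""
    return sorted(b for b, r in summary["registrations"].items() if r["active"] == 0)


if __name__ == "__main__":
    s = summarize(parse_ne_log(SAMPLE_LOG))
    print("errors:", s["errors"], "resets:", s["session_resets"])
    print("denied:", dict(s["denied"]))
    print("no active registration:", extensions_without_active_registration(s))
```

Two things the structured output makes visible that the wall of text hides: both "Denying connection" errors are nehelper refusing nesessionmanager itself (pid 13722), a system daemon, and com.apple.private.* entitlements are Apple-internal and cannot be added to a third-party app, so that line is not something the app can fix; the actionable signal for the developer is the "Found 0 (0 active) registrations" entries for their own extension bundle ID, recorded right after the "installed apps changed" reset. Feed the script the relevant window of a real sysdiagnose (`log show` output uses the same header layout) rather than the whole archive.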