Thank you Matt. Let me check if it is very peculiar with my application, and then take the next step.
Thank you Matt.
Checked the logs:
LoadAllPref has succeeded.
SavePref has succeeded.
startVPNTunnelAndReturnError has succeeded.
Since all APIs are returning success it should connect, but the behaviour is something different.
Are there any race conditions where Apple networking components are still not fully ready and the tunnel connection is initiated, and hence it returns success but in actual it is failing (which we cannot debug since the APIs are returning success)?
I am sure I have removed the network system extension completely.
In fact, on installation it goes into the green state.
After reboot (where I am starting the tunnel from a daemon) the status in Network Preferences is yellow. I have to manually start it again. It seems to be consistent now.
Is there any requirement that the user must be logged in for the tunnel to be started?
excludedNetworkRules will not work here since:
1) for the client: the source IP would be localhost and some volatile port, connecting to the server IP and port
2) for the proxy: the source IP would be localhost and some volatile port, connecting to the server IP and port
So not sure what rule to set here.
There is no provision to filter by process id / token / bundle id, etc.
So it is still not clear how to avoid these flows.
Okay, thank you. These are good pointers.
It appears that calling retain is a mandatory step. Without calling retain it does not work.
@matt: please can you confirm?
jeev
Thanks Matt for the suggestion. Will try that.
The documentation also says "If the App Proxy Provider decides to proxy the flow, it should create a reference to the flow in its data structures." Does this "reference" mean "retain"?
If yes, does this suggested design retain the flow, or do we have to manually call the retain method on the flow?
Thank you Matt. This gives a lot of clarity.
By "point the remote side of the connection anywhere" do you mean to connect to our proxy using NWTCPConnection?
Or can I modify, in handleNewFlow, the NEAppProxyFlow's destination IP/port to my proxy?
Sorry if it is a very basic question.
Thank you Matt. That did help.
Many thanks, Matt.
As you have said, "point the remote side of the connection anywhere".
How do I make it point to our proxy (127.0.0.1 and our port)?
Thank you Matt.
Use NETransparentProxyManager and not NETunnelProviderManager.
After your code of save preferences, call StartTheConnection:
StartTheConnection()
{
- NETransparentProxyManager loadAllFromPreferences
- From the array returned above, point your NETransparentProxyManager object (TransProxy) to the first element
- NEVPNConnection connection = TransProxy.connection
- connection.startVPNTunnel()
}
Check if this helps.
Thank you Matt. Instead of NWConnection I am using socket functions to connect to the remote. With the socket APIs, the connect to the remote socket fails with "Operation not permitted". Is it okay to use a socket? If not, is there any other C/Objective-C based API apart from NWConnection, which is Swift only?
Thank you Matt! That helped; now getting called at handleNewFlow (but with faults in between).
A few observations though:
1 > With endpointWithHostname: 0(dot)0(dot)0(dot)0 (where I am trying to fetch all the flows to a port) I see the above error "prefix must be less than or equal to 32" and the proxy is disconnected.
2 > With endpointWithHostname: "0": same problem as above.
3 > With endpointWithHostname: "", it gets called at handleNewFlow, but on the way I see the fault "nw_endpoint_create_host_with_numeric_port invalid empty string hostname".
So what is the right string to use in endpointWithHostname to get all the traffic to a port?