Posts

Post marked as solved
2 Replies
I close this thread myself. What I observed is not correct.
Post marked as solved
2 Replies
I noticed this note on https://developer.apple.com/documentation/networkextension/packet_tunnel_provider: "Note: When a VPN configuration is active, connections use the VPN instead of iCloud Private Relay. Network Extension providers also don't use iCloud Private Relay." From that note and this post, https://developer.apple.com/forums/thread/682274, it seems that the Private Relay should have the lowest precedence, but my test shows that the traffic from the browser is still being routed to the Private Relay.
Post not yet marked as solved
6 Replies
Thanks Matt. I just want to add some more observations:

- On an iPhone 5s (iOS 12.5.4) running the same application, the "Message too long" error doesn't happen, whether it's on a WiFi or Cellular network;
- On an iPhone 7 (iOS 14.6), it's very easy to reproduce this issue on a WiFi network, but I never see it happen on a Cellular network;
- I didn't change the MTU in the code but set the tunnelOverheadBytes instead. When it's set to 44 or 0, the same issue happens;
- If the EMSGSIZE error is ignored when it happens, the setReadHandler seems to run into a "Message too long" error dead loop, so when it happens I have to restart the UDP session.
Post not yet marked as solved
6 Replies
I also got this error, `Error Domain=NSPOSIXErrorDomain Code=40 "Message too long"`, with the NWUDPSession setReadHandler method on iOS 14.6, on a WiFi network.
Post not yet marked as solved
3 Replies
Another finding is that on the home WiFi network (which has a PPPoE router provided by the carrier), with an iOS 14 iPhone, the message will be like `udp_validate_cksum_internal * udp incorrect IPv4-UDP non-offload checksum * ulen 1506`. And the PPPoE header length is 6. Compared with that, on the previous network with VLAN the error message showed ulen is 1502.

I believe there is most probably a bug somewhere in the iOS 14 kernel or in Network Extension. Since I didn't find such an issue under the same conditions on iOS 12, this issue may only exist in iOS 14.

The condition to reproduce it is: with NEPacketTunnelProvider, set the MTU of the UTUN to a value greater than or equal to 1480 (theoretically we should be able to set this value to a very big size like 65535 without any problem) or the overhead size to 0, and run it on an iOS 14 iPhone, on a WiFi network which has a VLAN setting or PPPoE. On inbound packets there will be such a problem.
Post not yet marked as solved
3 Replies
Thanks Matt. I just found that the checksum errors only happen when I'm testing with an iOS 14 device. When I'm testing with an iOS 12 device it works quite normally. When I set the MTU of the UTUN to 1480 (with an iOS 14 iPhone and WiFi with VLAN settings) and load *google.com*, such errors are shown on the console. With other WiFi or mobile networks I didn't see such errors.
Post not yet marked as solved
7 Replies
Yes. If includeAllNetworks is set to false, there is no such issue. Or, if I first connect with the console without the VPN switched on, and then switch on the VPN once it shows messages, it's also normal.
Post not yet marked as solved
7 Replies
With this issue, Xcode also cannot Attach to Process to the packet tunnel. It shows:

```
Details

Failed to start remote service "com.apple.mobile.installation_proxy" on device.
Domain: com.apple.dtdevicekit
Code: 811
Recovery Suggestion: Please check your connection to your device.
User Info: {
    DVTRadarComponentKey = 261622;
}
-
Could not connect to the device.
Domain: com.apple.dt.MobileDeviceErrorDomain
Code: -402653083
User Info: {
    DVTRadarComponentKey = 261622;
    MobileDeviceErrorCode = "(0xE8000065)";
    "com.apple.dtdevicekit.stacktrace" = (
    0  DTDeviceKitBase          0x0000000127d3f93f DTDKCreateNSErrorFromAMDErrorCode + 220
    1  DTDeviceKitBase          0x0000000127d4fb04 __63-[DTDKRemoteDeviceConnection startFirstServiceOf:unlockKeybag:]_block_invoke + 613
    2  DTDeviceKitBase          0x0000000127d4f1d0 __48-[DTDKRemoteDeviceConnection futureWithSession:]_block_invoke_3 + 22
    3  DTDeviceKitBase          0x0000000127d41a9f __DTDKExecuteInSession_block_invoke_2 + 35
    4  DTDeviceKitBase          0x0000000127d41179 __DTDKExecuteWithConnection_block_invoke_2 + 218
    5  DTDeviceKitBase          0x0000000127d41076 __DTDKExecuteWithConnection_block_invoke + 106
    6  libdispatch.dylib        0x00007fff6c6c3658 _dispatch_client_callout + 8
    7  libdispatch.dylib        0x00007fff6c6cf6ec _dispatch_lane_barrier_sync_invoke_and_complete + 60
    8  DVTFoundation            0x000000010bf3edef DVTDispatchBarrierSync + 208
    9  DVTFoundation            0x000000010bf15f06 -[DVTDispatchLock performLockedBlock:] + 60
    10 DTDeviceKitBase          0x0000000127d40f77 DTDKExecuteWithConnection + 226
    11 DTDeviceKitBase          0x0000000127d41943 DTDKExecuteInSession + 239
    12 DTDeviceKitBase          0x0000000127d4f022 __48-[DTDKRemoteDeviceConnection futureWithSession:]_block_invoke_2 + 131
    13 DVTFoundation            0x000000010bf3c2aa DVT_CALLING_CLIENT_BLOCK + 7
    14 DVTFoundation            0x000000010bf3decc __DVTDispatchAsync_block_invoke + 1191
    15 libdispatch.dylib        0x00007fff6c6c26c4 _dispatch_call_block_and_release + 12
    16 libdispatch.dylib        0x00007fff6c6c3658 _dispatch_client_callout + 8
    17 libdispatch.dylib        0x00007fff6c6c8c44 _dispatch_lane_serial_drain + 597
    18 libdispatch.dylib        0x00007fff6c6c9609 _dispatch_lane_invoke + 414
    19 libdispatch.dylib        0x00007fff6c6d2c09 _dispatch_workloop_worker_thread + 596
    20 libsystem_pthread.dylib  0x00007fff6c91da3d _pthread_wqthread + 290
    21 libsystem_pthread.dylib  0x00007fff6c91cb77 start_wqthread + 15
    );
}
-
System Information

macOS Version 10.15.7 (Build 19H2)
Xcode 12.0.1 (17220)
```
Post not yet marked as solved
7 Replies
Thanks Matt. Just raised a bug report: FB8815876 (With VPN switched on no messages can be seen on console and can not connect with Xcode).

I'm also adding more details here for others to see if they can reproduce the same issue step by step.

Description of the issue:

When I tested with my iPhone SE (1st generation, iOS 14.0.1) on Mac OS Catalina 10.15.7 / Xcode 12.0.1, I found that with the VPN (NETunnelProvider, 'includeAllNetworks' set to true) switched on, there are no messages shown on the console, and Xcode shows 'iPhone(unavailable)'. After I switched off the VPN it came back to normal. I was using a USB cable to connect the iOS device with the MBP's left side USB port.

Steps to reproduce:

- An iPhone SE (1st generation, iOS 14.0.1) / Mac OS Catalina 10.15.7 / Xcode 12.0.1;
- A VPN application coded with NETunnelProvider, with 'includeAllNetworks' set to true (if it's false then the issue cannot be reproduced);
- Install the VPN application on the iPhone and switch it on;
- Connect the iPhone to the MacBook Pro with a USB cable;
- Only after the iPhone is connected to the MacBook Pro (this is critical to reproduce the issue), open 'Console' on the MacBook Pro and check the messages on the iPhone;
- Open 'Xcode' to select a device to run.

Expected results:

- On 'Console' the messages can be seen;
- On 'Xcode' the 'iPhone' can be seen.

Actual results:

- On 'Console' there are no messages output;
- On 'Xcode' it shows iPhone(unavailable).
Post not yet marked as solved
7 Replies
Thanks for your reply Matt. I was using a USB cable to connect the iOS device with the MBP's left side USB port. The macOS version is Catalina 10.15.7, with Xcode 12.0.1.
Post marked as solved
3 Replies
For a VPN that is set up programmatically, setting this property of NEVPNProtocol, which is available after iOS 14, to true could fix this issue: `var includeAllNetworks: Bool { get set }` (https://developer.apple.com/documentation/networkextension/nevpnprotocol/3131931-includeallnetworks).

We can see on this page https://developer.apple.com/documentation/devicemanagement/vpn/vpn that includeAllNetworks is available for iOS 4.0+ and macOS 10.7+. But in this document https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf includeAllNetworks doesn't exist yet.
Post not yet marked as solved
2 Replies
Thanks for your reply eskimo. After installing iOS 13 beta 5 on an iPhone SE, it still has the same problem. I installed Xcode 11 beta 5, rebuilt the whole project and tested on iOS 13 beta 5 on an iPhone SE, and the problem of switching from enterprise VPN to personal VPN is still there.

Here's the link to the bug report: https://feedbackassistant.apple.com/feedback/6948214
Post not yet marked as solved
7 Replies
Hi Quinn, thanks for your response.

I compared your appmapping profile with mine word by word and can't find any difference except the app's name and UUIDs. But it just doesn't work for me.

Following your suggestion, I did the following things and checked some key points:

- Created a local TCP client that connects to a remote host and exchanges some stream, and got its DR by using the `codesign` tool. The platform is macOS Mojave 10.14.5 and Xcode 10.2.1 (10E1001). Set the VPNUUID/identifier/SigningIdentifier/DR into the appmapping dict in the config profile.
- As you said on this thread, to test an app proxy provider running on macOS, all that is needed is to compose a correct profile (a .mobileconfig file). So the NETestAppMapping property is checked and removed from all info.plist files in my project, since it only works for iOS. I also tried with NETestAppMapping settings in info.plist according to this and it doesn't work either.
- I also checked the VPNUUID. It's generated by Apple Configurator 2. I have also tried the VPNUUID in your profile and let the VPNUUID in AppLayerVPNMapping be the same value as in the com.apple.vpn.managed.applayer dict.

It seems I have come to a dead end.

Now my questions are as follows:

- Are there any special requirements for the app whose flow will be captured by the app proxy provider?
- After the profile is installed, how many settings will be seen in System Preferences->Profiles? Since there are 2 dicts (one is the com.apple.vpn.managed.applayer dict and one is the com.apple.vpn.managed.appmapping dict) in the profile, I deem there should be 2 settings shown for this profile? But I always see only 1 setting in that profile.
- I notice that in your profile \" is written as """. Should it be like this? Should I copy the whole DR output of codesign into the profile, including the comment "/* exists */" at the end?
- Could you please share your whole test project for appmapping, including the whole config profile? It would be a great help. As in this link SimpleTunnel there isn't any profile example included. And I've googled around and found that no one has ever shared a workable profile.

Thanks a lot!
Post not yet marked as solved
7 Replies
Hi Quinn, could you please also paste a profile with a dict of appmapping embedded? I'm working on a per-app proxy running on Mac OS X. The profile with SafariDomains works for me but I don't know how to redirect other applications' flow to the app proxy.

Here is the profile I used:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>0</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings</string>
            <key>PayloadDisplayName</key>
            <string>VPN</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.applayer.330FBB83-639F-4F9E-9FA1-4FAC93E18B68</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed.applayer</string>
            <key>PayloadUUID</key>
            <string>330FBB83-639F-4F9E-9FA1-4FAC93E18B68</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Proxies</key>
            <dict>
                <key>HTTPEnable</key>
                <integer>0</integer>
                <key>HTTPSEnable</key>
                <integer>0</integer>
            </dict>
            <key>UserDefinedName</key>
            <string>appmapping</string>
            <key>VPN</key>
            <dict>
                <key>AuthName</key>
                <string>somebody</string>
                <key>AuthPassword</key>
                <string>opendoor</string>
                <key>AuthenticationMethod</key>
                <string>Password</string>
                <key>ProviderBundleIdentifier</key>
                <string>com.blob.macappproxy.macappproxy</string>
                <key>ProviderType</key>
                <string>app-proxy</string>
                <key>RemoteAddress</key>
                <string>127.0.0.1</string>
            </dict>
            <key>VPNSubType</key>
            <string>com.blob.macappproxy</string>
            <key>VPNType</key>
            <string>VPN</string>
            <key>OnDemandMatchAppEnabled</key>
            <integer>1</integer>
            <key>VendorConfig</key>
            <dict/>
            <key>VPNUUID</key>
            <string>3D7A07D8-97D0-4E5A-BB04-1EB82DD12A35</string>
        </dict>
        <dict>
            <key>PayloadDescription</key>
            <string>Configures Per APP VPN mapping</string>
            <key>PayloadDisplayName</key>
            <string>Per APP VPN mapping</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.appmapping.A88E1A77-2CC2-4BF9-879C-97C3DF491EB2</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed.appmapping</string>
            <key>PayloadUUID</key>
            <string>A88E1A77-2CC2-4BF9-879C-97C3DF491EB2</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>UserDefinedName</key>
            <string>perappvpn</string>
            <key>AppLayerVPNMapping</key>
            <array>
                <dict>
                    <key>Identifier</key>
                    <string>com.google.Chrome</string>
                    <key>VPNUUID</key>
                    <string>3D7A07D8-97D0-4E5A-BB04-1EB82DD12A35</string>
                    <key>DesignatedRequirement</key>
                    <string>(identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a"</string>
                    <key>SigningIdentifier</key>
                    <string>com.google.Chrome</string>
                </dict>
            </array>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>some app proxy</string>
    <key>PayloadIdentifier</key>
    <string>blob-MacBook-Pro.A953E629-CD95-45B4-A42D-ECA2BA870A79</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>1AEA709E-46D3-4293-B1E3-23EB8DD5B361</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```
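
A consistency check for a profile shaped like the one above, as an added example that is not part of the original post: it parses the .mobileconfig with Python's `plistlib`, confirms that every `AppLayerVPNMapping` entry names a `VPNUUID` defined by an applayer payload, and flags an `AuthPassword` stored in the clear. The sample profile, its identifiers and UUIDs, and the finding labels are constructed for illustration; treating a missing `DesignatedRequirement` as a finding is an assumption of this example.

```python
import plistlib

APPLAYER = "com.apple.vpn.managed.applayer"
APPMAPPING = "com.apple.vpn.managed.appmapping"

def audit_profile(data: bytes) -> list:
    """Return findings for a per-app VPN .mobileconfig given as plist bytes."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    findings, vpn_uuids = [], set()
    for p in payloads:
        if p.get("PayloadType") != APPLAYER:
            continue
        uuid = p.get("VPNUUID")
        if uuid:
            vpn_uuids.add(uuid)
        # A password in the VPN dict is readable by anyone who can read the profile.
        if p.get("VPN", {}).get("AuthPassword"):
            findings.append(f"plaintext-password:{uuid}")
    for p in payloads:
        if p.get("PayloadType") != APPMAPPING:
            continue
        for m in p.get("AppLayerVPNMapping", []):
            ident = m.get("Identifier", "<missing>")
            # A VPNUUID matching no applayer payload refers to a VPN this
            # profile does not define.
            if m.get("VPNUUID") not in vpn_uuids:
                findings.append(f"dangling-vpnuuid:{ident}")
            # Assumption of this example: an entry should carry a designated
            # requirement so it is tied to a code signature, not just a name.
            if not m.get("DesignatedRequirement"):
                findings.append(f"no-designated-requirement:{ident}")
    return findings

def sample_profile() -> bytes:
    """Constructed profile: one applayer payload, one good and one bad mapping."""
    good_uuid = "11111111-1111-1111-1111-111111111111"
    applayer = {"PayloadType": APPLAYER, "VPNUUID": good_uuid,
                "VPN": {"ProviderType": "app-proxy", "AuthName": "user",
                        "AuthPassword": "placeholder"}}
    mapping = {"PayloadType": APPMAPPING, "AppLayerVPNMapping": [
        {"Identifier": "com.example.good", "VPNUUID": good_uuid,
         "SigningIdentifier": "com.example.good",
         "DesignatedRequirement": 'identifier "com.example.good"'},
        {"Identifier": "com.example.orphan",
         "VPNUUID": "22222222-2222-2222-2222-222222222222"}]}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [applayer, mapping]})

if __name__ == "__main__":
    for finding in audit_profile(sample_profile()):
        print(finding)
```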