Posts

Post marked as solved
7 Replies
That may not apply to your issue, but make sure that you don't have includeAllNetworks set to true (which would sound logical in the first place but causes all sorts of weird failures) in the NETunnelProviderProtocol instance you pass to the NETransparentProxyManager while configuring the proxy in the main app.

Doing so causes a networking loop back into the transparent proxy that gets NECP deny messages, which really do not explain the base issue at all. Reported as FB7468866.
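The main-app configuration the post above describes, with includeAllNetworks left off and checked again after saving. This is an added example, not code from the poster or from Apple; the bundle identifier and description string are placeholders.

```swift
import NetworkExtension

// Placeholder: bundle identifier of the system extension hosting the provider.
let providerBundleID = "com.example.app.proxy-extension"

func makeProxyProtocol() -> NETunnelProviderProtocol {
    let proto = NETunnelProviderProtocol()
    proto.providerBundleIdentifier = providerBundleID
    proto.serverAddress = "localhost"
    // Keep this off. Per the post above, turning it on loops the provider's
    // own outbound connections back into the proxy, where they are denied
    // by NECP policy.
    proto.includeAllNetworks = false
    return proto
}

func configureTransparentProxy(completion: @escaping (Error?) -> Void) {
    NETransparentProxyManager.loadAllFromPreferences { managers, error in
        if let error = error { completion(error); return }

        // Reuse a saved configuration if one exists, otherwise create one.
        let manager = managers?.first ?? NETransparentProxyManager()

        // Flag a previously saved configuration that had the setting on.
        if let old = manager.protocolConfiguration as? NETunnelProviderProtocol,
           old.includeAllNetworks {
            NSLog("Saved proxy configuration had includeAllNetworks = YES; resetting")
        }

        manager.localizedDescription = "Example transparent proxy" // placeholder
        manager.protocolConfiguration = makeProxyProtocol()
        manager.isEnabled = true

        manager.saveToPreferences { saveError in
            if let saveError = saveError { completion(saveError); return }
            // Reload and confirm what was actually stored.
            manager.loadFromPreferences { loadError in
                let stored = manager.protocolConfiguration as? NETunnelProviderProtocol
                if stored?.includeAllNetworks == true {
                    NSLog("includeAllNetworks is still YES after save")
                }
                completion(loadError)
            }
        }
    }
}
```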
Post not yet marked as solved
12 Replies
I re-tested on Catalina GM, the issue is the same. As it's also likely to be a configuration issue with my project, I created a DTS request (721826592) so that some time can be devoted to investigating this.
Post not yet marked as solved
12 Replies
Thanks, the issue was previously calling NETransparentProxyManager.shared() (as in https://forums.developer.apple.com/thread/121823#379646) which is not overridden by NETransparentProxyManager and returns a NEVPNManager instead, which in turn wants a protocol configuration that is not the correct one in this case.

The proxy shows up as a VPN in the network pref pane, starts and all network flows are diverted to it as I set up in the network rules, but I'm certainly missing something obvious after that:

When I try to open a connection from the extension to the initial remote host (either a Network.NWConnection or a NetworkExtension.NWTCPConnection obtained from .createTCPConnection()), it stalls on waiting path (unsatisfied (Path was denied by NECP policy)) in the console with info logs on.

This happens for every connection from the extension after the transparent proxy is started. Remote host and protocol have no influence on the result. The extension sandbox has the client / server entitlements. The only cases I've found about denial by NECP policy were on iOS and don't seem to apply here. Are there some special conditions for transparent proxy operation (like excluding the extension from the proxied path to avoid a loop, specific entitlements, or a need to happen )?
Post not yet marked as solved
12 Replies
I have been using com.apple.developer.networking.networkextension with app-proxy-provider for all my testing, as set by Xcode in the entitlements for both the main app and the extension.

This is the same code and project I've used for the content filter / NEFilterDataProvider filtering that enables the SystemExtension, except that I switched the networkextension entitlement to app-proxy-provider using the UI and verified in the .entitlements file and switched the NEProviderClasses of the extension to the appropriate NEAppProxyProvider subclass, as for what I understand is the correct base class to use. Project cleaned and rebuilt to ensure nothing remained cached. Failure happens in the main app when trying to save the enabled manager to preferences at the same point as the referenced 121823 post. This occurs regardless of the install / enabled state of the SystemExtension as I've tried both cases. Is there some macOS Transparent Proxy sample code from which I could restart and check my own?
Post not yet marked as solved
12 Replies
I've tried the transparent proxy approach although I have the same issue as reported here https://forums.developer.apple.com/thread/121823 with the save failing with error 'Missing protocol or protocol has invalid type'. I've used a NETunnelProviderProtocol as you've instructed in the replies but the error stays the same, scarce docs don't help much.

Below is the result of dumping the protocol object that caused the error to the logs:

type = plugin
identifier = 7AB53020-1331-47DD-B39A-B3A3B90762E7
serverAddress = localhost
identityDataImported = NO
disconnectOnSleep = NO
disconnectOnIdle = NO
disconnectOnIdleTimeout = 0
disconnectOnWake = NO
disconnectOnWakeTimeout = 0
disconnectOnUserSwitch = NO
disconnectOnLogout = NO
includeAllNetworks = YES
excludeLocalNetworks = NO
authenticationMethod = 0
reassertTimeout = 0
providerBundleIdentifier = [redacted]