Yes, inside of the PacketTunnel Provider we use sockets to bind to an interface. This is used for faster failover, avoiding bad networks and aggregating for speed. With include all networks set to on, we can successfully bind to pdp_ip0 when en0 is active however , attempting to use that socket it gets routed through the default en0 interface. You can test it out when binding to pdp_ip0 with include all networks on, sending a ping to ifconfig and it will return with the default interfaces IP.

One of the biggest issues is that if you set includeAllNetworks , then attempt to bind to a cellular adapter via sockets OR use NWConnection and prohibit WiFi and require Cellular but you are on a WiFi network, NECP will deny the cellular use. When binding, it will succeed, but then route traffic over the default route anyway. Ideally, with includeAllNetworks, we would like to bind to each adapter and decide when each should be used. Is this expected with includeAllNetworks?

I'm encountering issues with using includeAllNetworks where NECP is denying adapter usage, among other problems. Are you aware of any specific reasons why setting default routes wouldn't direct traffic through the tunnel? Additionally, it seems that with includeAllNetworks, enforcing routes may not function as expected. Any insights or guidance you could provide on these matters would be greatly appreciated.

Thanks for your reply Here is the ticket number - FB9002170

Matt, Im not sure why this is solved? I think a user should receive launch keys stating the helper wakes up the app. We get zero indication regardless if its a backgrounded process or a cold launch.

No I receive null keys either way when hotspot helper gets activated in the background.

Hey Matt thanks for your reply. We constantly are sending messages back and forth from container to the provider and back. We have a running daemon that updates the UI with statistics, setting updates and network changes relevant to the user. We currently use SendMessageToExtension but its not ideal. I would much rather use XPC (NEMachServices), is this available on iOS? Our current macOS uses the Network Extension ( we will send to the App Store ) and would like to use XPC there also, is it possible with a sandboxed app?

Hey Quinn, I managed to get the system extension launching correctly. My main problem now is the extension is not able to reach the internet. I see errors like this when attempting an outgoing connection. default 14:15:26.116883-0400 CSSM Exception: 3 unknown error 3=3 com.Sample.SampleExtension default 14:15:26.120630-0400 CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR com.Sample.SampleExtension default 14:15:26.124533-0400 CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR com.Sample.SampleExtension Last com.apple.managed.vpn.shared keychain access group That is not needed if I dont need to read creds from the profile, correct? BTW I created a second sample app just to be sure and it's hitting that as well. I can send you the sample app. I sent an email over to you today. I have SIP disabled and also have systemextensionsctl developer on

Hey Quinn, thanks for the reply! You already know how to dump a profile. To dump the entitlements of an app or extension, use: codesign -d --entitlements :- /path/to/your/bundle Here is the output. <plist version="1.0"> <dict> <key>com.apple.application-identifier</key> <string>com.appid</string> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider-systemextension</string> </array> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.team-identifier</key> <string>TEAMID</string> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>group.com.appid</string> </array> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> <key>keychain-access-groups</key> <array> <string>TEAMID.com.apple.managed.vpn.shared</string> </array> </dict> </plist> default 12:25:15.618196-0400 Provider is signed with a Developer ID certificate neagent error 12:25:15.618223-0400 Rejecting app extension provider com.appid.PacketTunnel because it is signed with a Developer ID certificate neagent Everything seems right. Am I missing anything?

Running $ spctl -a -t exec -v MyApp.app MyApp.app: accepted source=Notarized Developer ID Also tried running with SIP disabled and it wouldn't launch at all. "No suitable image found" which is very weird. It opens with SIP enabled just not the extension

I am seeing this fail after notarizing my Packet Tunnel Provider. I see error 16:49:08.750262-0400 NEVPNTunnelPlugin([476]): Validation of the extension failed nesessionmanager default 16:49:08.750966-0400 NESMVPNSession[Primary Tunnel::7BB4FF26-2EAD-47AF-85F7-880749561AD0:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin([476]) started with PID 0 error (null) nesessionmanager error 16:49:08.750013-0400 Rejecting app extension provider PacketTunnel because it is signed with a Developer ID certificate neagent I've checked my embedded profile security cms -D -i  /Applications/MYAPP.app/Contents/embedded.provisionprofile <key>Entitlements</key> <dict> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider-systemextension</string> <string>app-proxy-provider-systemextension</string> <string>content-filter-provider-systemextension</string> <string>dns-proxy-systemextension</string> <string>dns-settings</string> </array> <key>com.apple.application-identifier</key> <string>BUNDLEID</string> <key>keychain-access-groups</key> <array> <string>TEAM.*</string> </array> <key>com.apple.developer.team-identifier</key> <string>TEAM</string> <key>com.apple.developer.associated-domains</key> <string>*</string> </dict> Notarization was approved with it's .dmg. Any idea's?

Xcode 12/11.5 Debug -> Simulate MetricKit Payloads crashes Xcode hard. Anyone else having these issues?

I'm wondering the same Does this memory limit also apply on mac OS?

I dont see any actual file warnings except for the build error. So it's hard to say which line it occurred on. Does anyone else see actual line numbers this occurs on?

Here some more information default 12:43:04.121690-0400 Initializing connection PacketTunnel default 12:43:04.121788-0400 Removing all cached process handles PacketTunnel default 12:43:04.121820-0400 Sending handshake request attempt #1 to server PacketTunnel default 12:43:04.122163-0400 Creating connection to com.apple.runningboard PacketTunnel default 12:43:04.123174-0400 Handshake succeeded PacketTunnel default 12:43:04.123205-0400 Identity resolved as xpcservice&lt;com.connectify.Speedify.PacketTunnel([daemon<com.apple.neagent-ios&gt;:465:465])> PacketTunnel default 12:43:04.123626-0400 Bootstrapping; Bootstrap complete. Ready for handshake from host. PacketTunnel error 12:43:04.126027-0400 setsockopt ENABLE_FLOWSWITCH failed (errno = 45) nesessionmanager default 12:43:04.152839-0400 Got a path update satisfied (Path is satisfied), interface: en0, scoped, ipv4, dns PacketTunnel default 12:43:04.153048-0400 Fatal error: Call of deleted method PacketTunnel error 12:43:04.153378-0400 Extension com.connectify.Speedify.PacketTunnel died unexpectedly neagent default 12:43:04.153446-0400 Scheduing timer for extension failure/exit for 2F06C5ED-2A05-484C-A137-E9EA07B15EB2 neagent