Post

Replies

Boosts

Views

Activity

PacketTunnelProvider NEDNSSettings not working on BigSur
Hi, We have a remote access VPN client implemented as SystemExtension using PacketTunnelProvider APIs. For DNS settings we are making use of NEDNSSettings APIs as follows:       settings.IPv4Settings = tun_ipv4_settings;   settings.MTU = tun_mtu;   settings.DNSSettings = tun_dns_config;   [tun_device setTunnelNetworkSettings:settings completionHandler:^(NSError *error){     if(error == NULL){       // Further processing     }else{       // Further processing     }   }]; Here are the issues we are experiencing with different MacOS versions: Catalina (10.15.6) Ping works, Chrome, Firefox can resolve DNS successfully. Issue seen with Safari. Things are working fine on Catalina (10.15.6) except for Safari, where Safari does not seem to resolve dns. Command line utilities like nslookup and dig don't work but I guess its fine as these tools refer to /etc/resolv.conf file for DNS resolution and MacOS handles it differently. Ping works fine with FQDN, Chrome, Firefox are able to resolve DNS successfully! For these we can see DNS queries/response packets on utun interface. I am not sure if there is a known issue with Safari for DNS on Catalina. BigSur (11.2.3) DNS resolution does not work at all! DNS config can be viewed using scutil --dns and it shows the correct configuration for utun interface. While testing our client on BigSur we see multiple issues related to DNS. We are not able to access servers behind VPN gateway via any browser. Ping doesnt not work. We cannot see any DNS traffic on utun interface. Is there any known issue with DNS on BigSur or are we missing something? Thanks.
2
0
1.9k
Mar ’21
PacketTunnelProvider - Issue with inbound TCP traffic
Hi, MacOS Version- 10.15.6 I have a remote access VPN application which made use of KEXT earlier and now I have migrated to NetworkExtension framework. I am running PacketTunnelProvider as SystemExtension. I maintain two threads, one for reading packets from utun and other for writing packets to utun. Here is a gist of my packet handler threads. Reading packets from utun read_packets_from_utun(){ &#9; [tun_device.packetFlow readPacketsWithCompletionHandler:^(NSArray<NSData *> * _Nonnull packets, NSArray<NSNumber *> * _Nonnull protocols) {     send_packets(packets, protocols);         }]; } send_packets(packets_array){ &#9;&#9;&#9;&#9;pcount = packets_array.count;         for(int i=0; i<pcount; i++){ &#9;&#9;&#9;&#9;&#9;&#9;// Encrypt and send packet to server           &#9;encrypt_and_send(packets_array[i]);         } // Read next packets } The 'send_packets' function then encrypts each packet in a loop, sends it to the server and then calls 'readPacketsWithCompletionHandler' again in order to keep receiving packets. 2. Writing packets to utun NSArray<NSData*>* packet_array = [NSArray arrayWithObject:packet];     NSArray<NSNumber*>* proto_arr = [NSArray arrayWithObject:proto_num];     [tun_device.packetFlow writePackets:packet_array withProtocols:proto_arr ]; After decrypting each packet, I write each packet back to utun via writePackets call. Question. Is this the correct way of using writePackets call? I ran some performance tests using iperf with the system extension and observed the following. (I also compared the performance numbers with that of older application with KEXT). Performance for UDP traffic (bidirectional) is observed to be the same for both the SystemExtension and KEXT. Performance for outbound TCP traffic (Macbook sending data to remote server) is found to be the same for both SystemExtension as well as KEXT. There is performance degradation seen for inbound TCP traffic (remote server sending data to macbook). The performance is degraded to approximately 10% of that of older app(KEXT). I also tried buffering packets before writing to utun, but there was no luck :( Am I missing something while handling packets? If that's not the case, Is there any known issue with TCP traffic with PacketTunnelProvider? Thanks.
1
0
515
Sep ’20
Error in socket communication with SystemExtension (PacketTunnelProvider)
Hi, Platform: MacOs 10.15.6 I am working on modifying my legacy remote access solution to make use of PacketTunnelProvider SystemExtension. Both my app and the extension are not sandboxed. I need to transfer many messages between my app and the extension. As I am dealing with a legacy code, I have some restrictions and have to make use of unix domain sockets to make data transfer between app and extension possible. When I try to test my application, I find that system extension is not able to read data from the socket even if the write operation from other end is successful. Ideally this should not be an issue as the extension and app are not sandboxed. Do I need any special entitlement for my extension so that I can get rid of this issue? Thanks
1
0
640
Aug ’20
PacketTunnelProvider Systemextesion : OSSystemExtensionErrorDomain error 8
Hi, I have a PacketTunnelProvider system extension which I am now building for Distribution using Developer ID certificate. I have correct provisioning profiles as well as entitlements required for distributing system extensions as mentioned in Network Extensions Entitlements - https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_networking_networkextension. Note: I have a test machine with SIP disabled as I have not yet Notarized my app and the system extension. After build and code signing is successful, I take the product to my test machine and try to run my app. My App comes up successfully but it submits an activation request for system extension, following error is observed: System extension request failed: The operation couldn't be completed. (OSSystemExtensionErrorDomain error 8.) I think error 8 stands for invalid code signature, but my provisioning profiles and entitlements are correct. Can we not run a system extension with SIP disabled? Is Notarization a mandatory requirement for system extensions to run? Thanks
1
0
1.5k
Aug ’20
Building project on a remote machine : Xcode couldn't find any provisioning profiles
Hi, We are trying to build our project on a remote machine (build machine) for distribution as we do not have the Developer ID certificate on the development machine. We have generated necessary provisioning profiles against the Developer ID certificate and have it present along with the project. We only have CLI access to the build machine and no root access. In order to build the project on the build machine, we follow this process: Make changes to the project via Xcode on development machine (local machine) Copy project and provisioning profiles on the build machine. Change the name of the provisioning profiles with their respective UUIDs keeping the .provisionprofile extension. Move the provisioning profiles to the ~/Library/MobileDevice/Provisioning Profiles directory. Fire xcodebuild command with suitable arguments. After this we are seeing this error: No profile for team 'TEAM_ID' matching 'PROVISIONING_PROFILE_NAME' found: Xcode couldn't find any provisioning profiles matching 'TEAM_ID/PROVISIONING_PROFILE_NAME'. Install the profile (by dragging and dropping it onto Xcode's dock item) or select a different one in the Signing &amp; Capabilities tab of the target editor When the project is opened in xcode on local machine, under the Signing &amp; Capabilities tab, there is no option to select the provisioning profile (Xcode prompts it as none required) but a provisioning profile can be selected through Build Settings tab. Are we following the correct approach when it comes to building the project remotely? Can someone please help out with this? Thanks.
0
0
1.6k
Aug ’20
PacketTunnelProvider: Unable to connect to Unix Domain Sockets
Hi,I am modifying my legacy remote access vpn application to make use of NetworkExtension framework.In order to achieve this I need my PacketTunnelProvider to exchange a few messages with a process running on the machine.Note that this is a separate process, not the containing application.I want this communication to happen over unix domain sockets. I have right entitlements in place for my extension as well as the containing application. &lt;/array&gt; &lt;key&gt;com.apple.security.app-sandbox&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.files.user-selected.read-write&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.network.client&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.network.server&lt;/key&gt; &lt;true/&gt; &lt;key&gt;keychain-access-groups&lt;/key&gt; &lt;array&gt;When my PacketTunnelProvider tries to connect and send data over the unix domain socket, I see following errors on console:default 16:32:16.399061+0530 PacketTunnel Connect error: Operation not permitted default 16:32:16.399117+0530 PacketTunnel Write error: Socket is not connected error 16:32:16.439901+0530 sandboxd Sandbox: PacketTunnel(975) deny(1) network-outbound /Users/sumsum/socktes/msgsock Violation: deny(1) network-outbound /Users/sumsum/socktes/msgsockCan someone please let me know if I am missing something here? Is there any issue in app sandboxing that I am hitting?Thank You.
2
0
845
Jun ’20
PKG Stapling fails post successful notarization
Hi AllI am trying to Notarize and Staple a pkg installer of our app, I am facing issues with staplingMy PKG is product signed with a valid developer certificateFollowing is how i verify itspctl -a -v --type install test.pkg test.pkg: acceptedsource=Notarized Developer IDpkgutil --check-signature test.pkgPackage "test.pkg": Status: signed by a certificate trusted by macOSIt was successfully Notarized and status of the request shows success.But when i try Staple the same app it fails with following errorstapler staple --verbose test.pkgProcessing: /Users/admin/Downloads/test.pkgProperties are { NSURLIsDirectoryKey = 0; NSURLIsPackageKey = 0; NSURLIsSymbolicLinkKey = 0; NSURLLocalizedTypeDescriptionKey = "Installer package"; NSURLTypeIdentifierKey = "com.apple.installer-package-archive"; "_NSURLIsApplicationKey" = 0;}Sig Type is RSA. Length is 3Could not find an appropriate "code signature" in the test.pkg installer package.Cannot download ticket. CDHash must be set.Please let me know how can I resolve this error.
0
0
703
Nov ’19