User Profile

Hi, We have a remote access VPN client implemented as SystemExtension using PacketTunnelProvider APIs. For DNS settings we are making use of NEDNSSettings APIs as follows:       settings.IPv4Settings = tun_ipv4_settings;   settings.MTU = tun_mtu;   settings.DNSSettings = tun_dns_config;   [tun_device setTunnelNetworkSettings:settings completionHandler:^(NSError *error){     if(error == NULL){       // Further processing     }else{       // Further processing     }   }]; Here are the issues we are experiencing with different MacOS versions: Catalina (10.15.6) Ping works, Chrome, Firefox can resolve DNS successfully. Issue seen with Safari. Things are working fine on Catalina (10.15.6) except for Safari, where Safari does not seem to resolve dns. Command line utilities like nslookup and dig don't work but I guess its fine as these tools refer to /etc/resolv.conf file for DNS resolution and MacOS handles it differently. Ping works fine with FQDN, Chrome, Firefox are able to resolve DNS successfully! For these we can see DNS queries/response packets on utun interface. I am not sure if there is a known issue with Safari for DNS on Catalina. BigSur (11.2.3) DNS resolution does not work at all! DNS config can be viewed using scutil --dns and it shows the correct configuration for utun interface. While testing our client on BigSur we see multiple issues related to DNS. We are not able to access servers behind VPN gateway via any browser. Ping doesnt not work. We cannot see any DNS traffic on utun interface. Is there any known issue with DNS on BigSur or are we missing something? Thanks.

Hi, MacOS Version- 10.15.6 I have a remote access VPN application which made use of KEXT earlier and now I have migrated to NetworkExtension framework. I am running PacketTunnelProvider as SystemExtension. I maintain two threads, one for reading packets from utun and other for writing packets to utun. Here is a gist of my packet handler threads. Reading packets from utun read_packets_from_utun(){ &#9; [tun_device.packetFlow readPacketsWithCompletionHandler:^(NSArray<NSData *> * _Nonnull packets, NSArray<NSNumber *> * _Nonnull protocols) {     send_packets(packets, protocols);         }]; } send_packets(packets_array){ &#9;&#9;&#9;&#9;pcount = packets_array.count;         for(int i=0; i<pcount; i++){ &#9;&#9;&#9;&#9;&#9;&#9;// Encrypt and send packet to server           &#9;encrypt_and_send(packets_array[i]);         } // Read next packets } The 'send_packets' function then encrypts each packet in a loop, sends it to the server and then calls 'readPacketsWithCompletionHandler' again in order to keep receiving packets. 2. Writing packets to utun NSArray<NSData*>* packet_array = [NSArray arrayWithObject:packet];     NSArray<NSNumber*>* proto_arr = [NSArray arrayWithObject:proto_num];     [tun_device.packetFlow writePackets:packet_array withProtocols:proto_arr ]; After decrypting each packet, I write each packet back to utun via writePackets call. Question. Is this the correct way of using writePackets call? I ran some performance tests using iperf with the system extension and observed the following. (I also compared the performance numbers with that of older application with KEXT). Performance for UDP traffic (bidirectional) is observed to be the same for both the SystemExtension and KEXT. Performance for outbound TCP traffic (Macbook sending data to remote server) is found to be the same for both SystemExtension as well as KEXT. There is performance degradation seen for inbound TCP traffic (remote server sending data to macbook). The performance is degraded to approximately 10% of that of older app(KEXT). I also tried buffering packets before writing to utun, but there was no luck :( Am I missing something while handling packets? If that's not the case, Is there any known issue with TCP traffic with PacketTunnelProvider? Thanks.

Hi, Platform: MacOs 10.15.6 I am working on modifying my legacy remote access solution to make use of PacketTunnelProvider SystemExtension. Both my app and the extension are not sandboxed. I need to transfer many messages between my app and the extension. As I am dealing with a legacy code, I have some restrictions and have to make use of unix domain sockets to make data transfer between app and extension possible. When I try to test my application, I find that system extension is not able to read data from the socket even if the write operation from other end is successful. Ideally this should not be an issue as the extension and app are not sandboxed. Do I need any special entitlement for my extension so that I can get rid of this issue? Thanks

Hi, We are trying to build our project on a remote machine (build machine) for distribution as we do not have the Developer ID certificate on the development machine. We have generated necessary provisioning profiles against the Developer ID certificate and have it present along with the project. We only have CLI access to the build machine and no root access. In order to build the project on the build machine, we follow this process: Make changes to the project via Xcode on development machine (local machine) Copy project and provisioning profiles on the build machine. Change the name of the provisioning profiles with their respective UUIDs keeping the .provisionprofile extension. Move the provisioning profiles to the ~/Library/MobileDevice/Provisioning Profiles directory. Fire xcodebuild command with suitable arguments. After this we are seeing this error: No profile for team 'TEAM_ID' matching 'PROVISIONING_PROFILE_NAME' found: Xcode couldn't find any provisioning profiles matching 'TEAM_ID/PROVISIONING_PROFILE_NAME'. Install the profile (by dragging and dropping it onto Xcode's dock item) or select a different one in the Signing &amp; Capabilities tab of the target editor When the project is opened in xcode on local machine, under the Signing &amp; Capabilities tab, there is no option to select the provisioning profile (Xcode prompts it as none required) but a provisioning profile can be selected through Build Settings tab. Are we following the correct approach when it comes to building the project remotely? Can someone please help out with this? Thanks.

Hi AllI am trying to Notarize and Staple a pkg installer of our app, I am facing issues with staplingMy PKG is product signed with a valid developer certificateFollowing is how i verify itspctl -a -v --type install test.pkg test.pkg: acceptedsource=Notarized Developer IDpkgutil --check-signature test.pkgPackage "test.pkg": Status: signed by a certificate trusted by macOSIt was successfully Notarized and status of the request shows success.But when i try Staple the same app it fails with following errorstapler staple --verbose test.pkgProcessing: /Users/admin/Downloads/test.pkgProperties are { NSURLIsDirectoryKey = 0; NSURLIsPackageKey = 0; NSURLIsSymbolicLinkKey = 0; NSURLLocalizedTypeDescriptionKey = "Installer package"; NSURLTypeIdentifierKey = "com.apple.installer-package-archive"; "_NSURLIsApplicationKey" = 0;}Sig Type is RSA. Length is 3Could not find an appropriate "code signature" in the test.pkg installer package.Cannot download ticket. CDHash must be set.Please let me know how can I resolve this error.