I've developed a system-extension custom VPN app for macOS, which is in use by some internal testers.
The app works fine, except for one user, who can't connect to the VPN. I saw that on his machine, the system extension is getting terminated very shortly after he approves it. Sometimes it happens while he's trying to connect, but sometimes it happens even without a connection attempt; he's just approving the sysExt and waiting.
I saw the following lines in the logs:
sysextd: [com.apple.sx:StateChange] **** advancing state from activated_enabling to activated_enabled
sysextd: observer for **** reached success: activated_enabled
sysextd: [com.apple.sx:XPC] client connection (pid 667) invalidated
2022-01-12 21:45:50.844914+0200 0x26fa Activity 0xf149 496 0 sysextd: (Security) SecTrustEvaluateIfNecessary
2022-01-12 21:45:50.926046+0200 0x26fa Default 0x0 496 0 sysextd: request contains no authorizationref
2022-01-12 21:45:50.926390+0200 0x26fa Default 0x0 496 0 sysextd: returning cdhash for arbitrary arch x86_64 of extension ****
sysextd: [com.apple.sx:XPC] client connection (pid 1103) invalidated
nesessionmanager: [com.apple.networkextension:] Adding event subscription 775 for provider *** with extension point com.apple.networkextension.packet-tunnel
...
...
sysextd: received request to remove MDM payload with UUID ****
sysextd: removed MDM payload with UUID ****
sysextd: MDM payload change results in changed decision for Extension **** from Allow to UserOption
sysextd: deactivateExtension called for **** in state "activated_enabled"
sysextd: [com.apple.sx:StateChange] extension **** advancing state from activated_enabled to terminating_for_uninstall
Is this issue somehow related to MDM profiles?
Is it related to "client connection invalidated"? And what is this thing?
How can I debug it / understand where the problem is?
I've developed a system-extension custom VPN app for macOS. As expected, the containing app is running under 'user' permissions, and the system-extension is running under 'root' permissions.
The containing app and the sys-ext can create (and save) log files.
The containing app has a button to 'collect' the logs from both the containing app and from the extension.
However, it can't really access the extension's logs since they're under root.
What I'm doing is asking the extension to send the logs via IPC,
but what should I do if the VPN is not connected? In this case the extension is not running, and I can't get its logs.
Is there another way to get the file, or maybe to write logs from the extension to somewhere directly accessible to the containing app?
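One way to decouple log collection from whether the extension process is alive is to log through the unified logging system and have the containing app read the store instead of the extension's files. The code below is an added example, not the original poster's code: the subsystem name, the message contents and the support-bundle path are assumptions. It relies on OSLogStore's system scope (macOS 12 or later); on macOS that scope is subject to the same privilege checks as the log command-line tool, which you should verify for your deployment.

```swift
import Foundation
import OSLog

// Assumption: use the extension's bundle identifier as the subsystem so the
// app can filter on it from the other side.
let kTunnelSubsystem = "com.example.myvpn.extension"

// --- Extension side (runs as root) -----------------------------------------
// Nothing is written under root's home. Interpolated values are redacted as
// <private> unless marked public, so keep credentials out of messages entirely.
enum ExtensionLog {
    static let tunnel = Logger(subsystem: kTunnelSubsystem, category: "tunnel")

    static func tunnelStarting(server: String) {
        tunnel.info("starting tunnel to \(server, privacy: .public)")
    }

    static func tunnelFailed(_ error: Error) {
        tunnel.error("tunnel failed: \(String(describing: error), privacy: .public)")
    }
}

// --- Containing app side (runs as the user) --------------------------------
// The store is queried, not the process, so this works while the VPN is
// disconnected and the extension is not running.
struct CollectedLogLine {
    let date: Date
    let process: String
    let category: String
    let message: String
}

func collectExtensionLogs(since interval: TimeInterval = 3600) throws -> [CollectedLogLine] {
    let store = try OSLogStore(scope: .system)
    let position = store.position(date: Date().addingTimeInterval(-interval))
    let predicate = NSPredicate(format: "subsystem == %@", kTunnelSubsystem)
    return try store.getEntries(at: position, matching: predicate)
        .compactMap { $0 as? OSLogEntryLog }
        .map { CollectedLogLine(date: $0.date, process: $0.process,
                                category: $0.category, message: $0.composedMessage) }
}

// Writes the collected lines as a plain-text file the "collect logs" button can attach.
func writeSupportBundle(to url: URL) throws {
    let formatter = ISO8601DateFormatter()
    let text = try collectExtensionLogs().map {
        "\(formatter.string(from: $0.date)) \($0.process) [\($0.category)] \($0.message)"
    }.joined(separator: "\n")
    try text.write(to: url, atomically: true, encoding: .utf8)
}
```

The same filter can be applied from Terminal with `log show --predicate 'subsystem == "com.example.myvpn.extension"'` when a tester cannot run the app, and `log collect` produces a logarchive that preserves the redaction rules, so nothing the extension marked private leaks into a support bundle.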
I've developed a system-extension for macOS (Packet Tunnel Provider, Developer ID, distribution outside the App Store).
There's a scenario where I want to present some webpages with WebKit. It works fine, but on one of my testing Macs the web view displays the page for a split second, and then becomes white.
I saw that the WebKit crashed, but I'm not sure why.
I attached the crash report.
Also, in the crash report, I saw this:
"is_first_party":1,"bug_type":"309"
Did my application cause this crash? Any advice on how to debug it or on how I can prevent it from happening?
com.apple.WebKit.WebContent-2021-12-12-063048.txt
As I mentioned in this thread
https://developer.apple.com/forums/thread/695207
I want my containing app to be active after Mac restarts.
I thought about something that could work - I wrote a "helper" embedded app which will be added to the login items, and after a restart this "helper" app will open the containing app.
However, after archiving the project (with a Developer ID; it will be distributed outside the App Store), I see the following error in the Console:
Non-fatal error enumerating at , continuing: Error Domain=NSCocoaErrorDomain Code=260 "The file “PlugIns” couldn’t be opened because there is no such file." UserInfo={NSURL=PlugIns/ -- file:///Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/, NSFilePath=/Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/PlugIns, NSUnderlyingError=0x7fc5cb02c6f0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}
I see that there's really no plugin folder, but why?
Is it a certificate/signing issue?
I configured my VPN to be 'on-demand' and I restarted my Mac.
After the restart, my Packet Tunnel Provider started (it was called by the OS, because of the on-demand).
The containing app is inactive - it's open (the icon is in the menu bar, with a circle at the bottom) but 'applicationDidFinishLaunching' is not being called.
Is there any way I can 'force start' the containing app?
Any way will be good - whether by sending a message from the provider, or if it's possible to programmatically ask the OS to start the containing app after a Mac restart.
Sorry for the duplicate -
I added a comment on an old post, but it's tagged only with 'System Extension' and not with 'Network Extension', so I'm posting it here as well:
Original post:
https://developer.apple.com/forums/thread/133933?login=true&page=1#694688022
My question:
Bumping this old thread - I have the same scenario: I created a VPN + Certificate payload, installed it, and now I have a VPN conf which I can access only from the containing app, but I need to access it from the system extension. As I read above that it's not possible, I send messages between the extension and the app, and it worked fine for the SecCertificate, which I sent as Data to the extension (using the SecCertificateCopyData() and sendProviderMessage functions).
The problem is that in the extension I also need the SecKey, and I couldn't find any way to pass it from the containing app to the extension. I even tried to pass it via IPC, but it crashed ("This coder only encodes objects that adopt NSSecureCoding").
Is there any way to pass SecKey to the Extension, or to access it directly from there?
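The certificate round-trips as DER because SecCertificateCopyData is lossless; a SecKey does not adopt NSSecureCoding, so it has to be reduced to bytes explicitly, and that only works for keys the keychain allows to be exported. The code below is an added example, not the original poster's code: the message layout, the assumption that the key is exportable, and the signing algorithm are mine. It also shows the alternative of leaving the key in the app and sending only a signature back, which keeps private key material from ever crossing the IPC boundary; whether that fits depends on the VPN protocol (a TLS stack usually needs the key in-process).

```swift
import Foundation
import Security

enum KeyTransferError: Error {
    case notExportable(String)
    case badInput(String)
}

// 1. Certificate: what the post already does.
func serialize(certificate: SecCertificate) -> Data {
    SecCertificateCopyData(certificate) as Data
}

func certificate(fromDER der: Data) throws -> SecCertificate {
    guard let cert = SecCertificateCreateWithData(nil, der as CFData) else {
        throw KeyTransferError.badInput("not a DER-encoded certificate")
    }
    return cert
}

// 2. Private key as bytes. SecKeyCopyExternalRepresentation fails, by design,
//    for Secure Enclave keys and keys stored with kSecAttrIsExtractable=false.
struct PortableKey: Codable {
    let keyType: String     // kSecAttrKeyTypeRSA or kSecAttrKeyTypeECSECPrimeRandom
    let sizeInBits: Int
    let raw: Data           // PKCS#1 (RSA) or ANSI X9.63 (EC) bytes
}

func exportPrivateKey(_ key: SecKey) throws -> PortableKey {
    guard let attrs = SecKeyCopyAttributes(key) as? [String: Any],
          let type = attrs[kSecAttrKeyType as String] as? String,
          let bits = attrs[kSecAttrKeySizeInBits as String] as? Int else {
        throw KeyTransferError.badInput("key has no type/size attributes")
    }
    var error: Unmanaged<CFError>?
    guard let raw = SecKeyCopyExternalRepresentation(key, &error) as Data? else {
        throw KeyTransferError.notExportable(error?.takeRetainedValue().localizedDescription ?? "unknown")
    }
    return PortableKey(keyType: type, sizeInBits: bits, raw: raw)
}

// Extension side: rebuild the SecKey from the bytes received via handleAppMessage.
func importPrivateKey(_ portable: PortableKey) throws -> SecKey {
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: portable.keyType,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrKeySizeInBits as String: portable.sizeInBits,
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateWithData(portable.raw as CFData, attrs as CFDictionary, &error) else {
        throw KeyTransferError.badInput(error?.takeRetainedValue().localizedDescription ?? "unknown")
    }
    return key
}

// Message framing for sendProviderMessage / handleAppMessage (assumed: JSON).
func encodeProviderMessage(_ key: PortableKey) throws -> Data {
    try JSONEncoder().encode(key)
}

func decodeProviderMessage(_ data: Data) throws -> PortableKey {
    try JSONDecoder().decode(PortableKey.self, from: data)
}

// 3. Alternative: the extension sends the bytes to sign, the app answers with
//    the signature, and the private key never leaves the app's keychain access.
func signChallenge(_ challenge: Data, with key: SecKey) throws -> Data {
    let algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256  // assumption: EC key
    guard SecKeyIsAlgorithmSupported(key, .sign, algorithm) else {
        throw KeyTransferError.badInput("key does not support \(algorithm.rawValue)")
    }
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(key, algorithm, challenge as CFData, &error) as Data? else {
        throw KeyTransferError.badInput(error?.takeRetainedValue().localizedDescription ?? "unknown")
    }
    return sig
}
```

If the key was installed by a configuration profile and is not extractable, exportPrivateKey throws rather than silently producing an empty blob; that is the check to run before deciding between the two designs.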
Is it possible to use a custom VPN (Packet Tunnel Provider, for macOS) and inspect traffic via a proxy tool like Charles (https://developer.apple.com/documentation/network/taking_advantage_of_third-party_network_debugging_tools) at the same time?
I've implemented a custom VPN app for macOS (Packet Tunnel Provider)
The VPN has the following conf:
disconnectOnSleep = true
tunnelProviderManager.isOnDemandEnabled = true
tunnelProviderManager.onDemandRules = [NEOnDemandRuleConnect()]
So the VPN should be 'almost always-on' - it should connect whenever possible (the only rule is to 'always' connect)
Also, the OS should kill the VPN when the Mac enters sleep, and restart it when the Mac wakes.
The question:
Some customers complained that sometimes after sleep/wake, the Mac loses all traffic.
From the logs it seems that the Mac enters sleep, and then immediately the OS restarts the VPN (probably because of the 'connect' rule). This process can happen multiple times in a row: sleep (disconnect VPN), and then immediately the state changes to 'connecting' again. Then sleep->connecting, and so on.
How can I prevent this from happening? If the Mac enters sleep, the OS shouldn't restart the VPN.
Is it a bug? Can I change something at the on-demand rules to 'make it better' but to keep the same behavior?
I have a scenario where the user needs to login using SSO, and then the server will use a url-scheme to communicate with my app.
If I'm opening an external browser - everything works great.
But I tried to use an embedded browser instead (WebView), and for some reason I'm getting this unclear error:
[ProcessSwapping] 0x11fd863f0 - ProvisionalPageProxy::didFailProvisionalLoadForFrame: pageProxyID=23 webPageID=34, frameID=3, navigationID=4
In the Console I saw more similar issues, like:
0x11fd863f0 - ProvisionalPageProxy::didFailProvisionalLoadForFrame: pageProxyID=23 webPageID=34, frameID=3, navigationID=4
<nw_activity 16:1 [E08406EE-456B-4302-913A-6C46229FDFC7] (reporting strategy default) complete (reason cancelled)> complete with reason 4 (cancelled), duration 599ms
How can I tell what's the problem and how to fix it?
P.S
In order to debug/fix it, I tried to implement the WKNavigationDelegate protocol, so I could see that I'm getting this error as well:
error:Error Domain= Code=0 "Redirection to URL with a scheme that is not HTTP(S)" UserInfo={_WKRecoveryAttempterErrorKey=<WKReloadFrameErrorRecoveryAttempter: 0x600002b1c200>, NSErrorFailingURLStringKey=mycustomurlscheme://someresponse
I'm not sure why the url scheme must be http(s) in this case.
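For an SSO flow that ends in a custom-scheme redirect, the platform component built for exactly that hand-off is ASWebAuthenticationSession (macOS 10.15 or later): it shows the system browser engine and returns the callback URL to the app instead of trying to load it. The code below is an added example, not the original poster's code, and it swaps the embedded WKWebView for ASWebAuthenticationSession rather than fixing the WebKit error itself; the endpoint, client ID, parameter names and scheme are assumptions. The state check is the part an SSO client must not skip: without it any page that can open the scheme can inject an authorization code.

```swift
import AppKit
import AuthenticationServices

final class SSOSignIn: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?
    // CSRF token bound to this attempt; the callback is rejected unless it echoes it.
    private let expectedState = UUID().uuidString

    /// Builds the authorization URL (assumed OAuth-style parameter names).
    func authorizationURL(base: URL, clientID: String, redirect: String) -> URL? {
        var comps = URLComponents(url: base, resolvingAgainstBaseURL: false)
        comps?.queryItems = [
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: redirect),
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "state", value: expectedState),
        ]
        return comps?.url
    }

    /// callbackScheme is the app's URL scheme, e.g. "mycustomurlscheme" (assumption).
    func start(authURL: URL, callbackScheme: String,
               completion: @escaping (Result<String, Error>) -> Void) {
        let s = ASWebAuthenticationSession(url: authURL, callbackURLScheme: callbackScheme) { [weak self] url, error in
            guard let self = self else { return }
            if let error = error {
                completion(.failure(error))   // includes user cancellation
                return
            }
            guard let url = url, let code = self.authorizationCode(from: url) else {
                completion(.failure(URLError(.badServerResponse)))
                return
            }
            completion(.success(code))
        }
        s.presentationContextProvider = self
        session = s                            // keep it alive until the callback fires
        _ = s.start()
    }

    /// Returns the code only when the callback carries the state this object issued.
    func authorizationCode(from callback: URL) -> String? {
        guard let items = URLComponents(url: callback, resolvingAgainstBaseURL: false)?.queryItems else {
            return nil
        }
        let value = { (name: String) -> String? in items.first(where: { $0.name == name })?.value }
        guard value("state") == expectedState else { return nil }
        return value("code")
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        NSApp.keyWindow ?? NSApp.windows.first ?? NSWindow()
    }
}
```

The session shares the user's Safari cookies by default, so an existing SSO login is reused; set prefersEphemeralWebBrowserSession to true if a fresh login must be forced every time.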
I've implemented a custom VPN app for macOS (Packet Tunnel Provider, network extension).
In my app there's a situation where the user tries to connect (vpn is starting), the server rejects the connection (vpn stops), and the user should enter some code and then the vpn will reconnect again (vpn should start again).
Most of the time this works as expected, but every now and then the second connection (after the user entered the code) gets stuck - the VPN goes into the 'connecting' state, but it stays connecting, without changing state to connected or disconnected. The extension is not starting in this case.
I saw these logs in the Console:
failed to create the delegate
Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2
There are more related logs, but I think the above logs are the problematic ones.
After this issue, if I press the 'connect' button again, it connects without a problem. So I think it's something related to the OS.
P.S - I also saw this thread, which looks very similar -
https://developer.apple.com/forums/thread/652708?login=true
I've implemented a custom VPN app for macOS (Network Extension, Packet Tunnel Provider).
I got some reports that my app crashed. I asked for the Console logs, and I saw this log:
MyAppExtension[85331]: BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7f9debe12120[source], ident: 5 / 0x5, handler: 0x107f09ced }
This log appeared multiple times (every couple of hours), each time with a different PID:
MyAppExtension[85765]: BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked { 0x7fe76fc1ae70[source], ident: 5 / 0x5, handler: 0x1007d5ced }
Is this what crashed the app? The PID was different each time, so I guess it did crash the app.
What info can I get from this message (how to debug it)?
While working on a dev version of my custom macOS VPN (Network Extension, Packet Tunnel Provider), I had cases where the VPN was supposed to start, but it didn't.
It's configured with an on-demand rule to always connect, and also, to be on the safe side, I called connection.startVPNTunnel().
From the Console logs I see the following:
myClientClient Saving configuration myClient example - myname_mfa.mynameaccount with existing signature {length = 20, bytes = 0x3be5a6633b963d04c5e0a226cccff4c83a799e14}
default 12:33:36.686853+0200 secd myClientClient[8416]/1#11 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=query missing class name}
default 12:33:36.687705+0200 myClientClient MacOS error: -25304
default 12:33:36.690077+0200 myClientClient MacOS error: -25304
NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Received a start command from myClientClient[8416]
default 12:33:36.763724+0200 nesessionmanager Registering session NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]
default 12:33:36.764739+0200 nesessionmanager Received a com.apple.neconfigurationchanged notification with token 23
default 12:33:36.765486+0200 nesessionmanager Clearing E853F1E7-23BD-4F01-915B-65DCBB9D9AB8 from the loaded configurations
default 12:33:36.765604+0200 nesessionmanager Clearing 8A4A1803-C370-42A1-8758-35E3D4337959 from the loaded configurations
default 12:33:36.765717+0200 nesessionmanager Clearing 2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17 from the loaded configurations
nesessionmanager nw_network_agent_open_control_socket Successfully connected netagent socket 8
default 12:33:36.760869+0200 SystemUIServer Received a com.apple.neconfigurationchanged notification with token 48
default 12:33:36.790775+0200 neagent Looking for an extension with identifier com.myClientexample.mac.myClientClient.myClientClientExtension and extension point com.apple.networkextension.packet-tunnel
default 12:33:36.791728+0200 neagent [d private] PKHost:0x7f9bc9c29fb0 Beginning discovery for flags: 0, point: com.apple.networkextension.packet-tunnel
default 12:33:36.794692+0200 pkd Waiting on thread private until Launch Services database seeding is complete.
default 12:33:36.783780+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: status changed to connecting
default 12:33:36.811018+0200 neagent [d private] PKHost:0x7f9bc9c29fb0 Completed discovery. Final of matches: 1
default 12:33:36.762607+0200 myClientClient startToggled
default 12:33:36.811362+0200 nesessionmanager com.myClientexample.mac.myClientClient[743]: disposing
default 12:33:36.811575+0200 nesessionmanager com.myClientexample.mac.myClientClient[743]: Tearing down agent connection
default 12:33:36.811641+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Plugin is installed
default 12:33:36.763228+0200 myClientClient starting vpn tunnel
default 12:33:36.811729+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Enabling VPN On Demand
default 12:33:36.811145+0200 neagent Found 1 extension(s) with identifier com.myClientexample.mac.myClientClient.myClientClientExtension and extension point com.apple.networkextension.packet-tunnel
default 12:33:36.813142+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Matched no on demand rule
default 12:33:36.784619+0200 myClientClient vpnStatusDidChange: Connecting
default 12:33:36.784729+0200 myClientClient display Connecting
default 12:33:36.813445+0200 nesessionmanager NESMVPNSession[Primary Tunnel:myClient example - myname_mfa.mynameaccount:2A6C1B7D-19E8-4EF7-8872-C1D0F8899A17:(null)]: Matched on demand rule
action = connect
interfaceTypeMatch = any
And after that there is a very large number of
"Received a start command from" and "Skip a start command from" lines (I copied only part of the log), but the VPN stays in the 'connecting' phase.
Any idea what's causing it?
Can it also happen on the production version of my app? I never reproduced it in the Store version, but it doesn't always reproduce anyway.
I've implemented a custom VPN (Packet Tunnel Provider) for macOS.
I'm using libcurl from the provider. The traffic is not going via the tunnel. Is it possible to pass this traffic to the tunnel?
What should happen if I set the 'capture all traffic' flag? Will the traffic created from libcurl in the provider reach the tunnel?
I'm planning to convert my Network Extension to a System Extension (custom VPN, Packet Tunnel Provider, macOS).
I have some questions regarding this process: I'm using keychain groups so that I can get the user's password from the keychain both from the app and from the extension; is it possible to do this also with a system extension?
A similar question, but this time for a certificate - I have the entitlement for managed.vpn.shared; is it possible to use it also from the system extension, and get the certificate for the VPN?
I'm passing data between the containing app and the extension via 'App Groups' ("shared" user defaults). Can I do the same for the system extension?
I've added a deinit function to the Packet Tunnel Provider (Network Extension):
deinit {
NSLog("PacketTunnelProvider deinit")
}
And I noticed that it's not being called when I'm disconnecting the VPN:
Calling stopTunnelWithReason because: Configuration was disabled
After a little investigation it seems that the problem is related to packetFlow: I have this function
func readPacketsFromTUN(_ packets: [Data], protocols: [NSNumber]) {
    // Iterate the pairs directly; `0...packets.count-1` traps when packets is empty.
    for (packet, proto) in zip(packets, protocols) {
        // handle packet
        _ = (packet, proto)
    }
    // Re-arm the read. The completion handler captures self strongly and is
    // held by packetFlow until the next packets arrive.
    packetFlow.readPackets { inPackets, inProtocols in
        self.readPacketsFromTUN(inPackets, protocols: inProtocols)
    }
}
It seems that if (just for the test) I don't call packetFlow.readPackets each time, after I stop the VPN it does get to the deinit function. However, I can't remove this call..
Is it a bug on my side, or in the Extension?
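If the pending readPackets completion handler is what keeps the provider alive (the closure captures self, and packetFlow, which the provider owns, holds the closure until packets arrive), the read loop can be written so that it does not own the provider. The code below is an added example, not the original poster's code: the provider class, the stopped flag and the empty packet handler are assumptions, and the network-settings setup in startTunnel is omitted.

```swift
import NetworkExtension

final class ExampleTunnelProvider: NEPacketTunnelProvider {
    // Set in stopTunnel so a read that completes after teardown does not re-arm itself.
    private var stopped = false

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Assumption: setTunnelNetworkSettings(...) has been called before this point.
        stopped = false
        readLoop()
        completionHandler(nil)
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        stopped = true
        completionHandler()
    }

    private func handle(_ packet: Data, protocolFamily: NSNumber) {
        // Encrypt and forward to the server (omitted; assumption).
        _ = (packet, protocolFamily)
    }

    private func readLoop() {
        // [weak self]: the closure outlives this call and is retained by the system,
        // so a strong capture here is provider -> packetFlow -> closure -> provider.
        packetFlow.readPackets { [weak self] packets, protocols in
            guard let self = self, !self.stopped else { return }
            for (packet, proto) in zip(packets, protocols) {
                self.handle(packet, protocolFamily: proto)
            }
            self.readLoop()
        }
    }

    deinit {
        NSLog("ExampleTunnelProvider deinit")
    }
}
```

Whether deinit then fires depends on nothing else holding the provider, and the extension process may simply be terminated by the system after stopTunnel without running deinit at all, so cleanup that must happen should live in stopTunnel rather than in deinit.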