Post · Replies · Boosts · Views · Activity

LAN traffic
I've implemented a custom system extension VPN for macOS using a Packet Tunnel Provider. In the protocol configuration, the 'includeAllNetworks' flag is unset. In the provider, I included all routes (IPv4 default route). What is the expected behavior for LAN traffic? Should the LAN traffic go via the VPN? By 'LAN traffic', I'm referring to local hosts, ssh, printer access, etc.
3 replies · 0 boosts · 491 views · May ’24
Authentication with Certificates
I've implemented a custom VPN for iOS using a Packet Tunnel Provider. I have the entitlement for 'com.apple.managed.vpn.shared'. One option to connect is to use a certificate; this can be done by distributing a VPN payload with the required certificate for the connection. My question is whether there's any way to distribute multiple certificates so that I'll be able to read them in my iOS app. For example, in the Certificates payload I can add multiple certificates, but in the VPN payload I can choose only one of them. So, can my app read more than one certificate?
2 replies · 0 boosts · 511 views · Feb ’24
IncludeAllNetworks + split tunnel
Is it possible to have both 'includeAllNetworks' and a split tunnel simultaneously? I want to enable a split tunnel so only some of the traffic will reach the tunnel, but at the same time make sure that this traffic will always reach the tunnel, even if it's coming from some low-level networking API or even if the traffic started before the tunnel was created. Setting the 'includeAllNetworks' flag will help with the above cases, but then I'll get all the traffic via the tunnel without regard to the split-tunnel configuration. (Details: system extension, PacketTunnelProvider)
0 replies · 0 boosts · 404 views · Dec ’23
ES sample project
I downloaded the ES sys-ext sample project. I built the 'NOTIFY' extension, and I was able to install it. However, it doesn't seem to work (or rather, it doesn't report anything). This is what I did:
- I downloaded the project
- I renamed the bundle IDs
- I disabled SIP
- I tried both signing options: 'Xcode automatically manage signing', and I also tried to use my 'Developer ID'
- I moved the app to the Applications folder
- I granted the 'Full Disk Access' permission to the extension
- I verified that the extension is running
- I did not get the needed entitlement yet, but since SIP is disabled, I don't think it's a problem
- I did get the message 'Successfully installed the extension ✅'
At the terminal, I tried to capture relevant logs:
    log stream --style compact --predicate 'sender == "myBundleId"'
(I tried it with the app bundle ID and with the extension's bundle ID.) And yet, 'ps' triggers no logs.
In the Console, I get these messages:
    Unsatisfied entitlements: com.apple.developer.endpoint-security.client
    Disallowing: myBundleId
    amfid: Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=, unsatisfiedEntitlements=, NSLocalizedDescription=No matching profile found}
Any idea where the problem is?
5 replies · 0 boosts · 1.6k views · May ’23
Signing with SecKeyCreateSignature and verification with OpenSSL
In my app I have a SecKey that I want to sign some data with, and on my server I need to do the verification, but this time with OpenSSL. I didn't find any common key or any steps to achieve this between the Apple Security framework and OpenSSL. For example, I've tried the following:
Signing (Apple Security):
    let signedStrCFData = SecKeyCreateSignature(key, .rsaSignatureRaw, plaintextData, &error)
Verifying (OpenSSL):
    ret = RSA_verify(NID_rsaSignature, (const unsigned char *)challenge, (unsigned int)strlen(challenge), challenge_enc, challenge_enc_size, rsa);
Which key to choose is not really important to me (as long as it's a reasonable signing key), so I tried multiple types of keys, but I wasn't able to do it. Any idea what I'm missing here?
8 replies · 0 boosts · 1.5k views · Sep ’20
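The interop the post above is after, as an added example that is not the poster's code or Apple's: `.rsaSignatureRaw` applies the RSA private-key operation to the caller's block with no hashing and no PKCS#1 padding, while OpenSSL's `RSA_verify()` checks that sig^e mod n equals the PKCS#1 v1.5 (EMSA-PKCS1-v1_5) encoding of a DigestInfo. The Python below, standard library only, models both sides: `sign_pkcs1v15_sha256` produces what `SecKeyCreateSignature(key, .rsaSignatureMessagePKCS1v15SHA256, …)` produces, `rsa_private_op` over a zero-left-padded block models the raw algorithm (the padding choice is this example's assumption), and `verify_pkcs1v15_sha256` performs the check that `RSA_verify(NID_sha256, digest, 32, sig, siglen, rsa)` performs. The 1024-bit key is generated at toy size for speed and the challenge bytes are constructed.

```python
"""Added example: why a .rsaSignatureRaw signature fails RSA_verify() and what passes.
Standard library only; toy-sized key and constructed challenge."""
import hashlib
import secrets

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for a demonstration key, not a production generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_key(bits=1024):
    """Return (n, e, d). Toy size for speed; a real deployment uses >= 2048 bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)


def modulus_bytes(n):
    return (n.bit_length() + 7) // 8


def emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) to k bytes (RFC 8017, section 9.2)."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for EMSA-PKCS1-v1_5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_private_op(block, n, d):
    """Bare RSA private-key operation over a modulus-sized block (the .rsaSignatureRaw model)."""
    k = modulus_bytes(n)
    if len(block) != k or int.from_bytes(block, "big") >= n:
        raise ValueError("raw RSA input must be exactly k bytes and below n")
    return pow(int.from_bytes(block, "big"), d, n).to_bytes(k, "big")


def sign_pkcs1v15_sha256(message, n, d):
    """Model of SecKeyCreateSignature(key, .rsaSignatureMessagePKCS1v15SHA256, message)."""
    return rsa_private_op(emsa_pkcs1_v15(message, modulus_bytes(n)), n, d)


def verify_pkcs1v15_sha256(message, signature, n, e):
    """Model of RSA_verify(NID_sha256, sha256(message), 32, signature, len, rsa):
    recover EM = sig^e mod n and compare it with the expected encoding."""
    k = modulus_bytes(n)
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, emsa_pkcs1_v15(message, k))


def demo():
    """Sign a constructed challenge both ways and run the OpenSSL-style check on each."""
    n, e, d = generate_key()
    challenge = b"constructed server challenge 0001"
    pkcs1_sig = sign_pkcs1v15_sha256(challenge, n, d)
    # .rsaSignatureRaw leaves padding to the caller; zero-left-padding the challenge to the
    # block size is this example's assumption, and it is exactly what RSA_verify rejects.
    raw_sig = rsa_private_op(challenge.rjust(modulus_bytes(n), b"\x00"), n, d)
    return {
        "pkcs1v15_verifies": verify_pkcs1v15_sha256(challenge, pkcs1_sig, n, e),
        "raw_verifies": verify_pkcs1v15_sha256(challenge, raw_sig, n, e),
        "tampered_verifies": verify_pkcs1v15_sha256(challenge + b"!", pkcs1_sig, n, e),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the Swift side signs with `.rsaSignatureMessagePKCS1v15SHA256` and exports the public key with `SecKeyCopyExternalRepresentation` (PKCS#1 RSAPublicKey DER for RSA keys), and the server verifies with `openssl dgst -sha256 -verify` against that key converted to PEM, or with `RSA_verify(NID_sha256, digest, 32, sig, siglen, rsa)` where `digest` is the SHA-256 of the challenge, not the challenge itself.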
DoH and Network Extension
[Network Extension, Packet Tunnel Provider, iOS, split tunnel] I've implemented a custom network extension app for iOS using Packet Tunnel Provider. A customer enabled a split tunnel, set the tunnel's DNS servers, and added the relevant 'search domains' and 'match domains'. Then he reported an error related to DNS, specifically DNS over HTTPS: he noticed that DNS queries were sent over HTTPS. He also has the corresponding app for Mac (Packet Tunnel Provider, macOS, system extension), and everything works fine with the same DNS configuration; there the DNS queries were sent as clear text, not DoH. Is DoH the default behavior on iOS? Is it the default on macOS? Can we somehow change this behavior? Do DoH queries reach the tunnel as plain DNS queries?
0 replies · 0 boosts · 680 views · Oct ’23
ExcludeLocalNetworks flag
Now that the flag includeAllNetworks is working as expected (see https://developer.apple.com/forums/thread/722156), I tried to set it together with the ExcludeLocalNetworks flag. As described in the documentation, I'm able to use AirPlay and AirDrop while connected, but what I was hoping for was to exclude all the LAN traffic from the tunnel, including pings to local hosts, ssh, printer access, etc. Isn't that what ExcludeLocalNetworks should accomplish? If not, how can I exclude LAN traffic from a full tunnel (i.e. not a split tunnel)? [Custom VPN, macOS, Packet Tunnel Provider, system extension]
0 replies · 0 boosts · 533 views · May ’23
Phased release - change percentage of users
The phased release feature is very useful for our company, but a big minus for us is that the 'Percentage of Users' starts very slow, and in the last two days it goes up very fast. For now, what we can do is start the phased release, pause it after 50% of users get the new version, and after a week resume the release. I know that's not the purpose of pause/resume, but we want better control over the percentages/days of the phased release. Is it possible to change those somehow? Change the percentages per day, or change the number of days for the phased release?
1 reply · 0 boosts · 2.3k views · Nov ’20
includeAllNetworks - Can't establish tunnel when includeAllNetworks is set
I've implemented a custom VPN app for macOS (using Packet Tunnel Provider). I set includeAllNetworks in the protocolConfiguration. When this field is set, I can't connect and I can't send traffic even from the extension. Even simple calls in the extension, like getaddrinfo or curl, fail. If I unset this variable (includeAllNetworks = false), then I can connect without a problem. In addition, I can see these lines in the Xcode console:
    Connection 2: encountered error(1:53)
    Connection 3: encountered error(1:53)
    Connection 1: encountered error(1:53)
And these lines in the Console:
    No mDNS_Keepalive for interface en8/IOSkywalkLegacyEthernetInterface kr 0xE00002C0
    NetWakeInterface: en8 <private> no WOMP
    uDNS_CheckCurrentQuestion: host unreachable error for DNS server <private> for question
    failed to send packet on InterfaceID 0x5 en8/4 to <private>:53 skt 74 error -1 errno 65 (No route to host)
16 replies · 0 boosts · 2.9k views · Jul ’20
Split Tunnel + split DNS
I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider). My question is related to the tunnel's DNS servers: I would like all DNS queries to reach the tunnel's DNS even when a split tunnel is enabled, but I'm aware that this case is not 'working well', and the Packet Tunnel Provider is not supposed to capture all DNS queries; see these threads: https://developer.apple.com/forums/thread/662443 https://developer.apple.com/forums/thread/661601
So as a workaround, on a split tunnel I have a list of 'match domains' and 'search domains'. But now it seems that the default interface answers those queries as well, and they still don't reach the tunnel's DNS. To verify this, I connected with the VPN, and when I checked 'scutil --dns', I got the list of resolvers, where resolver #1 wasn't the utun (it was en7), and it handled all the 'match domains'/'search domains'. Any idea how to force some/all DNS queries to the tunnel's DNS even for a split tunnel?
3 replies · 0 boosts · 2.1k views · Jul ’22
Packet Tunnel Provider - sleep/wake
I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider). I've configured disconnectOnSleep = false, and in the provider I've implemented the sleep() and wake() functions. In the wake() function I'm trying to re-establish the connection, and most of the time it works well. However, there are times when, even after wake() is called, it seems that the interfaces aren't ready/available, and I'm getting "Network is unreachable" errors (I'm working with BSD sockets). Any idea why the interfaces aren't available at this point, after wake() has been called? Any idea how to get notified when the interfaces are available?
4 replies · 0 boosts · 1.7k views · May ’22
WKWebView - challenge
I have a question very similar to this one, from 5 years ago: https://developer.apple.com/forums/thread/75710
I have a macOS app in which I have a web view that loads a login page for the user. The user can log in using SSO, and the SSO login process might require verifying that a certificate is installed on the user's machine. The certificate and the user's login credentials aren't related to my app in any way. The certificate should already be installed in the Keychain. My question is related to the function webView(_ webView: WKWebView, didReceive challenge:). Should I implement this function? As I said, the certificate is not related to my app, so it would be better to let the OS handle the challenge, if possible. In case I have to implement this function, is there any way for my app to answer this challenge? Any example of how to do it?
1 reply · 0 boosts · 916 views · May ’22
Packet Tunnel Provider - Writing SSL3_RT_ALERT 2 bytes
I've implemented a VPN app with Packet Tunnel Provider for macOS. To send the packets, I'm using BSD sockets. I noticed that when sending big files (1GB), most of the time the upload fails, and the relevant errors I see in the console are the following:
    [Extension com.myExtension]: IPC detached
    NESMVPNSession[Primary Tunnel:My Company - myUserName:6EF9650B-D1DA-418B-B617-AE0874DDCBD3:(null)] in state NESMVPNSessionStateRunning: plugin NEVPNTunnelPlugin(com.MyContainingApp]) did detach from IPC
    [NOTICE] : networking grace period is over for #lifetime
    boringssl_context_message_handler(2257) [C6.1:2][0x1048aeac0] Writing SSL3_RT_ALERT 2 bytes
    boringssl_context_handle_warning_alert(1892) [C6.1:2][0x1048aeac0] write alert, level: warning, description: close notify
    boringssl_session_disconnect(539) [C6.1:2][0x1048aeac0] SSL_shutdown 0
    nw_flow_disconnected [C6.1 20.185.73.23:443 cancelled socket-flow ((null))] Output protocol disconnected
    nw_connection_report_state_with_handler_on_nw_queue [C6] reporting state cancelled
    Connection 6: destroyed
    nw_protocol_boringssl_remove_input_handler(1012) [C6.1:2][0x1048aeac0] nw_protocol_boringssl_remove_input_handler forced true
    nw_protocol_boringssl_remove_input_handler(1030) [C6.1:2][0x1048aeac0] Transferring nw_protocol_boringssl_t handle back into ARC for autorelease
So I'm guessing it's related to "did detach from IPC" or to "SSL3_RT_ALERT 2 bytes", but what's the next step here? How can I try to figure out what's causing this?
P.S.: It seems that the VPN stays connected and functional; it's just the upload that fails.
10 replies · 0 boosts · 2.2k views · Apr ’20
Network Extension + BSD Sockets
I've implemented a custom VPN system extension for macOS (Packet Tunnel Provider). I created a tunnel, and I have a VPN connection with the default (IPv4) routes. My question is about sending traffic that originates from the extension via the tunnel. Is it possible to create a BSD socket in the extension and bind it to a specific interface, so that the traffic created by the extension for this socket will be routed via the tunnel?
1 reply · 0 boosts · 855 views · May ’22