Since no answer here, I submitted a feedback - FB7730197

Still reproduces

Great, I just tried it (on iOS) and it worked, thanks!

If the VPN is connected, but the containing app is at the background, would the observer still detect the VPN status changes? Would it be possible to manually disconnect the VPN when the containing app isn't on foreground?

I'll try the packet trace, but before that, I missed something at your other answer -"utun_output - ctl_enqueuembuf failed: 55 Refers to an ENOBUFS error (55) on your control socket for utun interface when data is received but your read queue on the socket is full."Which read queue is full?The one related to the packets coming from packetFlow.readPackets? So I'm asking the OS for more packets where I shouldn't?Or is the buffer to which I'm reading the responses from the network? In that case, if I'll empty the buffer before sening new packets to the network it should help, right? Becuase I think it's all related to this error, I'll try to handle it first.Edit: For sending/receiving traffic, I'm creating a pipe. Is it possible to change its size? Something like F_SETPIPE_SZ? Would it help?int pipe_fds[2]; int ret = pipe(pipe_fds); fcntl(pipe_fds[0], soemthing like F_SETPIPE_SZ, 64 * 1024);

I think you are right, and it's related to memory issues -I saw cases where the Memory keeps increasing (slowly, but still). At the 'View Memory Graph Hierarchy' - there are a huge number os Malloc Blocks.However, I can't find a leak anywhere. All the buffers I'm using (including for sending/receiving data) are fixed in size.From the other hand, at the Console I didn't see any message about killing my app.And I noticed that sometime, when sending a big file (1GB), the memory climbed up to 12MB, and I saw the infamous 'boringssl_context_message_handler(2257) [C8.1:2][0x10484dea0] Writing SSL3_RT_ALERT 2 bytes''boringssl_context_handle_warning_alert(1892) [C8.1:2][0x10484dea0] write alert, level: warning, description: close notify' messages,but AFAIK, 12MB is not the memory limit for the extension, so I can't tell why it failed, even if there's a leak.Which steps should I take to debug it? I already decreased the memory usage, but it didn't help.P.S - the CPU also reached 80% in some cases

Done, feedback number: FB7688534, I even added there some more details (In those cases, there are some times in which the Mac exits the Sleep mode, but then I see at my app the error 'Network is unreachable').And thanks for all your anwers!

I can't say for sure, but if there was such an activity I think that one of those should happen:1. The OS won't start the VPN because the device is about to enter sleep2. The OS will start the VPN, but it won't put the device on sleep modeFrom my logs it seems that in the above case, where 'stopTunnelWithReason' was called, and then the VPN started again, at the middle of the connection attempt, specifically - at the getaddrinfo() func, this function not returns. This is a blocking func, and I suspect that it's not returning because there isn't netwrok access anymore (because the device entered sleep).

So this is baisically what I've asked, because it's not working that way: This is my code -let newSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "y.y.y.y")let IPv4Settings = NEIPv4Settings(addresses: ["x.x.x.x"], subnetMasks: ["255.255.255.255"])newSettings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]And as you said it should claim all traffic, but for some reason - it isn't: As the other example I wrote above, the user is able to access resources on his LAN but can't access the 'remote' resource.

I think that this traffic isn't passing through the tunnel - all the traffic for the tunnel is sent outside, so the tunnel shouldn't have access to the local resources.And for example, lets say I have something like this:This is my local network:net 192.168.1.122 netmask 0xffffff00 broadcast 192.168.1.255And when I'm starting the VPN I set thisipv4Settings = NEIPv4Settings(addresses: [10.41.50.8], subnetMasks: ["255.255.255.255"])so the TUN interface has Pv4 address 10.41.50.8 with a netmask 255.255.255.255.If all traffic goes via the tunnel, the tunnel shouldn't have access to the resources on my LAN.Are you looking for all traffic over IPv4 to go through the tunnel, no matter what it's acccessing?First I want to know how is it suppose to work - all traffic should go via the tunnel, or traffic for the LAN should not reach it at all?Then, I would like to know how to configure it, so every customer can choose what he wants (As for now I told them to use split tunnel, I'm not sure if it's correct and if there are any other ways).And the final part - the reason I asked it is because I got a question from a customer: He has the following configuration:IOS device (ipad) ip: 172.16.0.x/12Local resource 172.27.252.12Remote resource 172.27.252.12Customer is seeing traffic sent to the local resource and not to the remote resource when the VPN is connected.

The memory at the extension reached to 16.5 MBAlso, those msgs appeared again (multiple times, as in the other thread I posted): utun_output - ctl_enqueuembuf failed: 55Edit: According to this post https://forums.developer.apple.com/thread/73148the memory limit for iOS is 15MB, but 1. It doesn't say what's the limit for macOS 2. The app/extension didn't crash, everything still works, it's just the upload that stop at the middle without any error.

Thanks again for a great answer!The reason I aksed it here, is the fact that this is an app with a Packet Tunnel Provider, so I'm guessing that the experts around this area are probably here. I'll try to check the resources you mentioned. Thanks again!

Great, that's what I'm looking for, thanks!And a question regarding this - looking at your post, I see that some people said they couldn't run the app with packet-tunnel when it's signed with a Developer ID, and you suggested to open a bug. Do you happen to know if it has any problems?And for iPhone there's no way to distribute outside the App Store , correct?And a final question - for iOS, can a customer download my app from the store, and distribute it to his organization via MDM?Let's say that there's a company with thousands of users, each of them need to install my app from the store? No other way to distribute to them?

Thanks, I'll do it, but also - when trying to reproduce I saw those msgs coming from the kernel:X86PlatformPlugin::evaluateSoftLimit NOT calling cgDispatchCallbackIt appeared many times, is it also related?And maybe "playing" with the MTU might help here?

Great! It sounds very reasonable, thank you very much for all the help!