Post not yet marked as solved
I've implemented a custom system-extension VPN (Packet Tunnel Provider) for macOS.
At the extension, I need to use a 3rd party dynamic lib.
The steps I did:
Build phases:
Copy files, with Frameworks destination
Link Binary With Libraries
Build Settings:
I set 'Dynamic Library Install Name', 'Dynamic Library Install Name Base', and 'Library Search Path' to the lib folder
I set 'Header Search Path' to the headers folder
But when running the extension, it's crashing with the error
Termination Reason: Namespace DYLD, Code 1 Library missing
Library not loaded: @loader_path/somelib.dylib
And
Reason: tried: '/Library/SystemExtensions/A1111-someID-11111/com.myapp.myappSysExtension.systemextension/Contents/MacOS/libwavmodapi.dylib' (no such file), '/usr/local/lib/libwavmodapi.dylib' (no such file), '/usr/lib/libwavmodapi.dylib' (no such file)
(terminated at launch; ignore backtrace)
Any idea what I'm doing wrong here?
Also, is it even possible to use dynamic libs from a sys-ext?
I've implemented a VPN app with Packet Tunnel Provider for MacOS and iOS.I have two questions regarding the Extension's sleep/wake functions:1. If the VPN configuration is set with disconnectOnSleep = false, and at the extension I'm sending keep-alives every X seconds, What would happen when the device enters sleep mode? Will it keep sending keep-alive (because the VPN is configured with disconnectOnSleep=false) ?2. If the VPN configuration is set with disconnectOnSleep = true, and also isOnDemandEnabled = true. When the device enters sleep mode, do I need to disconnect the VPN myself? Or the OS would take care of it? And if I should disconnect it myself, the on-demand won't try to turn it on again (because the on-demand) ?
Post not yet marked as solved
I've developed a VPN app for iOS and macOS with Packet Tunnel Provider.Once the VPN is enabled all the traffic should go via the VPN. The VPN is configured to be on demand (isOnDemandEnabled is set), with a rule to always connect.There are some cases where this configuration might cause a problem -When the user goes to a place with a captive portal, the VPN won't be able to connect (because the user will first need to login to the captive portal), but the user also won't be able to login to the captive portal (because all traffic triggers the network extension).In such a case, I need that the captive portal will be shown to the user, and I also need to exclude at least some of the traffic from the VPN, so the user would be able to login to the captive portal (but I don't want to open all traffic, just the traffic needed for the login).Is there any API for those cases? If the answer is no, I'll try to detect this case at the Extension. But I won't be able to open the captive portal from there, so the only thing I would be able to do is to display a message to the user, correct?
Post not yet marked as solved
-I've implemented a VPN app (with Packet Tunnel Provider).I have an ovserver for NEVPNStatusDidChangeNotification.When the user press the "connect" button, 90 % of the time I get the notifications where the connection.status goes from Disconnected to Connecting and then to Connected.But I've already encounterd several cases, where the connection succeeded, but the notifications I got wereDisconnected -> Connecting - > InvalidAnd as I said, the connection been made and the VPN had been activated, so why I got the Invalid state ?Edit:Those are some of the system logs:name = <40-char-str>
identifier = some-identifier-I-dont-know-1
applicationName = myApp
application = myAppBundle
grade = 1
VPN = {
enabled = YES
onDemandEnabled = YES
onDemandRules = (
{
action = connect
interfaceTypeMatch = any
},
)
protocol = {
type = plugin
identifier = some-identifier-I-dont-know-2
serverAddress = <16-char-str>
username = <24-char-str>
password = {
identifier = some-identifier-I-dont-know-1
domain = user
}
passwordReference = <67656e70 00000000 00000417>
identityDataImported = NO
disconnectOnSleep = YES
disconnectOnIdle = NO
disconnectOUpdated network agent (inactive)vpnStatusDidChange: InvalidNESMVPNSession in state NESMVPNSessionStateIdle: update configuration
NESMVPNSession: Received a start command from myApp
Post not yet marked as solved
I'm implementing a VPN client using PacketTunnelProvider.I have a C code that talk to my sever, and this C code also has callbacks to my Swift code.In those callbacks I just need to send / receive packets.I do not need to create a tunnel with the server, because the C code does it for me.So my question is, how to get all the packets ? I tried doing it with packetFlow, but without any success.(And as for the moment, i'm trying to do it at the startTunnelWithOptions function, but not sure if it's the right place)Thanks!
Post not yet marked as solved
I've developed a system-extension for macOS (Packet Tunnel Provider, Developer ID, distribution outside the App Store).
There's a scenario where I want to present some webpages with the WebKit. It works fine, but on of my testing Macs the webpage display the page for a split second, and then becomes white.
I saw that the WebKit crashed, but I'm not sure why.
I attached the crash report.
Also, at the crash report, I saw this:
"is_first_party":1,"bug_type":"309"
Did my application cause this crash? Any advise on how to debug it or on how can I prevent if from happening?
com.apple.WebKit.WebContent-2021-12-12-063048.txt
Post not yet marked as solved
I have some questions regarding life cycle of Packet Tunnel Provider:
I have some static vars at the PacketTunnelProvider. The user connected to the VPN, then disconnected, so I called the relevant compilation handler.
After some time, the user will start VPN again, PacketTunnelProvider will be recreated.
Will it use the same class as before, and all static vars will hold their last value? Or would it create a new PacketTunnelProvider?
Is it the same behavior for Network Extension vs System Extension?
Is it the same behavior for macOS vs iOS?
What about running threads? If I created a thread, and then I called the completion handler, will this thread continue to run?
P.S
If I'm adding exit(0) before 'quitting' the Packet Tunnel Provider, it will force cleaning the memory. But I guess it's not a good behavior for a System Extension to use exit(0)
class PacketTunnelProvider: NEPacketTunnelProvider {
static var isInitiated = false
...
}
override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) {
...
PacketTunnelProvider.isInitiated = true
...
Post not yet marked as solved
Hi
I've developed a custom VPN app for macOS (system-extension, Packet Tunnel Provider), and I have the following problem:
I'm connected vie Ethernet only (not Wi-Fi). I configured on the Ethernet interface HTTP and HTTPS proxies.
I'm connecting to my VPN:
If I'm using a 'full tunnel' - the traffic won't pass to the Ethernet proxies, this is expected
If I'm using a split tunnel - even the routes included on the tunnel will reach the Ethernet proxies, this is not expected.
Am I right that this behavior is not expected? How can I fix this issue?
Post not yet marked as solved
I've developed a custom VPN system extension (macOS, Packet Tunnel Provider).
On a first installation, the user has to allow installation of the system extension (via Security & Privacy).
My question is, what should happen when the user updates the app to a newer version - will he get the 'allow system extension installation' popup again? Or is it a 'one time popup' only?
Post not yet marked as solved
I've developed a system-extension custom VPN app for macOS, which is in use by some internal testers.
The app works fine, except for one user, which can't connect to the VPN. I saw that on his machine, the system extension is getting terminated, very shortly after he's approving it. Sometime it happens while he's trying to connect, but sometimes it happens even without a connection attempt, he's just approving the sysExt and wait.
I saw at the logs the following lines:
sysextd: [com.apple.sx:StateChange] **** advancing state from activated_enabling to activated_enabled
sysextd: observer for **** reached success: activated_enabled
sysextd: [com.apple.sx:XPC] client connection (pid 667) invalidated
2022-01-12 21:45:50.844914+0200 0x26fa Activity 0xf149 496 0 sysextd: (Security) SecTrustEvaluateIfNecessary
2022-01-12 21:45:50.926046+0200 0x26fa Default 0x0 496 0 sysextd: request contains no authorizationref
2022-01-12 21:45:50.926390+0200 0x26fa Default 0x0 496 0 sysextd: returning cdhash for arbitrary arch x86_64 of extension ****
sysextd: [com.apple.sx:XPC] client connection (pid 1103) invalidated
nesessionmanager: [com.apple.networkextension:] Adding event subscription 775 for provider *** with extension point com.apple.networkextension.packet-tunnel
...
...
sysextd: received request to remove MDM payload with UUID ****
sysextd: removed MDM payload with UUID ****
sysextd: MDM payload change results in changed decision for Extension **** from Allow to UserOption
sysextd: deactivateExtension called for **** in state "activated_enabled"
sysextd: [com.apple.sx:StateChange] extension **** advancing state from activated_enabled to terminating_for_uninstall
Is this issue related somehow to MDM profiles?
Is it related to "client connection invalidated" ? And what is this thing?
How can I debug it/ understand where's the problem?
Post not yet marked as solved
I've developed a system-extension custom VPN app for macOS. As expected, the containing app is running under 'user' permissions, and the system-extension is running under 'root' permissions.
The containing app and the sys-ext can create (and save) log files.
The containing app has a button to 'collect' the logs from both the containing app and from the extension.
However, it can't really access to the extension's logs since it's under root/
What I'm doing is to ask the extension to send the logs via IPC,
but what should I do if the VPN is not connected? In this case the extension is not running, and I can't get it's logs.
Is there another way to get the file, or maybe to write logs from the extension to somewhere directly accessible to the containing app?
As I mentioned in this thread
https://developer.apple.com/forums/thread/695207
I want my containing app to be active after Mac restarts.
I thought about something that could work - I wrote a "helper" embedded app which will be added to the login items, and after a restart this "helper" app will open the containing app.
However, after archiving the project (with developer ID, it will be distributed outside the App Store), I see the following error at the Console:
Non-fatal error enumerating at , continuing: Error Domain=NSCocoaErrorDomain Code=260 "The file “PlugIns” couldn’t be opened because there is no such file." UserInfo={NSURL=PlugIns/ -- file:///Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/, NSFilePath=/Applications/MyMainApp.app/Contents/Library/LoginItems/LauncherApplication.app/Contents/PlugIns, NSUnderlyingError=0x7fc5cb02c6f0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}
I see that there's really no plugin folder, but why?
Is it a certificate/signing issue?
Post not yet marked as solved
I configured my VPN to be 'on-demand' and I restarted my Mac.
After the restart, my Packet Tunnel Provider started (it was called by the OS, because of the on-demand).
The containing app is inactive - it's open (the icon is at the menu bar, with a circle at the bottom) but 'applicationDidFinishLaunching' is not being called.
Is there any way I can 'force start' the containing app?
Any way will be good - if it's by sending a message from the provider, or if it's possible to programmatically ask the OS to start the containing app after Mac restart..
Post not yet marked as solved
Sry for the duplicate -
I added a comment on an old post, but it's tagged only with 'System Extension' and without 'Network Extension', so I'm posting it here as well:
Original post:
https://developer.apple.com/forums/thread/133933?login=true&page=1#694688022
My question:
Bumping this old thread - I have the same scenario, I created a VPN + Certificate payload, installed it, and now I have a VPN conf which I can access to only from the containing app, but I need to access it from the system-extension. As I read above it's not possible, I send messages between the extension and the app, and it worked fine for the SecCertificate, which I sent as a Data to the extension (using SecCertificateCopyData() and sendProviderMessage functions).
The problem is that at the extension I need also the SecKey, and I couldn't find any way to pass it from the containing app to the extension. I even tried to pass it via IPC, but it crashed ( "This coder only encodes objects that adopt NSSecureCoding").
Is there any way to pass SecKey to the Extension, or to access it directly from there?
I have an iOS app and a MacOS app in which I want to display to the user it's device's local IP.If there is more than one IP, I would dispaly one of them, not matter which one.This is the code I'm using:func getIFAddresses() -> String {
//var addresses = [String]()
var address = "N/A"
deviceLocalIp = "N/A"
// Get list of all interfaces on the local machine:
var ifaddr : UnsafeMutablePointer?
guard getifaddrs(&ifaddr) == 0 else { return address }
guard let firstAddr = ifaddr else { return address }
// For each interface ...
for ptr in sequence(first: firstAddr, next: { $0.pointee.ifa_next }) {
let flags = Int32(ptr.pointee.ifa_flags)
var addr = ptr.pointee.ifa_addr.pointee
// Check for running IPv4, IPv6 interfaces. Skip the loopback interface.
if (flags & (IFF_UP|IFF_RUNNING|IFF_LOOPBACK)) == (IFF_UP|IFF_RUNNING) {
if addr.sa_family == UInt8(AF_INET) || addr.sa_family == UInt8(AF_INET6) {
let interfaceName = String.init(cString: &ptr.pointee.ifa_name.pointee)
//DDLogInfo("interfaceName:\(interfaceName)")
// Convert interface address to a human readable string:
var hostname = [CChar](repeating: 0, count: Int(NI_MAXHOST))
if (getnameinfo(&addr, socklen_t(addr.sa_len), &hostname, socklen_t(hostname.count),
nil, socklen_t(0), NI_NUMERICHOST) == 0) {
if interfaceName == "en0" {
deviceLocalIp = String(cString: hostname)
address = deviceLocalIp
break
}
//if we don't have address from en0 - try get it from another interface
//(but prefer from en0)
if address == "N/A" && (interfaceName == "en0" || interfaceName == "en1" || interfaceName == "en2" || interfaceName == "pdp_ip" || interfaceName == "ap1") {
deviceLocalIp = String(cString: hostname)
address = deviceLocalIp
}
}
}
}
}
freeifaddrs(ifaddr)
return address
}
}For IPv4 it seems to work well.For IPv6 (via Mac's Internet Sharing), I'm getting an IPv6 address, but it's not the address I'm expecting to connect -at the Network I see that my device is connected and has the IP address X and the result I'm getting with this code is address Y.P.S -For debugging, I printed all the IPs, not just the first, and still didn't get the correct one..
roee84.