For future reference, here is the reply from Apple to my enhancement request:
Create a com.apple.vpn.managed profile payload with VPNSubType set to your app’s bundle identifier and ProviderType set to app-proxy in the VPN dictionary. Please see https://developer.apple.com/documentation/devicemanagement/vpn?language=objc for details.
Thank you for your responses (to all of my threads) Matt. Unfortunately this is not an option as it requires us to restart the VPN as a privileged user after every reboot and I'm not sure what the installation story looks like. Besides, this would probably be an undocumented/unsupported configuration.
I have submitted Enhancement Requests 9657389, 9657399, and 9657405. I guess for the time being we should live with these issues while looking forward to a response with crossed fingers. Thanks again for your time.
NETransparentProxyProvider can't process port 53 specifically for some reason (I don't see a technical reason it shouldn't), but it seems to work (i.e. catch UDP 53 traffic) when you don't specify a port:
NENetworkRule(remoteNetwork: nil, remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .UDP, direction: .outbound)
You can then ignore everything you are not interested in filtering:
override func handleNewUDPFlow(_ flow: NEAppProxyUDPFlow, initialRemoteEndpoint: NWEndpoint) -> Bool {
    // Only host endpoints carry a port; anything else goes back to the OS.
    guard let endpoint = initialRemoteEndpoint as? NWHostEndpoint else {
        return false
    }
    if endpoint.port == "53" {
        // Do the filtering (open the flow and read/write its datagrams)
        return true // Claim the flow
    } else {
        return false // Let OS handle it
    }
}
Beware of this bug though. I'm not sure if it has been resolved yet.
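To show the two pieces above working together, here is an added example that is not code from the thread or from Apple: a NETransparentProxyProvider that installs the port-less outbound UDP rule from the post, claims only flows whose initial remote port is 53, logs the queried name (useful for DNS visibility in an endpoint agent), and relays each datagram unchanged to the resolver the application chose. The relay uses Network.framework's NWConnection, which is my design choice rather than anything the post prescribes; "example.dnsmonitor" is a placeholder subsystem name, and the tunnel remote address is a dummy value because a transparent proxy has no real tunnel peer.

```swift
import NetworkExtension
import Network
import os.log

// Added example, not code from the thread. Catches all outbound UDP with the
// port-less rule, claims only port-53 flows, logs the query name and relays
// datagrams to their original destination. "example.dnsmonitor" is a placeholder.
class DNSMonitorProxyProvider: NETransparentProxyProvider {

    private let log = OSLog(subsystem: "example.dnsmonitor", category: "dns")
    private let queue = DispatchQueue(label: "example.dnsmonitor.relay")

    override func startProxy(options: [String: Any]?, completionHandler: @escaping (Error?) -> Void) {
        // The address is a placeholder; a transparent proxy has no real tunnel peer.
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        // Match every outbound UDP flow; the port decision is made per flow below.
        settings.includedNetworkRules = [
            NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                          localNetwork: nil, localPrefix: 0,
                          protocol: .UDP, direction: .outbound)
        ]
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }

    override func stopProxy(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    // NWEndpoint is qualified because Network.framework declares a type of the same name.
    override func handleNewUDPFlow(_ flow: NEAppProxyUDPFlow,
                                   initialRemoteEndpoint: NetworkExtension.NWEndpoint) -> Bool {
        guard let endpoint = initialRemoteEndpoint as? NWHostEndpoint, endpoint.port == "53" else {
            return false // Not DNS: hand the flow back to the OS untouched
        }
        flow.open(withLocalEndpoint: nil) { error in
            if let error = error {
                os_log("open failed: %{public}@", log: self.log, type: .error, "\(error)")
                return
            }
            self.readLoop(flow)
        }
        return true // We own this flow now and must move its datagrams ourselves
    }

    private func readLoop(_ flow: NEAppProxyUDPFlow) {
        flow.readDatagrams { datagrams, endpoints, error in
            guard let datagrams = datagrams, let endpoints = endpoints,
                  error == nil, !datagrams.isEmpty else {
                flow.closeReadWithError(error) // EOF or error: tear the flow down
                flow.closeWriteWithError(error)
                return
            }
            for (query, destination) in zip(datagrams, endpoints) {
                guard let resolver = destination as? NWHostEndpoint else { continue }
                let name = DNSMonitorProxyProvider.queryName(in: query) ?? "<unparseable>"
                os_log("DNS query for %{public}@ to %{public}@", log: self.log, name, resolver.hostname)
                self.relay(query, to: resolver, replyingOn: flow)
            }
            self.readLoop(flow)
        }
    }

    /// Sends one query to the resolver the app picked and writes the reply back into the flow.
    private func relay(_ query: Data, to resolver: NWHostEndpoint, replyingOn flow: NEAppProxyUDPFlow) {
        guard let port = Network.NWEndpoint.Port(resolver.port) else { return }
        let connection = NWConnection(host: Network.NWEndpoint.Host(resolver.hostname),
                                      port: port, using: .udp)
        connection.stateUpdateHandler = { state in
            guard case .ready = state else { return }
            connection.send(content: query, completion: .contentProcessed { _ in })
            connection.receiveMessage { reply, _, _, _ in
                if let reply = reply {
                    // The app sees the reply as coming from the endpoint it sent to.
                    flow.writeDatagrams([reply], sentBy: [resolver]) { _ in }
                }
                connection.cancel()
            }
        }
        connection.start(queue: queue)
    }

    /// Extracts the first question name from a DNS message (RFC 1035 section 4.1.2).
    /// Returns nil for anything shorter than a header or with a malformed name.
    static func queryName(in message: Data) -> String? {
        let bytes = [UInt8](message)
        var index = 12 // skip the fixed 12-byte header
        var labels: [String] = []
        while index < bytes.count {
            let length = Int(bytes[index])
            if length == 0 { break }
            if length & 0xC0 != 0 { return nil } // compression pointer: not expected in the first name
            index += 1
            guard index + length <= bytes.count else { return nil }
            labels.append(String(decoding: bytes[index..<(index + length)], as: UTF8.self))
            index += length
        }
        return labels.isEmpty ? nil : labels.joined(separator: ".")
    }
}
```

Returning `true` from `handleNewUDPFlow` commits the provider to carrying the flow: if the extension never opens it or never writes replies back, the application's DNS lookups simply hang, which is why every error path above closes the flow rather than leaving it dangling. A name that fails to parse is logged rather than dropped, so the monitor never blocks traffic it merely cannot read.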