Thanks, Matt. I opened an enhancement request, and I got a response suggesting I use App Proxy instead. I will give it a try. -Xin
Hi Matt, Thanks for your reply. Those audio/video sessions' destination ports may change all the time, which makes them extremely difficult to identify. So I'm wondering if there is any mechanism that lets me just set an "IncludeApp" instead of "NetworkSettings" to specifically proxy an App's traffic? If NETransparentProxy cannot do it, do you know any other way that I can try?
Thanks,
Xin
IP_BOUND_IF works! Thank you so much!
Yes. I did try it. But the connect() API call failed. I set IP1 in NETransparentProxyNetworkSettings.includedNetworkRules, then set the network settings using the [MYNEAppProxyProvider setTunnelNetworkSettings] method, so in [MyNEAppProxyProvider handleNewFlow:flow] I can get the flow connecting to IP1. The bind() to the Wifi address succeeds; however, connect() to IP1 fails immediately with error 49, which is EADDRNOTAVAIL (Can't assign requested address). I tried calling [flow openWithLocalEndpoint:IP1Address completionHandler:^(NSError *error) { ... }] before establishing the new connection via Wifi; [flow openWithLocalEndpoint] succeeds, but connect() fails with the same error. If I don't call bind() before connect(), then the connection goes through the LAN instead of Wifi, I think because the LAN is the primaryInterface.
Thank you for helping. Already filed TSI.
No. I've updated to the macOS Catalina latest official release 10.15 (19A602). For me, nothing has changed; the system still doesn't invoke setTunnelNetworkSettings.completionHandler.
According to Network Extension Framework Entitlements, the com.apple.managed.vpn.shared entitlement "is only necessary if your VPN supports configuration via a configuration profile and needs to access credentials from that profile". I don't use any configuration profile, and no keychain access is required at all in this testing App. I basically programmatically create a testing NETunnelProviderManager, call NETunnelProviderManager.saveToPreferencesWithCompletionHandler to save it, then start the tunnel. Here is my code to create the testing NETunnelProviderManager:

    NETunnelProviderManager *m = [[NETunnelProviderManager alloc] init];
    NETunnelProviderProtocol *protocol = [[NETunnelProviderProtocol alloc] init];
    protocol.providerBundleIdentifier = (NSString *)@NEVPN_TEST_EXTENSION_BUNDLE_ID; // bundle ID of tunnel provider
    NSMutableDictionary *providerConfig = [NSMutableDictionary new];
    providerConfig[@"Testing Configuration"] = @"TestingJDids98aFJ#QFEP#JFEL";
    protocol.providerConfiguration = providerConfig;
    protocol.serverAddress = @REMOTE_TUNNEL_SERVER_IP;
    protocol.username = @"testuser1";
    [providerConfig release];
    m.protocolConfiguration = protocol;
    m.localizedDescription = name;
    [protocol release];
Yes. You are right about the scenario. The App entitlement is:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider</string>
        </array>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>$(TeamIdentifierPrefix)com.mycompany.mytestbundleID</string>
        </array>
        <key>com.apple.security.files.downloads.read-write</key>
        <true/>
        <key>com.apple.security.files.user-selected.read-write</key>
        <true/>
        <key>com.apple.security.network.client</key>
        <true/>
        <key>com.apple.security.network.server</key>
        <true/>
    </dict>
    </plist>

The System Extension entitlement is:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider</string>
        </array>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>$(TeamIdentifierPrefix)com.mycompany.mytestbundleID</string>
        </array>
        <key>com.apple.security.files.downloads.read-write</key>
        <true/>
        <key>com.apple.security.files.user-selected.read-write</key>
        <true/>
        <key>com.apple.security.network.client</key>
        <true/>
        <key>com.apple.security.network.server</key>
        <true/>
    </dict>
    </plist>

I activate the SystemExtension in the App with:

    OSSystemExtensionRequest *request = [OSSystemExtensionRequest activationRequestForExtension:@"com.mycompany.mytestbundleID.PacketTunnel" queue:dispatch_get_main_queue()];
    request.delegate = (id)self;
    [[OSSystemExtensionManager sharedManager] submitRequest:request];

System Preferences is then requested to be launched to Allow the SystemExtension. I allow it. Then I use "systemextensionsctl list", and I can see the SystemExtension is "[activated enabled]". After that, in the App, it loads the NETunnelProviderManager, then calls NEVPNConnection.startVPNTunnelAndReturnError, and I can see the SystemExtension process ( /Library/SystemExtensions/E7EF657E-F2EB-446A-8630-120A52F6098E/com.mycompany.mytestbundleID.PacketTunnel.systemextension/Contents/MacOS/com.mycompany.mytestbundleID.PacketTunnel ) being launched by launchd, and NEPacketTunnelProvider.startTunnelWithOptions() being invoked.
1) I passed "nil" first, and the completionHandler was called immediately with success (error is nil). Then I passed "tns", and no completionHandler was called at all. The system log in Console.app looks like this:

    // passing "nil"
    2019-10-11 13:38:11.046842-0700 0x14be9f Info 0xe2a83 13364 0 nesessionmanager: (NetworkExtension) [com.apple.networkextension:] [Host com.mycompany.mytestbundleID]: setting tunnel configuration
    2019-10-11 13:38:11.046581-0700 0x14bf4d Default 0xe2a83 21346 0 com.mycompany.mytestExtensionbundleID: (NetworkExtension) [com.apple.networkextension:Large] [Extension com.mycompany.mytestbundleID]: provider set tunnel configuration to (null)
    2019-10-11 13:38:11.048107-0700 0x14bfc3 Default 0xe2a83 21346 0 com.mycompany.mytestExtensionbundleID: Successfully Clear tunnel settings
    // my log shows the completionHandler with nil error is called.
    // then passing "tns"
    2019-10-11 13:38:11.048510-0700 0x14bf4d Default 0xe2a83 21346 0 com.mycompany.mytestExtensionbundleID: (NetworkExtension) [com.apple.networkextension:Large] [Extension com.mycompany.mytestbundleID]: provider set tunnel configuration to tunnelRemoteAddress = <10-char-str> DNSSettings = { server = ( <11-char-str>, <9-char-str>, ) searchDomains = () matchDomains = ( <0-char-str>, ) matchDomainsNoSearch = NO } IPv4Settings = { configMethod = PPP addresses = ( <11-char-str>, ) subnetMasks = ( 255.255.255.255, ) includedRoutes = ( { destinationAddress = <7-char-str> destinationSubnetMask = 0.0.0.0 }, ) excludedRoutes = ( { destinationAddress = <10-char-str> destinationSubnetMask = 255.255.255.255 }, ) overridePrimary = NO } MTU = 1400
    // After 10 seconds, no completionHandler is called. I tried even 90 seconds; the result is the same.
    2019-10-11 13:38:21.050124-0700 0x14bf4d Default 0xe2a83 21346 0 com.mycompany.mytestExtensionbundleID: Setting tunnel parameters timed out

2) I used tcpdump to capture all network packets. Unfortunately, I didn't see any ARP or DNS network packets at the time "setTunnelNetworkSettings:tns" was being called. I call setTunnelNetworkSettings in the NEPacketTunnelProvider handleAppMessage:completionHandler: method. I tried creating a new dispatch queue to invoke it; the result is the same.
Thanks,
Xin
The system log (via Console.app) stopped at:

    [Extension com.mycompany.mytestbundleID]: provider set tunnel configuration to tunnelRemoteAddress = <10-char-str> DNSSettings = { server = ( <11-char-str>, <9-char-str>, ) searchDomains = () matchDomains = ( <0-char-str>, ) matchDomainsNoSearch = NO } IPv4Settings = { configMethod = PPP addresses = ( <11-char-str>, ) subnetMasks = ( 255.255.255.255, ) includedRoutes = ( { destinationAddress = <7-char-str> destinationSubnetMask = 0.0.0.0 }, ) excludedRoutes = ( { destinationAddress = <10-char-str> destinationSubnetMask = 255.255.255.255 }, ) overridePrimary = NO } MTU = 1400

In the App NetworkExtension, after this log, the completionHandler is called immediately. The network settings are exactly the same.
I have the exact same question. In WWDC 2019, it was mentioned that TransparentProxy could do it. But so far there are no docs and no samples. I don't know how to do it.