Unable to start packettunnel on Mac OS

Hi - We have had a packet tunnel working well on iOS for a long time and are now looking into one for Mac OS. However, we haven't been able to get it to work.


Summary of what we see:

The app can successfully install the VPN profile:

nesessionmanager    11:06:26.027252-0700    NESMVPNSession[Primary Tunnel:XyzCatalyst:E2A089D5-A18B-4543-94F5-827E4DB3357D:(null)]: handling configuration changed: {
    name = XyzlizeCatalyst
    identifier = E2A089D5-A18B-4543-94F5-827E4DB3357D
    applicationName = XyzCatalyst
    application = com.xyz.mac.vpn
    grade = 1
    VPN = {
        enabled = YES
        onDemandEnabled = NO
        disconnectOnDemandEnabled = NO
        protocol = {
            type = plugin
            identifier = 0A3DA48C-EE69-479C-A2CD-994028B01CC0
            serverAddress = 127.0.0.1
            identityDataImported = NO
            disconnectOnSleep = NO
            disconnectOnIdle = NO
            disconnectOnIdleTimeout = 0
            disconnectOnWake = NO
            disconnectOnWakeTimeout = 0
            disconnectOnUserSwitch = NO
            disconnectOnLogout = NO
            includeAllNetworks = NO
            excludeLocalNetworks = NO
            pluginType = com.xyz.mac.vpn
            authenticationMethod = 0
            reassertTimeout = 0
            providerBundleIdentifier = com.xyz.mac.vpn.PacketTunnelProvider
            designatedRequirement = identifier "com.xyz.mac.vpn.PacketTunnelProvider" and anchor apple generic and certificate leaf[subject.CN] = "Apple Development: xyz (XYZ)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */
        }
        tunnelType = packet
    }
}

But when trying to start the PT, the appex is never found:

nesessionmanager    11:06:26.025938-0700    Found 0 (0 active) registrations for com.xyz.mac.vpn.PacketTunnelProvider (com.apple.networkextension.packet-tunnel)


Things we've tried w/o any success starting the PT:

  1. Created a new target for the PT specifically for macOS, per this discussion: https://forums.developer.apple.com/thread/126355
  2. Tried an empty PT (instead of our existing iOS PT)
  3. Created a new app target specifically for macOS (instead of Catalyst)
  4. Installed manually using pluginkit from command line


The entitlements appear correct:

App:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>XYZ.com.xyz.mac.vpn</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>XYZ</string>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.get-task-allow</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>

PT:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>XYZ.com.xyz.mac.vpn.PacketTunnelProvider</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>XYZ</string>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>XYZ.group.xyz</string>
</array>
</dict>
</plist>


We also confirmed that the PT is registered:

pluginkit -mDv |grep Packet
     com.xyz.mac.vpn.PacketTunnelProvider(1.0) BE156DB2-1A2D-4AB2-8CD9-6E7E22D2B807 2020-05-28 03:20:10 +0000 /Users/xyz/Documents/xyz/xyz/iOS/DerivedData/xyz/Build/Products/Debug-maccatalyst/XyzCatalyst.app/Contents/PlugIns/PacketTunnelMac.appex


Is there something we're doing wrong? I can provide the full console output if that would help.

Replies

Yeah, the part about your PacketTunnelProvider having 0 registrations means that the system cannot find your tunnel.


nesessionmanager    11:06:26.025938-0700    Found 0 (0 active) registrations for com.xyz.mac.vpn.PacketTunnelProvider (com.apple.networkextension.packet-tunnel)

How are you loading, saving, and starting your connection?


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Hi Matt,


We are using NETunnelProviderManager:

    import NetworkExtension

    // Fragment of the app's install routine. `manager` is the NETunnelProviderManager
    // being configured, `loadManager` is the app's own reload helper, and
    // `completionHandler` reports (error, success) back to the caller.
    func installProfile(manager: NETunnelProviderManager,
                        profileName: String,
                        completionHandler: ((Error?, Bool) -> Void)?) {
        let protocolConfiguration = NETunnelProviderProtocol()
        protocolConfiguration.serverAddress = "127.0.0.1"
        // Must match the CFBundleIdentifier of the packet tunnel appex.
        protocolConfiguration.providerBundleIdentifier = "com.xyz.mac.vpn.PacketTunnelProvider"

        manager.protocolConfiguration = protocolConfiguration
        manager.isEnabled = true
        manager.localizedDescription = profileName

        manager.saveToPreferences { (error: Error?) in
            if let error = error as NSError? {
                NSLog("Install error: \(error)")
                completionHandler?(error, false)
            } else {
                NSLog("VPN saved")
                self.loadManager { _ in
                    completionHandler?(nil, true)
                }
            }
        }
    }


This creates the VPN in the Network system preferences and has a "Connect" button, which is what we're using to try to start our PT.


The providerBundleIdentifier is the same one as in the log messages from nesessionmanager that I provided previously, and also is shown as being registered in the output I provided from pluginkit.

Hi Matt - Is there any other information needed to help figure out this issue, e.g. console output?

No, the only thing I can see is that you are hitting a configuration issue somewhere because you have "(0 active) registrations." I would keep debugging this aspect of your project. I also see that your project is a Mac Catalyst app. If you are in need of accessing the keychain there may be some previous bugs you are running into here.

Also, make sure to load the current manager and save the preferences you are defining while going through the configuration process.


NETunnelProviderManager.loadAllFromPreferences { managers, error in

  let manager = managers.first

  ...

  manager.saveToPreferences { (error: Error?) in 
  ...
  }
}


If you come up with nothing, go ahead and open a TSI so I can take a deeper look.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com
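The load, configure, save, reload and start sequence Matt describes, written out as an added example (this is not code from the thread or from Apple). Identifiers are the placeholders used earlier in the thread; the explicit loadFromPreferences before startVPNTunnel is an assumption about correct usage, since a manager that has just been saved must be re-read before its connection can be started.

```swift
import NetworkExtension

/// Installs (or updates) the tunnel profile and starts it.
final class TunnelInstaller {
    // Must be byte-for-byte the CFBundleIdentifier of the appex
    // that pluginkit reports; nesessionmanager counts registrations by it.
    let providerBundleID = "com.xyz.mac.vpn.PacketTunnelProvider"

    func installAndStart(completion: @escaping (Error?) -> Void) {
        // 1. Load what the system already has, so an existing profile is
        //    updated instead of a duplicate being created.
        NETunnelProviderManager.loadAllFromPreferences { managers, error in
            if let error = error { return completion(error) }
            let manager = managers?.first ?? NETunnelProviderManager()

            let proto = NETunnelProviderProtocol()
            proto.serverAddress = "127.0.0.1"
            proto.providerBundleIdentifier = self.providerBundleID
            manager.protocolConfiguration = proto
            manager.localizedDescription = "XyzCatalyst" // placeholder name
            manager.isEnabled = true

            // 2. Persist the configuration.
            manager.saveToPreferences { error in
                if let error = error { return completion(error) }

                // 3. Reload before starting: the in-memory manager is stale
                //    after a save and starting it directly fails.
                manager.loadFromPreferences { error in
                    if let error = error { return completion(error) }
                    do {
                        try manager.connection.startVPNTunnel()
                        completion(nil)
                    } catch {
                        completion(error)
                    }
                }
            }
        }
    }
}
```

If the Console still shows "0 active registrations" after this, the providerBundleIdentifier being saved does not match the appex that pluginkit lists, which is the first thing to compare.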

Same issue here. Did you solve the problem?
For anyone running into Packet Tunnel Configuration issues on macOS or iOS using the NETunnelProviderManager or NETunnelProviderProtocol APIs, check out the 7/8 step process I listed out on this thread for setting up your Network Configuration and getting your Packet Tunnel Provider running. Note that on iOS step 1 is not needed.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Sorry Matt, I'm trying to run a packet tunnel provider built through Mac Catalyst from an iOS application. On iOS, everything works well. But on Mac Catalyst, the profile is installed on the system, but it does not start.

I never receive the call to:

- (void)startTunnelWithOptions:(NSDictionary *)options completionHandler:(void (^)(NSError *))completionHandler


I've tried the steps listed above without any success starting the PT: it does not work either.

:(