Unable to start packettunnel on Mac OS

App & System Services Networking
lbc OP
Created May ’20
Replies 7
Boosts 0
Views 2.3k
Participants 3

Hi - We have had a packettunnel working well on iOS for a long time and now looking into one for Mac OS. However, we haven't been able to get it to work.


Summary of what we see:

The app can successfully install the VPN profile:

nesessionmanager    11:06:26.027252-0700    NESMVPNSession[Primary Tunnel:XyzCatalyst:E2A089D5-A18B-4543-94F5-827E4DB3357D
:(null)]: handling configuration changed: {
    name = XyzlizeCatalyst
    identifier = E2A089D5-A18B-4543-94F5-827E4DB3357D
    applicationName = XyzCatalyst
    application = com.xyz.mac.vpn
    grade = 1
    VPN = {
        enabled = YES
        onDemandEnabled = NO
        disconnectOnDemandEnabled = NO
        protocol = {
            type = plugin
            identifier = 0A3DA48C-EE69-479C-A2CD-994028B01CC0
            serverAddress = 127.0.0.1
            identityDataImported = NO
            disconnectOnSleep = NO
            disconnectOnIdle = NO
            disconnectOnIdleTimeout = 0
            disconnectOnWake = NO
            disconnectOnWakeTimeout = 0
            disconnectOnUserSwitch = NO
            disconnectOnLogout = NO
            includeAllNetworks = NO
            excludeLocalNetworks = NO
            pluginType = com.xyz.mac.vpn
            authenticationMethod = 0
            reassertTimeout = 0
            providerBundleIdentifier = com.xyz.mac.vpn.PacketTunnelProvider
            designatedRequirement = identifier "com.xyz.mac.vpn.PacketTunnelProvider" and anchor apple generic and 
certificate leaf[subject.CN] = "Apple Development: xyz (XYZ)" 
and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */
        }
        tunnelType = packet
    }
}

But when trying to start the PT, the appex is never found:

nesessionmanager    11:06:26.025938-0700    Found 0 (0 active) registrations for com.xyz.mac.vpn.PacketTunnelProvider
 (com.apple.networkextension.packet-tunnel)


Things we've tried w/o any success starting the PT:

  1. Created a new target for the PT specifically for macOS, per this discussion: https://forums.developer.apple.com/thread/126355
  2. Tried an empty PT (instead of our existing iOS PT)
  3. Created a new app target specifically for macOS (instead of Catalyst)
  4. Installed manually using pluginkit from command line


The entitlements appear correct:

App:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>XYZ.com.xyz.mac.vpn</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>XYZ</string>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.get-task-allow</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>

PT:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>XYZ.com.xyz.mac.vpn.PacketTunnelProvider</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>XYZ</string>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>XYZ.group.xyz</string>
</array>
</dict>
</plist>


We also confirmed that the PT is registered:

pluginkit -mDv |grep Packet
     com.xyz.mac.vpn.PacketTunnelProvider(1.0) BE156DB2-1A2D-4AB2-8CD9-6E7E22D2B807 2020-05-28 03:20:10 +0000
 /Users/xyz/Documents/xyz/xyz/iOS/DerivedData/xyz/Build/Products/Debug-maccatalyst/XyzCatalyst.app/Contents
 /PlugIns/PacketTunnelMac.appex


Is there something we're doing wrong? I can provide the full console output if that would help.

Replies  7
Boosts  0
Views  2.3k
Participants  3
Systems Engineer OP
Apple
May ’20

Yeah, the part about your PacketTunnelProvider having 0 registrations means that the system cannot find your tunnel. 


nesessionmanager    11:06:26.025938-0700    Found 0 (0 active) registrations for com.xyz.mac.vpn.PacketTunnelProvider 
(com.apple.networkextension.packet-tunnel)

How are you loading, saving, and starting your connection?


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

0
lbc OP
Jun ’20

Hi Matt,


We are using NETunnelProviderManager:

        let protocolConfiguration = NETunnelProviderProtocol()
        protocolConfiguration.serverAddress = "127.0.0.1"
        protocolConfiguration.providerBundleIdentifier = "com.xyz.mac.vpn.PacketTunnelProvider"

        manager.protocolConfiguration = protocolConfiguration
        manager.isEnabled = true
        manager.localizedDescription = profileName
        
        manager.saveToPreferences { (error: Error?) in
            if let error = error as NSError? {
                NSLog("Install error: \(error)")
                completionHandler?(error, false)
            } else {
                NSLog("VPN saved")
                self.loadManager { _ in
                    completionHandler?(nil, true)
                }
            }
        }


This creates the VPN in the Network system preferences and has a "Connect" button, which is what we're using to try to start our PT.


The providerBundleIdentifier is the same one as in the log messages from nesessionmanager that I provided previously, and also is shown as being registered in the output I provided from pluginkit.

0
lbc OP
Jun ’20

Hi Matt - Is there any other information needed to help figure out this issue, e.g. console output?

0
Systems Engineer OP
Apple
Jun ’20

No, that only thing I can see if that you are hitting a configuration issue somewhere because you have "(0 active) registrations." I would keep debugging this aspect of your project. I also see that your project is in Mac Catalyst app. If you are in need of accessing the keychain there may be some previous bugs you are running into here.

Also, make sure to load the current manager and save the preferences you are defining while going through the configuration process.


NETunnelProviderManager.loadAllFromPreferences { managers, error in

  let manager = managers.first

  ...

  manager.saveToPreferences { (error: Error?) in 
  ...
  }
}


If you come up with nothing, go ahead and open a TSI so I can take a deeper look.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

0
Dannel OP
Oct ’20
Same issue here. Did you solved the problem?
0
Systems Engineer OP
Apple
Oct ’20
For anyone running into Packet Tunnel Configuration issues on macOS or iOS using the NETunnelProviderManager or NETunnelProviderProtocol APIs, check out the 7/8 step process I listed out on this thread for setting up your Network Configuration and getting your Packet Tunnel Provider running. Note that on iOS step 1 is not needed.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
0
Dannel OP
Oct ’20
Sorry Matt, I'm trying to run a packet tunnel provider built through Mac Catalyst from an iOS application. On iOS, everything works well. But on Mac Catalyst, the profile is installed on the system, but it does not start.

I can't get receive about 
Code Block 
- (void)startTunnelWithOptions:(NSDictionary *)options completionHandler:(void (^)(NSError *))completionHandler


I've tried w/o any success starting the PT:It is not work too.

:(
1
Unable to start packettunnel on Mac OS
First post date Last post date
 
 
Q