Equivalent to Network Kernel Extension API on macOS?

With the release of Big Sur, Network Kernel Extensions are now officially inaccessible. However, I cannot find the equivalent functionality I need in the new Network Extensions API.

In my company's NKE (network kernel extension), we were able to control the routing of packets in a specific application by hooking socket binds and/or rewriting the source IP of outgoing packets for that application. Doing this, we could control which interface those packets went through for that application (so-called split tunneling).

I cannot see how to do something similar with the new System Extension/Network Extension APIs, even those updated for Big Sur.

Is it possible to achieve this in Big Sur? Which APIs should I be looking at?

Thanks!

Replies

You can use NEPacketTunnelProvider to create a split-tunnel VPN.

You can also use NEAppProxyProvider to implement a transparent proxy that modifies the egress interface of flows.
Also, I strongly recommend that you watch WWDC 2019 Session 714 Network Extensions for the Modern Mac which is a great overview of the facilities we created for this sort of thing.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

@Systems Engineer Thanks for your reply! However, looking at the docs for NEPacketTunnelProvider, this is the wrong kind of split tunneling. The docs indicate it allows splitting traffic based on destination IP, which can already be achieved via the routing table and is not quite what I want.

I need to be able to split traffic based on the PID of a process (or the executable path of a process). That is, based on the PID (or executable path) of an arbitrary process, I want to be able to have its traffic either bypass the VPN or be forced through the VPN; this should be possible whether or not the VPN endpoint has the default route.

Note that we are not currently using Apple APIs to set up our VPN; we are just using a standard OpenVPN/WireGuard setup and use the routing table directly to control routes, but with the NKE to make routing exceptions for specific apps (apps that bypass the VPN or apps that are forced onto the VPN).

@eskimo Thanks for your reply. I watched that video, but I still have many questions. In particular, the 'per-app VPN' functionality LOOKS as if it's suitable, but reading your comments on another thread: https://developer.apple.com/forums/thread/87484

You seem to imply that it is NOT suitable, as: "On macOS it can only be deployed via a configuration profile (which is typically deployed via MDM but you could do that manually)", whereas we need the user to be able to add/remove arbitrary apps from the split tunnel according to their needs.

Just to state clearly again what it is I'm trying to do:
  • We have a VPN product that is cross-platform and implements OpenVPN and WireGuard VPNs using standard cross-platform approaches (that is, we do not use any Apple-specific APIs for creating/maintaining the VPN connection).

  • We need to allow the user to add/remove apps from the 'split tunnel' at run time; that is, these apps are not known ahead of time or hard-coded.

  • The apps in the split tunnel need to be able to either bind to the VPN (in the case the VPN does not have the default route) or bypass the VPN (in the case the VPN *does* have the default route).

Your comments on that linked thread, albeit 2 years old, are very worrying, as you advise another user who is attempting to do something similar to write a, now inaccessible, NKE to achieve what he wants.

I hope now that I've explained more clearly what I'm trying to achieve: is it possible to achieve what I want using the Network Extension APIs? I will note that on Linux this is trivial to achieve, and on Windows (via WFP) this is trivial also, but with the deprecation of NKEs it's now worrying that the APIs are not sufficient.

Thanks again in advance!

After months of surfing and exploring information about app traffic interception leveraging Network Extension, I assume your choice is NEAppProxyProvider. But you would have to use Apple's APIs anyway and adapt your cross-platform solution for it.
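An added sketch of the NEAppProxyProvider route that both the first reply and the last one point to (a NETransparentProxyProvider subclass, available from Big Sur); it is not code from Apple or from any poster. Flows are matched per app by signing identifier against a list that can change at run time, only those are relayed over a pinned interface, and everything else is declined and follows the routing table. The class name, the app list, the interface name and the host-app update path are assumptions.

```swift
import NetworkExtension
import Network
// Assumed class name; the app list and interface name below are placeholders.
final class SplitTunnelProxy: NETransparentProxyProvider {
    var steeredApps: Set<String> = ["com.example.browser"]  // user-editable at run time (e.g. via handleAppMessage)
    var egressInterfaceName = "utun9"  // the VPN's utun, or the physical NIC to bypass the VPN
    private let monitor = NWPathMonitor()
    override func startProxy(options: [String: Any]?, completionHandler: @escaping (Error?) -> Void) {
        monitor.start(queue: .global())
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        // Be offered every outbound TCP flow; flows declined in handleNewFlow are routed normally.
        settings.includedNetworkRules = [NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
            localNetwork: nil, localPrefix: 0, protocol: .TCP, direction: .outbound)]
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // Per-app decision by signing identifier; false leaves the flow to the routing table.
        guard steeredApps.contains(flow.metaData.sourceAppSigningIdentifier),
              let tcp = flow as? NEAppProxyTCPFlow, let remote = tcp.remoteEndpoint as? NWHostEndpoint,
              let port = NWEndpoint.Port(remote.port), let iface = monitor.currentPath.availableInterfaces
                  .first(where: { $0.name == egressInterfaceName }) else { return false }
        let params = NWParameters.tcp; params.requiredInterface = iface  // pin egress for this flow only
        let conn = NWConnection(host: NWEndpoint.Host(remote.hostname), port: port, using: params)
        conn.stateUpdateHandler = { state in
            switch state {
            case .ready: tcp.open(withLocalEndpoint: nil) { err in
                if err == nil { self.pump(tcp, conn); self.pump(conn, tcp) } else { conn.cancel() } }
            case .failed(let e): tcp.closeReadWithError(e); tcp.closeWriteWithError(e)
            default: break
            }
        }
        conn.start(queue: .global()); return true
    }
    // Relay app -> pinned connection until the app closes its side.
    private func pump(_ flow: NEAppProxyTCPFlow, _ conn: NWConnection) {
        flow.readData { data, err in
            guard let d = data, err == nil, !d.isEmpty else { conn.cancel(); return }
            conn.send(content: d, completion: .contentProcessed { _ in self.pump(flow, conn) })
        }
    }
    // Relay pinned connection -> app; propagate EOF and errors back to the flow.
    private func pump(_ conn: NWConnection, _ flow: NEAppProxyTCPFlow) {
        conn.receive(minimumIncompleteLength: 1, maximumLength: 65536) { data, _, done, err in
            let finish = { flow.closeWriteWithError(err); conn.cancel() }
            guard let d = data, !d.isEmpty else { finish(); return }
            flow.write(d) { _ in if done || err != nil { finish() } else { self.pump(conn, flow) } }
        }
    }
}
```

UDP flows would need the same treatment via NEAppProxyUDPFlow, and the extension must carry the network-extension entitlement and be installed as a system extension by the host app.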