How can a process outside AppGroup, addObserver for a TransparentProxyProvider Network VPN Interface

I have a TransparentProxyProvider VPN implemented in an Xcode project, and it contains the system extension (TransparentProxyProvider) and an App which configures and enables the VPN. Both of these are inside the same App Sandbox.

Now I have another service (a C++ project) which needs to take some action when the above VPN status changes (from Disconnected -> Connecting -> Connected). I have the limitation that I cannot put this service in the same project where the SystemExtension is built.

Is there a method available with which I can add an observer on the VPN status from outside the process?

Is there a method available with which I can add an observer on the VPN status from outside the process?

Not directly on something like NEVPNStatus outside of the container app, no. There are not a lot of great options here either. Essentially you could communicate over XPC to your service from the container app, but that breaks down when the container app goes away and your service is still available. You could communicate over XPC from the network system extension to the service, but this will only tell you things like didStart and didStop etc. You could also attempt to poll scutil or SCDynamicStoreRef for information, but this may not get you exactly what you are looking for.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Matt’s right that this is going to be tricky. I’d like to clarify this:

Now I have another service (a C++ project) which needs to take some action when the above VPN status changes (from Disconnected -> Connecting -> Connected). I have the limitation that I cannot put this service in the same project where the SystemExtension is built.

Is this other service signed by the same team as your sysex?

And what context is it running in? As a daemon? Or in a GUI login context? Or something else?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks Matt and Quinn for your response.

Is this other service signed by the same team as your sysex?

Yes, both the system extension and the service are signed by the same team.

And what context is it running in? As a daemon? Or in a GUI login context? Or something else?

It is a daemon, but built outside the system extension container. I have a limitation that I cannot keep this daemon in the same container.

I have a related question: is there a way I could block/disable the 'Disconnect' button for the VPN in network settings? Currently this can be disabled even without opening the lock (bottom).

Or can we somehow disable the effect of the disconnect action, i.e. the user cannot stop the VPN from this place?

Accepted Answer

I have a related question

It’s probably best to put that in a separate thread.


With regards your original issue, if all your code is from the same team then you could:

  1. Track the VPN state within your sysex (it seems likely that you’re already doing that).

  2. Have the sysex publish an XPC service that vends that state.

  3. Have your unrelated daemon use that XPC service to learn about state changes.


Alternatively, is your service visible to SCNetworkConnection? If so, SCNetworkConnectionGetStatus might be sufficient for your needs.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
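The three steps above, worked through as an added example (not code from the thread or from Apple): a transparent proxy provider tracks its own state, vends it over an NSXPCListener published under a Mach service name, and pushes changes to a same-team daemon that exports an observer object. All names here (TunnelState, VPNStateService, VPNStateObserver, the service name) are this example's own; the service name must match the NEMachServiceName entry in the extension's Info.plist, the team ID in the code-signing requirement is a placeholder, and the assumption that a root daemon reaches the service with the .privileged option should be checked against Apple's documentation for your deployment.

```swift
import Foundation
import NetworkExtension

// State carried over XPC as a raw Int. Hypothetical type, not Apple's.
@objc enum TunnelState: Int { case disconnected = 0, connecting = 1, connected = 2 }

// What the sysex exports (pull) and what the daemon exports (push).
@objc protocol VPNStateService { func currentState(reply: @escaping (Int) -> Void) }
@objc protocol VPNStateObserver { func stateDidChange(_ state: Int) }

// MARK: - System extension side

final class StateListener: NSObject, NSXPCListenerDelegate, VPNStateService {
    private let queue = DispatchQueue(label: "vpn.state")   // serialises state + client list
    private var state: TunnelState = .disconnected
    private var clients: [NSXPCConnection] = []
    private let listener: NSXPCListener

    init(machServiceName: String) {
        listener = NSXPCListener(machServiceName: machServiceName)
        super.init()
        listener.delegate = self
        listener.resume()
    }

    // Called by the provider; fans the new state out to every connected daemon.
    func update(_ new: TunnelState) {
        queue.async {
            self.state = new
            for c in self.clients {
                (c.remoteObjectProxy as? VPNStateObserver)?.stateDidChange(new.rawValue)
            }
        }
    }

    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection conn: NSXPCConnection) -> Bool {
        // Only peers signed by our team may read the state (the thread confirms the
        // daemon is same-team). TEAMID_PLACEHOLDER must be replaced with the real team ID.
        if #available(macOS 13.0, *) {
            conn.setCodeSigningRequirement(
                "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID_PLACEHOLDER\"")
        }
        conn.exportedInterface = NSXPCInterface(with: VPNStateService.self)
        conn.exportedObject = self
        conn.remoteObjectInterface = NSXPCInterface(with: VPNStateObserver.self)
        conn.invalidationHandler = { [weak self, weak conn] in
            self?.queue.async { self?.clients.removeAll { $0 === conn } }
        }
        queue.async { self.clients.append(conn) }
        conn.resume()
        return true
    }

    func currentState(reply: @escaping (Int) -> Void) {
        queue.async { reply(self.state.rawValue) }
    }
}

final class Provider: NETransparentProxyProvider {
    // Placeholder name; must equal NEMachServiceName in the extension's Info.plist.
    private let stateService = StateListener(machServiceName: "TEAMID_PLACEHOLDER.group.example.vpnstate")

    override func startProxy(options: [String: Any]? = nil, completionHandler: @escaping (Error?) -> Void) {
        stateService.update(.connecting)
        // ... real proxy setup would go here ...
        stateService.update(.connected)
        completionHandler(nil)
    }

    override func stopProxy(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        stateService.update(.disconnected)
        completionHandler()
    }

    // Returning false lets the flow proceed unproxied; real handling is out of scope here.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool { return false }
}

// MARK: - Daemon side (the "unrelated daemon" of step 3)

final class StateClient: NSObject, VPNStateObserver {
    private let conn: NSXPCConnection
    private(set) var lastState: TunnelState = .disconnected
    var onChange: ((TunnelState) -> Void)?

    init(machServiceName: String) {
        // Assumption: a root daemon needs .privileged to reach a system-domain service.
        conn = NSXPCConnection(machServiceName: machServiceName, options: .privileged)
        super.init()
        conn.remoteObjectInterface = NSXPCInterface(with: VPNStateService.self)
        conn.exportedInterface = NSXPCInterface(with: VPNStateObserver.self)
        conn.exportedObject = self
        conn.resume()
        // Fetch the current value once; subsequent changes arrive via stateDidChange.
        (conn.remoteObjectProxyWithErrorHandler { NSLog("xpc error: \($0)") } as? VPNStateService)?
            .currentState { [weak self] in self?.stateDidChange($0) }
    }

    func stateDidChange(_ raw: Int) {
        let s = TunnelState(rawValue: raw) ?? .disconnected
        lastState = s
        onChange?(s)
    }
}
```

The daemon half is written in Swift to keep one language on the page; the same exchange is reachable from a C++ daemon through the libxpc C API or from an Objective-C++ file using NSXPCConnection. The code-signing requirement is the part to get right from a security standpoint: without it any local process that can reach the Mach service can read the VPN state.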

Thanks Quinn, both approaches will work for me. But the 2nd approach is more suitable as it will be independent of the App (SysEx) which is doing 'addObserver' for the VPN status.

I was trying to find a small example of code for:

SCNetworkConnectionRef vpnConn = <?>;
SCNetworkConnectionStatus status = SCNetworkConnectionGetStatus(vpnConn);

Could you please help me with the API and arguments which I can use to get an 'SCNetworkConnection' in my C++ project?

For the back end of this you can look at the SimpleDial (wow, that’s not something I’ve referenced in a long time!). To get this working you need to start with a service ID. I’m not sure whether the system allocates a service ID for a transparent proxy. That’s why I wrote:

is your service visible to SCNetworkConnection?

If you run this command:

% networksetup -listallnetworkservices
An asterisk (*) denotes that a network service is disabled.
Thunderbolt Ethernet
Thunderbolt FireWire
Wi-Fi
Bluetooth PAN
Thunderbolt Bridge
…

does your transparent proxy show up in the list?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
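As an added example (not from the thread, SimpleDial or Apple), here is the SCNetworkConnection path the question asks about, including the check Quinn raises: the service name that networksetup prints is mapped to a service ID through the SCPreferences/SCNetworkService API, and the whole avenue is reported as a dead end when the name is not a network service at all. The function names serviceIDsByName, describe and observeVPN are this example's own; the "My VPN" default is a constructed placeholder.

```swift
import Foundation
import SystemConfiguration

// Map the names printed by `networksetup -listallnetworkservices` to service IDs.
func serviceIDsByName() -> [String: String] {
    var out: [String: String] = [:]
    guard let prefs = SCPreferencesCreate(nil, "vpnstatus" as CFString, nil),
          let services = SCNetworkServiceCopyAll(prefs) as? [SCNetworkService] else { return out }
    for s in services {
        if let id = SCNetworkServiceGetServiceID(s), let name = SCNetworkServiceGetName(s) {
            out[name as String] = id as String
        }
    }
    return out
}

func describe(_ status: SCNetworkConnectionStatus) -> String {
    switch status {
    case .connected:     return "Connected"
    case .connecting:    return "Connecting"
    case .disconnecting: return "Disconnecting"
    case .disconnected:  return "Disconnected"
    case .invalid:       return "Invalid"
    @unknown default:    return "Unknown(\(status.rawValue))"
    }
}

// Returns nil when the name is not a network service, which is what the thread
// found for a transparent proxy; the XPC approach is the fallback in that case.
func observeVPN(named name: String) -> SCNetworkConnection? {
    guard let id = serviceIDsByName()[name] else { return nil }
    // C callback: must not capture anything, so it only calls global functions.
    let callback: SCNetworkConnectionCallBack = { _, status, _ in
        print("VPN status changed: \(describe(status))")
    }
    guard let conn = SCNetworkConnectionCreateWithServiceID(nil, id as CFString, callback, nil) else {
        return nil
    }
    print("Initial status: \(describe(SCNetworkConnectionGetStatus(conn)))")
    // Schedule on the main run loop so status changes are delivered to the callback.
    SCNetworkConnectionScheduleWithRunLoop(conn, CFRunLoopGetMain(), CFRunLoopMode.defaultMode.rawValue)
    return conn
}

// Usage: vpnstatus "<service name as shown by networksetup>"
if let conn = observeVPN(named: CommandLine.arguments.dropFirst().first ?? "My VPN") {
    withExtendedLifetime(conn) { CFRunLoopRun() }
} else {
    print("Service not visible to SCNetworkConnection; vend the state over XPC instead.")
}
```

Every call above is the SystemConfiguration framework's C API, so the same sequence compiles unchanged in a C++ daemon with `#include <SystemConfiguration/SystemConfiguration.h>`. The callback variant is the closest thing to an observer this framework offers; polling SCNetworkConnectionGetStatus is the alternative when a run loop is not available.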

is your service visible to SCNetworkConnection?

I don't see my service where you suggested:

% networksetup -listallnetworkservices
An asterisk (*) denotes that a network service is disabled.
USB 10/100/1000 LAN
Thunderbolt Bridge
Wi-Fi
Bluetooth PAN

To get this working you need to start with a service ID. I’m not sure whether the system allocates a service ID for a transparent proxy.

Do I need to do anything special while configuring my TransparentProxyProvider in my App, which will let the system allocate a serviceID to my VPN?

Do I need to do anything special while configuring my TransparentProxyProvider in my App, which will let the system allocate a serviceID to my VPN?

No. I had assumed that the system would set this up for you because of how this stuff is plumbed into our existing infrastructure. If it does not then the whole SCNetworkConnection avenue is a dead end.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks Quinn, I will probably file feedback with the development team asking whether they can add some provision for a process outside the container app to be able to monitor the VPN status. Meanwhile I will go with the 1st approach that you and Matt suggested.

Thanks
