VPN - Plugin *** does not have a bundle URL(iOS10.0.2)

Hi,


I have a per-app VPN that contains a NetworkExtension provider, but I got error once the vpn try to start. Below is the log:


Oct 10 10:45:15 iPad-mini nesessionmanager(NetworkExtension)[2544] <Info>: NESMFlowDivertSession[Per app VPN:ASDFASDF-DE20-EFE0-E352-A123543545ASDFS]: Entering state NESMVPNSessionStatePreparingNetwork

Oct 10 10:45:15 iPad-mini nesessionmanager(NetworkExtension)[2544] <Info>: Handling a com.apple.networkextension.file-descriptor-maintainer event

Oct 10 10:45:15 iPad-mini nesessionmanager(NetworkExtension)[2544] <Info>: NESMFlowDivertSession[Per app VPN:ASDFASDF-DE20-EFE0-E352-A123543545ASDFS]: Network available via interface en0

Oct 10 10:45:15 iPad-mini nesessionmanager(NetworkExtension)[2544] <Error>: Plugin *** does not have a bundle URL

Oct 10 10:45:15 iPad-mini nesessionmanager(NetworkExtension)[2544] <Error>: Failed to find the primary plugin (type = ***)


What should I check to fix it?

Replies

Does your app also use the old, semi-private VPN plug-in mechanism? AFAICT the “does not have a bundle URL” log message only shows up in that case.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


Thanks for your prompt response.


I am not sure which old VPN-plugin mechanism. We are using TunnelProvider APIs for the VPN app. It works well when used as a device level VPN but while launching as per-app VPN it fails with the above error.


We have checked the MDM payloads that configure the VPN and they look correct. The VPN shows up correctly on the device i.e. with the correct App Name, Server, Apps etc.


Thanks

I am not sure which old VPN-plugin mechanism.

Oh, if you were using the old VPN plugin mechanism you’d know (-:

I recommend you start by removing MDM from the equation. What happens if you set things up per the Testing Per-App VPN section of the NETunnelProviderManager class reference (that is, the

NETestAppMapping
key in your
Info.plist
)?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


Thanks for your prompt response.


I checked it by setting things up Testing Per-App VPN section of the NETunnelProviderManager class reference (that is, the

NETestAppMapping
key in
Info.plist of my app
), same error happened.


As testing, I try to change the VPNType to IKEv2 from VPN in the profile, It is working, my VPN extension plugin got started. But my VPN client VPNType should be VPN

I checked it by setting things up Testing Per-App VPN … same error happened.

It seems likely that there’s a packaging issue within your app. One way to debug issues like this is to build the SimpleTunnel sample code and then compare the packaging in the resulting app with the packaging in your app. And by packaging I mean:

  • the present and location of all the parts, like the

    .app
    , the
    .appex
    , the executables, and the
    Info.plist
  • the contents of the relevant

    Info.plist
    properties
  • the code signature, and especially the entitlements of each component (see this post)

If you can’t figure it out you should open a DTS tech support incident and I’ll take things from there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


The same issue happened with SimpleTunnel sample code.


By packaging all the components are present. Is there any special for the location of them, and the content of Info.plist properties?


The present and location of all parts inside VPNApp.app as below:


_CodeSignature -[folder]

Assets.car

Base.lproj -[folder]

embedded.mobileprovision

en.lproj -[folder]

Frameworks -[folder]

Info.plist

PkgInfo

PlugIns -[folder]

VPNExtension.aapex

VPNApp

VPNBackgroundView.nib



Below is the entitlements output by command "codesign -d --entitlements :- VPNapp.app":


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-/

<plist version="1.0">

<dict>

<key>application-identifier</key>

<string>74PR523F2B.com.***.***.vpnapp</string>

<key>com.apple.developer.networking.networkextension</key>

<array>

<string>packet-tunnel-provider</string>

</array>

<key>com.apple.developer.networking.vpn.api</key>

<array>

<string>allow-vpn</string>

</array>

<key>com.apple.developer.team-identifier</key>

<string>74PR523F2B</string>

<key>com.apple.security.application-groups</key>

<array>

<string>group.com.***.vpnappshareddata</string>

</array>

<key>get-task-allow</key>

<true/>

<key>keychain-access-groups</key>

<array>

<string>74PR523F2B.com.***.***.vpnapp</string>

<string>com.apple.managed.vpn.shared</string>

</array>

</dict>

</plist>

Below is the entitlements output by command "codesign -d --entitlements :- VPNapp.app":

You also need to check the entitlements for the embedded

.appex
.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Of cause I did.


This is the entitlements for embeded .appex. And also checked all by following ( this post), all are expected.


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-/

<plist version="1.0">

<dict>

<key>application-identifier</key>

<string>74PR523F2B.com.***.***.vpnapp.extn</string>

<key>com.apple.developer.networking.networkextension</key>

<array>

<string>packet-tunnel-provider</string>

</array>

<key>com.apple.developer.networking.vpn.api</key>

<array>

<string>allow-vpn</string>

</array>

<key>com.apple.developer.team-identifier</key>

<string>74PR523F2B</string>

<key>com.apple.security.application-groups</key>

<array>

<string>group.com.***.vpnappshareddata</string>

</array>

<key>get-task-allow</key>

<true/>

<key>keychain-access-groups</key>

<array>

<string>com.apple.managed.vpn.shared</string>

<string>74PR523F2B.com.***.***.vpnapp.extn</string>

</array>

</dict>

</plist>

Hi Eskimo,


Any idea for this ticket?


By the way, we’ve opened a Code-level support ticket 650441425, please follow up.


Thanks a lot!

we’ve opened a Code-level support ticket 650441425

Yep, it’s in my DTS queue. I will follow up in that context (I got most of my answer written yesterday but then ran out of time)-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,

When I use NEFilterManager I also encountered this problem.


Oct 25 14:24:05 *** nesessionmanager[1916] <Error>: Plugin com.yunfei.net does not have a bundle URL

Oct 25 14:24:05 *** nesessionmanager[1916] <Error>: Failed to find plugin com.***.net

Oct 25 14:24:05 *** nesessionmanager[1916] <Notice>: NESMFilterSession[com.***.net:1815DB6D-8625-415A-A65F-516FFD8B31D7]: status changed to disconnected, last stop reason Plugin failed


I compared the Info.plist between SimpleTunnel.app and my,I can't find the problem. But when I running the SimpleTunnel.app it works well.

I have opened a Code-level support ticket 650940398.

What should I check to fix it? Hopping for your help.

I have opened a Code-level support ticket 650940398.

That is also in my queue; I will respond in that context.

Alas, it’s a very long queue right now )-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

The issue got fixed, just because of missing ProviderType field in profile. below is the discription for it.


"If the VPN provider extension is a Packet Tunnel Provider extension, then the

ProviderType
field in the
com.apple.vpn.managed.applayer
payload should be set to
packet-tunnel
. If the VPN provider extension is an App Proxy Provider extension, then the
ProviderType
field in the
com.apple.vpn.managed.applayer
should be set to
app-proxy
."