Posts

Post not yet marked as solved
0 Replies
410 Views
I can send IP packets from the System Extension/Network Extension on both iOS and macOS to the Application. From the Application I may or may not modify the IP packets or sniff the IP packets. For the current scenario, I am not modifying the IP packets and I am just sending the IP packets as they are back to the packet tunnel. My understanding is that when I use packetFlow's write property to inject the packet back into the networking stack, the packets would then resume the normal flow and establish connectivity with whatever is the destination address for that packet (basically resume internet activity), and then I expect to further see the response packets or ACK packets on the Tunnel side. Is that a wrong expectation? When I look at the Network Connectivity Tab in Xcode, the state of the packets is SynSent, and basically I don't see the response or the ACK packets coming back in from the utun interface. But if I do rvictl and check Wireshark to trace the packets, I do see the ACK packets, but I believe they are on a different interface from utun.
Posted by zifty.
Post not yet marked as solved
2 Replies
925 Views
I am trying to use 2 approaches on macOS using a system extension where neither the app nor the system extension is sandboxed:
1. PacketTunnel with per-app VPN. Here I am trying to add app rules to match the traffic I want to tunnel.
2. NEAppProxyProvider. Here I am trying to get traffic related to specific apps.
In both cases I am trying to get the traffic just from Google Chrome. For case 2, I initialize vpnManager as follows: For case 1, I initialize vpnManager as follows: Here is the code snippet I use to create the VPN and start the tunnel:

    // vpnManager is declared and initialized elsewhere (the per-case snippets are not included here)
    func createVPN(){
        let protocolConfig = NETunnelProviderProtocol()
        protocolConfig.serverAddress = "localhost"
        protocolConfig.providerBundleIdentifier = "com.identifier"
        protocolConfig.username = "Some username"
        var rules = [NEOnDemandRule]()
        let rule = NEOnDemandRuleConnect()
        rule.interfaceTypeMatch = .any
        rules.append(rule)
        var appRules = [NEAppRule]()
        let appRule = NEAppRule()
        appRule.matchPath = "/Applications/Google Chrome"
        appRules.append(appRule)
        vpnManager.protocolConfiguration = protocolConfig
        vpnManager.localizedDescription = "VPN name"
//        vpnManager.onDemandRules = rules
        vpnManager.appRules = appRules
//        vpnManager.isOnDemandEnabled = true
        vpnManager.isEnabled = true
        vpnManager.saveToPreferences(completionHandler: { (error) in
            guard error == nil else {
                NSLog("Error found while creating VPN : \(String(describing: error))")
                return
            }
            self.vpnManager.loadFromPreferences(completionHandler: { (loadError) in
                guard loadError == nil else {
                    return
                }
                do {
                    try self.vpnManager.connection.startVPNTunnel()
                    self.registerWithProvider()
                } catch (let vpnError){
                    NSLog("Error found while starting VPN: \(String(describing: vpnError))")
                }
            })
        })
    }

In both cases the VPN is running, but I don't get the traffic from Chrome. Any ideas as to why the rules aren't being set?
Posted by zifty.
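A macOS per-app VPN configuration built with the manager and rule initializers intended for that purpose (macOS 10.15.4+), as an added example that is not the poster's code: the manager comes from NETunnelProviderManager.forPerAppVPN(), and each NEAppRule carries the app's signing identifier together with its designated requirement. It assumes "com.example.tunnel" as a placeholder provider bundle identifier, that CHROME_DESIGNATED_REQUIREMENT is replaced with the string codesign prints for the Chrome bundle, and that any entitlement or deployment requirements for per-app VPN on the machine are already satisfied.

```swift
import NetworkExtension

// Added example, not the poster's code. Placeholders: "com.example.tunnel" stands in for
// the real provider bundle identifier, and CHROME_DESIGNATED_REQUIREMENT for the output of
//   codesign -d -r - "/Applications/Google Chrome.app"
// "com.google.Chrome" is Chrome's signing identifier.
let CHROME_DESIGNATED_REQUIREMENT = "<paste designated requirement here>"

func makePerAppManager() -> NETunnelProviderManager {
    // forPerAppVPN() returns a manager whose routingMethod is .sourceApplication,
    // which is what makes appRules meaningful for a packet tunnel on macOS.
    let manager = NETunnelProviderManager.forPerAppVPN()

    let proto = NETunnelProviderProtocol()
    proto.serverAddress = "localhost"
    proto.providerBundleIdentifier = "com.example.tunnel"   // placeholder
    manager.protocolConfiguration = proto
    manager.localizedDescription = "Per-app VPN (example)"

    // The rule is keyed on code identity (signing identifier + designated requirement),
    // which is what the macOS NEAppRule initializer requires; matchPath is optional.
    let chrome = NEAppRule(signingIdentifier: "com.google.Chrome",
                           designatedRequirement: CHROME_DESIGNATED_REQUIREMENT)
    manager.appRules = [chrome]
    manager.isEnabled = true
    return manager
}

func installAndStart(_ manager: NETunnelProviderManager,
                     completion: @escaping (Error?) -> Void) {
    manager.saveToPreferences { saveError in
        if let saveError = saveError { return completion(saveError) }
        // Reload before starting: the in-memory object is stale until loaded again.
        manager.loadFromPreferences { loadError in
            if let loadError = loadError { return completion(loadError) }
            do {
                try manager.connection.startVPNTunnel()
                completion(nil)
            } catch {
                completion(error)
            }
        }
    }
}
```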
Post not yet marked as solved
6 Replies
785 Views
Is there a way I can use the Packet Tunnel to get where the packet originated from? Like from which App the packet is coming from, and basically allow specific packets that originated from an App to just pass through. I understand I can do that with the AppProxy provider. Would it be possible to do the same thing without having to switch to AppProxy providers? Previously, when using a Kernel extension, I was able to do something similar by getting the pid for the flow, and that helped in identifying which App originated the traffic.
Posted by zifty.
Post not yet marked as solved
8 Replies
2.1k Views
I am working on a macOS app that I don't plan on releasing via the App Store. So basically it's not sandboxed. I am using Packet Tunnel as a System extension. I do send the packets from the System extension to the App side. I am reusing part of the iOS code base and trying to make it work in the macOS App. On the iOS side I was using CFMessagePorts to send packets from the Network Extension to the Application, and basically that involved using App Groups as the port name. So on the Mac side, since the app is not sandboxed, my understanding is that I don't need to use App Groups at all. If the app's bundle id is com.example.transparentproxy then by using the following line, it should create a port:

    var remotePort : CFMessagePort? = CFMessagePortCreateRemote(kCFAllocatorDefault, "com.example.transparentproxy.out" as CFString)

But it doesn't. It returns nil. The only log that I see corresponding to this in the console is:

    taskgated-helper Couldn't read values in CFPrefsPlistSource<0x7fa2f3f2e040> (Domain: kCFPreferencesAnyApplication, User: kCFPreferencesAnyUser, ByHost: Yes, Container: (null), Contents Need Refresh: No): accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access

I've made sure I don't have sandbox access on the System Extension, nor sandbox access on the App itself. Any idea as to how to debug this, or whether my understanding of sandbox access on System Extensions is wrong? Using the System extension, I did access a file and write to it and it did work. If the System extension is not sandboxed I should be able to create a port remotely, right?

    var localPort : CFMessagePort? = CFMessagePortCreateLocal(kCFAllocatorDefault, "com.example.transparentproxy.in" as CFString, nil, nil, nil)

I can create a port locally, since the above line does return an object. But it's just the remote port that keeps returning nil.
Also I had added this entitlement to the entitlements of both the app and extension:

    <key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
    <array>
        <string>com.example.transparentproxy.out</string>
        <string>com.example.transparentproxy.in</string>
    </array>
    <key>com.apple.security.temporary-exception.mach-register.global-name</key>
    <array>
        <string>com.example.transparentproxy.out</string>
        <string>com.example.transparentproxy.in</string>
    </array>
Posted by zifty.