What are the conditions for the OS to call stopTunnel?

Hey,


I am working on an NEPacketTunnelProvider https://developer.apple.com/documentation/networkextension/nepackettunnelprovider extension and I am trying to understand when the stopTunnel(with:completionHandler:) function is called by the system. I am using an On Demand profile but never see the function being called.


This thread describes a problem when the startTunnel function is not returning. https://forums.developer.apple.com/message/234030#234030 I verified that my startTunnel function is returning. Nonetheless, I create a worker thread which handles the packet flow and which does not return. Is this possibly a problem?


According to this document https://help.apple.com/configurator/mac/2.0/#/apd4CE9487D-EC56-4548-BE53-12639EAF8CAC , it is never called when VPN is enabled by hand in the settings, otherwise it shall stop after 2 minutes.


Is it necessary that the screen is off?

Is the timeout starting when no packets are sent to the TUN device?


What are the conditions for the OS to call stopTunnel(with:completionHandler:)?

Replies

The decision about when to stop the VPN is more of a user-level thing than an API-level thing. From an API perspective the OS calls your stop tunnel method when it wants to disconnect VPN. The exact circumstances under which the OS does that are not documented because they are many, varied, and likely to change over time. [FYI, that’s why the information you’ve found about this is in the Apple Configurator help, that is, a user-level document.]

What API-level issue are you seeing here? When asked to stop the tunnel, you should stop the tunnel, call the completion handler, and you’re done. What part of that is causing an issue?

Is it necessary that the screen is off?

If you’re curious about how Network Extension tunnel providers and sleep interact, check out this post.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I was expecting that the system calls stopTunnel when the device is inactive for some time. So I tried to understand the conditions under which this happens.


I only see the system calling stopTunnel when I disable the VPN from the OS settings by hand or if the configuration profile is removed.


But I found a solution now, using the sleep(completionHandler:) method. If I disable the VPN when this method is called, I get the expected behaviour.

With regards VPN and sleep, but see this thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
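
The lifecycle discussed in this thread, as an added example that is not part of any post: a provider whose packet loop can be cancelled, a stopTunnel(with:completionHandler:) that tears down and then calls the completion handler, and a sleep(completionHandler:) handler. `PacketPump`, the placeholder server address and the use of cancelTunnelWithError(_:) as the way to "disable the VPN" on sleep are assumptions; the thread does not say how the poster did it.

```swift
import NetworkExtension

// PacketPump is a hypothetical stand-in for the worker that services packetFlow.
final class PacketPump {
    private let flow: NEPacketTunnelFlow
    private let lock = NSLock()
    private var running = false
    init(flow: NEPacketTunnelFlow) { self.flow = flow }
    func start() { lock.lock(); running = true; lock.unlock(); readNext() }
    func stop() { lock.lock(); running = false; lock.unlock() }
    private var isRunning: Bool { lock.lock(); defer { lock.unlock() }; return running }

    private func readNext() {
        flow.readPackets { [weak self] packets, _ in
            // After stop(), the pending callback returns without re-arming the read.
            guard let self = self, self.isRunning else { return }
            // Forwarding `packets` to the VPN server is outside this example.
            self.readNext()
        }
    }
}

class PacketTunnelProvider: NEPacketTunnelProvider {
    private var pump: PacketPump?

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // 192.0.2.1 is a documentation-range placeholder for the server address.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "192.0.2.1")
        setTunnelNetworkSettings(settings) { error in
            if error == nil {
                self.pump = PacketPump(flow: self.packetFlow)
                self.pump?.start()
            }
            completionHandler(error) // always report back so startTunnel "returns"
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        NSLog("stopTunnel called, reason %ld", reason.rawValue)
        pump?.stop(); pump = nil     // stop handling packets first
        completionHandler()          // then tell the system teardown is done
    }

    override func sleep(completionHandler: @escaping () -> Void) {
        pump?.stop()                 // quiesce before the device sleeps
        completionHandler()
        cancelTunnelWithError(nil)   // assumed form of the poster's workaround
    }
}
```

Logging `reason.rawValue` in stopTunnel shows which case the system reported each time it stops the tunnel, which is the observable answer to the question asked at the top of the thread.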