Read and Update iOS VPN Profiles inside PacketTunnel Extension

I have a VPN application which supports On-Demand L3 VPN profiles/configurations. For the on-demand VPN profile we have a few match domains as on-demand rules to trigger the VPN when the user accesses a matching resource.

Now, we have a situation where the match domains of the VPN profile may change on the VPN server. To support split tunnelling in the packet tunnel, we call a REST API to get new match domains every time the VPN packet tunnel is launched on-demand.

Now, everything is fine except that we are not able to update the VPN profile with the new match domains (which we have received in the packet tunnel extension) without opening the containing application. Since it's an on-demand VPN, users are not expected to open the app for a long time. However, having stale match domains as on-demand rules is not an ideal condition, either.

So, we thought of updating VPN profiles from the packet tunnel extension. However, whenever I call the API to read the profiles from preferences, it simply crashes the packet tunnel. This gives me an indication that it is not allowed to access VPN profiles from within the extension.

So my question is, whether it's allowed to read and update VPN profiles inside the packet tunnel extension using the `NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler` API? If not, is there any other API to do it? Or is it simply not allowed?

Accepted Reply

So my question is, whether it's allowed to read and update VPN [configurations] inside packet tunnel extension using `NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler` API?

No. The API for manipulating VPN configurations was designed to be used by the container app, not the provider, and it just doesn’t work in the provider’s context. You’re not the first person to notice this limitation. My advice is that you file an enhancement request describing your requirements.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Just noticed the below error in the console logs:

NETunnelProviderManager objects cannot be instantiated from NEProvider processes.

Is this expected? Is there any other way to achieve it?

Thanks eskimo. I have added a suggestion: FB7706550
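
The container-app side of what the accepted reply describes, replacing the on-demand match domains of a saved configuration through `NETunnelProviderManager`. This is an added example, not code from the thread or from Apple; the function and error names are hypothetical, and it assumes the app owns a single configuration whose on-demand rules are an evaluate-connection rule with the `connectIfNeeded` action.

```swift
import Foundation
import NetworkExtension

// Hypothetical error type for this example.
enum ProfileUpdateError: Error {
    case noConfiguration   // the app has not saved a VPN configuration yet
    case emptyDomainList   // refuse to overwrite the rules with nothing
}

/// Must run in the container app process. Per the thread, the same calls
/// do not work from inside the packet tunnel provider.
func replaceOnDemandMatchDomains(with domains: [String],
                                 completion: @escaping (Error?) -> Void) {
    // Normalise the server-supplied list: trim, lowercase, de-duplicate.
    let cleaned = Array(Set(domains
        .map { $0.trimmingCharacters(in: .whitespacesAndNewlines).lowercased() }
        .filter { !$0.isEmpty })).sorted()

    // A failed or empty API response should not wipe the existing rules.
    guard !cleaned.isEmpty else {
        completion(ProfileUpdateError.emptyDomainList)
        return
    }

    NETunnelProviderManager.loadAllFromPreferences { managers, error in
        if let error = error { completion(error); return }
        guard let manager = managers?.first else {   // assumption: one profile
            completion(ProfileUpdateError.noConfiguration)
            return
        }

        // Connect on demand only when one of the match domains is accessed.
        let domainRule = NEEvaluateConnectionRule(matchDomains: cleaned,
                                                  andAction: .connectIfNeeded)
        let onDemandRule = NEOnDemandRuleEvaluateConnection()
        onDemandRule.interfaceTypeMatch = .any
        onDemandRule.connectionRules = [domainRule]

        manager.onDemandRules = [onDemandRule]
        manager.isOnDemandEnabled = true

        // Persist the change; surface any save error to the caller.
        manager.saveToPreferences { saveError in completion(saveError) }
    }
}
```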