We've released our app on the App Store and are facing the following issue: Some users are unable to connect to the server with the app, and the "Cellular Data" settings for our app are missing in the system settings. The app is developer on Qt framework (qt.io) This is how it should be This is what some users reporting - app unable to make requests to the server by https (request timeout) Why it happening? Any tips how to fix?

Hello! I'm trying to capture socket state changes for an endpoint security product and have tried the Endpoint Security APIs as well as a Network Extension but there doesn't seem to be a way to detect listening sockets in real time. I've so far been able to capture all process, file and network flow/packet information in real-time but I'm also interested in getting an event when a server socket is opened for listening for incoming connections. Is there a way to do this? If yes, can someone please point me to the documentation or any other information on how to go about it? Thanks!

Hi everyone, I'm working on an iOS app where I need to implement content filtering functionality. I've successfully implemented a network extension target in my iOS app to filter data locally. However, I'm now aiming to extend this functionality to filter content over HTTPS. Currently, I'm utilizing a local data source for filtering, but I want to explore options for filtering content directly over HTTPS connections, like this URL: https://dns.nextdns.io/46d65d. I've reviewed the available Apple APIs and documentation but haven't found a straightforward solution for HTTPS content filtering. Can anyone provide guidance or suggest any relevant resources for implementing HTTPS content filtering within a network extension target on iOS? Any help or insights would be greatly appreciated! Thank you in advance!

Hi, in my Extension FilterDataProvider class that is inherited from NEFilterDataProvider i am trying to insert logs into my CoreData entity, but when i insert it gives me error "NSCocoaErrorDomain: -513 "reason": Unable to write to file opened Readonly Any suggestions please to update the read write permission i already have tried this way but no luck let description = NSPersistentStoreDescription(url: storeURL) description.shouldInferMappingModelAutomatically = true description.shouldMigrateStoreAutomatically = true description.setOption(false as NSNumber, forKey: NSReadOnlyPersistentStoreOption) ?

I have an installation workflow that works by a user double clicking on the mpkg and going through the prompts to install some software. Within the postinstall of the mpkg, /usr/sbin/installer -pkg "path_to_pkg" -target / is done to install additional software. The software contained in the mpkg contains system extensions and installs without issue. The software contained in the pkg file also contains system extensions and a prompt with this message displayed. "XSoftware" is damaged and can't be opened. You should move it to the Trash This file was downloaded on an unknown date. This is causing issues with the system extension being installed from XSoftware. Curiously enough, when I run /usr/sbin/installer -pkg "path_to_pkg" -target / manually in a terminal window it works successfully and XSoftware is able to install the System Extensions and run properly. I've used the pkgutil --check-signature to check the notarization and signing and it looks correct. This is my dmg structure: dmg | mpkg data_folder | pkg Any suggestions or help would be greatly appreciated. I can provide more details if neccessary.

Hello, i am trying to record logs in my network extension class, and then i want to read it in my application class, i.e. viewModel. However, i am unable to read the data. I have tried different ways like UserDefaults, Keychain, FileManager, NotificationCenter and CoreData. I have also used Appgroups but still there is blocker for reading data outside the scope of Extension class.

This one is sorta behaving similar to the FaceTime / AirDrop issue, but it does depend on order, which makes me wonder if it's a programming choice. Specifically, using FortiNet's VPN client, using IPSec, if I have a TPP installed and then try to connect it, it fails. If, however, I connect and then start the TPP, it succeeds, which at least makes it better than FaceTime and AirDrop. So my question here is... hm, not as well-articulated as I would like. I'm curious if a VPN can check to see if other VPNs are installed and configured, and if so say "nope." Hm, saying that more clearly: I think it's possible for a network extension to check the interface that a packet/flow is going to, and cause a failure of some sort if it's a VPN, correct? Does anyone do that? Or am I seeing lions in the waterhole weeds? I'm also curious if Apple's networking code has issues with multiple VPNs. (Although, I will note, our TPP works just fine with Tailscale, so it's not an inherent conflict. Also Cisco AnyConnect. So maybe it's just IPSec?) ETA: to make it clear, my test case involves using a ****** TPP, where handleNewUDPFlow and handleNewFlow both immediately return false, meaning that the system should behave as if it's not there, and yet... doesn't. I appreciate any comments/assistance/guffaws.

Hi, I have been working on some kind of network filtering app for iOS using Content Filter Provider. And I have stored rules for each domain. As of right now, I use UserDefaults with my app's bundle suite to store and observe rules. I have also read this documentation page for UserDefaults link. Is it okay to use UserDefaults in my case, if I have rules added/modified dynamically as the flow is intercepted, or should I pick some other approach like Core Data, SwiftData, etc.? Thank you!

Hello, I have some question about the usage of the function: func update(NEFilterSocketFlow, using: NEFilterDataVerdict, for: NETrafficDirection) (https://developer.apple.com/documentation/networkextension/nefilterdataprovider/3543400-update) provided by the NEFilterDataProvider class of the content filter network extension. If I understand correctly, this function can be used on an instance of NEFilterDataProvider to update an already issued verdict for a network flow. By "issuing verdict" I mean returning any of .allow()/.drop()/.init(pass: peek:) in handleNewFlow/handleInboundData/handleOutboundData However, I am having difficulty with it. My workflow involves maintaining an array of currently active flows. Flows are inserted in handleNewFlow() and they are deleted when handleReport(report: NEFilterReport) with event flowClosed is called (flow identification is based on their UUID). Then, at some point in future, based on our business logic, I iterate through the container of "active flows" and attempt to call func update(NEFilterSocketFlow, using: NEFilterDataVerdict, for: NETrafficDirection) on all of them, with intention of changing the already issued verdict. However, calling that function seems to have no effect. Am I using it the wrong way? What is the intended usage? Is it even possible to update verdict of already allowed or postponed by .init(peek:pass:) flows? The issue I'm trying to solve is that we evaluate flows based on our business logic and return either .drop() or .init(pass: peek:) verdicts for them. Sometimes, we want to reevaluate the .init(pass: peek:) verdict immediately, which is when we attempt to call the update() function and provide a new .init(pass:peek) or .drop() verdict. The main objective is to promptly drop certain flows, particularly those awaiting further data evaluation due to .init(pass: peek), immediately on demand. Thanks.

I am working on a VPN app featuring Wireguard. The app was working fine. I planned to make a Framework for the Wireguard Target, Network Extension Target and the Code managing VPN, Now after removing all errors, resolving Bundle IDs and making all the targets compatible to iOS 16.0, I am getting this error in the Settings app as shown in the following In short, same code is not working when moved into the framework. I have read the similar thread talking about lowering the minimum deployments. All of my minimum deployments are set to iOS 16.0. Any suggestions would be appreciated. Thanking you in anticipation. Ali.

On the [documentation page](Implement a completely custom DNS proxying protocol) it says For example, a DNS proxy provider might: Implement a completely custom DNS proxying protocol I would like to add some filtering logic to the NEDNSProxyProvider (for example, return nxdomain if the flow is not passing the filtering process). Is it possible to implement with NEDNSProxyProvider? It also says that func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool from NEDNSProxyProvider returns a Boolean value set to true if the proxy implementation decides to handle the flow, or false if it instead decides to terminate the flow link. Does it mean that the filtering logic could be added here by just returning false for the flows that are not matching the rules? Because I first tried to handle UDP flows like this in handleNewFlow(_ flow: NEAppProxyUDPFlow) function and form my own packets in connection.transferData, by first passing empty Data object and then by setting RCODE to 3, which is supposedly a nxdomain response code. However, both implementations didn't work: even though I was getting logs about handling failure, the flow was still able to go through. try await flow.open(withLocalEndpoint: flow.localEndpoint as? NWHostEndpoint) let datagrams = try await flow.readDatagrams() let results = try await datagrams.parallelMap { let connection = try DatagramConnection($0) return try await connection.transferData() } try await flow.writeDatagrams(results) flow.closeReadWithError(nil) flow.closeWriteWithError(nil) I am new to NEDNSProxyProvider and my networking knowledge is on a pretty basic level, so I would be very grateful to hear any suggestions. Thank you!

I want to use Network Extension Relay to implement a system-wide proxy. First, I will setup a local http2 proxy and forward to a local http proxy. The problem is How to implement this http2relayurl link to? Is it a regular http2 proxy protocol? What should I pass to raw public keys? Is it a bytes like rsa public key, or is .pem, .pub like plain text string? And I will use self signed certificate, will it be a problem?

hi, I made an interface for VPN applications for iOS, and I just need to make a connection to the protocol, I wanted to use wireguard, but I can’t do it, what can you suggest me?

How can you change the behaviour of the system resolver on iOS? need help eskimo..!

Hello, we are developing an open source vpn program that is developed with Flutter and native parts with Swift, and we plan to publish it on the App Store soon, but the project programmers say that you must have an account to publish this app on the App Store. On the other hand, my other friends say that this is not the case, and to publish a vpn app, only one Apple Developer account is enough, and there is no need for a business account!

Hey everyone, I'm currently working on an app where I've already implemented a packet tunnel provider. Now, I'm looking to introduce a content filter. One crucial feature I need is the ability to read the bundle ID of the app originating the network flows. However, I've hit a roadblock when combining both components; When I run the content filter sans packet tunnel provider, I can read the originating app's bundle ID for network flows just fine. But when I add packet tunnel provider, the app's bundle ID defaults to my own app's bundle ID, which is unexpected. Has anyone else encountered this? Any thoughts on why it's happening or how to fix it? Cheers!

Hi, I was working on some new filtering logic for my Content Filter that I would like to add. It involves making requests to remote DNS resolvers. Is it possible to use it within sync override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict of the NEFilterDataProvider? As of right now, I have a concept working in Command Line Tool and playground, however, when I try to add working module to the main project, it's not working (connections are not loading). Function that makes requests to the servers: In this function I use DispatchGroup and notify for non-main queue @available(iOS 12, *) public class NetworkService { private let nonMainQueue: DispatchQueue = DispatchQueue(label: "non-main-queue") func isBlocked(hostname: String, completion: @escaping (Bool) -> Void) { var isAnyBlocked = false let group = DispatchGroup() for server in servers { group.enter() let endpoint = NWEndpoint.Host(server) query(host: endpoint, domain: hostname, queue: .global()) { response, error in defer { group.leave() } /* * some code that determines the filtering logic * if condition is true => isAnyBlocked = true & return */ } } group.notify(queue: nonMainQueue) { completion(isAnyBlocked) } } } And, for example, in playground Semaphores make it work as expected, but the same approach doesn't work with the NEFilterDataProvider playground code sample let hostname = "google.com" func returnResponse() -> String { var result = "" let semaphore = DispatchSemaphore(value: 0) DispatchQueue.global().async { NetworkService.isBlocked(hostname: hostname) { isBlocked in result = isBlocked ? "blocked" : "allowed" semaphore.signal() } } semaphore.wait() return result } print(returnResponse()) Output: allowed

MacOS Version: 14.3 (23D56) In my testing of PacketTunnelProvider on MacOS I have observed that when I do a system shutdown or reboot, PacketTunnelProvider::stopTunnelWithReason() is getting called with reason: NEProviderStopReasonUserInitiated. Note: when I try to disconnect the VPN from system settings PacketTunnelProvider::stopTunnelWithReason() is called with the same reason: NEProviderStopReasonUserInitiated. I am facing an issue here to identify what caused PacketTunnelProvider::stopTunnelWithReason(), system shutdown or any user action?

We want to display our application name should be suggested on wifi network which are insecure. Similar like following: Please suggest, which class or extension we can use for achieve this.

hello everyone, I want to create VPN app with swiftUI but i do not know where to start. I have already created some beautiful UI but now i want to configurate network to connect another country server. any suggestions?