I am developing an App based on Network Extension that lets all network requests on device access the Internet through a private Relay. I created an empty iOS App and only the entitlements file and ViewController.swift(Main.storyboard) file have been modified. The code was copied from the official video https://developer.apple.com/videos/play/wwdc2023/10002/ But, running the App on iPhone, the saveToPreferences API reported Error Domain=NERelayErrorDomain Code=3 "(null)" and the App doesn't look like it's changed at all (it doesn't jump to the Settings - VPN&Relay). Does anyone know why？Any reply would be greatly appreciated. The contents of the entitlements file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>relay</string> </array> </dict> </plist> ViewController.swift: import UIKit import NetworkExtension class ViewController: UIViewController { override func viewDidLoad() { super.viewDidLoad() // Do any additional setup after loading the view. } @IBAction func tap(_ sender: Any) { let newRelay = NERelay() let relayURL = URL(string: "https://relay.example.com:443/") newRelay.http3RelayURL = relayURL newRelay.http2RelayURL = relayURL newRelay.additionalHTTPHeaderFields = ["Authorization" : "PrivateToken=123"] let manager = NERelayManager.shared() manager.relays = [newRelay] manager.matchDomains = ["internal.example.com"] manager.isEnabled = false manager.saveToPreferences { err in print(err) } } }

I am developing a program on my chip and attempting to establish a connection with the WiFi Aware demo app launched by iOS 26. Currently, I am encountering an issue during the pairing phase. If I am the subscriber of the service and successfully complete the follow-up frame exchange of pairing bootstrapping, I see the PIN code displayed by iOS. Question 1: How should I use this PIN code? Question 2: Subsequently, I need to negotiate keys with iOS through PASN. What should I use as the password for the PASN SAE process? If I am the subscriber of the service and successfully complete the follow-up frame exchange of pairing bootstrapping, I should display the PIN code. Question 3: How do I generate this PIN code? Question 4: Subsequently, I need to negotiate keys with iOS through PASN. What should I use as the password for the PASN SAE process?

Hi all! I’m having trouble distributing an iOS app with a DNS Proxy NetworkExtension via AdHoc. The app and extension work perfectly with development profiles, but when I export and install the AdHoc IPA, I get a “permission denied” error when trying to install/enable the DNS Proxy extension. What I’ve done: Both the app and the DNS Proxy extension have their own App IDs in the Apple Developer portal. Both App IDs have the same App Group enabled: group.com.irakai.SafeLinkApp2. The extension App ID has the NetworkExtension capability with dns-proxy enabled. I created two AdHoc provisioning profiles (one for the app, one for the extension), both including the same devices and the correct entitlements. I assigned the correct AdHoc profiles to each target in Xcode and exported the IPA via Organizer. I install the IPA on a registered device using Apple Configurator. Entitlements (extracted from the signed binaries on device): App: <key>application-identifier</key><string>6PBG234246.com.irakai.SafeLinkApp2</string> <key>com.apple.developer.networking.networkextension</key><array> <string>packet-tunnel-provider</string> <string>dns-proxy</string> </array> <key>com.apple.developer.team-identifier</key><string>6PBG234246</string> <key>com.apple.security.application-groups</key><array> <string>group.com.irakai.SafeLinkApp2</string> </array> <key>get-task-allow</key><false/> DNSProxy Extension: <key>application-identifier</key><string>6PBG234246.com.irakai.SafeLinkApp2.DNSProxy</string> <key>com.apple.developer.networking.networkextension</key><array> <string>dns-proxy</string> </array> <key>com.apple.developer.team-identifier</key><string>6PBG234246</string> <key>com.apple.security.application-groups</key><array> <string>group.com.irakai.SafeLinkApp2</string> </array> <key>get-task-allow</key><false/> Error message (from my app’s logs): Error instalando DNS Proxy: permission denied Usuario: Roberto AppGroup: group.com.irakai.SafeLinkApp2 AppGroupPath: /private/var/mobile/Containers/Shared/AppGroup/D8AD2DED-AD96-4915-9B7A-648C9504679B Entitlements: BundleId: com.irakai.SafeLinkApp2 Debug info: Error Domain=NEDNSProxyErrorDomain Code=1 "permission denied" UserInfo={NSLocalizedDescription=permission denied} Other details: The device is included in both AdHoc profiles. The App Group is present and identical in both entitlements. The extension’s bundle identifier matches the App ID in the portal. The extension is signed with the correct AdHoc profile. I have tried rebooting the device and reinstalling the IPA. The error only occurs with AdHoc; development builds work fine. Questions: Is there anything else I should check regarding AdHoc provisioning for NetworkExtension DNS Proxy? Are there any known issues with AdHoc and NetworkExtension on recent iOS versions? Is there a way to get more detailed diagnostics from the system about why the permission is denied? Could this be a bug in iOS, or am I missing a subtle configuration step? Any help or suggestions would be greatly appreciated. Thank you!

Macbook OS Version: macOS 14.7.3 (23H417) Mobile OS: iOS Mobile OS Version: iOS 18.6.2 Mobile Manufacturer: Apple Mobile Model: iPhone 12 Pro Max Page Type: vue vue Version: vue2 Packaging Method: Cloud Packaging Project Creation Method: HBuilderX Steps: The backend server is deployed on AWS in Japan with a Japanese IP. Packaging the APP in HBuilderX and publishing it to the Apple App Store were both successful. In a subsequent version, we planned to add a push notification feature and selected uniPush V2. Due to the separation of frontend and backend, the frontend APP implements functions such as registration, login, password change, page content display, and product lists through the server's RESTful APIs. Test colleagues reported that the APP could not load pages when used in Japan; however, it worked normally in China. In China: Pinging the server IP and domain from a MacBook was successful. Testing the API with Postman on a MacBook was successful. In Japan: Pinging the server IP and domain from a MacBook was successful. Testing the API with Postman on a MacBook failed with the error: HandshakeException: Connection terminated during handshake This appears to be an SSL communication failure. We tested the SSL certificate using www.ssllabs.com/ssltest and received an A+ rating. The certificate should not be an issue. we deselected uniPush V2, repackaged the APP, and uploaded it to TestFlight. The result remained the same: the APP content failed to load in Japan, while it worked normally in China. Expected Result: Access to the Japanese server APIs should work normally both in China and Japan. Actual Result: The APP content fails to load when used in Japan, but works normally in China.

Good morning, I have been playing with he new Networking framework released in beta, and i think its amazing how powerful and simple it is. However i have been tackling some issues with it, it seems that the NetworkListener does not allow us to configure a specific endpoint for any of the protocols, UDP, TCP (QUIC, TLS) Is this intended or just not missing features as of the Beta ? I figured out how to use bonjour to get a port (as i am brand new to using Networking on macOS and Swift) I get that the use of this is mainly as a client to connect to servers, but it would make more sense to have a high level abstraction of what already exist, wouldn't it be more intuitive to configure a NetworkEndpoint that contains either a Bonjour Service or an endpoint with configured port that we can then configure on the Listener, instead of doing .service(...) ?

Hi everyone, I'm currently experimenting with building a simple DNS filter using Apple's Packet Tunnel framework. Here's the flow I'm trying to implement: Create a TUN interface Set up a UDP socket Read packets via packetFlow.readPackets Parse the raw IP packet Forward the UDP payload through the socket Receive the response from the server Reconstruct the IP packet with the response Write it back to the TUN interface using packetFlow.writePackets Here’s an example of an intercepted IP packet (DNS request): 45 00 00 3c 15 c4 00 00 40 11 93 d1 c0 a8 00 64 08 08 08 08 ed 6e 00 35 00 28 e5 c9 7f da 01 00 00 01 00 00 00 00 00 00 04 74 69 6d 65 05 61 70 70 6c 65 03 63 6f 6d 00 00 01 00 01 And here’s the IP packet I tried writing back into the TUN interface (DNS response): 45 00 00 89 5e 37 40 00 40 11 0b 11 08 08 08 08 c0 a8 00 64 00 35 ed 6e 00 75 91 e8 7f da 81 80 00 01 00 04 00 00 00 00 04 74 69 6d 65 05 61 70 70 6c 65 03 63 6f 6d 00 00 01 00 01 c0 0c 00 05 00 01 00 00 0c fb 00 11 04 74 69 6d 65 01 67 07 61 61 70 6c 69 6d 67 c0 17 c0 2c 00 01 00 01 00 00 03 04 00 04 11 fd 74 fd c0 2c 00 01 00 01 00 00 03 04 00 04 11 fd 74 7d c0 2c 00 01 00 01 00 00 03 04 00 04 11 fd 54 fb Unfortunately, it seems the packet is not being written back correctly to the TUN interface. I'm not seeing any expected DNS response behavior on the device. Also, I noticed that after creating the TUN, the interface address shows up as 0.0.0.0:0 in Xcode. The system log includes this message when connecting the VPN: NWPath does not have valid interface: satisfied (Path is satisfied), interface: utun20[endc_sub6], ipv4, dns, expensive, uses cellular Does anyone know how to properly initialize the TUN so that the system recognizes it with a valid IP configuration? Or why my written-back packet might be getting ignored? Any help would be appreciated!

Hi, I developed a network extension program on macOS. I tried to update the program by changing the version number. My update process was to first turn off network filtering via "NEFilterManager.sharedManager.enabled = NO", and then use "[OSSystemExtensionRequest activationRequestForExtension:bundleid queue:dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0)];" to let the system replace the old network extension program. However, sometimes the old network extension process will become a zombie process like pid=86621 in the figure. As long as the zombie process exists, the network cannot be used. After about 10 minutes, it will be cleared and the network will be available. Restarting Wi-Fi can also clear the zombie process immediately. Why is this? How to avoid this problem?

I’m developing an app designed for hospital environments, where public internet access may not be available. The app includes two components: the main app and a Local Connectivity Extension. Both rely on persistent TCP socket connections to communicate with a local server. We’re observing a recurring issue where the extension’s socket becomes unresponsive every 1–3 hours, but only when the device is on the lock screen, even if the main app remains in the foreground. When the screen is not locked, the connection is stable and no disconnections occur. ❗ Issue Details: • What’s going on: The extension sends a keep-alive ping packet every second, and the server replies with a pong and a system time packet. • The bug: The server stops receiving keep alive packets from the extension.  • On the server, we detect about 30 second gap on the server, a gap that shows no packets were received by the extension. This was confirmed via server logs and Wireshark).  • On the extension, from our logs there was no gap in sending packets. From it’s perspective, all packets were sent with no error.  • Because no packet are being received by the server, no packets will be sent to the extension. Eventually the server closes the connection due to keep-alive timeout.  • FYI we log when the NEAppPushProvider subclass sleeps and it did NOT go to sleep while we were debugging. 🧾 Example Logs: Extension log: 2025-03-24 18:34:48.808 sendKeepAliveRequest() 2025-03-24 18:34:49.717 sendKeepAliveRequest() 2025-03-24 18:34:50.692 sendKeepAliveRequest() ... // continuous sending of the ping packet to the server, no problems here 2025-03-24 18:35:55.063 sendKeepAliveRequest() 2025-03-24 18:35:55.063 keepAliveTimer IS TIME OUT... in CoreService. // this is triggered because we did not receive any packets from the server 2025-03-24 18:34:16.298 No keep-alive received for 16 seconds... connection ID=95b3... // this shows that there has been no packets being received by the extension ... 2025-03-24 18:34:30.298 Connection timed out on keep-alive. connection ID=95b3... // eventually closes due to no packets being received 2025-03-24 18:34:30.298 Remote Subsystem Disconnected {name=iPhone|Replica-Ext|...} ✅ Observations: • The extension process continues running and logging keep-alive attempts. • However, network traffic stops reaching the server, and no inbound packets are received by the extension. • It looks like the socket becomes silently suspended or frozen, without being properly closed or throwing an error. ❓Questions: • Do you know why this might happen within a Local Connectivity Extension, especially under foreground conditions and locked ? • Is there any known system behavior that might cause the socket to be suspended or blocked in this way after running for a few hours? Any insights or recommendations would be greatly appreciated. Thank you!

I am writing to seek clarification on two technical issues related to iOS frameworks (CoreBluetooth and NetworkExtension). These observations are critical for optimizing our app's performance, and I would appreciate any official guidance or documentation references. CoreBluetooth Scanning Frequency and Cycle Issue: We noticed inconsistent BLE device discovery times (ranging from 0.5s to 1.5s) despite the peripheral advertising at 2Hz (500ms interval). Questions: Does iOS regulate the BLE scan interval or duty cycle internally? If yes, what factors affect this behavior (e.g., foreground/background state, connected devices)? Are there recommended practices to reduce discovery latency for peripherals with fixed advertising intervals? Is there a way to configure scan parameters (e.g., scan window/interval) programmatically, similar to Android's BluetoothLeScanner? Test Context: Device: iPhone 13 mini (iOS 17.6.1) Code: CBCentralManager.scanForPeripherals(withServices: nil, options: [CBCentralManagerScanOptionAllowDuplicatesKey: true]) NEHotspotConfigurationManager Workflow and Latency Issue: Using NEHotspotConfigurationManager.shared.apply(_:) to connect to Wi-Fi occasionally takes up to 8 seconds to complete. Questions: What is the internal workflow of the apply method? Does it include user permission checks, SSID scanning, authentication, or IP assignment steps? Are there known scenarios where this method would block for extended periods (e.g., waiting for user interaction, network timeouts)? Is the latency related to system-level retries or radio coexistence with other wireless activities (e.g., Bluetooth)? Test Context: Configuration: NEHotspotConfiguration(ssid: "TestSSID") Behavior: Delay occurs even when the Wi-Fi network is in range and credentials are correct.

My application (using a nested framework for networking) was working correctly on iPadOS 18, but failed to perform a UDP broadcast operation after upgrading the device to iPadOS 28. The low-level console logs consistently show a "Permission denied" error. Symptoms & Error Message: When attempting to send a UDP broadcast packet using NWConnection (or a similar low-level socket call within the framework), the connection fails immediately with the following error logged in the console: nw_socket_service_writes_block_invoke [C2:1] sendmsg(fd 6, 124 bytes) [13: Permission denied] (Error code 13 corresponds to EACCES). Verification Steps (What I have checked): Multicast Networking Entitlement is Approved and Applied: The necessary entitlement (com.apple.developer.networking.multicast) was granted by Apple. The Provisioning Profile used for signing the Host App Target has been regenerated and explicitly includes "Multicast Networking" capability (see attached screenshot). I confirmed that Entitlements cannot be added directly to the Framework Target, only the Host App Target, which is the expected behavior. Local Network Privacy is Configured: The Host App's Info.plist contains the NSLocalNetworkUsageDescription key with a clear usage string. Crucially, the Local Network Access alert does not reliably appear when the Broadcast function is first called (despite a full reinstall after OS upgrade). Even when Local Network Access is manually enabled in Settings, the Broadcast still fails with EACCES. Code Implementation: The Broadcast is attempted using NWConnection to the host 255.255.255.255 on a specific port. Request: Since all required entitlements and profiles are correct, and the failure is a low-level EACCES on a newly updated OS version, I suspect this may be a regression bug in the iPadOS 28 security sandbox when validating the Multicast Networking Entitlement against a low-level socket call (like sendmsg). Has anyone else encountered this specific Permission denied error on iPadOS 28 with a valid Multicast Entitlement, and is there a known workaround aside from switching to mDNS/Bonjour?

I'm creating a custom VPN app which should only work on Cellular. Apart from cellular interface binding VPN is working fine. Even though I specified cellular interface like let cellularParams = NWParameters.udp cellularParams.requiredInterfaceType = .cellular It is going via Wifi when it is ON. I know this is the default iOS behaviour. How can I prevent this and route through cellular only even when Wifi is enabled on device?

My application (using a nested framework for networking) was working correctly on iPadOS 18, but failed to perform a UDP broadcast operation after upgrading the device to iPadOS 26. The low-level console logs consistently show a "Permission denied" error. Symptoms & Error Message: When attempting to send a UDP broadcast packet using NWConnection (or a similar low-level socket call within the framework), the connection fails immediately with the following error logged in the console: nw_socket_service_writes_block_invoke [C2:1] sendmsg(fd 6, 124 bytes) [13: Permission denied] (Error code 13 corresponds to EACCES). Verification Steps (What I have checked): Multicast Networking Entitlement is Approved and Applied: The necessary entitlement (com.apple.developer.networking.multicast) was granted by Apple. The Provisioning Profile used for signing the Host App Target has been regenerated and explicitly includes "Multicast Networking" capability (see attached screenshot). I confirmed that Entitlements cannot be added directly to the Framework Target, only the Host App Target, which is the expected behavior. Local Network Privacy is Configured: The Host App's Info.plist contains the NSLocalNetworkUsageDescription key with a clear usage string. Crucially, the Local Network Access alert does not reliably appear when the Broadcast function is first called (despite a full reinstall after OS upgrade). Even when Local Network Access is manually enabled in Settings, the Broadcast still fails with EACCES. Code Implementation: The Broadcast is attempted using NWConnection to the host 255.255.255.255 on a specific port. Request: Since all required entitlements and profiles are correct, and the failure is a low-level EACCES on a newly updated OS version, I suspect this may be a regression bug in the iPadOS 26 security sandbox when validating the Multicast Networking Entitlement against a low-level socket call (like sendmsg). Has anyone else encountered this specific Permission denied error on iPadOS 26 with a valid Multicast Entitlement, and is there a known workaround aside from switching to mDNS/Bonjour?

I have an iOS app that connects to a server running on macOS by leveraging NWListener & NWBrowser. It also makes use of the peerToPeer functionality / AWDL offered via the Network framework. This works great in the iOS app. Now I would like to add support for Shortcuts / App Intents in general. The NWConnection on its own is also working great in the App Intent, but only if I provide the host/port manually, which means I can't use the peer to peer functionality. If I try to run my NWBrowser in the AppIntent it immediately changes its state to failed with a NoAuth (-65555) error: nw_browser_cancel [B1517] The browser has already been cancelled, ignoring nw_browser_cancel(). nw_browser_fail_on_dns_error_locked [B1518] DNSServiceBrowse failed: NoAuth(-65555) NWClientManager: Browser failed: -65555: NoAuth I haven't found documentation/information on whether NWBrowser should work in an AppIntent extension or not.

We are developing an iOS application with a key feature designed to enhance user safety: real-time assessment of Wi-Fi network security. The "Safe Wi-Fi" feature aims to inform users about the security level of the Wi-Fi network they are currently connected to. Our goal is to provide this information seamlessly and continuously, even when the user isn't actively using the app. Currently, we've implemented this feature using a NWPathMonitor. The limitation of NWPathMonitor is that it doesn't function when the app is in a kill state. We are looking for guidance on how to achieve persistent Wi-Fi security monitoring in the background or when the app is killed. Is there any API (Public, Special API, etc) or a recommended approach that allows for real-time Wi-Fi connection monitoring (including connection changes and network details) even when the app is not actively running or is in a kill state. Thank you in advance for your help.

I’m building a Personal VPN app (non-MDM) that uses a NEPacketTunnelProvider extension for content filtering and blocking. When configuring the VPN locally using NETunnelProviderManager.saveToPreferences, the call fails with: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" Error Domain=NEVPNErrorDomain Code=5 "permission denied" The system does prompt for VPN permission (“Would Like to Add VPN Configurations”), but the error still occurs after the user allows it. Setup: • Main App ID – com.promisecouple.app • Extension ID – com.promisecouple.app.PromiseVPN • Capabilities – App Group + Personal VPN + Network Extensions • Main app entitlements:   com.apple.developer.networking.vpn.api = allow-vpn   com.apple.developer.networking.networkextension = packet-tunnel-provider • Extension entitlements: same + shared App Group Problem: • If I remove the networkextension entitlement, the app runs locally without the Code 5 error. • But App Store Connect then rejects the build with: Missing Entitlement: The bundle 'Promise.app' is missing entitlement 'com.apple.developer.networking.networkextension'. Question: What is the correct entitlement configuration for a Personal VPN app using NEPacketTunnelProvider (non-MDM)? Is com.apple.developer.networking.networkextension required on the main app or only on the extension? Why does including it cause saveToPreferences → Code 5/10 “permission denied” on device? Environment: Xcode 26.1 (17B55), iOS 17.3+ on physical device (non-MDM) Both provisioning profiles and certificates are valid.

Hi I am developing the packet tunnel extension on a SIP enabled device. If I build the app and notarize and install it on the device, it works fine. If I modify, build and execute the App (which contains the system extension), it fails with below error. 102.3.1.4 is production build. And 201.202.0.101 is for XCode build. SystemExtension "&lt;&lt;complete name&gt;&gt;.pkttunnel" request for replacement from 102.3.1.4 to 201.202.0.101 Packet Tunnel SystemExtension "&lt;&lt;complete name&gt;&gt;.pkttunnel" activation request did fail: Error Domain=OSSystemExtensionErrorDomain Code=8 "(null)" If SIP is disabled, it works fine. Is there a way the system extension can be developed even if SIP remains enabled?

I have a question regarding /etc/pf.conf. If I use this rule, rdr pass on bridge100 inet proto tcp from 192.168.2.104 to any port {80, 443, 8883} -> 127.0.0.1 port 8080 all other traffic on bridge100 will not function properly, even the traffic that is not destined for 192.168.2.104. Additionally, the hotspot generated through bridge100 will also become unavailable. Even if I comment out this rule and run sudo pfctl -e -f /etc/pf.conf, the problem still persists. The situation will only return to normal when I restart my Mac. my macos:15.3.2 my /etc/pf.conf # scrub-anchor "com.apple/*" nat-anchor "com.apple/*" rdr-anchor "com.apple/*" rdr pass on bridge100 inet proto tcp from 192.168.2.104 to any port {80, 443, 8883} -> 127.0.0.1 port 8080 dummynet-anchor "com.apple/*" anchor "com.apple/*" load anchor "com.apple" from "/etc/pf.anchors/com.apple"

Configure the App ID in the Apple Developer Portal. In the Network Extensions section, the Packet Tunnel section is not displayed, as shown in the figure below How to proceed with the configuration of App ID. In the Network Extensions section: Display the Packet Tunnel section Our account is a China region account

Dear Developers, I would like to suggest an optimization for the logic governing the download and installation queue for app updates. Currently, when multiple applications are awaiting updates, the prioritization does not appear to consider the update payload size. My proposal is to implement a logic that prioritizes the download and installation of updates with a smaller delta size (fewer MB) before those with a larger delta. Practical Example: A 1MB update would be processed before a 500MB update, even if their arrival order in the queue was inverted. Potential Benefits: Perceived Speed Optimization (UX): Users would gain access to functional applications more quickly, especially in scenarios with multiple pending updates. Network Efficiency: In limited or intermittent bandwidth scenarios, completing smaller downloads first can reduce the chance of download failures and optimize network resource utilization. Device Resource Management: Frees up temporary storage and processing resources more rapidly for smaller updates. I believe this optimization would bring significant gains in terms of User Experience (UX) and the operational efficiency of the platform. Thank you for your attention and consideration. Sincerely,

We have a setup where the system uses proxy settings configured via a PAC file. We are investigating how NWConnection behaves inside a Network Extension (NETransparentProxyProvider) with a transparent proxy configuration based on this PAC file. Scenario: The browser makes a connection which the PAC file resolves as "DIRECT" (bypassing the proxy) Our Network Extension intercepts this traffic for analysis The extension creates a new connection using NWConnection to the original remote address. The issue: despite the PAC file’s "DIRECT" decision, NWConnection still respects the system proxy settings and routes the connection through the proxy. Our questions: Is it correct that NWConnection always uses the system proxy if configured ? Does setting preferNoProxies = true guarantee bypassing the system proxy? Additionally: Whitelisting IPs in the Network Extension to avoid interception is not a viable solution because IPs may correspond to multiple services, and the extension only sees IP addresses, not domains (e.g., we want to skip scanning meet.google.com traffic but still scan other Google services on the same IP range). Are there any recommended approaches or best practices to ensure that connections initiated from a Network Extension can truly bypass the proxy (for example, for specific IP ranges or domains)?