So I wanted to get my hands dirty with objective-c so I decided to create a project to list all outbound traffic, after digging a little I found that I could use the Network Extension API. I created a simple command line project with xcode and tried to load this extension but for some reason I can't get it to work.
I don't have a developer license yet and I'm not sure if it has anything to do with the problem I'm facing.
This is just some test code so there are 2 free functions, one for loading the system extension and another for checking its status:
// activates the extension?
BOOL toggleNetworkExtension(NSUInteger action)
{
BOOL toggled = NO;
__block BOOL wasError = NO;
__block NEFilterProviderConfiguration* config = nil;
dispatch_semaphore_t semaphore = 0;
semaphore = dispatch_semaphore_create(0);
NSLog(@"toggling the network extension");
[NEFilterManager.sharedManager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) {
if(nil != error)
{
wasError = YES;
NSLog(@"loadFromPreferencesWithCompletionHandler error");
}
dispatch_semaphore_signal(semaphore);
}];
NSLog(@"waiting for the network extension configuration...");
if(YES == wasError) goto fail;
NSLog(@"loaded current filter configuration for the network extension");
if(1 == action)
{
NSLog(@"activating network extension...") ;
if(nil == NEFilterManager.sharedManager.providerConfiguration)
{
config = [[NEFilterProviderConfiguration alloc] init];
config.filterPackets = NO;
config.filterSockets = YES;
NEFilterManager.sharedManager.providerConfiguration = config;
}
NEFilterManager.sharedManager.enabled = YES;
}
else
{
NSLog(@"deactivating the network extension...");
NEFilterManager.sharedManager.enabled = NO;
}
{ [NEFilterManager.sharedManager saveToPreferencesWithCompletionHandler:^(NSError * _Nullable error) {
if(nil != error)
{
wasError = YES;
NSLog(@"saveToPreferencesWithCompletionHandler error!");
}
dispatch_semaphore_signal(semaphore);
}]; }
NSLog(@"waiting for network extension configuration to save...");
if(YES == wasError) goto fail;
NSLog(@"saved current filter configuration for the network extension");
toggled = YES;
fail:
return toggled;
}
Then there's this function to check if the extension is enabled which for some reason always returns false.
BOOL isNetworkExtensionEnabled(void)
{
__block BOOL isEnabled = NO;
dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
[NEFilterManager.sharedManager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable error) {
if (error != nil)
{
NSLog(@"Error with loadFromPreferencesWithCompletionHandler");
}
else
{
isEnabled = NEFilterManager.sharedManager.enabled;
}
dispatch_semaphore_signal(semaphore);
}];
return isEnabled;
}
Is something wrong is this code or is this related to entitlements or the developer license?
As a side note I have already disabled SIP not sure if it matters in this case.
Thanks in advance.
Networking
RSS for tagExplore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.
Post
Replies
Boosts
Views
Activity
How can we get the BSSID value for a wifi network without sudo
we have tried with different options but they dont seem to work.It seems they have been deprecated.
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 --getinfo | grep BSSID | awk -F ': ' '{print $2}'
ioreg -l -n AWDLPeerManager | perl -lne 'print $1 if $_ =~ /IO80211BSSID.<(.)>/;' | fold -w2 | paste -sd: -
Greetings,
I am trying to mimic what the official WireGuard client (available on AppStore, source code is publicly available) does regarding the routing tables. The client uses NetworkExtension framework.
When a VPN connection is established with all traffic routed through WireGuard (AllowedIPs = 0.0.0.0/0), the routing table is amend with something like this:
Destination Gateway RT_IFA Flags Refs Use Mtu Netif Expire
default link#36 10.10.10.2 UCSg 114 0 1420 utun7
10.10.10.2 10.10.10.2 10.10.10.2 UH 0 10 1420 utun7
224.0.0/4 link#36 10.10.10.2 UmCS 0 0 1420 utun7
255.255.255.255/32 link#36 10.10.10.2 UCS 0 0 1420 utun7
Please note that another default route exists to the working Ethernet interface, but I have not mentioned it above.
I would like to do something similar for wireguard-go (open source WireGuard implementation written in Go), in particular start it, assign an IP address, then add the routes.
sudo env LOG_LEVEL=debug wireguard-go -f utun
sudo ifconfig utun5 10.10.10.2 10.10.10.2 netmask 255.255.255.255
Here is the code fragment written in C which suppose to add default route (0.0.0.0/0) to the link layer address:
void add_link_route() {
struct {
struct rt_msghdr hdr;
struct sockaddr_in dest;
struct sockaddr_dl gateway;
struct sockaddr_in netmask;
} rt;
memset(&rt, 0, sizeof(rt));
int sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
if (sockfd == -1) {
perror("socket");
return;
}
unsigned int if_index = if_nametoindex("utun5");
rt.hdr.rtm_msglen = sizeof(rt);
rt.hdr.rtm_version = RTM_VERSION;
rt.hdr.rtm_type = RTM_ADD;
rt.hdr.rtm_index = if_index;
rt.hdr.rtm_flags = RTF_UP | RTF_STATIC | RTF_CLONING;
rt.hdr.rtm_addrs = RTA_DST | RTA_GATEWAY | RTA_NETMASK;
rt.hdr.rtm_seq = 1;
rt.hdr.rtm_pid = getpid();
rt.dest.sin_len = sizeof(struct sockaddr_in);
rt.dest.sin_family = AF_INET;
rt.dest.sin_addr.s_addr = INADDR_NONE;
rt.gateway.sdl_len = sizeof(struct sockaddr_dl);
rt.gateway.sdl_family = AF_LINK;
rt.gateway.sdl_index = if_index;
rt.gateway.sdl_type = IFT_PPP;
rt.netmask.sin_len = sizeof(struct sockaddr_in);
rt.netmask.sin_family = AF_INET;
rt.netmask.sin_addr.s_addr = INADDR_NONE;
if (write(sockfd, &rt, sizeof(rt)) == -1) {
perror("write");
}
close(sockfd);
}
But, when executed, write() returns EEXIST (File exists) error, meaning, the default route cannot be overwritten (because another default route exists which points to the existing Ethernet interface).
At this point I have no idea how the routes could be created successfully inside NetworkExtension, and I would like to do the same.
For comparison, there is another case when all traffice is not routed through the VPN. Then, the routes are created like this:
Destination Gateway RT_IFA Flags Refs Use Mtu Netif Expire
default link#36 10.10.10.2 UCSIg 0 0 1420 utun7
10.10.10.2 10.10.10.2 10.10.10.2 UH 0 0 1420 utun7
224.0.0/4 link#36 10.10.10.2 UmCSI 0 0 1420 utun7
255.255.255.255/32 link#36 10.10.10.2 UCSI 0 0 1420 utun7
The difference is that now the scope is bound to the network interface. And in such case, my C code succeeds, providing I add RTF_IFSCOPE flag to rtm_flags.
I would appreciate if someone helped me with this problem.
Howdy everyone, I'm researching for a potential product so I can't give too many details. To be brief, I need to put an iPhone or iPad into Wifi Monitor mode. I plan on creating an app to control this for users to utilize. I can't find material on this topic in the Xcode Docs, or if the iPhone/iPad even supports Wifi Monitor mode.
Does anyone know if it's even possible?
Hey, I have been working on the app that implements both Content Filter Providers and DNS Proxy for custom network security app. However, I would like to display traffic logs from Content Filter. What's the best way to do that?
I know that it works with UserDefaults under shared container with App Group. But I am not sure that it's the best approach for storing data that is constantly changing. I also tried to use CoreData with:
FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: appGroup)
But I receive error that "The file couldn’t be saved because you don’t have permission., ["reason": No permissions to create file; code = 1]" because my FilterDataProvider has access to CoreData model.
Our app has been crashing in the CFNetwork Framework frequently, but the attached TestFlight crash logs do not help in identifying the possible root cause of the same. Any help would be greatly appreciated.
Hello everyone,
Can someone help me understand how the following code works?
let params = NWParameters(tls: tlsOptions, tcp: tcpOptions)
params.requiredInterfaceType = .cellular
connection = NWConnection(to: connectionHostPort, using: params)
Does this configuration guarantee that all network calls made using the connection will always use cellular data? What happens if both WiFi and cellular are connected simultaneously? Is there any underlying UNIX library which can confirm this?
TIA
arup[dot]s[at]icloud[dot]com
I would like to connect an iPhone to Wi-Fi from my app without any popups. I work for a Wi-Fi testing company, and we have hundreds of iPhones that need to be connected to and disconnected from Wi-Fi frequently. We need to automate this process. Please let me know if there is any way to achieve this. Thanks in advance.
Since Apple Multipeer framework does not really work without crashes, I implemented my own multipeer with the Network.framework.
like
let tcpOptions = NWProtocolTCP.Options.createDefault()
let parameters = NWParameters(tls: NWProtocolTLS.Options(), tcp: tcpOptions)
parameters.setDefaultSettings()
let browser = NWBrowser(
for: .bonjour(
type: config.bonjourServiceType,
domain: nil
),
using: parameters
)
and
extension NWParameters {
func setDefaultSettings() {
self.includePeerToPeer = true
self.requiredInterfaceType = .wifi
self.preferNoProxies = true
}
}
extension NWProtocolTCP.Options {
static func createDefault() -> NWProtocolTCP.Options {
let tcpOptions = NWProtocolTCP.Options()
tcpOptions.enableKeepalive = true
tcpOptions.keepaliveIdle = 10 // 10 seconds keepalive interval
tcpOptions.noDelay = true // Disable Nagle's algorithm for low latency
return tcpOptions
}
}
it works well up to approx. 30 meter outside with free view.
What's the max range for the peer to peer via bonjour? And is there a way to get longer distance than 30 meter?
Can we download a file directly into a connected external storage like a pendrive without downloading it into App Sandbox environment first and then copying the file to external storage, in case of larger files.
NETransparentProxyProvider have below method:
override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool
This method is blocking. Until we returns value from this method, next flow will be blocked, macOS doesn’t calls it on new thread.
for example: if we take 10 second to check what to do with this flow, whether to handle it(true) or return to kernel(false), another flow will be block for 10 sec.
how to not block future flow while it is taking longer to process current flow?
I have 3 functions to run in series , all have api calls to make but 2nd function has multiple api call and after all api of 2nd function is executed and saved to Core Data then 3rd function is called .
Then after 3rd function again all functions are called
I want all this to work when app in background .
i am currently using begin background task and end background task
It does not seem to be stored in the system or user TCC database?
Having a way to programatically grant the permission to a given app without user interaction, for example when automatically provisioning a CI node for macOS testing (with SIP disabled, so full disk access available), would be nice.
Filed as FB14878596
Hi, in my Extension FilterDataProvider class that is inherited from NEFilterDataProvider i am trying to insert logs into my CoreData entity, but when i insert it gives me error
"NSCocoaErrorDomain: -513
"reason": Unable to write to file opened Readonly
Any suggestions please to update the read write permission
i already have tried this way but no luck
let description = NSPersistentStoreDescription(url: storeURL) description.shouldInferMappingModelAutomatically = true description.shouldMigrateStoreAutomatically = true description.setOption(false as NSNumber, forKey: NSReadOnlyPersistentStoreOption)
?
I am trying to establish a connection using NetworkExtension and NEVPNProtocolIKEv2. It needs to work on an iOS device. I have a test.mobileconfig file and I have set up all configurations based on its content. However, I am unsure how to assign the value for identityData. I have tried multiple methods, but each time, I receive the following errors on my server:
"ikev2-cp"[200] "my_ip_address" #1387: Peer attempted EAP authentication, but IKE_AUTH is required
"ikev2-cp"[200] "my_ip_address" #1387: responding to IKE_AUTH message (ID 1) from "my_ip_address" with encrypted notification AUTHENTICATION_FAILED
"ikev2-cp"[200] "my_ip_address" #1387: encountered fatal error in state STATE_V2_PARENT_R1
First of all, I used the first PayloadContent value inside the .mobileconfig file that I tested. I should mention that there is a certificate inside the file. However, the certificate is not password-protected.
func getIKEv2Protocol(address: NSString, username: NSString, password: NSString) -> NEVPNProtocolIPSec {
let p = NEVPNProtocolIKEv2()
let kcs = KeychainService()
p.certificateType = .RSA
p.authenticationMethod = .certificate
kcs.save(key: "ikev2_password", value: password as String)
p.passwordReference = kcs.load(key: "ikev2_password")
p.identityDataPassword = "cHH....B3"
p.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
p.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA256
p.ikeSecurityAssociationParameters.diffieHellmanGroup = .group19
p.ikeSecurityAssociationParameters.lifetimeMinutes = 1410
p.childSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256GCM
p.childSecurityAssociationParameters.integrityAlgorithm = .SHA256
p.childSecurityAssociationParameters.diffieHellmanGroup = .group19
p.childSecurityAssociationParameters.lifetimeMinutes = 1410
if let certData = Data(base64Encoded: base64String) {
p.identityData = certData
p.authenticationMethod = .certificate
}
p.serverCertificateIssuerCommonName = "***"
p.serverCertificateCommonName = "***-2"
p.deadPeerDetectionRate = .medium
p.disableRedirect = true
p.enableRevocationCheck = false
p.useExtendedAuthentication = true
p.remoteIdentifier = address as String
p.localIdentifier = username as String
p.serverAddress = address as String
p.enablePFS = false
return p;
}
and
let vpnManager = NEVPNManager.shared()
// inside > vpnManager.loadFromPreferences { (error) -> Void in
let p = self.getIKEv2Protocol(address: address, username: username, password: password)
vpnManager.protocolConfiguration = p
vpnManager.localizedDescription = "IKEv2 VPN"
vpnManager.isEnabled = true
vpnManager.saveToPreferences(completionHandler: { (error) -> Void in
...
vpnManager.loadFromPreferences(completionHandler: { error in
...
try vpnManager.connection.startVPNTunnel()
// And this section starts without any errors.
How can I properly provide the value for p.identityData and .mobileconfig password?
Please explain in detail if there is an answer, as I am inexperienced with Swift and VPNs.
I'm looking to see if there's any suggested libraries / frameworks to use for transferring files between Macs. The setup is a few dozen Macs (each with 10g networking) and a custom app that handles the transfer of files between them on a local network.
I looked into raw TCP sockets but the file sizes will make this tricky. Some files can be up to 150gb. Maybe SFTP to AFP? But not sure how this looks in code and I know I don't want to be mounting computers in finder - ideally it's an app that hosts it's own server to handle the transfers.
Any insight on this would be helpful. Thanks!
Good day. From IOS 17 have a problem with connecting to local ip devices. When i try to scan local network:
zeroconf.scan('http', 'tcp', 'local.');
i get en error:
Error: { NSNetServicesErrorCode = "-72007"; NSNetServicesErrorDomain = 10; }
I use the react-native-zeroconf libruarry, config the infoPlist with:
"NSBonjourServices": ["_http._tcp"],
"NSLocalNetworkUsageDescription":
"Allow Turkov application to configure LLC devices"
"NSAppTransportSecurity": {
"NSAllowsArbitraryLoads": true,
"NSExceptionDomains": {
"localhost": {
"NSExceptionAllowsInsecureHTTPLoads": true
}
}
And also i get approve sertificate to use multicast from apple team, and apply it in project
"entitlements": {
"com.apple.developer.networking.multicast": true
},
Below IOS17 (i tested at 16.6) - all work fine.. Can some one help with that problem?
Hi everyone,
I am developing a MacOS app where a network extension and a content filter are installed as system extensions when the app is launched. I'd like to test the flow where user get a "System Extension Blocked" prompt like this:
But I couldn't find a way to revoke the approval I gave at the first place. I've tried remove the system extensions using "sudo systemextensionsctl uninstall [TEAM ID] [BUNDLE ID]" with SIP disabled but no luck. I've also tried to remove them from the KextPolicy database but they are not even in the database.
I am on MacOS Sonoma 14.5. All I want is to revoke the system extension approval and recreate this prompt. Has anyone experienced a similar issue or have any suggestions on how to achieve this?
WireGuard Apple VPN Client App for macOS with System Extension to Distribute Outside App Store
Checkout the source code of WireGuard Apple.
https://github.com/WireGuard/wireguard-apple
I have fixed several issues and now I can create and connect to the VPN.
This source code uses the App Network Extension (appex) which can only be distributed on the App Store. But I don't want to distribute it via the App Store. I will distribute it outside the App Store.
But for this, we need to sign the app with the Developer ID Application certificate and we also need to notarize it. So for this, the App Network Extension (appex) will not help. We need to use the System Extension Network Extension (sysex). So we need to make changes to the WireGuard Apple source code to be able to connect the VPN via the System Extension Network Extension (sysex), this means we need to migrate existing App Network Extension (appex) to System Extension Network Extension (sysex) in this source code.
I am facing this challenge, that's why I am looking for a solution here.
I have already done changes explained here https://forums.developer.apple.com/forums/thread/695550.
Also done with changes for getting system extension permission and network extension permission. Real problem is, VPN client app is not getting connect to VPN and to fix this, we need to fix in WireGuard Apple Kit source code.
Please help me to solve this problem.
Hi Team,
Is there a way to disable secure DNS in macOS that is set at the OS level, like 8.8.8.8, which supports secure DNS on ports 443 and 853?