Adopting iOS 9 network extension points #124

Open
clowwindy opened this issue Jun 9, 2015 · 555 comments
@clowwindy
Contributor

Network extension points:
Use the Packet Tunnel Provider extension point to implement the client side of a custom VPN tunneling protocol.
Use the App Proxy Provider extension point to implement the client side of a custom transparent network proxy protocol.
Use the Filter Data Provider and the Filter Control Provider extension points to implement dynamic, on-device network content filtering.
Each of the network extension points requires special permission from Apple.

@conradev

conradev commented Jun 9, 2015

Each of the network extension points requires special permission from Apple :(

@clowwindy
Contributor Author

Now that Apple allows anyone to run the code on their own devices, we don't have to publish the app on the App Store.

No, it still requires some entitlements to run on the devices.

@conradev

conradev commented Jun 9, 2015

Totally, but - the API documentation is hard to piece together and there is no template in Xcode for the extension point. Gonna have to do some reverse engineering.

@clowwindy
Contributor Author

There's no documentation at all at the moment. The headers of NetworkExtension.framework are public, so we can figure out how to implement the proxy.

I guess we need to subclass NEAppProxyProvider to handle both NEAppProxyTCPFlow and NEAppProxyUDPFlow. And somehow activate the proxy.

Or we can subclass NEPacketTunnelProvider to create a VPN tunnel that handles NEPacketTunnelFlow.

@conradev

Totally. We need to find the extension point identifier, too. Cisco and OpenVPN need to update their apps...

@clowwindy
Contributor Author

I guess it works just like an app that controls IPSec VPN settings. Before calling manager.connection.startVPNTunnelAndReturnError, we should register our own protocol with

[NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:(void (^)(NSArray<NETunnelProviderManager *> * __nullable managers, NSError * __nullable error))completionHandler]

I'll give it a try when I have time.

@conradev

I'm going to wait for the single WWDC session before diving in

@clowwindy
Contributor Author

NEAppProxyProvider is actually per-app exclusive. Good news is we can use NEPacketTunnelProvider to create global VPN services.

I'm writing to Apple to see if we can get permission for the API.

@blackgear

@icodesign

Have you made any progress on packet tunnel?

@clowwindy
Contributor Author

Still no reply from Apple.

@icodesign

I'm writing to Apple to see if we can get permission for the API.

So does this mean only those who have been granted permission by Apple can develop global proxy apps?

@clowwindy
Contributor Author

I'm afraid yes.

@icodesign

I'm afraid yes.

Sad but reasonable. Good luck with SS. 🙏

@muenzpraeger

The NEAppProxyProvider API only requires an MDM-deployed app. That can be "simulated" as described in the video.

@angelovAlex

There're actually templates for Xcode. You need to install them from

/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/NEProviderTargetTemplates.pkg

But I have not found out how to activate a VPN. As there's no shared instance for NETunnelProviderManager, I think we need to create a new one.

[NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:^(NSArray<NETunnelProviderManager *> * __nullable managers, NSError * __nullable error) {

        if (managers.count <= 0){
            NETunnelProviderProtocol *protocol = [[NETunnelProviderProtocol alloc] init];
            protocol.providerConfiguration = @{ @"some parameter" : @"some value" };
            protocol.providerBundleIdentifier = @"com.example.vpn.vpntunnel";

            NETunnelProviderManager *manager = [[NETunnelProviderManager alloc] init];
            [manager setProtocol:protocol];
            [manager setLocalizedDescription:@"My VPN"];
            [manager setOnDemandEnabled:NO];
            [manager setEnabled:YES];

            [manager loadFromPreferencesWithCompletionHandler:^(NSError * __nullable error) {
                NSLog(@"%@", error);
            }];
        }
    }];

On the line NETunnelProviderManager *manager = [[NETunnelProviderManager alloc] init];, the following message appears in the console app:

6/27/15 5:31:13.845 PM VPNOSX[1403]: Application does not have the required entitlements.

It doesn't say which entitlements and there isn't any documentation about it.
I want to try this API on Mac OS 10.11. I understand the reason why I need to ask Apple for some permission to publish the app with this API to the App Store, but I can't believe that I have to ask them for permission to run this API on my development machine.
Sorry, that's a little bit off topic, but this is the only thread that I have found on the internet so far.
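
The activation sequence this comment is looking for, as an added example that is not part of the original thread or the project's code. It assumes the released iOS 9 / OS X 10.11 SDK (where the setter is `protocolConfiguration` rather than the beta-era `setProtocol:`) and that both the app and the extension are signed with the `com.apple.developer.networking.networkextension` entitlement; the server address is a placeholder and the function name is hypothetical.

```objc
#import <NetworkExtension/NetworkExtension.h>

// Bundle ID taken from the comment above; the server address is a placeholder.
static NSString * const kProviderBundleID = @"com.example.vpn.vpntunnel";
static NSString * const kServerAddress    = @"vpn.example.com";

// Hypothetical helper: create (or reuse) the tunnel configuration, persist it, then start it.
static void ConfigureAndStartTunnel(void) {
    [NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:
        ^(NSArray<NETunnelProviderManager *> * _Nullable managers, NSError * _Nullable error) {
        if (error) { NSLog(@"loadAll failed: %@", error); return; }

        // Reuse the stored configuration if one exists, so repeated launches
        // do not pile up duplicate VPN entries in Settings.
        NETunnelProviderManager *manager =
            managers.firstObject ?: [[NETunnelProviderManager alloc] init];

        NETunnelProviderProtocol *proto = [[NETunnelProviderProtocol alloc] init];
        proto.providerBundleIdentifier = kProviderBundleID;   // selects the extension
        proto.serverAddress = kServerAddress;                 // shown in Settings
        proto.providerConfiguration = @{ @"some parameter" : @"some value" };

        manager.protocolConfiguration = proto;
        manager.localizedDescription = @"My VPN";
        manager.onDemandEnabled = NO;
        manager.enabled = YES;

        // A new manager has to be saved, not loaded: saving writes the
        // configuration to the system preferences (the user is asked to allow it).
        [manager saveToPreferencesWithCompletionHandler:^(NSError * _Nullable saveError) {
            if (saveError) { NSLog(@"save failed: %@", saveError); return; }

            // Reload so the in-memory manager matches what the system stored.
            [manager loadFromPreferencesWithCompletionHandler:^(NSError * _Nullable loadError) {
                if (loadError) { NSLog(@"reload failed: %@", loadError); return; }

                NSError *startError = nil;
                if (![manager.connection startVPNTunnelAndReturnError:&startError]) {
                    NSLog(@"start failed: %@", startError);
                }
            }];
        }];
    }];
}
```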

@clowwindy
Contributor Author

Yes. You need to send an email to Apple to get the entitlements. And I'm waiting for their reply.

@manjonn

manjonn commented Jul 8, 2015

Any luck on this yet? I am looking at NEAppProxyProvider for a project for a client. I think I do understand some things, but can't be sure till I can run it on the device.

@EkkoG

EkkoG commented Jul 9, 2015

@clowwindy
Contributor Author

let newManager = NETunnelProviderManager()

You'll get a warning complaining about missing entitlements when you execute this line of code.

@angelovAlex

In README.md it says:

The NEProvider family of APIs require the following entitlement:
<key>com.apple.developer.networking.networkextension</key>
<array>
    <string>packet-tunnel-provider</string>
    <string>app-proxy-provider</string>
    <string>content-filter-provider</string>
</array>
</plist>
The SimpleTunnel.app and the provider extensions will not run if they are not code signed with this entitlement.
You can request this entitlement by sending an email to networkextension@apple.com.

If you try to compile the app with this entitlement, your app will be killed by the taskgated daemon. If you'd like to move com.apple.taskgated.plist from /System/Library/LaunchDaemons with root permission, you will get a nice response:

sudo mv com.apple.taskgated-helper.plist ~
mv: rename com.apple.taskgated-helper.plist to /Users/alex/com.apple.taskgated-helper.plist: Operation not permitted

This means that you are not an admin now, you are nothing and you are in a sandbox:

7/9/15 12:37:27.138 PM sandboxd[113]: ([3711]) mv(3711) System Policy: deny file-write-unlink /System/Library/LaunchDaemons/com.apple.taskgated-helper.plist

@muenzpraeger

We just received the entitlements.

@clowwindy
Contributor Author

Got the entitlements, too.

@jedisct1

Yipee!

@jedisct1

Did you apply as an individual or as a company?

I didn't dare fill out the form because it seemed like you had to apply as a company.

@clowwindy
Contributor Author

I applied as an open source organization. I explained a bit about this project in the Company name and address field.

@clowwindy
Contributor Author

Update:

Now I can get a virtual tun device running and route packets through UDP. While I find it a little hard to debug as I can't attach to the extension.

@jianpx

jianpx commented Aug 11, 2016

Thanks, and good luck!

@jianpx

jianpx commented Aug 12, 2016

Can Network Extension support implementing the OpenVPN protocol?

@tahasiddiqui123

I have the same question as jianpx.

@Liwink

Liwink commented Oct 8, 2016

Thank you.

@WordlessEcho

Thanks.

@b9AobJ

b9AobJ commented Feb 13, 2017

You are a hero in China. Thanks a lot.
We will never forget your great work.
Take care of yourself.🙃

@xiaochunyong

thanks

@angrykub

I just want to ask a question: how can I get the tun fd on iOS 9.x?
I can't find tun devices in the "/dev/" folder. Can anyone tell me how to do it?
@clowwindy @linusyang @conradev @chrisballinger

@angrykub

thanks man!!!

@Azarealice

Thank you.

@nevermoreluo

Thank you so much for all you have done

@ghost

ghost commented Feb 17, 2018

Thank you

@SiqingYu

Thanks for your great work.

@ztdexter

ztdexter commented Jul 1, 2018

thank you !

@halilemreozen

Thanks a lot!

@ablebodied

Great job for Chinese people and for a better China.

@ButcherOfBlaviken

Thank you, you are our hero!

@SMR

SMR commented Apr 8, 2019

Thanks

@keepthethink

Thank you.

@daydreamzzz

Thanks

@flyco2016

Just passing by; I don't know anyone here.

@lyhong508

Thanks, awesome!

@Yoomin233

Paying respect to you, the pioneer of anti-censorship!

@wwwlookformetop

fighting!!!

@Project-Magenta

Thank you.

@ghost

ghost commented Jul 26, 2021

Two days ago the police came to me and wanted me to stop working on this. Today they asked me to delete all the code from GitHub. I have no choice but to obey.

I hope one day I'll live in a country where I have freedom to write any code I like without fearing.

I believe you guys will make great stuff with Network Extensions.

Cheers!

When will there be the Anti Great Firewall Movement?

@cross-hello

Just a late letter: Thank you

@Andy17269

Thank you !

@Tommyeth

Thx

@Sancho-Z

Sancho-Z commented Sep 7, 2023

great software
