Adopting iOS 9 network extension points #124

Open
clowwindy opened this Issue Jun 9, 2015 · 542 comments

clowwindy commented Jun 9, 2015

Network extension points:
Use the Packet Tunnel Provider extension point to implement the client side of a custom VPN tunneling protocol.
Use the App Proxy Provider extension point to implement the client side of a custom transparent network proxy protocol.
Use the Filter Data Provider and the Filter Control Provider extension points to implement dynamic, on-device network content filtering.
Each of the network extension points requires special permission from Apple.

conradev commented Jun 9, 2015

Each of the network extension points requires special permission from Apple :(

clowwindy commented Jun 9, 2015

> Now that Apple allows anyone to run the code on their own devices, we don't have to publish the app on the App Store.

No, it still requires some entitlements to run on the devices.

conradev commented Jun 9, 2015

Totally, but - the API documentation is hard to piece together and there is no template in Xcode for the extension point. Gonna have to do some reverse engineering.

clowwindy commented Jun 10, 2015

There's no documentation at all at the moment. The headers of NetworkExtension.framework are public, so we can figure out how to implement the proxy.

I guess we need to subclass NEAppProxyProvider to handle both NEAppProxyTCPFlow and NEAppProxyUDPFlow. And somehow activate the proxy.

Or we can subclass NEPacketTunnelProvider to create a VPN tunnel that handles NEPacketTunnelFlow.

conradev commented Jun 10, 2015

Totally. We need to find the extension point identifier, too. Cisco and OpenVPN need to update their apps...

clowwindy commented Jun 10, 2015

I guess it works just like an app that controls IPSec VPN settings. Before calling manager.connection.startVPNTunnelAndReturnError, we should register our own protocol with

```objc
[NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:(void (^)(NSArray<NETunnelProviderManager *> * __nullable managers, NSError * __nullable error))completionHandler]
```

I'll give it a try when I have time.

conradev commented Jun 10, 2015

I'm going to wait for the single WWDC session before diving in

clowwindy commented Jun 13, 2015

NEAppProxyProvider is actually per-app exclusive. Good news is we can use NEPacketTunnelProvider to create global VPN services.

I'm writing to Apple to see if we can get permission for the API.

icodesign commented Jun 23, 2015

Have you made any progress on packet tunnel?

clowwindy commented Jun 24, 2015

Still no reply from Apple.

icodesign commented Jun 24, 2015

> I'm writing to Apple to see if we can get permission for the API.

So does this mean only those who have been granted permission by Apple can develop global proxy apps?

clowwindy commented Jun 24, 2015

I'm afraid yes.

icodesign commented Jun 24, 2015

> I'm afraid yes.

Sad but reasonable. Good luck with SS. 🙏

muenzpraeger commented Jun 24, 2015

The NEAppProxyProvider API only requires an MDM-deployed app. That can be "simulated" as described in the video.

angelovAlex commented Jun 27, 2015

There are actually templates for Xcode. You need to install them from

```
/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/NEProviderTargetTemplates.pkg
```

But I have not found a way to activate a VPN. As there's no shared instance for NETunnelProviderManager, I think we need to create a new one.

```objc
#import <NetworkExtension/NetworkExtension.h>

[NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:^(NSArray<NETunnelProviderManager *> * __nullable managers, NSError * __nullable error) {
    // No saved tunnel configuration yet: build one.
    if (managers.count <= 0) {
        NETunnelProviderProtocol *protocol = [[NETunnelProviderProtocol alloc] init];
        protocol.providerConfiguration = @{ @"some parameter" : @"some value" };
        protocol.providerBundleIdentifier = @"com.example.vpn.vpntunnel";

        NETunnelProviderManager *manager = [[NETunnelProviderManager alloc] init];
        [manager setProtocol:protocol];
        [manager setLocalizedDescription:@"My VPN"];
        [manager setOnDemandEnabled:NO];
        [manager setEnabled:YES];

        [manager loadFromPreferencesWithCompletionHandler:^(NSError * __nullable error) {
            NSLog(@"%@", error);
        }];
    }
}];
```

On the line `NETunnelProviderManager *manager = [[NETunnelProviderManager alloc] init];`, the following message appears in the Console app:

```
6/27/15 5:31:13.845 PM VPNOSX[1403]: Application does not have the required entitlements.
```

It doesn't say which entitlements, and there isn't any documentation about it.
I want to try this API on Mac OS 10.11. I understand the reason why I need to ask Apple for some permission to publish the app with this API to the App Store, but I can't believe that I have to ask them for permission to run this API on my development machine.
Sorry, that's a little bit off topic, but this is the only thread that I have found on the internet so far.

clowwindy commented Jun 28, 2015

Yes. You need to send an email to Apple to get the entitlements. And I'm waiting for their reply.

manjonn commented Jul 8, 2015

Any luck on this yet? I am looking at NEAppProxyProvider for a project for a client. I think I do understand some things, but can't be sure till I can run it on the device.

clowwindy commented Jul 9, 2015

```swift
let newManager = NETunnelProviderManager()
```

You'll get a warning complaining about missing entitlements when you execute this line of code.

angelovAlex commented Jul 9, 2015

In README.md it says:

The NEProvider family of APIs require the following entitlement:

```xml
<key>com.apple.developer.networking.networkextension</key>
<array>
    <string>packet-tunnel-provider</string>
    <string>app-proxy-provider</string>
    <string>content-filter-provider</string>
</array>
</plist>
```

The SimpleTunnel.app and the provider extensions will not run if they are not code signed with this entitlement.
You can request this entitlement by sending an email to networkextension@apple.com.

If you try to compile the app with this entitlement, your app will be killed by the taskgated daemon. If you'd like to move com.apple.taskgated.plist from /System/Library/LaunchDaemons with root permission, you will get a nice response:

```
sudo mv com.apple.taskgated-helper.plist ~
mv: rename com.apple.taskgated-helper.plist to /Users/alex/com.apple.taskgated-helper.plist: Operation not permitted
```

This means that you are not an admin now, you are nothing, and you are in a sandbox:

```
7/9/15 12:37:27.138 PM sandboxd[113]: ([3711]) mv(3711) System Policy: deny file-write-unlink /System/Library/LaunchDaemons/com.apple.taskgated-helper.plist
```
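
Added example (not part of the thread and not the project's code): the console message above does not say which entitlement is missing, so this sketch audits an entitlements property list, such as the one `codesign -d --entitlements :- <path>` prints for a signed binary, against the three provider values from the README excerpt. The function name, the bundle identifier and the sample inputs are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

NE_KEY = "com.apple.developer.networking.networkextension"
# The three provider values listed in the README excerpt quoted in the thread.
KNOWN_PROVIDERS = {
    "packet-tunnel-provider",
    "app-proxy-provider",
    "content-filter-provider",
}


def audit_network_extension(entitlements: bytes, required: set) -> dict:
    """Compare the providers a signature grants with the ones a target needs."""
    try:
        parsed = plistlib.loads(entitlements)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        raise ValueError(f"not a complete property list: {exc}") from exc
    if not isinstance(parsed, dict):
        raise ValueError("entitlements plist must be a dictionary at top level")

    raw = parsed.get(NE_KEY)
    if raw is None:
        values = []                      # key absent: nothing granted
    elif isinstance(raw, str):
        values = [raw]                   # tolerate a single string value
    elif isinstance(raw, list) and all(isinstance(v, str) for v in raw):
        values = raw
    else:
        raise ValueError(f"{NE_KEY} must be a string or an array of strings")

    granted = set(values) & KNOWN_PROVIDERS
    return {
        "has_key": raw is not None,
        "granted": sorted(granted),
        "missing": sorted(set(required) - granted),
        "unrecognized": sorted(set(values) - KNOWN_PROVIDERS),
    }


# Constructed sample inputs (hypothetical identifiers, not real signatures).
SIGNED_WITH_TUNNEL = plistlib.dumps({
    "application-identifier": "TEAMID0000.com.example.vpn",
    NE_KEY: ["packet-tunnel-provider", "example-unknown-provider"],
})
SIGNED_WITHOUT_NE = plistlib.dumps({
    "application-identifier": "TEAMID0000.com.example.vpn",
})
# A bare <key>/<array> fragment like the README excerpt is not a full plist.
README_FRAGMENT = (
    b"<key>com.apple.developer.networking.networkextension</key>\n"
    b"<array><string>packet-tunnel-provider</string></array>\n</plist>\n"
)

if __name__ == "__main__":
    need = {"packet-tunnel-provider", "app-proxy-provider"}
    for name, blob in [("with tunnel", SIGNED_WITH_TUNNEL),
                       ("without NE key", SIGNED_WITHOUT_NE)]:
        print(name, audit_network_extension(blob, need))
```

Run the same audit on both the containing app and each provider extension, since the README excerpt says both must be signed with the entitlement.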

muenzpraeger commented Jul 9, 2015

We just received the entitlements.

clowwindy commented Jul 12, 2015

Got the entitlements, too.

jedisct1 commented Jul 12, 2015

Yipee!

jedisct1 commented Jul 12, 2015

Did you apply as an individual or as a company?

I didn't dare fill in the form because it seemed like you had to apply as a company.

clowwindy commented Jul 12, 2015

I applied as an open source organization. I explained a bit about this project in the Company name and address field.

clowwindy commented Jul 18, 2015

Update:

Now I can get a virtual tun device running and route packets through UDP. However, I find it a little hard to debug as I can't attach to the extension.

m-oscartong commented Jan 16, 2016

Thanks a lot

waseemsmartfissiom commented Jan 18, 2016

Can I read the SSID and BSSID of any Wi-Fi network (being scanned by my device) using NSHotspotHelper?

zxbiao commented Jan 22, 2016

Thank you for developing such a great thing!!!

shingwasix commented Jan 29, 2016

You are a hero in China. Thanks a lot.
We will never forget your great work.
Take care of yourself. 🙂

zhEdward commented Feb 11, 2016

It's too late for me to know you and your contribution. Just a little sadness. Take care, bro.

ajjing commented Feb 19, 2016

Thank you! And take care. Best wishes~~

simdm commented Mar 1, 2016

good luck! thanks

zaypen commented Mar 1, 2016

Great job! Thanks a loooooooooooooot

hieixu commented Mar 16, 2016

Thank you!

lisces commented Mar 24, 2016

The GFW will fall.
thx.

yangchenghu commented Mar 27, 2016

Thank u!

f0rb1d commented Apr 9, 2016

THANK U
GOD BLESS U
That's all a noob like me can say.

f0rb1d commented Apr 9, 2016

THANK U
GOD BLESS U
As a noob, that's all I can say.

steffie11 commented Jun 7, 2016

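Thank you. I owe those years to you. Without you I couldn't have used Google Scholar, and without Google Scholar I wouldn't have been admitted to the school I wanted.
After I went abroad I always remembered this proxy, and I kept recommending it to friends back in China, until you were "invited for tea"..
Thank you for your hard work!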

Schrodinger123 commented Jul 13, 2016

Thank you, and take care.

jianpx commented Aug 11, 2016

Thanks, and good luck!

jianpx commented Aug 12, 2016

Can Network Extension support implementing the OpenVPN protocol?

tahasiddiqui123 commented Aug 15, 2016

I have the same question as jianpx.

Liwink commented Oct 8, 2016

Thank you.

WordlessEcho commented Feb 3, 2017

Thanks.

b9AobJ commented Feb 13, 2017

You are a hero in China. Thanks a lot.
We will never forget your great work.
Take care of yourself. 🙃

xiaochunyong commented Mar 3, 2017

thanks

wxz1989 commented Apr 28, 2017

I just want to ask a question: how can I get the tun fd on iOS 9.x?
I can't find tun devices in the "/dev/" folder. Can anyone tell me how to do it?
@clowwindy @linusyang @conradev @chrisballinger

wxz1989 commented Apr 28, 2017

thanks man!!!

sakuralethe commented Jul 21, 2017

Thank you.

nevermoreluo commented Jan 16, 2018

Thank you so much for all you have done

yogaskung commented Feb 17, 2018

Thank you

SiqingYu commented Mar 16, 2018

Thanks for your great work.

ztdexter commented Jul 1, 2018

Thank you!

halilemreozen commented Oct 17, 2018

Thanks a lot!
