There are multiple report of crashes on URLConnectionLoader::loadWithWhatToDo. The crashed thread in the stack traces pointing to calls inside CFNetwork which seems to be internal library in iOS. The crash has happened quite a while already (but we cannot detect when the crash started to occur) and impacted multiple iOS versions recorded from iOS 15.4 to 18.4.1 that was recorded in Xcode crash report organizer so far. Unfortunately, we have no idea on how to reproduce it yet but the crash keeps on increasing and affect more on iOS 18 users (which makes sense because many people updated their iOS to the newer version) and we haven’t found any clue on what actually happened and how to fix it on the crash reports. What we understand is it seems to come from a network request that happened to trigger the crash but we need more information on what (condition) actually cause it and how to solve it. Hereby, I attach sample crash report for both iOS 15 and 18. I also have submitted a report (that include more crash reports) with number: FB17775979. Will appreciate any insight regarding this issue and any resolution that we can do to avoid it. iOS 15.crash iOS 18.crash

Goal : Block all outbound connections to a static list of hosts (both In-app requests and WKWebView/Safari). App & both extensions have Network Extension entitlement with content-filter-provider and filter-control-provider What’s working: Safari and WKWebView requests matching the block list are dropped. What’s broken: In-app traffic never reaches the Data Provider—those requests always succeed. Setup: • NEFilterProviderConfiguration with both Data & Control providers, filterBrowsers = true, filterSockets = true • Data Provider implements handleNewFlow for socket/browser flows • Control Provider implements handleNewFlow for browser flows • Enabled via saveToPreferences() and toggled ON in Settings

I'm working with Apple's SimpleURLFilter sample project and consistently encountering an error when trying to implement the URL filter. Here are the details: Setup: Downloaded the official SimpleURLFilter sample project from Apple Set the developer team for both targets (main app and extension) Built and ran the PIR server on my laptop using Docker as per the sample instructions Built the iOS project on my iPhone running iOS 26.0.1 Server is accessible at my Mac's IP address on port 8080 Configuration: PIR Server URL: http://[my-mac-ip]:8080 Authentication Token: AAAA (as specified in service-config.json) Privacy Pass Issuer URL: (left empty) Fail Closed: enabled Code Changes: The only modifications I made were: Updated bundle identifiers to include my team identifier Updated PIR server's service-config.json to match: com.example.apple-samplecode.SimpleURLFilter[TEAM_ID].url.filtering Modified URLFilterControlProvider.swift: Added existingPrefilterTag: String? parameter to fetchPrefilter() method Added tag: "bloom_filter" parameter to NEURLFilterPrefilter initializer Issue: After configuring the filter and entering my passcode in Settings, I consistently see: Received filter status change: <FilterStatus: 'starting'> Received filter status change: <FilterStatus: 'stopped' errorMessage: 'The operation couldn't be completed. (NetworkExtension.NEURLFilterManager.Error error 9.)'> Questions: What does NEURLFilterManager.Error error 9 specifically indicate? Could the URLFilterControlProvider modifications be causing this issue? Are there debugging steps to get more detailed error information? Any guidance would be appreciated!

Hi! My project has the Local Push Connectivity entitlement for a feature we have requiring us to send low-latency critical notifications over a local, private Wi-Fi network. We have our NEAppPushProvider creating a SSE connection using the Network framework with our hardware running a server. The server sends a keep-alive message every second. On an iPhone 16 with iOS 18+, the connection is reliable and remains stable for hours, regardless of whether the iOS app is in the foreground, background, or killed. One of our QA engineers has been testing on an iPhone 13 running iOS 16, and has notice shortly after locking the phone, specifically when not connected to power the device seems to turn off the Wi-Fi radio. So when the server sends a notification, it is not received. About 30s later, it seems to be back on. This happens on regular intervals. When looking at our log data, the provider does seem to be getting stopped, then restarted shortly after. The reason code is NEProviderStopReasonNoNetworkAvailable, which further validates that the network is getting dropped by the device in regular intervals. My questions are: Were there possibly silent changes to the framework between iOS versions that could be the reason we're seeing inconsistent behavior? Is there a connection type we could use, instead of SSE, that would prevent the device from disconnecting and reconnecting to the Wi-Fi network? Is there an alternative approach to allow us to maintain a persistent network connection with the extension or app?

Hi everyone, I'm currently working on a project where I need to send multicast packets across all available network interfaces using Apple Network Framework's NWConnectionGroup. Specifically, the MacBook (device I am using for sending multicast requests, MacOS: 15.1) is connected to two networks: Wi-Fi (Network 1) and Ethernet (Network 2), and I need to send multicast requests over both interfaces. I tried using the .requiredInterface property as suggested by Eskimo in this post, but I’m running into issues. It seems like I can't create an NWInterface object because it doesn't have any initializers. Here is the code which I wrote: var multicast_group_descriptor : NWMulticastGroup var multicast_endpoint : NWEndpoint multicast_endpoint = NWEndpoint.hostPort(host: NWEndpoint.Host("234.0.0.1"), port: NWEndpoint.Port(rawValue: 49154)!) var connection_group : NWConnectionGroup var multicast_params : NWParameters multicast_params = NWParameters.udp var interface = NWInterface(NWInterface.InterfaceType.wiredEthernet) I get following error: 'NWInterface' cannot be constructed because it has no accessible initializers I also experimented with the .requiredInterfaceType property. Even when I set it to .wiredEthernet and then change it to .wifi, I am still unable to send requests over the Wi-Fi network. Here is the code I wrote: var multicast_params : NWParameters multicast_params = NWParameters.udp multicast_params.allowLocalEndpointReuse = true multicast_params.requiredInterfaceType = .wiredEthernet var ip = multicast_params.defaultProtocolStack.internetProtocol! as! NWProtocolIP.Options ip.disableMulticastLoopback = true connection_group = NWConnectionGroup(with: multicast_group_descriptor, using: multicast_params) connection_group.stateUpdateHandler = { state in print(state) if state == .ready { connection_group.send(content: "Hello from machine on 15".data(using: .utf8)) { error in print("Send to mg1 completed on wired Ethernet with error \(error?.errorCode)") var params = connection_group.parameters params.requiredInterfaceType = .wifi connection_group.send(content: "Hello from machine on 15 P2 on Wi-Fi".data(using: .utf8)) { error in print("Send to mg1 completed on Wi-Fi with error \(error?.errorCode)") } } } } Is this expected behavior when using NWConnectionGroup? Or is there a different approach I should take to ensure multicast requests are sent over both interfaces simultaneously? Any insights or suggestions would be greatly appreciated! Thanks in advance, Harshal

I encountered an undesired DNS behaviour when using L2TP/ipsec VPN. I have DHCP configured Wi-Fi connection, which send dns servers and search domain (192.168.0.10, lan) VPN sends its own DNS server (10.0.0.2), search domain (intranet) is added manually in VPN DNS config settings. I expect, when VPN is connected, to be still able to resolve local names, i.e some-host.lan. However, they become unresolvable. quick check shows that the remote dns server is used to resolve local names. shilishper@mac ~ % host -v some-host.lan Trying "some-host.lan" Host some-host.lan not found: 3(NXDOMAIN) Received 106 bytes from 10.0.0.2#53 in 16 ms Received 106 bytes from 10.0.0.2#53 in 16 ms Actually, all dns queries are going to the remote server. I would expect that only queries for the configured domain (intranet) should go to that server. I played with the service order, but it didn't change anything. Is anything can be done about this, programmatically? PS new to macOS, but have extensive linux knowledge

1) Blocked page UX When a URL is blocked, the browser typically shows a generic error like “"Safari cannot open the page because it couldn’t load any data,” with no indication that the page was blocked by a policy. Is there any plan to add an API that allows developers to present a custom “blocked” page or remediation action, similar to NEFilterControlProvider’s remediationMap? Even a minimal hook (custom HTML, deep link, or support URL) would make the experience clearer for users. 2) Cross‑app link‑opening behavior With a block rule in place, direct navigation in Safari is blocked as expected. However, tapping the same URL in a messaging app (e.g., WhatsApp) opens Safari - and the page loads, not blocked. Repro steps: Configure a URL Filter extension that blocks https://example.com. Case A: Open a browser and type the URL in the address bar → blocked (expected). Case B: Tap the same URL in WhatsApp (or another messenger) → a browser opens and the page loads (unexpected). iOS version - 26.0

I haven’t been able to get this to work at any level! I’m running into multiple issues, any light shed on any of these would be nice: I can’t implement a bloom filter that produces the same output as can be found in the SimpleURLFilter sample project, after following the textual description of it that’s available in the documentation. No clue what my implementation is doing wrong, and because of the nature of hashing, there is no way to know. Specifically: The web is full of implementations of FNV-1a and MurmurHash3, and they all produce different hashes for the same input. Can we get the proper hashes for some sample strings, so we know which is the “correct” one? Similarly, different implementations use different encodings for the strings to hash. Which should we use here? The formulas for numberOfBits and numberOfHashes give Doubles and assign them to Ints. It seems we should do this conversing by rounding them, is this correct? Can we get a sample correct value for the combined hash, so we can verify our implementations against it? Or ignoring all of the above, can we have the actual code instead of a textual description of it? 😓 I managed to get Settings to register my first attempt at this extension in beta 1. Now, in beta 2, any other project (including the sample code) will redirect to Settings, show the Allow/Deny message box, I tap Allow, and then nothing happens. This must be a bug, right? Whenever I try to enable the only extension that Settings accepted (by setting its isEnabled to true), its status goes to .stopped and the error is, of course, .unknown. How do I debug this? While the extension is .stopped, ALL URL LOADS are blocked on the device. Is this to be expected? (shouldFailClosed is set to false) Is there any way to manually reload the bloom filter? My app ships blocklist updates with background push, so it would be wasteful to fetch the filter at a fixed interval. If so, can we opt out of the periodic fetch altogether? I initially believed the API to be near useless because I didn’t know of its “fuzzy matching” capabilities, which I’ve discovered by accident in a forum post. It’d be nice if those were documented somewhere! Thanks!!

I'm developing a per-app VPN iOS app with Wireguard. For that, I created a configuration file with payload type "com.apple.vpn.managed.applayer". Using the MDM server I installed some apps which need to use the VPN connection. But when I open these apps, I could see the VPN getting enabled in the device. The VPN icon appears on the notification bar but no internet connection. The VPN and internet is working correctly if I change the payload type to "com.apple.vpn.managed" in configuration file.

send a request and it returns with timeout Integration Team are Using Fortigate as a firewall and NGINX for some reasons so we use VPN TO Access , requests always succeed but at once it failed with timeout in randomize request not specific one we are using URLSession as a network layer when I retry the same failed request again, it success the request cannot connect apigee Sec Team concern { app session hits the security gateway with lots of SYN step to try to initiate a new session and doesn’t wait for (SYN-ACK / ACK) steps to happen to make sure the connection initiated correctly and gateway consider it flooding attack }

I've been wondering what is the memory limit for network extensions. Specifically, I'm using the NEPacketTunnelProvider extension point.The various posts on this forum mention 5 MB and 6 MB for 32-bit and 64-bit respectively. However I find that (at least on iOS 10) the upper limit seems to be 15 MB. Is this the new memory limit for extensions?

Getting cannot parse response on all downalod tasks. Example output "BackgroundDownloadTask <E277D3D6-2FF0-4574-A617-1612ED779151>.<1>", "LocalDownloadTask <E277D3D6-2FF0-4574-A617-1612ED779151>.<1>" ), NSLocalizedDescription=cannot parse response, _kCFStreamErrorDomainKey=4, NSErrorFailingURLStringKey=https://traffic.megaphone.fm/ESP7536701051.mp3?updated=1740573440, NSErrorFailingURLKey=https://traffic.megaphone.fm/ESP7536701051.mp3?updated=1740573440} Can't seem to find a workaround that i can push for app to work with 18.4 beta. Can't believe that beta went to the public.

I have currently created an app which contains an upload button which when clicked upload health data using HealthKit to an AWS S3 bucket. Now I want to implement an automatic file upload mechanism which would mean that the app is installed and opened just once - and then the upload must happen on a schedule (once daily) from the background without ever having to open the app again. I've tried frameworks like NSURLSession and BackgroundTasks but nothing seems to work. Is this use case even possible to implement? Does iOS allow this? The file is just a few KBs in size. For reference, here is the Background Tasks code: import UIKit import BackgroundTasks import HealthKit class AppDelegate: NSObject, UIApplicationDelegate { let backgroundTaskIdentifier = "com.yourapp.healthdata.upload" func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -&gt; Bool { // Register the background task BGTaskScheduler.shared.register(forTaskWithIdentifier: backgroundTaskIdentifier, using: nil) { task in self.handleHealthDataUpload(task: task as! BGAppRefreshTask) } // Schedule the first upload task scheduleDailyUpload() return true } // Schedule the background task for daily execution func scheduleDailyUpload() { print("[AppDelegate] Scheduling daily background task.") let request = BGAppRefreshTaskRequest(identifier: backgroundTaskIdentifier) request.earliestBeginDate = Date(timeIntervalSinceNow: 24*60*60) do { try BGTaskScheduler.shared.submit(request) print("[AppDelegate] Daily background task scheduled.") } catch { print("[AppDelegate] Could not schedule daily background task: \(error.localizedDescription)") } } // Handle the background task when it's triggered by the system func handleHealthDataUpload(task: BGAppRefreshTask) { print("[AppDelegate] Background task triggered.") // Call your upload function with completion handler HealthStoreManager.shared.fetchAndUploadHealthData { success in if success { print("[AppDelegate] Upload completed successfully.") task.setTaskCompleted(success: true) // Schedule the next day's upload after a successful upload self.scheduleDailyUpload() } else { print("[AppDelegate] Upload failed.") task.setTaskCompleted(success: false) } } // Handle task expiration (e.g., if upload takes too long) task.expirationHandler = { print("[AppDelegate] Background task expired.") task.setTaskCompleted(success: false) } } }

When handleNewUDPFlow in NETransparentProxyProvider is used to handle UDP data from port 53, at the same time, run the script continuously to execute nslookup or dig, about tens of thousands of times later, the nslookup shows the error "isc_socket_bind: address not available". So I check the system port status, and find all of the ports from 49152 to 65535 are occupied. The number of net.inet.udp.pcbcount is also very high. net.inet.udp.pcbcount: 91433 Then I made the following attempts: handleNewUDPFlow function return false directly, the nslookup script runs with no problems. I write a simple network extension that use handleNewUDPFlow to reply the mock data directly, and only hijack the UDP data from my test program (HelloWorld-5555). My network exntension code: override func handleNewUDPFlow(_ flow: NEAppProxyUDPFlow, initialRemoteEndpoint remoteEndpoint: NWEndpoint) -> Bool { guard let tokenData = flow.metaData.sourceAppAuditToken, tokenData.count == MemoryLayout<audit_token_t>.size else { return false } let audit_token = tokenData.withUnsafeBytes { buf in buf.baseAddress?.assumingMemoryBound(to: audit_token_t.self).pointee } let pid = audit_token_to_pid(audit_token ?? audit_token_t()) if (!flow.metaData.sourceAppSigningIdentifier.starts(with: "HelloWorld-5555")) { return false } Logger.statistics.log("handleNewUDPFlow \(remoteEndpoint.debugDescription, privacy: .public) \(flow.hash), pid:\(pid), \(flow.metaData.sourceAppSigningIdentifier, privacy: .public)") flow.open(withLocalEndpoint: nil) { error in if let error { os_log("flow open error: %@", error.localizedDescription) return } flow.readDatagrams { data_grams, remote_endpoints, read_err in guard let read_data_grams = data_grams, let read_endpoints = remote_endpoints, read_err == nil else { os_log("readDatagrams failed") flow.closeReadWithError(nil) flow.closeWriteWithError(nil) return } let mockData = Data([0x01,0x02,0x03]) let datagrams = [ mockData ] guard let remoteEnd = remoteEndpoint as? NWHostEndpoint else { os_log("Not the NWHostENdpoint") flow.closeReadWithError(nil) flow.closeWriteWithError(nil) return } let endpoints = [ NWHostEndpoint(hostname: remoteEnd.hostname, port: remoteEnd.port) ] flow.writeDatagrams(datagrams, sentBy: endpoints) { error in if let error { os_log("writeDatagrams error: %@", error.localizedDescription) } os_log("writeDatagrams close") flow.closeReadWithError(nil) flow.closeWriteWithError(nil) } } } return true } My test program code: void send_udp() { int sockfd; struct sockaddr_in server_addr; char buffer[BUFFER_SIZE]; int bytes_sent; // create socket if ((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { perror("socket create failed"); exit(EXIT_FAILURE); } struct sockaddr_in local_addr; memset(&local_addr, 0, sizeof(local_addr)); local_addr.sin_family = AF_INET; local_addr.sin_addr.s_addr = htonl(INADDR_ANY); local_addr.sin_port = htonl(0); // bind if (bind(sockfd, (struct sockaddr*)&local_addr, sizeof(local_addr)) < 0) { printf("IPV4 bind errno:%d\n", errno); close(sockfd); return; } // server addr memset(&server_addr, 0, sizeof(server_addr)); server_addr.sin_family = AF_INET; server_addr.sin_port = htons(SERVER_PORT); server_addr.sin_addr.s_addr = inet_addr(SERVER_IP); // send & recv strcpy(buffer, "Hello, UDP server!"); bytes_sent = sendto(sockfd, buffer, strlen(buffer), 0, (struct sockaddr *)&server_addr, sizeof(server_addr)); if (bytes_sent < 0) { perror("sendto failed"); close(sockfd); exit(EXIT_FAILURE); } printf("sendto ok\n"); char recvbuf[128] = {0}; socklen_t len = sizeof(server_addr); int sz = recvfrom(sockfd, recvbuf, sizeof(recvbuf), MSG_WAITALL, (struct sockaddr *) &server_addr, &len); printf("recv sz: %d\n", sz); close(sockfd); return; } int main() { send_udp(); return 0; } 2.1 When I use bind in my program, after the program running tens of thousands of times, the ports are exhausted, and nslookup return the error "isc_socket_bind: address not available". The case looks like running the nslookup script, because the nslookup will call the bind. 2.2 When I remove the bind from my program, all the tests are go. I have made the above experiments on different systems: 13.x, 14.x, 15.x, and read the kernel source code about bind and port assignment, bsd/netinet/in_pcb.c bsd/netinet/udp_usrreq.c and find kernel will do different action for network extension by call necp_socket_should_use_flow_divert I have checked my network extension process by lsof and netstat, its sockets or flows are all closed properly. I don't know how I can avoid this problem to ensure my network extension to work long time properly. Apparently, the port exhaustion is related to the use of bind function and network extension. I doubt there is a port leak problem in system when use network extension. Hope for your help.

PLATFORM AND VERSION: iOS Development environment: Xcode 15.3, macOS 14.7.1 (23H222) Run-time configuration: iOS 18.3.1 DESCRIPTION OF PROBLEM: Our app uses NEHotspotConfigurationManager with joinOnce set to false to connect to an IoT device's Wi-Fi hotspot. Later, we programmatically disconnect from this hotspot. We are wondering if, after this programmatic disconnection, there is a possibility that the iPhone will automatically reconnect to the hotspot (even when our app is not running). Does it matter if the hotspot's SSID is hidden or not? This concern arises because the iPhone is already familiar with the hotspot's network configuration. Our testing indicates that this does not happen, but we want to be certain. This is a behavior we do NOT want to occur. We set joinOnce to false because we experience connectivity issues with the IoT device when joinOnce is true (there are several discussions in forums regarding issues with setting it to true). Thank you. Thanks.

Hi~ I implemented network filtering on iOS using NEFilterControlProvider and NEFilterDataProvider. However, I found that their usage is restricted when distributing in the App Store. Does ADEP-based distribution allow the use of NEFilterControlProvider and NEFilterDataProvider? In TN3134, it states that NEPacketTunnelProvider requires MDM. Should I assume that NEFilterControlProvider and NEFilterDataProvider also require MDM in the same way? thanks.

I'm running a Node.js server on my MacBook with Apple M4 Pro chip, macOS Sequoia 15.4, and Node.js v23.10.0. The server starts normally on port 5000 and logs show that it's listening correctly. However, when I try to access it via browser or Postman (http://localhost:5000/api/...), I get a 403 Forbidden error. After checking with lsof -i :5000, I noticed that the ControlCenter process is listening on port 5000 under the name commplex-main. Interestingly, this doesn't happen on M3 Pro machines. On those devices, Node.js runs fine on port 5000 and can be accessed from Postman and browsers. Is port 5000 now internally reserved by macOS or used by some system-level service in Sequoia or Apple Silicon (M4 Pro)? Should I avoid using this port going forward? Any official clarification would be appreciated.

I’m working with the NEHotspotHelper API in my iOS app, and I noticed the following log message in Console: "(BUNDLE ID ) is using NEHotspotHelper API and it's unresponsive to API's evaluate command. The API gives 45 seconds to 3rd party apps to respond, and then it launches WebSheet to allow user to interact with the portal." I have two different apps that both register a NEHotspotHelper handler: App A checks for .evaluate and calls createResponse(.unsupportedNetwork) if we don’t manage that particular network. App B registers for hotspot events but does not handle .evaluate at all. In App A, whenever I see that “unresponsive” or “45 seconds” log, the system eventually launches the standard captive portal WebSheet. In App B, I never see those logs. I have a few questions: Are these “unresponsive” logs indeed triggered by the .evaluate command specifically? In other words, do we only see that 45-second timeout and the subsequent WebSheet message if our app is registered to handle Evaluate but doesn’t respond quickly (or responds with .unsupportedNetwork)? Is it best practice (or required) to always respond to .evaluate—for example, sending .unsupportedNetwork if we don’t plan on managing the user’s login or captive portal? Does ignoring .evaluate lead to other unexpected behavior or logs? Should we still explicitly respond to Evaluate with .unsupportedNetwork? Or is it okay to skip Evaluate handling entirely on every app or invocation? I’d love to confirm whether .evaluate handling is the direct cause of these logs, and how best to avoid the “unresponsive”/“45 seconds” fallback if our app isn’t intended to manage the portal. Thanks in advance for any insights!

My personal project is a bit further along however after not being able to get this to work in my app I fell back to a much simpler/proven implementation out there. There is this project on GitHub with a guide that implements a barebones app extension with packet tunneling. I figure this can give us common ground. After changing the bundle and group identifiers to all end with -Caleb and or match up I tried running the app. The app extension does not work whatsoever and seemingly for reasons that are similar to my personal project. If I pull up the console and filter for the subsystem (com.github.kean.vpn-client-caleb.vpn-tunnel) I see the following. First you see installd installing it 0x16ba5f000 -[MIUninstaller _uninstallBundleWithIdentity:linkedToChildren:waitForDeletion:uninstallReason:temporaryReference:deleteDataContainers:wasLastReference:error:]: Destroying container com.github.kean.vpn-client-caleb.vpn-tunnel with persona 54D15361-A614-4E0D-931A-0953CDB50CE8 at /private/var/mobile/Containers/Data/PluginKitPlugin/2D0AE485-BB56-4E3E-B59E-48424CD4FD65 And then installd says this (No idea what it means) 0x16b9d3000 -[MIInstallationJournalEntry _refreshUUIDForContainer:withError:]: Data container for com.github.kean.vpn-client-caleb.vpn-tunnel is now at /private/var/mobile/Containers/Data/PluginKitPlugin/2D0AE485-BB56-4E3E-B59E-48424CD4FD65 Concerningly runningboardd seems to immediately try and stop it? Executing termination request for: <RBSProcessPredicate <RBSProcessBundleIdentifiersPredicate| {( "com.github.kean.vpn-client-caleb", "com.github.kean.vpn-client-caleb.vpn-tunnel" )}>> [app<com.github.kean.vpn-client-caleb(54D15361-A614-4E0D-931A-0953CDB50CE8)>:1054] Terminating with context: <RBSTerminateContext| explanation:installcoordinationd app:[com.github.kean.vpn-client-caleb/54D15361-A614-4E0D-931A-0953CDB50CE8] uuid:963149FA-F712-460B-9B5C-5CE1C309B2FC isPlaceholder:Y reportType:None maxTerminationResistance:Absolute attrs:[ <RBSPreventLaunchLimitation| <RBSProcessPredicate <RBSProcessBundleIdentifiersPredicate| {( "com.github.kean.vpn-client-caleb", "com.github.kean.vpn-client-caleb.vpn-tunnel" )}>> allow:(null)> ]> Then runningboardd leaves a cryptic message Acquiring assertion targeting system from originator [osservice<com.apple.installcoordinationd>:244] with description <RBSAssertionDescriptor| "installcoordinationd app:[com.github.kean.vpn-client-caleb/54D15361-A614-4E0D-931A-0953CDB50CE8] uuid:963149FA-F712-460B-9B5C-5CE1C309B2FC isPlaceholder:Y" ID:33-244-5222 target:system attributes:[ <RBSPreventLaunchLimitation| <RBSProcessPredicate <RBSProcessBundleIdentifiersPredicate| {( "com.github.kean.vpn-client-caleb", "com.github.kean.vpn-client-caleb.vpn-tunnel" )}>> allow:(null)> ]> And that seems to be all I have to go off of.... If I widen my search a bit I can see backboardd saying things like Connection removed: IOHIDEventSystemConnection uuid:57E97E5D-8CDE-467B-81CA-36A93C7684AD pid:1054 process:vpn-client type:Passive entitlements:0x0 caller:BackBoardServices: <redacted> + 280 attributes:{ HighFrequency = 1; bundleID = "com.github.kean.vpn-client-caleb"; pid = 1054; } state:0x1 events:119 mask:0x800 dropped:0 dropStatus:0 droppedMask:0x0 lastDroppedTime:NONE Or Removing client connection <BKHIDClientConnection: 0xbf9828cd0; IOHIDEventSystemConnectionRef: 0xbf96d9600; vpid: 1054(vAF7); taskPort: 0x5D777; bundleID: com.github.kean.vpn-client-caleb> for client: IOHIDEventSystemConnection uuid:57E97E5D-8CDE-467B-81CA-36A93C7684AD pid:1054 process:vpn-client type:Passive entitlements:0x0 caller:BackBoardServices: <redacted> + 280 attributes:{ HighFrequency = 1; bundleID = "com.github.kean.vpn-client-caleb"; pid = 1054; } state:0x1 events:119 mask:0x800 dropped:0 dropStatus:0 droppedMask:0x0 lastDroppedTime:NONE source:HID There's really nothing in the sysdiagnose either. No crash no nothing. I am stumped. Any idea what might be going wrong for me here? Has something about the way app extensions or sandbox rules work changed in later OSes?

Hi, DNS resolution using libresolv (res_nquery) fails in 15.4 when connected to VPN. The same is working fine for 15.3 and lower and this happens for all the domains. The method returns -1 and res->res_h_errno is set to 2. In wireshark we can see that the DNS request is sent and server also returns the response successfully. The same works fine if we use TCP instead of UDP by setting the following option res->options |= RES_USEVC;