// MUST eventually call `NSApp.reply(toApplicationShouldTerminate: true)`

func applicationShouldTerminate(_:NSApplication)->NSApplication.TerminateReply{

await vpn.quit()

await vpn.stop()

NSApp.reply(toApplicationShouldTerminate:true)

return.terminateLater

/// An actor that handles configuring, enabling, and disabling the VPN tunnel via the

/// NetworkExtension APIs.

// Updates the UI if a previous configuration exists

func loadNetworkExtension()async{

neState=.disabled

neState=.unconfigured

func configureNetworkExtension(proto:NETunnelProviderProtocol)async{

// removing the old tunnels, rather than reconfiguring ensures that configuration changes

// are picked up.

func enableNetworkExtension()async{

if !tm.isEnabled{

tm.isEnabled=true

tryawait tm.saveToPreferences()

logger.debug("saved tunnel with enabled=true")

try tm.connection.startVPNTunnel()

logger.error("enable network extension:\(error)")

logger.error("start tunnel:\(error)")

neState=.failed(error.localizedDescription)

logger.debug("enabled andstarted tunnel")

logger.debug("started tunnel")

neState=.enabled

func disableNetworkExtension()async{

tm.connection.stopVPNTunnel()

tm.isEnabled=false

tryawait tm.saveToPreferences()

logger.error("disable network extension:\(error)")

logger.error("stop tunnel:\(error)")

neState=.failed(error.localizedDescription)

logger.debug("saved tunnel with enabled=false")

logger.debug("stopped tunnel")

neState=.disabled

privatefunc getTunnelManager()asyncthrows(VPNServiceError)->NETunnelProviderManager{

func getTunnelManager()asyncthrows(VPNServiceError)->NETunnelProviderManager{

tunnels=tryawaitNETunnelProviderManager.loadAllFromPreferences()

func recordSystemExtensionState(_ state:SystemExtensionState)async{

sysExtnState= state

if state==.uninstalled{

if state==.installed{

neState=.disabled

neState=.unconfigured

// system extension was successfully installed, so we don't need the delegate any more

systemExtnDelegate=nil

return extensionBundle

func installSystemExtension(){

func checkSystemExtensionStatus(){

logger.info("checking SystemExtension status")

guardlet bundleID= extensionBundle.bundleIdentifierelse{

logger.error("Bundle has no identifier")

letrequest=OSSystemExtensionRequest.propertiesRequest(forExtensionWithIdentifier: bundleID, queue:.main)

letdelegate=SystemExtensionDelegate(asyncDelegate:self)

request.delegate= delegate

systemExtnDelegate= delegate

OSSystemExtensionManager.shared.submitRequest(request)

logger.info("submitted SystemExtension properties request with bundleID:\(bundleID)")

privatefunc installSystemExtension(){

logger.info("activating SystemExtension")

guardlet bundleID= extensionBundle.bundleIdentifierelse{

logger.error("Bundle has no identifier")

forExtensionWithIdentifier: bundleID,

queue:.main

letdelegate=SystemExtensionDelegate(asyncDelegate:self)

systemExtnDelegate= delegate

request.delegate= delegate

request.delegate= systemExtnDelegate

OSSystemExtensionManager.shared.submitRequest(request)

logger.info("submitted SystemExtension request with bundleID:\(bundleID)")

logger.info("submitted SystemExtensionactivaterequest with bundleID:\(bundleID)")

privatevarlogger=Logger(subsystem:Bundle.main.bundleIdentifier!, category:"vpn-installer")

// TODO: Refactor this to use a continuation, so the result of a request can be

// 'await'd for the determined state

init(asyncDelegate:AsyncDelegate){

logger.info("Replacing\(request.identifier) v\(existing.bundleShortVersion) with v\(`extension`.bundleShortVersion)")

return.replace

publicfunc request(

_:OSSystemExtensionRequest,

foundProperties properties:[OSSystemExtensionProperties]

// In debug builds we always replace the SE to test

// changes made without bumping the version

Task{[asyncDelegate]in

await asyncDelegate.recordSystemExtensionState(.uninstalled)

letversion=Bundle.main.object(forInfoDictionaryKey:"CFBundleVersion")as?String

letshortVersion=Bundle.main.object(forInfoDictionaryKey:"CFBundleShortVersionString")as?String

letversionMatches= properties.contains{ sysexin

sysex.isEnabled

&& sysex.bundleVersion== version

&& sysex.bundleShortVersion== shortVersion

if versionMatches{

Task{[asyncDelegate]in

await asyncDelegate.recordSystemExtensionState(.installed)

// Either uninstalled or needs replacing

Task{[asyncDelegate]in

await asyncDelegate.recordSystemExtensionState(.uninstalled)

varlogger=Logger(subsystem:Bundle.main.bundleIdentifier!, category:"vpn")

lazyvarxpc:VPNXPCInterface=.init(vpn:self)

@PublishedvartunnelState:VPNServiceState=.disabled

super.init()

NotificationCenter.default.addObserver(

selector: #selector(vpnDidUpdate(_:)),

NotificationCenter.default.removeObserver(self)

func clearPeers(){

agents=[:]

workspaces=[:]

func start()async{

switch tunnelState{

case.disabled,.failed:

logger.info("network extension stopped")

// Instructs the service to stop the VPN and then quit once the stop event

// is read over XPC.

// MUST only be called from `NSApplicationDelegate.applicationShouldTerminate`

// MUST eventually call `NSApp.reply(toApplicationShouldTerminate: true)`

func quit()async{

guard tunnelState==.connectedelse{

NSApp.reply(toApplicationShouldTerminate:true)

terminating=true

func configureTunnelProviderProtocol(proto:NETunnelProviderProtocol?){

iflet proto{

func onExtensionPeerState(_ data:Data?){

logger.info("network extension peer state")

guardlet dataelse{

logger.error("could not retrieve peer state from network extension")

letmsg=tryVpn_PeerUpdate(serializedBytes: data)

debugPrint(msg)

applyPeerUpdate(with: msg)

logger.error("failed to decode peer update\(error)")

func applyPeerUpdate(with update:Vpn_PeerUpdate){

// Delete agents

update.deletedAgents

switch connection.status{

case.disconnected:

if terminating{

NSApp.reply(toApplicationShouldTerminate:true)

connection.fetchLastDisconnectError{ errin

self.tunnelState=iflet err{

.failed(.internalError(err.localizedDescription))

case.connecting:

tunnelState=.connecting

case.connected:

// If we moved from disabled to connected, then the NE was already

// running, and we need to request the current peer state

ifself.tunnelState==.disabled{

xpc.getPeerState()

tunnelState=.connected

case.reasserting:

tunnelState=.connecting

func getPeerState(){

xpc.getPeerState{ datain

self.svc.onExtensionPeerState(data)

func onPeerUpdate(_ data:Data){

svc.onExtensionPeerUpdate(data)

// Retrieves the current state of all peers,

// as required when starting the app whilst the network extension is already running

funcgetPeerInfo()asyncthrows(ManagerError)->Vpn_PeerUpdate{

funcgetPeerState()asyncthrows(ManagerError)->Vpn_PeerUpdate{

logger.info("sending peer state request")

func getPeerInfo(with reply:@escaping()->Void){

// TODO: Retrieve from Manager

func getPeerState(with reply:@escaping(Data?)->Void){

letreply=CallbackWrapper(reply)

letdata=try?await manager?.getPeerState().serializedData()

reply(data)

func ping(with reply:@escaping()->Void){

funcgetPeerInfo(with reply:@escaping()->Void)

funcgetPeerState(with reply:@escaping(Data?)->Void)

func ping(with reply:@escaping()->Void)