iOS: full-tunnel VPN app — UI parity, build fix, SNI pool #1398
Merged
therealaleph merged 9 commits intoMay 28, 2026
iOS NetworkExtension full-tunnel client (leaf + FakeIP -> SOCKS5 -> mhrv-rs):

- Build: produce the static lib via `cargo rustc --crate-type staticlib`. `cargo build --lib` also links the cdylib, which fails on iOS (undefined `___chkstk_darwin` under `-nodefaultlibs`), aborting the build and leaving a stale `.a` so device builds never picked up changes.
- utun fd: `getsockopt(UTUN_OPT_IFNAME)` fallback when the KVC keypath returns nil (newer iOS), plus `dup()` so leaf owns the fd independently.
- leaf log level "none" so leaf's tracing init doesn't panic against the already-installed global subscriber; panic hook logs payload + location.
- UI: full-tunnel mode, multi deployment IDs, auth key show/hide, SNI pool editor with per-SNI TLS probe, auto-detect Google IP, QUIC/STUN/DoH toggles.
- Config import: `mhrv-rs://` (zlib) + JSON/TOML, Android-compatible.
- Signing team read from a gitignored `Local.xcconfig` (no team ID in VCS); generated `.xcodeproj` and `build/` are gitignored.
- App icon; version from `MARKETING_VERSION`; iOS README incl. TestFlight steps.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ITSAppUsesNonExemptEncryption=false skips the export-compliance prompt on TestFlight uploads (standard TLS only). Also removes a duplicate CFBundleIdentifier key from Info.plist. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Explains appending a unique suffix (e.g. .pixel) to the app + extension bundle IDs (and matching tunnelId) to install a parallel build without claiming the reserved com.therealaleph.mhrv ID. Local-only; not committed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
App Store validation 90474: a universal (iPhone+iPad) build must support all four interface orientations for iPad multitasking, but the app is portrait-only. Targeting iPhone only drops that requirement. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds coalesce_step_ms / coalesce_max_ms controls (full-mode tunnel batching) to the Advanced section, matching the Android settings. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ForEach(enumerated, id: \.offset) with index-based bindings would read a stale/out-of-range index after a row was removed. Guard all index accesses in the get/set and the delete button. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tapping empty space or scrolling now resigns first responder. Interactive controls consume their own taps, so fields and buttons keep working. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Share now emits mhrv-rs:// + URL-safe base64 of zlib-compressed (RFC 1950) JSON — byte-compatible with Android's ConfigStore.encode/decode. Import also falls back to raw UTF-8 for uncompressed payloads. Verified round-trip against Android's zlib decode. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
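The share-link format described in the commit message above (`mhrv-rs://` + URL-safe base64 of zlib-compressed JSON, with a raw UTF-8 fallback), written out as an added Python example that is not code from this PR. The 64 KiB cap, the function names, the padding handling and the reading of the fallback as base64 of uncompressed JSON are assumptions; the sample values are constructed.

```python
import base64
import json
import zlib

SCHEME = "mhrv-rs://"
MAX_JSON_BYTES = 64 * 1024  # assumed cap, not a value from the project


def encode_share(config) -> str:
    """Config -> mhrv-rs:// link (RFC 1950 zlib stream, URL-safe base64)."""
    raw = json.dumps(config, separators=(",", ":")).encode("utf-8")
    return SCHEME + base64.urlsafe_b64encode(zlib.compress(raw)).decode("ascii")


def decode_share(link: str) -> dict:
    """Parse an untrusted link; every failure surfaces as ValueError."""
    if not link.startswith(SCHEME):
        raise ValueError("not an mhrv-rs:// link")
    body = link[len(SCHEME):].strip().rstrip("=")
    body += "=" * (-len(body) % 4)  # accept padded and unpadded forms
    # validate=True rejects non-base64 characters instead of dropping them
    blob = base64.b64decode(body, altchars=b"-_", validate=True)
    inflater = zlib.decompressobj()  # default wbits=15 expects a zlib header
    try:
        # Ask for one byte more than the cap so an oversized stream is
        # detected without ever inflating it fully (decompression bomb).
        raw = inflater.decompress(blob, MAX_JSON_BYTES + 1)
    except zlib.error:
        raw = blob  # fallback: payload was uncompressed UTF-8 JSON
    else:
        if len(raw) <= MAX_JSON_BYTES and not inflater.eof:
            raise ValueError("truncated zlib stream")
    if len(raw) > MAX_JSON_BYTES:
        raise ValueError("config exceeds size cap")
    config = json.loads(raw.decode("utf-8"))
    if not isinstance(config, dict):
        raise ValueError("top-level JSON value must be an object")
    return config


# Constructed sample; only the two key names appear on this page.
SAMPLE = {"coalesce_step_ms": 10, "coalesce_max_ms": 50}
```

Because a shared link is attacker-controllable input to the importer, the size cap is enforced during inflation rather than after it.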
Owner
Validated locally before merge:
I also attempted Merging this now. Answered via LLM, Supervised @therealaleph
Summary
iOS NetworkExtension full-tunnel VPN client (leaf + FakeIP → SOCKS5 → mhrv-rs).
- `cargo rustc --crate-type staticlib`. `cargo build --lib` also links the cdylib, which fails on iOS (undefined `___chkstk_darwin` under `-nodefaultlibs`), aborting the build and leaving a stale `.a` so device builds never picked up changes.
- `getsockopt(UTUN_OPT_IFNAME)` fallback when the KVC keypath returns nil on newer iOS; `dup()` so leaf owns the fd.
- `none` so leaf's tracing init doesn't panic against the already-installed global subscriber; panic hook logs payload + location.
- `mhrv-rs://` (zlib) + JSON/TOML, Android-compatible.
- `Local.xcconfig` (no team ID in VCS); generated `.xcodeproj` and `build/` gitignored.
- `MARKETING_VERSION`; iOS README incl. TestFlight steps.

Other modes (apps_script/direct) and the SNI native probe are deferred to follow-up PRs.
Test plan
`cd ios && cp Local.xcconfig.example Local.xcconfig` (set team), `xcodegen generate`, build to device