# Guideline 5.4 - Legal: VPN App Not Using NEVPNManager API

**Guideline:** 5.4 · **Store:** Apple App Store · **Risk:** high · **Difficulty:** hard · **Typical turnaround:** 1-3 days

Canonical URL: https://appstorereject.com/rejections/apple/5/guideline-54-legal-vpn-app-not-using-nevpnmanager-api

## Description

Apple is rejecting your VPN app because it implements VPN-like functionality without using the Network Extension framework and NEVPNManager API. Under guideline 5.4, all VPN apps must use Apple's official NEVPNManager API — apps that achieve VPN behavior through alternative technical means (proxy configuration profiles, DNS-over-HTTPS redirection, SOCKS proxy clients, custom socket tunneling, or system-level configuration profile installation) will be rejected. This rejection is technical in nature and requires a significant code change. Apple mandates NEVPNManager because it provides system-level VPN integration that users can see and control in iOS Settings, gives Apple visibility into how the VPN operates, and ensures the VPN follows Apple's sandboxing and security requirements. The Network Extension framework requires a special entitlement that must be requested from Apple separately. The turnaround for entitlement approval is typically 1-5 business days. You'll need to implement a Packet Tunnel Provider (NEPacketTunnelProvider) as a separate app extension target in your Xcode project.

## Common variations

- VPN app does not use NEVPNManager API
- VPN functionality implemented without Network Extension framework
- App uses proxy or DNS redirection instead of NEVPNManager
- Custom VPN tunnel implementation not using Apple's approved APIs
- App installs VPN configuration profiles directly

## Example rejection email

```
Guideline 5.4 - Legal - VPN Apps

Your app provides VPN-like functionality but does not use the NEVPNManager API as required.

Specifically, your app implements a virtual private network or proxy using [custom socket connections/configuration profiles/DNS redirection/proxy settings] instead of the Network Extension framework's NEVPNManager API.

Next Steps:
Please update your app to use the NEVPNManager API (Network Extension framework) for all VPN functionality. You may need to request the Network Extension entitlement from Apple if you have not already done so.

For more information, see the Network Extension documentation: https://developer.apple.com/documentation/networkextension
```

## Resolution steps

## Quick Assessment
- **Risk level:** High
- **Resolution path:** Fix & Resubmit (significant technical rework required)
- **Typical turnaround:** 1-3 days (plus entitlement approval time)

## The Fix

01. **Request Network Extension entitlement** — Submit an entitlement request to Apple via developer.apple.com. This is a prerequisite — you cannot use NEVPNManager without it. Typical approval: 1-5 business days.

02. **Create a Packet Tunnel Provider extension** — Add a new Network Extension target to your Xcode project. Implement `NEPacketTunnelProvider` as your tunnel provider subclass.

03. **Implement NEVPNManager configuration** — Use `NEVPNManager` to configure the VPN connection. Set up the `NETunnelProviderProtocol` with your server addresses, authentication credentials, and tunnel configuration.

04. **Remove alternative implementations** — Remove any custom proxy configurations, DNS redirection code, SOCKS client implementations, or configuration profile installation code.

05. **Test system-level integration** — Verify the VPN appears in iOS Settings > VPN when active, can be toggled from Settings, and shows the VPN status bar indicator.

06. **Add the entitlement to your provisioning profile** — Ensure both the main app target and the Network Extension target have the com.apple.developer.networking.networkextension entitlement.

## Prevention
- Always use NEVPNManager for VPN functionality from the start
- Request the Network Extension entitlement early in development
- Don't attempt to build VPN-like features using workarounds

## Before / after examples

**Before:** App establishes VPN tunnel by configuring SOCKS5 proxy settings and routing DNS queries through a custom DoH resolver; no Network Extension target in the Xcode project
**After:** App uses NEPacketTunnelProvider extension with NEVPNManager configuration; VPN appears in iOS Settings; VPN status bar indicator shows when connected; SOCKS5 and DNS code removed
**Why it works:** Apple requires NEVPNManager for system-level VPN integration, visibility, and user control. Alternative tunnel implementations are not accepted.

## Common questions

**How long does this typically take to fix?**

Typical turnaround is 1-3 days (difficulty: hard). After resubmission, most re-reviews complete within 24-48 hours.

---
*Machine-readable source: https://api.appstorereject.com/api/rejections/detail?slug=guideline-54-legal-vpn-app-not-using-nevpnmanager-api*