Guideline 5.4

Guideline 5.4 - Legal: VPN App Not Using NEVPNManager API

High RiskHardTypical Fix: 1-3 days0 Reports
Also known as:VPN app does not use NEVPNManager APIVPN functionality implemented without Network Extension frameworkApp uses proxy or DNS redirection instead of NEVPNManagerCustom VPN tunnel implementation not using Apple's approved APIsApp installs VPN configuration profiles directly

Our Take

Apple is rejecting your VPN app because it implements VPN-like functionality without using the Network Extension framework and NEVPNManager API. Under guideline 5.4, all VPN apps must use Apple's official NEVPNManager API — apps that achieve VPN behavior through alternative technical means (proxy configuration profiles, DNS-over-HTTPS redirection, SOCKS proxy clients, custom socket tunneling, or system-level configuration profile installation) will be rejected. This rejection is technical in nature and requires a significant code change. Apple mandates NEVPNManager because it provides system-level VPN integration that users can see and control in iOS Settings, gives Apple visibility into how the VPN operates, and ensures the VPN follows Apple's sandboxing and security requirements. The Network Extension framework requires a special entitlement that must be requested from Apple separately. The turnaround for entitlement approval is typically 1-5 business days. You'll need to implement a Packet Tunnel Provider (NEPacketTunnelProvider) as a separate app extension target in your Xcode project.

Resolution Guide

01

**Request Network Extension entitlement** — Submit an entitlement request to Apple via developer.apple.com. This is a prerequisite — you cannot use NEVPNManager without it. Typical approval: 1-5 business days.


02

**Create a Packet Tunnel Provider extension** — Add a new Network Extension target to your Xcode project. Implement `NEPacketTunnelProvider` as your tunnel provider subclass.


03

**Implement NEVPNManager configuration** — Use `NEVPNManager` to configure the VPN connection. Set up the `NETunnelProviderProtocol` with your server addresses, authentication credentials, and tunnel configuration.


04

**Remove alternative implementations** — Remove any custom proxy configurations, DNS redirection code, SOCKS client implementations, or configuration profile installation code.


05

**Test system-level integration** — Verify the VPN appears in iOS Settings > VPN when active, can be toggled from Settings, and shows the VPN status bar indicator.


06

**Add the entitlement to your provisioning profile** — Ensure both the main app target and the Network Extension target have the com.apple.developer.networking.networkextension entitlement.

Prevention

  • Always use NEVPNManager for VPN functionality from the start
  • Request the Network Extension entitlement early in development
  • Don't attempt to build VPN-like features using workarounds
  • Example Rejection Email

    From:Apple App Review Team
    Subject:Guideline 5.4 - Legal: VPN App Not Using NEVPNManager AP
    Guideline 5.4 - Legal - VPN Apps Your app provides VPN-like functionality but does not use the NEVPNManager API as required. Specifically, your app implements a virtual private network or proxy using [custom socket connections/configuration profiles/DNS redirection/proxy settings] instead of the Network Extension framework's NEVPNManager API. Next Steps: Please update your app to use the NEVPNManager API (Network Extension framework) for all VPN functionality. You may need to request the Network Extension entitlement from Apple if you have not already done so. For more information, see the Network Extension documentation: https://developer.apple.com/documentation/networkextension

    Before & After

    Before — Rejected

    App establishes VPN tunnel by configuring SOCKS5 proxy settings and routing DNS queries through a custom DoH resolver; no Network Extension target in the Xcode project

    After — Approved

    App uses NEPacketTunnelProvider extension with NEVPNManager configuration; VPN appears in iOS Settings; VPN status bar indicator shows when connected; SOCKS5 and DNS code removed

    What changed: Apple requires NEVPNManager for system-level VPN integration, visibility, and user control. Alternative tunnel implementations are not accepted.

    Community Solutions · 0

    Sign in to share your solution.

    More Guideline 5 (Legal) rejections

    View all Guideline 5 rejections