Senior Software Engineer - C++/Swift (contractor)
System One Holdings, LLC
About the role
Engagement Summary
Contract role to design and build the OpenVPN 3 tunnel adapter for an iOS VPN application. You will own a self-contained Objective-C++ module that wraps the OpenVPN 3 C++ client library and integrates it with Apple's Network Extension framework. The surrounding Swift application, design, product, project management, QA, and client coordination are handled by other members of the project team. Your work is deliberately bound to the adapter: you write C++ and Objective-C++, the rest of the team handles everything else, and the integration point is a single Objective-C delegate header that you define and document.
About the Project
We are building a production iOS VPN application using the open-source OpenVPN 3 C++ client library as the tunneling engine. The application is managed via MDM and uses per-app VPN configuration to route traffic from designated managed apps (Microsoft Edge, Google Chrome) through the tunnel.
The iOS Network Extension environment is notoriously constrained: the tunnel runs inside a sandboxed extension process with a 50 MB memory ceiling on iOS 17 (our minimum deployment target), limited debugging support, and tight platform rules. Earlier iOS versions imposed a much tighter 15 MB ceiling; iOS 17 relaxed it, which removes the most aggressive memory pressure but still requires disciplined buffer management and allocation hygiene. Getting OpenVPN 3 to run correctly inside that environment is the core challenge and is what we are hiring for.
Your Role
You will be the sole engineer responsible for the adapter module. Specifically, you will:
- Cross-compile OpenVPN 3 and its dependencies (mbedTLS, standalone ASIO, LZ4) for iOS arm64, including both device and simulator targets
- Subclass OpenVPNClient from the OpenVPN 3 client API and implement the TunBuilder interface (tunnel configuration, routes, DNS, MTU, gateway, dual-stack IPv4 and IPv6)
- Implement the bidirectional packet I/O loop between NEPacketTunnelFlow and OpenVPN 3's encryption pipeline. The adapter owns this loop internally; the Swift side never sees individual packets.
- Validate and tune OpenVPN 3's built-in ASIO transport inside the Network Extension sandbox, including network-transition handling (WiFi to cellular, airplane mode, path changes) and dual-stack edge cases
- Ensure thread safety across ASIO's event loop, NEPacketTunnelFlow completion handlers, and delegate dispatching back to Swift
- Optimize allocations to stay within the 50 MB Network Extension memory ceiling on iOS 17 through buffer pooling, bounded queues, lazy initialization, and allocation profiling with Instruments
- Contain all C++ exceptions at the adapter boundary and translate errors to the Swift-facing delegate protocol
- Implement the connection lifecycle (connect, disconnect, pause, resume) and accurate byte-count statistics
- Emit structured logs that the Swift container app can surface to the user and bundle for diagnostics
- Expose a narrow Objective-C delegate header that the Swift Network Extension target imports via a standard Xcode bridging header. You define this interface; the Swift side of the project team implements the delegate methods.
During the retainer and QA bug fix phase (project weeks 9 through 14), you will also:
- Write unit and integration test scaffolding for the adapter module, primarily landing during the tail end of the primary phase and refined as QA surfaces gaps
- Profile memory usage under sustained load with Instruments and address any issues the profiling surfaces, including packet bursts and extended connection durations
- Fix bugs and iterate through the stabilization phase alongside the rest of the project team. Retainer hours ramp with QA activity: lighter load during weeks 9 and 10 while the Swift developers finish integration, heavier during weeks 11 through 14 when QA hits the adapter with network transition tests (WiFi to cellular to airplane), captive portal handling, and memory profiling
- Remain available for synchronous pairing sessions when QA finds race conditions, packet I/O edge cases, or thread-safety issues that require your context to diagnose efficiently
Required Skills
- Strong modern C++ (C++17, which is the pinned dialect for this project): comfortable with templates, the STL, RAII, smart pointers, concurrency primitives, and exception-safe design
- Shipped at least one iOS framework, library, or app that integrates a C++ codebase. You have seen an Xcode project with mixed .cpp, .hpp, .mm, and .h files and understand how they link together.
- Comfortable with Objective-C++ (.mm) or willing to pick it up quickly. If you know C++ and can read Objective-C message-send syntax, you can write .mm productively within a day or two.
- Xcode build system proficiency: cross-compilation targets, static library linking, framework packaging, build settings for C++ standard and ARC
- Familiarity with Apple's Automatic Reference Counting (ARC) and how it interacts with C++ object lifetimes inside .mm files
- Debugging experience in constrained environments: iOS app extensions, embedded systems, browser sandboxes, or similar places where standard debugging tools are limited
Highly Valued (Not Required)
- Direct experience with the OpenVPN 3 client library, or with other C++ VPN or tunneling libraries (WireGuard, strongSwan, OpenConnect)
- Hands-on work with Apple's Network Extension framework, particularly NEPacketTunnelProvider and NEPacketTunnelFlow
- Experience cross-compiling C++ dependencies for iOS arm64 (mbedTLS, OpenSSL, Boost, ASIO, FFmpeg, OpenCV, or similar)
- Prior work on iOS VPN, network security, packet processing, or protocol implementation products
- Familiarity with ASIO (standalone or Boost.Asio) and its event loop model
- Knowledge of the OpenVPN protocol (control channel, data channel, TLS handshake, push/pull options)
Company Information
System One, and its subsidiaries including Joulé and Mountain Ltd., are leaders in delivering outsourced services and workforce solutions across North America. We help clients get work done more efficiently and economically, without compromising quality. System One not only serves as a valued partner for our clients, but we offer eligible employees health and welfare benefits coverage options including medical, dental, vision, spending accounts, life insurance, voluntary plans, as well as participation in a 401(k) plan.
System One is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity, age, national origin, disability, family care or medical leave status, genetic information, veteran status, marital status, or any other characteristic protected by applicable federal, state, or local law.
#M-2
Ref: #856-Baltimore-S1