WireGuard is broken on iOS 15 beta

Andrej Mihajlov and at mullvad.net
Fri Jun 11 08:42:14 UTC 2021


My bad, you’re right regarding the Personal VPN.

I just ran your patch and it works great. As David pointed out, the call to valueForKeyPath should be guarded because it throws an exception if the given key path does not exist. I use the availability check to brute-force utun on iOS 15, macOS 12 and onwards while keeping the key-value coding approach on older iOS and macOS, as we know that it works great on iOS < 15 and macOS < 12. Just ran the app on macOS 11.4 and it’s still working and using the old code path.

I took the liberty of refactoring the proposed solution (see: https://git.zx2c4.com/wireguard-apple/commit/?id=a7ccc8e3031f3502ea4b53a914d37589186e40f8)


> On 11 Jun 2021, at 09:53, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On 6/11/21, Andrej Mihajlov <and at mullvad.net> wrote:
>> IIRC one thing to consider with that lookup: iOS enables users to run
>> Personal VPN and Custom VPN (aka WireGuard) side-by-side so there is a
>> chance you may pick the wrong utun.
> That doesn't make any sense. File descriptors are not OS-global;
> they're process-local. That's how Unix FDs have worked since forever.
> Unless you're suggesting "personal VPN" is somehow resident in the
> same network extension process as WireGuard's "custom VPN"?
> By the way, did the experiment in your branch work? I'd prefer a
> direct route to brute forcing FDs, if possible. But if not, seems like
> my kludge might ultimately do the trick.
