WireGuard is broken on iOS 15 beta

Andrej Mihajlov and at mullvad.net
Wed Jun 16 13:25:47 UTC 2021


It was less about performance and more about security. Just wanted to share some good news!

A little bit of background story:

There was an article a little while ago that highlighted a traffic leak, where connections established before the VPN would continue going through the primary interface outside of the tunnel:
https://protonvpn.com/blog/apple-ios-vulnerability-disclosure/

Then at some point around iOS 14.2, Apple introduced a kill-switch to address that issue (via a VPN configuration flag).

However, it never really worked with WireGuard, as the tunnel would always fail to establish a connection with peers. There is a thread on the Apple forums with some Apple engineers trying to figure out what's going on:
https://developer.apple.com/forums/thread/653116


Now, it's too early to say, but I just ran WireGuard with the kill switch enabled on iOS 15 beta and the tunnel is magically up and running, whereas it was still broken on iOS 14.3. I am going to test it on iOS 14.4 today too. So it looks like Apple did something to fix their SDK to make the kill switch work.

A potential low-effort improvement for WG; in practice it looks like this:

import NetworkExtension

let protocolConfig = NETunnelProviderProtocol()
if #available(iOS 15.0, *) {
    protocolConfig.includeAllNetworks = true   // kill-switch: route everything through the tunnel, drop traffic when it is down
    protocolConfig.excludeLocalNetworks = true // enable LAN networking: keep local-network traffic outside the tunnel
}

Cheers,
Andrej

> On 10 Jun 2021, at 13:51, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> 
> Patches with a proper performance comparison of the two techniques in
> the description would be appreciated.
> 
> Thanks,
> Jason

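The flags above only take effect once they are stored in a saved tunnel configuration. The following is an added example (not code from Andrej's message or from the WireGuard project) showing the full flow: load the existing NETunnelProviderManager (or create one), attach a NETunnelProviderProtocol with the kill-switch flags, save it, and read the flags back so the app can confirm the kill switch is actually enforced. The bundle identifier, server address and description strings are placeholders.

```swift
import NetworkExtension

// Added example, not from the original post. Builds a tunnel configuration
// with includeAllNetworks (kill switch) and excludeLocalNetworks (LAN access)
// and saves it to the system VPN preferences.
func installKillSwitchTunnel(completion: @escaping (Error?) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }
        // Reuse an existing configuration instead of creating duplicates.
        let manager = managers?.first ?? NETunnelProviderManager()

        let protocolConfig = NETunnelProviderProtocol()
        // Placeholders: replace with the app's packet tunnel extension bundle id
        // and the endpoint shown to the user in Settings.
        protocolConfig.providerBundleIdentifier = "com.example.app.network-extension"
        protocolConfig.serverAddress = "vpn.example.invalid"

        if #available(iOS 15.0, *) {
            // Kill switch: all traffic, including connections opened before the
            // tunnel came up, goes through the tunnel; if the tunnel is down the
            // traffic is dropped instead of leaking via the primary interface.
            protocolConfig.includeAllNetworks = true
            // Keep traffic to the local network (printers, discovery) off the tunnel.
            protocolConfig.excludeLocalNetworks = true
        }

        manager.protocolConfiguration = protocolConfig
        manager.localizedDescription = "WireGuard (kill switch)" // placeholder label
        manager.isEnabled = true

        manager.saveToPreferences { saveError in
            completion(saveError)
        }
    }
}

// Read the flags back from a saved configuration so the app can show the user
// whether the kill switch is really active rather than assuming it is.
func killSwitchState(of manager: NETunnelProviderManager) -> (killSwitch: Bool, lanAllowed: Bool) {
    guard let config = manager.protocolConfiguration as? NETunnelProviderProtocol else {
        return (false, false)
    }
    if #available(iOS 15.0, *) {
        return (config.includeAllNetworks, config.excludeLocalNetworks)
    }
    return (false, false)
}
```

The read-back helper is there because saveToPreferences succeeding only means the profile was stored; surfacing the stored flag values (and whether the tunnel actually connects with them, which is what the post reports changed in iOS 15) is what tells a user the leak described in the ProtonVPN write-up is closed.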