WireGuard Configurations Gone After iOS 15 Upgrade

Miguel Arroz miguel.arroz at gmail.com
Wed Sep 22 16:50:29 UTC 2021


  I have two devices upgraded to iOS 15, an iPhone and an iPad. Both had a tunnel configured with on-demand set. The behaviour was the same on both: the tunnel worked, but the app couldn’t show information, the exact way Eddie described. When I click the Edit button, I see all the fields blank, and the peer is gone, just as if I were creating a new configuration from scratch.

  I tried the following on the iPhone:

  - Turned the tunnel off using the switch in the app. As soon as it tried to turn itself on again (due to the on-demand flag), it showed an error and the tunnel could not be brought back up (I don’t remember the exact wording of the error alert).
  - I deleted the tunnel configuration, and created one from scratch. Everything is working now. The tunnel works, and the app can read the configuration. I rebooted the iPhone to make sure it could reload everything afterwards, and it did.

  I still have the iPad in the original state.

  The log is essentially a repetition of the following line: "Unable to open config from keychain: -25300".

  I’m not sure if a local build made by me would help debugging this, as if I recall correctly from the Keychain API, the app group key (kSecAttrAccessGroup) is dependent on the team and bundle IDs (enforced by the code signing and runtime verification process), so I doubt I can build something that will be able to access the keychain that is already there. The only valid test would be building and installing it on iOS 14 and then upgrading to iOS 15, or distributing a beta version using TestFlight using the official team ID.


Miguel Arroz

> On Sep 22, 2021, at 8:23 AM, Eddie <stunnel at attglobal.net> wrote:
> On 9/21/2021 9:50 PM, Jason A. Donenfeld wrote:
>> Hi,
>> I'm not able to reproduce the bug quite yet, but I'd like to get a
>> better idea of what the bug is. Can you confirm that after reimporting
>> configs into iOS 15, they work just fine? And the issue is just in the
>> 14->15 flow? If this is correct, I see two issues:
> I haven't tried re-importing anything yet, in case you needed more information before trying that.
>> 1. Something goes wrong with the keychain from 14->15 and the app
>> loses authorization.
>> 2. When the app can't open a keychain item, it deletes the VPN
>> profile? Or does it just gray it out? If it's deleting it, that's
>> wrong; it ought to just remain disabled until it's readable again.
> If I select one of the tunnels, all I see on the "Edit" page is the status slider and the on demand status.  The section under INTERFACE is completely missing.  Selecting Edit brings up the screen you would see when creating a new tunnel, with all parameters showing (in grey) Required, Automatic, Optional, etc.  There are no values from the original configuration shown.
>> Jason
