WireGuard Configurations Gone After iOS 15 Upgrade

Jason A. Donenfeld Jason at zx2c4.com
Thu Sep 23 03:09:08 UTC 2021

Hi Miguel,

On Wed, Sep 22, 2021 at 8:54 PM Miguel Arroz <miguel.arroz at gmail.com> wrote:
>   If I understand correctly, this ends up being "group.$(APP_ID_IOS)”. I’m a bit surprised this doesn’t need the Team ID before “group”, as it definitely needs that in macOS.

Indeed it's prefixed with the team on macOS, but IIRC that never worked on iOS.

>   - The openReference() function, because it’s not setting the same kSecAttrAccessGroup parameter when reading. The documentation mentions what happens when it’s not set (https://developer.apple.com/documentation/security/ksecattraccessgroup), I wonder if that changed (intentionally or due to a bug in iOS 15):
> > If you don’t explicitly set a group, keychain services defaults to the app’s first access group, which is either the first keychain access group, or the app ID when the app has no keychain groups.

For setting, but for reading/updating, that page says:

> By default, the SecItemUpdate, SecItemDelete, and SecItemCopyMatching
> methods search all the app’s access groups. Add the kSecAttrAccessGroup
> attribute to the query to limit the search to a particular group.

So in theory, it should be fine to omit that in openReference().
Adding it in there also doesn't cause any changes, unfortunately.

>   None of these explain why the tunnel keeps working after upgrading to iOS 15 (if the on-demand flag is set

Oh, I didn't realize that was happening. Are you *sure* about that? Is
the tunnel actually working? Or is it on, but crashing? When I go to
enable the tunnel from the system preferences view of it, it starts
and then stops, indicating the network extension couldn't open the
keychain ref either. And in the log, I see the [NET] process indeed
failing in the same spot as the [APP] process.


More information about the WireGuard mailing list