UAPI socket for the macOS sandboxed Wireguard app

z dzm at unexpl0.red
Thu Nov 23 14:32:17 UTC 2023


Would like to see this reviewed, as it appears to accomplish #4 on the macOS TODO list[0].

I know Jason hasn't gotten a chance to review yet, as he says in the wgctrl-go PR. If we need extra review bandwidth, I can do some testing if desired.

-dzm

[0]: https://docs.google.com/document/d/1BnzImOF8CkungFnuRlWhnEpY2OmEHSckat62aZ6LYGY/edit

On Sat, Oct 7, 2023, at 10:46 PM, Jan Noha wrote:
> Hello,
>
> I want to submit a series of patches concerning Wireguard on macOS.
>
> If it's ok, I will just link to a github PR which links to three other
> PRs (in wireguard-apple, wireguard-go and wireguard-tools).
>
> https://github.com/WireGuard/wgctrl-go/pull/143
>
> Let me explain what this is about. I've been trying to automate
> Wireguard tunnel configuration for some P2P use cases and I wanted to
> use wgctrl-go library for the task.
>
> This already works fine on Linux and Windows. On macOS, it's a bit
> more complicated. If you only use CLI for creating tun interfaces
> (using wireguard from homebrew for example), it also works.
> Specifically, wgctrl-go communicates with the wireguard user-space
> daemon via a unix domain socket located in /var/run/wireguard/ (this
> is referred to as UAPI in the code).
>
> However, if you want to use Wireguard from the App Store - which has
> some other advantages besides the UI (such as on-demand VPN and
> generally nice OS integration) - it comes as a sandboxed Network
> Extension. Currently, it does not expose any UAPI socket, so wgctrl-go
> cannot be used to configure it.
>
> The socket can be opened except it has to be inside the sandbox home
> directory. There is no problem connecting to it from "outside" using
> cli tools which are not sandboxed themselves.
>
> That's basically what I did here. Changes were needed in
> wireguard-apple and wireguard-go to open the socket in a
> macOS-specific location, then I updated wgctrl-go and wireguard-tools
> (so that wg commands work too) to look for UAPI sockets in both the
> sandbox location and the default one.
>
> If you're interested in discussing this topic further, I'll look
> forward to any feedback.
>
> Thank you,
> Jan Noha
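
Added example, not code from this thread or from the WireGuard projects: the lookup-then-query flow that wgctrl-go and wg perform against a UAPI socket, written in Go with only the standard library so it runs without wgctrl-go installed. The request and reply framing follows the cross-platform UAPI description (https://www.wireguard.com/xplatform/): the client sends "get=1" followed by a blank line, the daemon answers with key=value lines and a final errno line, then a blank line. Assumptions are labelled in the code: the sandbox socket directory is a parameter because the thread does not give its exact path (a temporary directory stands in for it), the reply is constructed filler, and ServeFakeUAPI is a stand-in for wireguard-go so the program runs offline.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// KV is one key=value line of a UAPI reply; keys are hex-encoded on the wire.
type KV struct{ Key, Value string }

// FindUAPISocket returns the first <iface>.sock present in dirs, checked in order.
func FindUAPISocket(iface string, dirs []string) (string, error) {
	for _, d := range dirs {
		p := filepath.Join(d, iface+".sock")
		if fi, err := os.Stat(p); err == nil && fi.Mode()&os.ModeSocket != 0 {
			return p, nil
		}
	}
	return "", fmt.Errorf("no UAPI socket for %q in %v", iface, dirs)
}

// ReadUAPIReply reads key=value lines up to the blank line that ends a reply
// and requires the final line to be errno=0; anything else is a failed request.
func ReadUAPIReply(r io.Reader) ([]KV, error) {
	var kvs []KV
	sc := bufio.NewScanner(r)
	for sc.Scan() && sc.Text() != "" {
		k, v, ok := strings.Cut(sc.Text(), "=")
		if !ok {
			return nil, fmt.Errorf("malformed UAPI line %q", sc.Text())
		}
		kvs = append(kvs, KV{k, v})
	}
	if err := sc.Err(); err != nil {
		return nil, fmt.Errorf("reading UAPI reply: %w", err)
	}
	if n := len(kvs); n == 0 || kvs[n-1] != (KV{"errno", "0"}) {
		return nil, fmt.Errorf("UAPI reply did not end with errno=0: %v", kvs)
	}
	return kvs, nil
}

// GetUAPI connects to sockPath, sends the "get=1" request and returns the
// parsed reply. Each public_key line in the result starts a new peer section.
func GetUAPI(sockPath string) ([]KV, error) {
	c, err := net.Dial("unix", sockPath)
	if err != nil {
		return nil, err
	}
	defer c.Close()
	if _, err := c.Write([]byte("get=1\n\n")); err != nil {
		return nil, err
	}
	return ReadUAPIReply(c)
}

// SampleReply is a constructed reply; the key material is filler, not real keys.
var SampleReply = "private_key=" + strings.Repeat("11", 32) + "\nlisten_port=51820\n" +
	"public_key=" + strings.Repeat("22", 32) + "\nendpoint=203.0.113.7:51820\n" +
	"allowed_ip=10.0.0.2/32\nallowed_ip=fd00::2/128\nrx_bytes=1024\nerrno=0\n\n"

// ServeFakeUAPI stands in for the daemon so the example runs offline: it
// answers one connection with reply after reading the request's blank line.
func ServeFakeUAPI(sockPath, reply string) (net.Listener, error) {
	ln, err := net.Listen("unix", sockPath)
	if err != nil {
		return nil, err
	}
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		sc := bufio.NewScanner(c)
		for sc.Scan() && sc.Text() != "" {
		}
		c.Write([]byte(reply))
	}()
	return ln, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "uapi-demo") // assumption: stands in for the app's sandbox home
	defer os.RemoveAll(dir)
	ln, err := ServeFakeUAPI(filepath.Join(dir, "wg0.sock"), SampleReply)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	// Default location from the thread first, sandbox location second.
	p, err := FindUAPISocket("wg0", []string{"/var/run/wireguard", dir})
	if err != nil {
		panic(err)
	}
	kvs, err := GetUAPI(p)
	fmt.Println(p, kvs, err)
}
```

The socket is searched by name in each candidate directory and the first one that is actually a socket wins, so a stale regular file left behind in /var/run/wireguard does not shadow the sandboxed app's socket. ReadUAPIReply treats a missing or non-zero errno as a failure rather than returning a partial device, which is the check a caller wants before acting on the key and peer lines.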

