UAPI socket for the macOS sandboxed Wireguard app

Jan Noha nohajc at gmail.com
Sat Oct 7 22:47:20 UTC 2023


Hello,

I want to submit a series of patches concerning Wireguard on macOS.

If it's ok, I will just link to a github PR which links to three other
PRs (in wireguard-apple, wireguard-go and wireguard-tools).

https://github.com/WireGuard/wgctrl-go/pull/143

Let me explain what this is about. I've been trying to automate
Wireguard tunnel configuration for some P2P use cases and I wanted to
use wgctrl-go library for the task.

This already works fine on Linux and Windows. On macOS, it's a bit
more complicated. If you only use the CLI for creating tun interfaces
(using wireguard from Homebrew, for example), it also works.
Specifically, wgctrl-go communicates with the wireguard user-space
daemon via a unix domain socket located in /var/run/wireguard/ (this
is referred to as UAPI in the code).

However, if you want to use Wireguard from the App Store - which has
some other advantages besides the UI (such as on-demand VPN and
generally nice OS integration) - it comes as a sandboxed Network
Extension. Currently, it does not expose any UAPI socket, so wgctrl-go
cannot be used to configure it.

The socket can be opened, except it has to be inside the sandbox home
directory. There is no problem connecting to it from "outside" using
CLI tools which are not sandboxed themselves.

That's basically what I did here. Changes were needed in
wireguard-apple and wireguard-go to open the socket in a
macOS-specific location, then I updated wgctrl-go and wireguard-tools
(so that wg commands work too) to look for UAPI sockets in both the
sandbox location and the default one.

If you're interested in discussing this topic further, I'll look
forward to any feedback.

Thank you,
Jan Noha
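Added example, not code from the message or from any of the linked PRs: a small Go client that probes both UAPI socket locations the message describes (the sandbox location first, then the default /var/run/wireguard/), maps each `<iface>.sock` entry to an interface name the way wg(8) does, and parses the reply to a UAPI `get=1` request. The exact sandbox container path is not given in the message, so `SandboxedUAPIDir` is a labelled placeholder; `SampleResponse` is a constructed reply with an all-zero key, used only so the parser can be exercised offline.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// DefaultUAPIDir is the location the message gives for UAPI sockets
// created by the command-line wireguard-go daemon on macOS.
const DefaultUAPIDir = "/var/run/wireguard"

// SandboxedUAPIDir is a PLACEHOLDER (assumption): the message says the
// Network Extension can only open the socket inside its sandbox home
// directory but does not state the path, so substitute the real one.
const SandboxedUAPIDir = "Library/Containers/PLACEHOLDER.network-extension/Data"

// SampleResponse is a constructed UAPI "get=1" reply (zero key, example
// endpoint) used to exercise ParseUAPIResponse without a daemon.
const SampleResponse = "listen_port=51820\n" +
	"public_key=0000000000000000000000000000000000000000000000000000000000000000\n" +
	"endpoint=203.0.113.5:51820\n" +
	"errno=0\n\n"

// CandidateUAPIDirs returns the directories to probe, sandbox location
// (relative to the user's home) first, then the default location.
func CandidateUAPIDirs(home string) []string {
	return []string{filepath.Join(home, SandboxedUAPIDir), DefaultUAPIDir}
}

// FindUAPISockets maps interface name -> socket path for every *.sock
// entry in dirs. Missing directories are skipped; the first directory
// that contains a given interface wins, so the sandbox copy takes priority.
func FindUAPISockets(dirs []string) (map[string]string, error) {
	found := map[string]string{}
	for _, dir := range dirs {
		entries, err := os.ReadDir(dir)
		if errors.Is(err, os.ErrNotExist) {
			continue
		}
		if err != nil {
			return nil, err
		}
		for _, e := range entries {
			name := e.Name()
			if !strings.HasSuffix(name, ".sock") {
				continue
			}
			iface := strings.TrimSuffix(name, ".sock")
			if _, dup := found[iface]; !dup {
				found[iface] = filepath.Join(dir, name)
			}
		}
	}
	return found, nil
}

// KV is one "key=value" line of a UAPI reply (keys such as public_key repeat
// once per peer, so the result is an ordered slice rather than a map).
type KV struct{ Key, Value string }

// ParseUAPIResponse reads key=value lines up to the terminating blank line
// and requires a trailing "errno=0"; any other errno is returned as an error.
func ParseUAPIResponse(r io.Reader) ([]KV, error) {
	sc := bufio.NewScanner(r)
	var out []KV
	errno := ""
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			break
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed UAPI line %q", line)
		}
		if k == "errno" {
			errno = v
			continue
		}
		out = append(out, KV{k, v})
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if errno == "" {
		return nil, errors.New("UAPI reply missing errno")
	}
	if errno != "0" {
		return nil, fmt.Errorf("UAPI errno=%s", errno)
	}
	return out, nil
}

// QueryUAPI dials one socket, sends the "get=1" request and parses the reply.
func QueryUAPI(sockPath string) ([]KV, error) {
	conn, err := net.DialTimeout("unix", sockPath, 2*time.Second)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	if _, err := io.WriteString(conn, "get=1\n\n"); err != nil {
		return nil, err
	}
	return ParseUAPIResponse(conn)
}

func main() {
	home, _ := os.UserHomeDir()
	socks, err := FindUAPISockets(CandidateUAPIDirs(home))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for iface, path := range socks {
		kvs, err := QueryUAPI(path)
		fmt.Printf("%s (%s): %d settings, err=%v\n", iface, path, len(kvs), err)
	}
}
```

Because the lookup stops at the first directory that contains a given interface name, a client that adopts this order trusts the sandbox container over /var/run/wireguard/; which location should win is a policy decision for the patched tools, and the message does not say which order they use.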
