[BUG] Specific IPv6 AllowedIPs Values Cause "Go Backend Library" error

[grates_54_doyenne at icloud.com]

Hi folks,

I am writing to inquire about a potential bug.

Description:
Certain IPv6 ranges in the AllowedIPs field trigger the following error when activating a tunnel:
"Activation failure: Unable to turn on Go backend library.”

The issue was first observed in the macOS WireGuard client and later reproduced on iOS.

Root Cause:
When the following IPv6 ranges are added to the config:
fe80:1::/32, fe80:2::/31, fe80:4::/30, fe80:8::/29, fe80:10::/28
The client silently modifies them upon saving, replacing them with:
fe80::%lo0/32, fe80::%gif0/31, fe80::%anpi0/30, fe80::%en1/29, fe80::%awdl0/28
The injected suffixes (%lo0, %en1, etc.) appear to be network interface names, which then cause the Go backend to fail during activation, I guess.

Steps to Reproduce:
    • Create a new tunnel in the macOS or iOS WireGuard client.
    • Add the following to AllowedIPs:
fe80:1::/32, fe80:2::/31, fe80:4::/30, fe80:8::/29, fe80:10::/28
    • Save and activate the tunnel → Error occurs.
    • Reopen the config → Observe the modified IPs.

Environment:
    • OS: macOS 15.5, iOS 18.5
    • WireGuard version: 1.0.16 (both clients)

Notes:
    • The issue appears specific to the GUI clients (macOS/iOS); CLI utilities were not tested.
    • The automatic substitution of fe80:X::/Y with fe80::%<interface>/Y suggests a parsing bug in the config sanitization logic.


Igor