
WireGuard for MacOS - helper
https://lists.zx2c4.com/pipermail/wireguard/2019-February/003853.html
======
KenanSulayman
I had been using wireguard-go (macports) on the Mac for a few months now and
I'm simply amazed by the performance. Also using it on my phone. Weirdly
enough when it's on my connection is more stable, probably because it bypasses
the traffic shaping by my ISP through its UDP use.

I couldn't find any information on whether or not this uses wireguard-go
internally? Or maybe even the Rust implementation?

p.s. the snow on [https://data.zx2c4.com/wireguard-for-macos-screenshots-february-2019/](https://data.zx2c4.com/wireguard-for-macos-screenshots-february-2019/) is pretty hilarious

~~~
qalmakka
There is no native XNU kext or BSD module AFAIK, so I guess it must be using the
Go implementation underneath.

~~~
loeg
There is a WIP (Net)BSD wireguard implementation, but that's a long way from
something you could just use on MacOS, and the developers are unaffiliated
with zx2c4.

[https://github.com/ozaki-r/netbsd-src/tree/wireguard](https://github.com/ozaki-r/netbsd-src/tree/wireguard)

~~~
zx2c4
There's also a WIP OpenBSD port in progress. Over the next week or so I've got
some plans to try to start working more closely with these developers and make
sure the BSD kernel ports are first party supported implementations.

~~~
gonzo
If you don’t know of any efforts to make this available on FreeBSD, I’m
interested in doing so. If you do: I’m willing to help. One end-goal is to
subsequently enable pfsense.

------
adamfeldman
I've had a great experience deploying Wireguard using Streisand [1]. I'm
excited to migrate to this GUI client, instead of using `wg-quick` in the
macOS terminal.

With Streisand, I only needed to choose some options and input a few
credentials. 20 minutes later, Streisand had created a locked-down, self-
updating box dedicated to hosting nothing but Wireguard. I deployed to a
$5/month Digital Ocean droplet.

[1]:
[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

Streisand previously on HN:
[https://news.ycombinator.com/item?id=18903780](https://news.ycombinator.com/item?id=18903780),
[https://news.ycombinator.com/item?id=8082444](https://news.ycombinator.com/item?id=8082444)

~~~
nsomaru
AFAIK all software on Streisand does not auto update, so you need to redeploy
periodically (and the repo hasn't been updated in a while; the main author has
little time for it anymore), which isn't great if you've shared certs with
non-technical users.

~~~
adamfeldman
Further detail for the curious:

Recent enhancements to Streisand include automatic updates for Wireguard:
[https://github.com/StreisandEffect/streisand/issues/513#issu...](https://github.com/StreisandEffect/streisand/issues/513#issuecomment-431588195).

Streisand automatically installs Ubuntu security and other updates using the
"unattended-upgrades" package:
[https://help.ubuntu.com/community/AutomaticSecurityUpdates](https://help.ubuntu.com/community/AutomaticSecurityUpdates).

Streisand's unattended-upgrades config:
[https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/common/templates/50unattended-upgrades.j2](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/common/templates/50unattended-upgrades.j2)

~~~
nsomaru
Streisand installs around 70 different services. If all of them are not
patched there’s a good chance your box becomes vulnerable over time. Remember,
you’re piping all your internet traffic through this box.

~~~
sascha_sl
It's modular if you enter the extended configuration; the poster above mentioned
it runs "nothing but wireguard".

------
morpheuskafka
I'm excited to hear that they are making a new TUN infrastructure for Windows.
After the website redesign, OpenVPN doesn't even ship builds of Windows-TAP
anymore and it is quite a pain to build, plus you have to sign it yourself.
One of my current projects will need a TUN and we've decided to make it Linux
only because it's just too much work to support Windows. There is a new VPN
provider API only accessible to UWP apps, but there is literally zero
documentation or examples beyond the auto generated .NET API docs.

~~~
zx2c4
Indeed we looked into UWP and got something sort of working there, but it's
super new, undocumented, and has a lot of limitations that wouldn't have
worked well for WireGuard, like roaming. Actually when we asked Microsoft for
documentation and improvements, they asked us to sign an NDA, which obviously
doesn't fly for an open source project. Plus, we'd then leave Windows 7 users
in the cold, which AFAIK, is still an important target for enterprise.

~~~
hug
Not speaking to the NDA issue, which is gross, but just to the Windows 7 users
issue:

Windows 7 is currently under extended support (i.e.: critical security updates
only) and that extended support ends as of January 2020. In other words:
Standard end users have 11 months to migrate away from Windows 7 entirely.

There is a horrifically expensive option to purchase even further extended
support from Microsoft, which a few large companies may do.

~~~
miles
> There is a horrifically expensive option to purchase even further extended
> support from Microsoft, which a few large companies may do.

It's actually not that expensive[0]:

" _Year one (January 2020 to 2021), that add-on will cost $25 per device for
that set of users. Year two (January 2021 to 2022) that price goes up to $50
per device. And Year three (January 2022 to January 2023) it goes up to $100
per device._ "

And while this requires a volume license agreement[1]:

" _Windows 7 ESUs will be available to all Windows 7 Professional and Windows
7 Enterprise customers in Volume Licensing, with a discount to customers with
Windows software assurance, Windows 10 Enterprise or Windows 10 Education
subscriptions._ "

it is not difficult or expensive to acquire[2]:

" _While five licenses are required to enter into a new VL agreement, they
need not all be for LTSC. According to a rep I spoke with at a Microsoft
Partner, this combination would work as an upgrade from a Windows OEM license
(i.e., it would allow a user who bought a PC with Windows 10 preinstalled to
run Windows 10 LTSC instead): 1x Windows 10 Enterprise LTSC 2019 Single
Upgrade Open Business $269.04 & 4x Microsoft Identity Manager - 1 User CAL -
Open Business $7.81_"

[0] [https://www.zdnet.com/article/how-much-will-staying-patched-on-windows-7-cost-you-heres-the-price-list/](https://www.zdnet.com/article/how-much-will-staying-patched-on-windows-7-cost-you-heres-the-price-list/)

[1] [https://www.microsoft.com/en-us/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/](https://www.microsoft.com/en-us/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/)

[2]
[https://tinyapps.org/blog/windows/201811300700_windows_10_lt...](https://tinyapps.org/blog/windows/201811300700_windows_10_ltsc.html)

~~~
microcolonel
> _It's actually not that expensive_

> _it is not difficult or expensive to acquire_

For reference, these options are more than the replacement cost of many
business PCs. I'd say that's pretty expensive.

And especially when you note that loss of support is often the _only_ reason
they have to change, it starts seeming a bit unreasonable.

~~~
morpheuskafka
There are a lot of big companies with ThinkPad P-series mobile workstations on
7 that would cost quite a bit to replace. And the main concern isn't the cost
of replacing vs. licensing, but of updating line-of-business workflows, custom
apps, and user knowledge.

------
dombili
It works great. As a user, I love that it's being distributed via the Mac App
Store. The one and only nitpick I have is the lack of bulk import support of
the config files, but that's something I can live without.

I'm looking forward to the Windows version. Thank you for taking the long and
careful route with it.

~~~
zx2c4
You can bulk import by selecting a .zip archive of files, actually. But
perhaps we can make the open file dialog multiselect. Good idea. I added it to
the TODO list here:
[https://docs.google.com/document/d/1BnzImOF8CkungFnuRlWhnEpY...](https://docs.google.com/document/d/1BnzImOF8CkungFnuRlWhnEpY2OmEHSckat62aZ6LYGY)

~~~
dombili
Oh, I didn't know that. ZIP import solves the issue for me, but I'm glad
you've got the multi-select feature on your to-do list.

------
vinay_ys
Jason, thank you for Wireguard. It is just awesome!

Which hosting provider is recommended for running your own WireGuard server? I
have tried various cloud providers (Digital Ocean, Google, AWS, etc.) and
noticed that Apple ID and the App Store do not work when traffic exits via these
cloud instances. Has anyone else faced this issue? Any solutions?

~~~
pyt
I've been running a VPN (currently WireGuard, previously StrongSwan) on a VPS
through [https://www.vultr.com/](https://www.vultr.com/) for a little over a
year now and have had no issues with the App Store. Signed-out Google Search,
however, is a different story...

~~~
out_of_protocol
Do you know any good guides on configuring a server to act as a VPN/proxy
(routing mostly)? Regular WireGuard articles don't cover this use case at all,
assuming the reader knows everything beforehand.

~~~
0x38B
I just set up Wireguard on a VPS.

I followed the installation instructions at
[https://www.wireguard.com/install/](https://www.wireguard.com/install/)

For VPN setup, the Arch Wiki is a great reference:
[https://wiki.archlinux.org/index.php/WireGuard#Specific_use-case:_VPN_server](https://wiki.archlinux.org/index.php/WireGuard#Specific_use-case:_VPN_server)

I also set up Unbound + Stubby with DNS-over-TLS.

For what it's worth, the RELATED, ESTABLISHED rule in FORWARD is a bad thing
to forget; I was getting all sorts of interesting ICMP timeout errors because
I didn't have it. New connections from clients were allowed, but I didn't have
a rule to allow related and established, which made some things work, but
mostly not.
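
Added here as an example (not code from the comment above or from the WireGuard project): PostUp/PostDown firewall commands for a Linux WireGuard server that include the RELATED,ESTABLISHED rule the comment describes, plus a small check that flags an iptables-save dump which lacks it. The names wg0, eth0 and 10.0.0.0/24 are assumptions, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not from the comment or the WireGuard project.
# Assumed names: wg0 = WireGuard interface, eth0 = uplink, 10.0.0.0/24 = tunnel range.
WG_IF=wg0
OUT_IF=eth0
WG_NET=10.0.0.0/24

# Print the iptables commands for the server's [Interface] section.
# Call with -A for PostUp and -D for PostDown; join the lines with ';' in wg0.conf.
# The conntrack rule is the one the comment warns about: without it, client
# connections leave the tunnel fine but their replies are dropped in FORWARD.
forward_rules() {
    action=$1
    cat <<EOF
iptables $action FORWARD -i $WG_IF -s $WG_NET -o $OUT_IF -j ACCEPT
iptables $action FORWARD -i $OUT_IF -o $WG_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat $action POSTROUTING -s $WG_NET -o $OUT_IF -j MASQUERADE
EOF
}

# Audit helper: reads an iptables-save dump on stdin and succeeds (exit 0)
# only if FORWARD accepts RELATED,ESTABLISHED traffic (old -m state syntax too).
has_conntrack_forward() {
    grep -E '^-A FORWARD .*--(ct)?state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT' >/dev/null
}

# Constructed sample dump of a server that only has the client->uplink rule,
# i.e. the broken state described in the comment.
SAMPLE_MISSING='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -s 10.0.0.0/24 -o eth0 -j ACCEPT
COMMIT'

# Convenience wrapper: audit a dump held in a variable, e.g.
#   audit_dump "$(iptables-save)" || echo "FORWARD lacks RELATED,ESTABLISHED"
audit_dump() {
    printf '%s\n' "$1" | has_conntrack_forward
}
```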

~~~
out_of_protocol
Looks great, thanks!

------
benbristow
I love the screenshot page, funny! Comic Sans and over-the-top JavaScript
effects.

[https://data.zx2c4.com/wireguard-for-macos-screenshots-february-2019/](https://data.zx2c4.com/wireguard-for-macos-screenshots-february-2019/)

Brings me back to the days of JavaScript Kit and Dynamic Drive

~~~
crooked-v
The "trail following the cursor" effect is an instant jolt of year 2000
nostalgia for me.

------
pixelcort
Which APIs were only available via Mac App Store that prevented distribution
outside it?

~~~
zx2c4
[https://developer.apple.com/documentation/networkextension/n...](https://developer.apple.com/documentation/networkextension/nepackettunnelprovider)

~~~
Wowfunhappy
Wow.

Is there any way around this for a user? What if SIP is off?

If there's no workaround, that makes me quite uncomfortable.

~~~
oneplane
There are plenty of workarounds, but the issue is that when you want to pass
quality control you have to play by the platform owner's rules. While not
always nice on one hand, on the other hand this does mean that most users will
be safe to install most software checked and distributed that way, without
needing the intimate knowledge we have.

I totally understand that if Apple builds and maintains a PKI-based security
model, they are going to want to check your stuff before allowing you in. If,
on the other hand, the user doesn't care, they can simply turn off the
security model or adjust it.

~~~
fauigerzigerk
The problem is that on iOS Apple's "quality control" includes banning normal
and fun human activities such as sex.

If that is now coming to the Mac as well then I will stop being a Mac user and I
will move away from Apple's platforms altogether.

Requiring Apple's permission to run WireGuard automatically means requiring the
permission of the government as well.

You don't even have to resort to China to see why that is bad. Many western
governments are aggressively working towards banning various forms of
encrypted communications.

~~~
oneplane
That's not their quality control you are referring to but the content
guidelines (censor). It's a choice they are free to make, and are probably
mostly copied off some American idea on what should be public or not.

The problem you are running into is that your ideas don't match their ideas
and you want them to match your ideas (which they won't because they don't
live in your world, they live in their world, which at this time is mostly the
USA world).

If in your country the government would enforce some law stating that
companies should not block sex in their content pipelines, then Apple, just
like they do in every other country, will comply. This is also the reason they
censor stuff in China, it's the law over there.

So while their ideas and values might not match with you, they do still have
to follow the law. If you believe companies with a large impact should not
block certain information from flowing, that is something you can enforce by
law.

A company has to deal with the law, and cannot go and be an anarchist whenever
it feels like it (but people can) because then they cease to exist.

~~~
Wowfunhappy
If Apple did not block sideloading on iOS, they wouldn't practically be able
to implement this kind of censorship in China and elsewhere. They would be
able to remove it from the App Store, but people would be able to acquire the
software via other means.

(This topic doesn't really apply to macOS though, just iOS.)

~~~
fauigerzigerk
I agree, but now it appears to apply to the Mac as well, at least to some
degree.

That's what I find so concerning. There has to be some general purpose
computing device that allows me to take full responsibility in terms of
security and in terms of complying with the law.

Other platforms often tend to imitate Apple. So if this is the general
direction of travel then I find that very worrying.

~~~
Wowfunhappy
Someone downthread says the macOS signing requirements still go away fully
when Gatekeeper is disabled, which is a simple terminal command. As long as
that's the case, I don't think there's a real problem here.

It's hard to quantify "moving in a direction", but Gatekeeper was introduced
nearly a decade ago and has _always_ been possible to disable via a quick
Terminal command. Apple did remove it from the UI in Sierra, so perhaps you
could say that's a sign of things to come, but I honestly doubt it.

------
simplify
Can someone explain the use cases for WireGuard? I think I'm pretty new to
this whole topic.

~~~
bmh
I have a few computers at home. I'd like to access them securely from anywhere
in the world. WireGuard makes that easy.

~~~
mbrock
Same, but also various project computers on various WiFis that autoconnect to
my WireGuard server.

------
dividedbyzero
This looks amazing. I currently use OpenVPN to tunnel into a Kubernetes
cluster; it's great how simple debugging distributed apps has become due to
being able to do that.

I wonder if I could use WireGuard to do the same, it appears to be much easier
to set up.

~~~
sascha_sl
Yes, and if you're installing it on all your nodes anyway, you can use it to
encrypt a flannel overlay net too.

[https://github.com/coreos/flannel/blob/master/dist/extension-wireguard](https://github.com/coreos/flannel/blob/master/dist/extension-wireguard)

------
tcd
Funny how the developer doesn't respond to [1] from a VPN provider about
improving security...DO NOT USE if you want to actually be secure!

[1]: [https://lists.zx2c4.com/pipermail/wireguard/2019-January/003777.html](https://lists.zx2c4.com/pipermail/wireguard/2019-January/003777.html)

~~~
Tharre
On the contrary, it has triggered development of wg-dynamic[0] which should
eventually fix those issues.

[0] [https://git.zx2c4.com/wg-dynamic/](https://git.zx2c4.com/wg-dynamic/)

~~~
zx2c4
wg-dynamic was proposed well before that email. Actually, that email came
after discussion the two of us had shortly prior to the email.

------
Aissen
I can't wait for WireGuard to be merged into the Linux Kernel, so that we can
start using it everywhere.

------
emadb
Question: how many of you use an encrypted VPN tunnel daily? We all know that
privacy is important and it will become more and more important in the next
few years. Do tools like WireGuard help in these cases? Or am I missing the main
focus? Should we all use a private VPN tunnel?

~~~
chrisper
It depends on what you want to protect. It is obviously great if you use a lot
of public wifi for example.

It's also great if your government is spying on you.

Otherwise you just delegate the privacy issues from your ISP to the ISP of
your output server.

Personally, there is no reason to run a VPN all the time from your home
connection.

~~~
gmac
I run one most of the time (IKEv2). I'm in the UK, and do it on principle to
stop my ISP storing details of every domain I visit on behalf of government
agencies. If I were in the US I'd do it to prevent my ISP selling that data
on.

(I also thought about setting something up for others, but this is currently
100% vapourware: [http://digitalsnorkel.net/](http://digitalsnorkel.net/))

~~~
jtms
Really great name - you should keep going with this!

------
nixgeek
Do you have a Patreon or some other means of supporting you?

~~~
reaperhulk
The project accepts donations:
[https://www.wireguard.com/donations/](https://www.wireguard.com/donations/)

------
Accacin
So I use Mullvad, who have WireGuard servers set up. Downloaded the config
files (which work perfectly on Linux) and I can't get WireGuard for iOS to
work at all. I get the VPN icon in the top left but I have no actual internet
connection (on either WiFi or 4G).

Downloaded the TunSafe Client and the very same config files work perfectly.
Obviously I'd prefer to use the WireGuard app though, but I cannot get it to
work at all sadly.

~~~
LukaD
I had some weird issues with DNS using the iOS app. It worked when I set
8.8.8.8 as my DNS in the app but that's not a real solution.

~~~
mosselman
1.1.1.1 & 1.0.0.1 are better options with regards to privacy

~~~
gsich
Why? Just because you swapped Company A with B? Neither of them are
trustworthy in regards to privacy.

~~~
kdtsh
1.1.1.1 is definitely the least worst option of the two here.

------
doubletgl
How does it compare to Tunnelblick and Viscosity? Any reason to switch if I'm
using a paid subscription to a mainstream VPN provider?

~~~
apexalpha
Tunnelblick and Viscosity are _implementations_ of a protocol: OpenVPN.
Wireguard is a different protocol than OpenVPN. Not just a different
implementation of the same.

~~~
Fnoord
True, but all three are frontends (Tunnelblick/Viscosity for OpenVPN, and
WireGuard for macOS is a frontend for the Go implementation). You could argue
someone's asking for a comparison of the UIs.

FWIW, I've tested the UI, and I very much like it, except that the whole
public and private key are visible on the screen. The Android version only
shows it partly (could be my resolution).

------
gvand
Thanks for this, have been following the project for a while.

A minor annoyance: right now the usual option that allows forwarding all
traffic through the VPN is missing (the OS and others put everything in an
advanced options pane accessible via a button on the main screen) and routes
have to be configured manually each time... please keep this in mind for the
next release ;)

~~~
kdtsh
You should be able to route all traffic through to the VPN by setting
AllowedIPs to 0.0.0.0/0.

------
antihero
Excellent! How easy is it to connect to our algo VPN servers with this?

Edit: Very easy, you just scan the QR!

------
ridgeguy
App store tells me it requires MacOS 10.14. Any chance of eventual 10.13
compatibility?

~~~
zx2c4
[https://lists.zx2c4.com/pipermail/wireguard/2019-February/00...](https://lists.zx2c4.com/pipermail/wireguard/2019-February/003869.html)

------
amaccuish
I look forward to solutions to solve autoconfiguration. I love how with say
OpenConnect, I just enter a server address and my address and auth methods are
all configured automatically. Otherwise very much a fan of WG!

~~~
helper
They are working on it: [https://git.zx2c4.com/wg-dynamic/about/docs/idea.md](https://git.zx2c4.com/wg-dynamic/about/docs/idea.md)

------
Hamuko
Looks great. I've been using WireGuard on the command line with my work
MacBook and it's been solid despite the massive warnings about alpha software.
I'll have to look into switching to this next week.

------
Down_n_Out
I'm using Wireguard in combination with Pi-Hole on a cheap VPS as a VPN on my
iPhone, it's blazingly fast and super stable. Will be trying this on my Mac as
well now.

~~~
out_of_protocol
Do you know any good guides on configuring a server to act as a VPN/proxy (i.e.
routing)? Regular WireGuard articles don't cover this use case at all,
assuming the reader knows everything beforehand.

------
8077628
The real question is, where can I get some hott wireguard swag?

------
mikkelam
Slightly offtopic.. but can WireGuard circumvent netflix country restriction?
i.e. can it be used to watch netflix content in other countries?

~~~
zahllos
This depends on your VPN service provider, not the WireGuard software - the
software itself simply tunnels your traffic to the VPN provider, who then
route it out to the internet. It doesn't matter if you use IPsec, OpenVPN,
PPP, L2TP or WireGuard to send your traffic to your provider if their address
has been blacklisted.

What WireGuard does get you is a much simpler configuration format for VPNs
(IPsec is notoriously overcomplicated) and a modern set of cryptography
choices (most other VPN technologies are old and come with legacy baggage, or
strange TLS-like connection setup that then becomes its own thing like
OpenVPN).

~~~
mikkelam
Gotcha, makes sense

------
gok
Does this use the golang implementation internally?

~~~
js2
It appears so:

[https://git.zx2c4.com/wireguard-ios/tree/](https://git.zx2c4.com/wireguard-ios/tree/)

------
xCatbodi
How would I go about implementing a killswitch for this? I'd like for it to
wait until I say it's OK to either try to reconnect or allow network without a
WireGuard connection. I was very happy with how Tunnelblick would do this for
shitty internet scenarios. Is something like that even necessary in this
situation?

Also: I do have connect on demand on.

Apologies if stupid question.

~~~
8077628
On the configs I've seen, "killswitch" is a few lines that tell iptables to
stop sending when the connection drops. I don't know how Tunnelblick does it,
but this might actually, and I'm not joking, be a job for AppleScript? Since
it looks like WireGuard doesn't do killswitch on its own.
[http://krypted.com/mac-security/command-line-firewall-management-in-os-x-10-10/](http://krypted.com/mac-security/command-line-firewall-management-in-os-x-10-10/) might be a starting point.
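
A pf-based killswitch for macOS, added here as an example (not from the comment above, the linked article, or the WireGuard project): it blocks all outbound traffic except loopback, the LAN, the tunnel interface and the encrypted UDP flow to the server, so a dropped tunnel blocks traffic rather than leaking it. The interface name utun3, the endpoint 203.0.113.10:51820 and the 192.168.1.0/24 LAN are constructed assumptions.

```shell
#!/bin/sh
# Added example: pf "killswitch" for WireGuard on macOS. Assumed, constructed
# values: the tunnel is utun3, the server is 203.0.113.10 udp/51820, the LAN is
# 192.168.1.0/24. Check the real utun name with `ifconfig` while connected.
WG_IF=utun3
ENDPOINT=203.0.113.10
ENDPORT=51820
LAN=192.168.1.0/24

# Emit the ruleset. pf is last-match-wins, so the default block comes first
# and every allow rule uses "quick" to stop evaluation as soon as it matches.
# Nothing else gets out: DNS that is not routed via the tunnel is blocked too,
# which is the point (no leaks while the tunnel is down).
killswitch_rules() {
    cat <<EOF
block drop out all
pass out quick on lo0 all
pass out quick on $WG_IF all
pass out quick proto udp to $ENDPOINT port $ENDPORT
pass out quick to $LAN
EOF
}

# Load the rules into a named anchor and make sure pf is enabled.
# Needs root and macOS; the anchor must be referenced from /etc/pf.conf
# (a line: anchor "wg-killswitch") or pf never evaluates it.
killswitch_on() {
    killswitch_rules | pfctl -a wg-killswitch -f -
    pfctl -e 2>/dev/null || true
}

# Flush the anchor so ordinary traffic resumes once you decide to allow it,
# which is the "wait until I say it's OK" behaviour asked for above.
killswitch_off() {
    pfctl -a wg-killswitch -F rules
}
```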

------
kkm
Thank you for the work <3

------
dbcooper
Does this support obfuscation now?

------
jamesb93
Why only 10.14 and up? Most devs I know haven't gone past 10.12.

~~~
tambourine_man
Mojave has been smooth sailing from day one for me.

A few rendering issues from the move to Metal but no KPs or major
incompatibilities.

Sooner or later, things stop running. On the iOS side, I was surprised to
learn you can’t run Netflix on an iOS 9 device.

I think the days of hanging on to old system versions are over.

~~~
r00fus
Uh. I have an old iPad1 that can’t run iOS10 but runs Netflix fine. Have you
tried updating the app?

~~~
tambourine_man
Can’t install it. Can’t be downloaded from the App Store. You probably
downloaded the version that did some time ago and it just continued to run

