
WireGuard for iOS - dmmalam
https://lists.zx2c4.com/pipermail/wireguard/2018-November/003526.html
======
zx2c4
As the mailing list post mentions, this is a super new code base, and we could
certainly use a hand, if any iOS developers out there are itching to help out.
Opportunity to jump into a codebase while it's still pretty fresh, if that
sort of experience is appealing to you. Don't hesitate to email me (jason [at]
zx2c4.com) or poke me on IRC (I'm zx2c4 on freenode in #wireguard).

~~~
xoa
Thanks so much for your work on this, I think iOS is the last major platform
right? Amazing effort in so short a time, I guess that's another advantage
alongside the security ones of having a very simple, focused code base without
unnecessary knobs and dials.

I'm sorry it didn't make it into the kernel this cycle though, granted maybe
that was a little much to hope for at this stage of things, and I really hope
Vancouver goes well for you and Zinc. It's not that WG is hard to get set up on
any given system, but I think kernel integration will lower the bar towards
getting it available as a standard feature in a lot of turnkey appliance
systems that I see a ton in SMB usage in particular. I can understand being
conservative there but man do I already want it everywhere :)!

~~~
zx2c4
Our final frontier is Windows, actually. Hope to have that out soon!

~~~
dancodes
There's TunSafe [1], a client for Windows. Its source code [2] has been
published as well.

[1]: [https://tunsafe.com/](https://tunsafe.com/)

[2]: [https://github.com/TunSafe/TunSafe](https://github.com/TunSafe/TunSafe)

~~~
Fnoord
By the same programmer as uTorrent.

------
indiv0
If anyone is interested in setting up a VPN with wireguard [0], I'd like to
whole-heartedly recommend Algo [1]. It's a set of Ansible scripts that sets up
a dual IPSec/wireguard VPN on a VM or other machine.

Wireguard itself is already super simple to set up and configure, and Algo
makes it even easier by automating most of the surrounding process.

I personally used it to set up a VPN a few days ago, and then manually tweaked
it a bit to turn it into a site-to-site VPN instead of having it be just for
tunneling (fun fact: wireguard works on Vyatta (AKA Ubiquiti) [2], and is
currently running flawlessly on my Edgerouter Lite).

Seriously, this is amazing software that just works and runs incredibly fast.
Huge thanks to Jason and all the contributors to the various projects for
their great work.

[0]: [https://www.wireguard.com/](https://www.wireguard.com/)

[1]: [https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

[2]: [https://github.com/Lochnair/vyatta-wireguard](https://github.com/Lochnair/vyatta-wireguard)

~~~
orra
Ooh. Thanks for the algo recommendation. I had been looking for something
which can easily support multiple users (having unique keys!), for a
small/medium office. Algo looks perfect.

~~~
teknologist
I would also suggest Streisand, which offers a nice web page with client
config downloads after you've set it up. You can do a WireGuard-only build
through the setup wizard.

[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

~~~
tptacek
I don't recommend Streisand; it spins up a bizarre collection of services. If
you're excited about WireGuard (as I am), a huge part of the reason why is not
to have all the horrible attack surface of legacy tunneling protocols,
cryptography, and tools.

~~~
teknologist
You can turn a lot of it off during the setup process. I usually block off
most of the ports via ufw, leaving open the bare minimum of ssh and wireguard.

~~~
akerl_
If you're going to disable the other services, why not use Algo instead?

------
matthewaveryusa
Just to comment on the paid version joke. You can simply offer a carbon-copy
of your app with a cost of 3.99 -- I'd personally be more than happy to pay
for it to compensate you for your effort and support the software -- it's the
lowest-friction way for me to pay you.

A word to the wise.

~~~
megaremote
Not necessarily. The reviewers may get upset if two apps are too similar.

~~~
bjoli
Not if you state that the apps are exactly the same in the description in
the store.

~~~
hazz99
You'll still get people complaining, it's the nature of user reviews.

------
ivank
I am using WireGuard for iOS and already vastly prefer it over OpenVPN
Connect: WireGuard stays connected and doesn't exhibit OpenVPN's unreliable
reconnect-on-unlock behavior. Your efforts are much appreciated.

~~~
maltalex
OpenVPN on iOS is horrible. But if you're looking for something a bit more
mature than wireguard for now, IKEv2 IPSec VPNs based on strongswan work
great.

There are some ready-made docker containers [0] that set up an IKEv2 VPN and
can generate an iOS _mobileconfig_ file for your phone.

[0]: [https://github.com/gaomd/docker-ikev2-vpn-server](https://github.com/gaomd/docker-ikev2-vpn-server)

~~~
pilif
The configuration PFSense uses for Strongswan works without requiring you to
install a mobileconfig file on iOS.

This has rapidly become my favourite solution for a VPN setup because it uses
only built-in software on the client and it's extremely stable.

~~~
auslander
You still need a mobileconfig to configure On Demand (kind of always-on)
mode. But yeah, native IKEv2 on iOS is pretty solid.

------
newscracker
Nice joke on the pricing of the app. :) Though you have a donation option on
your website, it probably makes sense to put in the iOS app, in some way, a
message to tell the user that this is an option to support the development
(I’m not going to tell you what the best way to do this is, because it
involves usability and other considerations, including App Store rules).

------
NamTaf
Can't wait to give this a spin next time I'm in China. Streisand[1] claims
that Wireguard can jump the GFW and I'm interested in seeing how the
performance stacks up compared to Shadowsocks with simple-obfs.

One particular feature I like with Shadowrocket on iOS is the VPN-on-demand
feature it offers. I can tell the app to only turn my VPN on when on wifi, for
example, since global roaming is itself essentially a VPN back to my home
telco. In that instance, I don't want to route my traffic back up from
Australia to the US (which I pick for my VPN due to its close routing from
China). Can I expect the Wireguard app to feature something similar in time?

[1]: [https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

~~~
reaperhulk
I use WireGuard (including WireGuard iOS) every day in Shanghai. It’s mostly
fast and performant but nothing escapes the occasional “drop all UDP to your
endpoint”. Typically this manifests as windows of time (typically a few
minutes) where no traffic to the VPN gets through. However, unlike an openVPN
solution WireGuard recovers without having to bounce the tunnel or constantly
reconnect.

The GFW is not a monolithic entity though so be aware that performance and
blocking characteristics can vary widely between cities, ISPs, and sometimes
even between cell towers.

VPN on demand features are on the iOS todo list. iOS supports the idea of
making a VPN on demand for cellular or WiFi so it will be able to do what you
want once that feature is merged.

~~~
NamTaf
That's all good news.

I'm aware that them blackholing all UDP traffic is always going to be an
issue, but it's good to hear that Wireguard recovers gracefully. So, too, does
Shadowsocks.

Alternatives are always good, and having something more reflecting a true VPN
rather than a SOCKS proxy will be useful once it makes it to Windows.

~~~
cyphar
The really nice thing about WireGuard on Linux is that it acts like a regular
network device and thus you can use iptables or network namespaces for free
with it. Very clean and genius design that eradicates the need for any client
support as well as removing the potential for leaking at the network device
level (if you configure it in the "container" mode where you move your host
network devices into an inaccessible network namespace and only provide wg0 on
the host).

~~~
palunon
A lot of Linux VPNs create network interfaces (tap/tun) and support
namespacing them - you can do the same thing with OpenVPN.

The really nice thing is the full in-kernel implementation, and the lack of
configurability.

~~~
cyphar
Right, sorry. I was comparing it to the shadow-socks project GP was referring
to. (And the userspace WireGuard implementation uses TUN/TAP. In fact one of
the rootless containers subprojects I've worked on is using TAP to allow for
unprivileged network bridge emulation for rootless containers.)

------
lemming
One thing that isn't quite clear to me after a quick peruse of the website -
say I'd like to use WireGuard as a VPN for my general personal internet
security. I guess I'd need a server running somewhere with a WireGuard server,
and then the iOS client - is that correct? i.e. it's not something like a
SOCKS tunnel where I just need ssh at the other end.

~~~
cyphar
[1] gives a very good rundown of what you need to do to make it work. It is
actually very trivial (once you've got wireguard.ko). Just generate a key, and
cross-copy the public halves.

However, configuring it to forward all packets, and thus making it usable as a
full VPN, requires a few extra steps on the server:

    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.proxy_arp = 1

And on the client, especially if you're using wg-quick:

    AllowedIPs = 0.0.0.0/0

But it shouldn't take that long. I got it working in tens of minutes.

[1]: [https://www.wireguard.com/quickstart/](https://www.wireguard.com/quickstart/)

~~~
snowwolf
On the server config I also had to add some iptables rules:

    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
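The two posts above between them list everything a full-tunnel setup needs: the server-side sysctls and FORWARD/MASQUERADE rules, and `AllowedIPs = 0.0.0.0/0` on the client. The script below is an added example (not code from the thread or from the WireGuard project) that bundles those steps into a pair of wg-quick configs and adds the sanity checks a practitioner would want before bringing the tunnel up. It assumes placeholder key strings (real ones come from `wg genkey` / `wg pubkey`), a placeholder endpoint hostname, the `10.10.0.0/24` tunnel subnet, and the WAN interface name `enp2s0` from the post; the sysctls are applied from `PostUp` rather than from `/etc/sysctl.conf`, which is an equivalent choice.

```shell
#!/bin/sh
# Added example, not from the thread or the WireGuard project.
# Placeholders (assumptions): the key strings, endpoint, subnet and WAN interface.
SERVER_PRIVKEY='SERVER_PRIVATE_KEY_PLACEHOLDER='
SERVER_PUBKEY='SERVER_PUBLIC_KEY_PLACEHOLDER='
CLIENT_PRIVKEY='CLIENT_PRIVATE_KEY_PLACEHOLDER='
CLIENT_PUBKEY='CLIENT_PUBLIC_KEY_PLACEHOLDER='
SERVER_ENDPOINT='vpn.example.com:51820'   # placeholder hostname
WAN_IF='enp2s0'                           # WAN interface named in the post

# Server /etc/wireguard/wg0.conf. The sysctls from the thread run in PostUp so
# they travel with the config; the iptables rules accept forwarded tunnel
# traffic and NAT it out of the WAN interface, and PostDown removes them again.
server_conf() {
cat <<EOF
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = $SERVER_PRIVKEY
PostUp = sysctl -w net.ipv4.ip_forward=1; sysctl -w net.ipv4.conf.all.proxy_arp=1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $WAN_IF -j MASQUERADE

[Peer]
# Only the client's own tunnel address is routed to it (a /32, not a default route).
PublicKey = $CLIENT_PUBKEY
AllowedIPs = 10.10.0.2/32
EOF
}

# Client config. AllowedIPs = 0.0.0.0/0 is the setting that turns this into a
# full tunnel: wg-quick installs the default route through wg0 for it.
client_conf() {
cat <<EOF
[Interface]
Address = 10.10.0.2/24
PrivateKey = $CLIENT_PRIVKEY
# DNS = <resolver reachable through the tunnel>, so lookups do not bypass the VPN

[Peer]
PublicKey = $SERVER_PUBKEY
Endpoint = $SERVER_ENDPOINT
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Check a config read from stdin: succeeds only if some peer carries the
# full-tunnel AllowedIPs. Without it the config is split-tunnel and traffic
# for other destinations leaves on the normal path.
is_full_tunnel() {
  grep -q '^AllowedIPs *= *0\.0\.0\.0/0'
}

# Check a server config read from stdin: forwarding, the FORWARD accept rule
# and the MASQUERADE rule must all be present, or clients get no internet.
server_forwards() {
  conf=$(cat)
  printf '%s\n' "$conf" | grep -q 'ip_forward=1' &&
  printf '%s\n' "$conf" | grep -q 'FORWARD -i wg0 -j ACCEPT' &&
  printf '%s\n' "$conf" | grep -q 'POSTROUTING -o .* -j MASQUERADE'
}

# Stand-alone run: print both configs after checking them.
if [ "${1:-}" = "show" ]; then
  server_conf | server_forwards && client_conf | is_full_tunnel \
    && server_conf && echo && client_conf
fi
```

Note that `0.0.0.0/0` covers IPv4 only; on a dual-stack client add `::/0` to `AllowedIPs` (and a matching IPv6 address and NAT or routing on the server), otherwise IPv6 traffic is routed around the tunnel.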

~~~
cyphar
Ah yes, I forgot about that. (It is mentioned in the documentation though.)

------
jarym
Fantastic progress!

Going to China soon and was wondering if anyone has tried if this works
through the GFW?

~~~
lrdd
From another user, "reaperhulk":

>I use WireGuard (including WireGuard iOS) every day in Shanghai. It’s mostly
fast and performant but nothing escapes the occasional “drop all UDP to your
endpoint”. Typically this manifests as windows of time (typically a few
minutes) where no traffic to the VPN gets through. However, unlike an openVPN
solution WireGuard recovers without having to bounce the tunnel or constantly
reconnect. The GFW is not a monolithic entity though so be aware that
performance and blocking characteristics can vary widely between cities, ISPs,
and sometimes even between cell towers.

>VPN on demand features are on the iOS todo list. iOS supports the idea of
making a VPN on demand for cellular or WiFi so it will be able to do what you
want once that feature is merged.

~~~
tptacek
Reaperhulk, for what it's worth, is a crypto engineer and also a co-author of
Frinkiac.

------
kim0
Really wishing it would get a pluggable traffic obfuscation system; let a
thousand obfuscators bloom and make it hard for tyrant governments.

------
givinguflac
This is great news! I would love to test it out just as soon as NordVPN
finishes deploying support.

------
spurgu
I need an invitation code to install..?

------
jbverschoor
Still no word about zerotier?

~~~
yjftsjthsd-h
What about zerotier? Were they looking at supporting wireguard? That would be
cool, but a little bit surprising since I thought they pretended to be a layer
2 device rather than the layer 3 device that wg provides. But it's been a
while, so maybe I misremember.

------
donkey-hotei
Hell yes.

------
auslander
I had IPSec VPN set up on my iPhone for a year, zero problems. Native Apple
client, no apps to install, just a profile file. It is always on for all
traffic.

~~~
pi-rat
The client side story for IPSec is great, but configuring the (strongSwan)
server is far from trivial. There are many decisions to make, and mistakes to
avoid.

Yes, amazing projects like Algo exist, but you can't use these on all
platforms (ex: OpenWRT).

My hope is that wireguard will provide a much easier (and safer) setup
experience.

~~~
auslander
> server is far from trivial.

Yes, but most people will use commercial VPN providers, with the added benefit
of an obscured IP address, whereas with your own server the IP is still unique
to you.

~~~
josteink
That's only one of many legitimate uses for a VPN.

Personally I use a VPN to connect back to my homenet when I'm out on the road,
or to connect to my company's network when out of office.

If you think the only usage of a VPN is anonymizing your IP, you have an
incredibly lacking understanding of the history and use-cases for VPNs.

------
willio58
Don’t know what it does after reading this whole email.

~~~
zx2c4
It's an email for a mailing list of people who already know about the project,
not a press release, but somebody posted it here anyway. The main site --
[https://www.wireguard.com](https://www.wireguard.com) -- has lots of info if
you're curious.

