I couldn't find any information on whether or not this uses wireguard-go internally? Or maybe even the Rust implementation?
p.s. the snow on https://data.zx2c4.com/wireguard-for-macos-screenshots-febru... is pretty hilarious
Comic Sans MS, we meet again!
(Happy WireGuard user; using the Go version on macOS for ages, using wg-quick, using the EdgeOS port on my Ubiquiti router, and using the Android userspace version. Roaming simply works. Only thing which sucks is on Android the VPN gets lost when you update the software.)
How have you set it up on your phone?
EDIT: note I am interested in doing this, but I'm on Android; I was under the impression you would need to root the device.
This is the one you need. You only need root if you want to install the (Linux) Kernel Mod for better performance. If this isn't present the app will automatically use the Go (Userspace) implementation.
Although slower than the kernelspace implementation it's still faster and better than OpenVPN.
If you want to install the kernel mod yourself, check out this XDA thread: https://forum.xda-developers.com/android/development/wiregua...
With Streisand, I only needed to choose some options and input a few credentials. 20 minutes later, Streisand had created a locked-down, self-updating box dedicated to hosting nothing but Wireguard. I deployed to a $5/month Digital Ocean droplet.
Streisand previously on HN: https://news.ycombinator.com/item?id=18903780, https://news.ycombinator.com/item?id=8082444
Recent enhancements to Streisand include automatic updates for Wireguard: https://github.com/StreisandEffect/streisand/issues/513#issu....
Streisand automatically installs Ubuntu security and other updates using the "unattended-upgrades" package: https://help.ubuntu.com/community/AutomaticSecurityUpdates.
Streisand's unattended-upgrades config https://github.com/StreisandEffect/streisand/blob/master/pla...
Windows 7 is currently under extended support (i.e.: critical security updates only) and that extended support ends as of January 2020. In other words: Standard end users have 11 months to migrate away from Windows 7 entirely.
There is a horrifically expensive option to purchase even further extended support from Microsoft, which a few large companies may do.
It's actually not that expensive:
"Year one (January 2020 to 2021), that add-on will cost $25 per device for that set of users. Year two (January 2021 to 2022) that price goes up to $50 per device. And Year three (January 2022 to January 2023) it goes up to $100 per device."
And while this requires a volume license agreement:
"Windows 7 ESUs will be available to all Windows 7 Professional and Windows 7 Enterprise customers in Volume Licensing, with a discount to customers with Windows software assurance, Windows 10 Enterprise or Windows 10 Education subscriptions."
it is not difficult or expensive to acquire:
"While five licenses are required to enter into a new VL agreement, they need not all be for LTSC. According to a rep I spoke with at a Microsoft Partner, this combination would work as an upgrade from a Windows OEM license (i.e., it would allow a user who bought a PC with Windows 10 preinstalled to run Windows 10 LTSC instead): 1x Windows 10 Enterprise LTSC 2019 Single Upgrade Open Business $269.04 & 4x Microsoft Identity Manager - 1 User CAL - Open Business $7.81"
> it is not difficult or expensive to acquire
For reference, these options are more than the replacement cost of many business PCs. I'd say that's pretty expensive.
And especially when you note that loss of support is often the only reason they have to change, it starts seeming a bit unreasonable.
WireGuard's creator discussing OpenVPN's TUN/TAP driver and a possible alternative back in 2017: The OpenVPN Windows kernel TUN/TAP driver is really super scary. That alone has a larger code base than all of WireGuard...
I'm looking forward to the Windows version. Thank you for taking the long and careful route with it.
I certainly hope that there are still viable workarounds at this point. But this is a step in a very dangerous direction.
"Because it uses these deep integration APIs, we're only allowed to distribute the application using the macOS App Store (whose rejections, appeals, and eventual acceptance made for quite the stressful saga over the last week and a half)"
On iOS there have always been APIs like this; they only work via Apple approval and not dev or enterprise signatures.
The limiting factor is that the "Network Extension" framework is the way these apps work as VPNs, and currently Mac App Store distribution is the only supported method if you're using that framework (see #8) .
I really really don’t recommend doing that; you’re giving up a lot of security.
A much easier alternative is to have a dev account, then you can just enable the entitlements in your provisioning profile for your dev devices (or personal devices). Most entitlements don’t require any approval for a dev profile.
I wanted to be sure the dev here is backed up that he's not making this up--this is Apple's restriction and not his.
> A much easier alternative is to have a dev account, then you can just enable the entitlements in your provisioning profile for your dev devices (or personal devices). Most entitlements don’t require any approval for a dev profile.
Yes, this is how we test on our own Macs before publishing to the app store. Although iirc those signatures have expiration timestamps, so you'll be re-signing and redistributing on some tedious interval (something like 30-90 days).
Which hosting provider is recommended for running your own WireGuard server? I have tried various cloud providers (Digital Ocean, Google, AWS, etc.).
I noticed that Apple ID and app store does not work when traffic exits via these cloud instances. Has anyone else faced this issue? Any solutions?
I followed the installation instructions at https://www.wireguard.com/install/
For VPN setup, the Arch Wiki is a great reference: https://wiki.archlinux.org/index.php/WireGuard#Specific_use-...
I also set up Unbound + Stubby with DNS-over-TLS.
For what it's worth, the RELATED, ESTABLISHED rule in FORWARD is a bad thing to forget; I was getting all sorts of interesting ICMP timeout errors because I didn't have it.
New connections from clients were allowed, but I didn't have a rule to allow related and established, which made some things work, but mostly not.
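The forgotten rule the comment above describes, as an added example that is not from the original post or from the WireGuard project: two wg-quick server configs, the first with only the outbound FORWARD rule (new client connections leave, but return traffic is dropped by a default-DROP FORWARD chain, which is what produces the ICMP timeouts), the second with the conntrack RELATED,ESTABLISHED rule added. Interface name, upstream interface `eth0`, and the `10.0.0.0/24` tunnel range are assumptions; `%i` is wg-quick's own placeholder for the interface name.

```ini
# Added example (not from the original post or from WireGuard itself).
# Assumed: upstream interface eth0, tunnel range 10.0.0.0/24, FORWARD policy DROP.

# ---- /etc/wireguard/wg0.conf, INCOMPLETE ----
# Client -> internet packets are forwarded, but replies coming back in on
# eth0 destined for the tunnel match no ACCEPT rule and are dropped.
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>
PostUp   = iptables -A FORWARD -i %i -o eth0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o eth0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# ---- /etc/wireguard/wg0.conf, CORRECTED ----
# Adds the stateful rule: only reply traffic for flows the tunnel side
# initiated is let back in, so the internet still cannot open new
# connections toward the clients.
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>
PostUp   = iptables -A FORWARD -i %i -o eth0 -j ACCEPT; iptables -A FORWARD -i eth0 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o eth0 -j ACCEPT; iptables -D FORWARD -i eth0 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# constructed client entry; replace with the client's real public key
PublicKey = <CLIENT_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.0.0.2/32
```

With the corrected file, `iptables -L FORWARD -v` after `wg-quick up wg0` should show both ACCEPT rules; if the counters on the conntrack rule stay at zero while clients report timeouts, the rule is not being hit and the upstream interface name is probably wrong.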
I am very skeptical on this point.
macOS, like all Unix systems, already limits privileges for non-root users. What do you accomplish by placing limits on root as well?
If a malicious application gets root, you are very screwed. The app can encrypt most of your hard drive, monitor most keystrokes, do nasty things with your hosts file, and steal most of your personal data. It won't be able to directly inject itself into other processes and certain critical OS files we protected, but how relevant is that?
As I see it, SIP's main purpose is to (1) prevent non-technical users from (completely) hosing their systems by copying and pasting terminal commands from the internet, and (2) to protect TCC.db so that apps can't bypass Apple's privacy system.
If you're able to turn off SIP, you have enough technical knowledge that #1 isn't necessary. I suppose #2 may have some limited value, but not much.
If I am completely off base on this, feel free to educate me—but in my several years of research I have not come across any plausible scenarios for when SIP's protection would be helpful.
Edit: One other relevant note: Apple lets you selectively disable and enable parts of SIP. So you'd likely be able to turn off sideload-blocking (or whatever it is) without disabling SIP completely, if you want to for whatever reason.
Normal users need UX to save them from owning themselves.
I'm a little frustrated by all the FUD I've seen spread in Apple enthusiast communities about how SIP is this super important security feature that should never be turned off.
My opinion is that if you have a reason to disable SIP, go ahead and do so with a clear conscience. You will continue to be protected by the privilege system that's in place for (basically) all UNIXes.
Didn’t stop apps from trying exactly that anyway.
SIP is a piece of design intended to make you less screwed when that happens.
If a thief breaks into my house, I don't particularly care if he can access the drawer where I keep pencils.
Stated better: it appears to me that the consequence of a malicious app getting root is already so incredibly catastrophic, that at that point it makes little difference whether or not SIP is enabled.
Edit: Also, security be damned, I don't want to use an OS without a proper root account! So while not entirely relevant to the discussion, I know that I would either continue to turn off SIP or move to another platform.
Let's say you wanted an OS with better privilege control and other clever security doodads people have come up with in the years since merely having user accounts seemed like unconscionable oppression. If you don't care about backward compatibility much and start with Linux and a JVM you might end up with something like Android. If you start with Linux and Chrome you might end up with something like ChromeOS. If you start with OS X you might end up with something like iOS. If you start from scratch you might end up with something like Fuchsia.
But what if you do care about backward compatibility? You then have a far more difficult, thankless and long-term job. If you start with OS X, somewhere along the line you'll have something like OS X + SIP + Sandbox + FDE. Or Windows NT + UAC + irritating autoreboots in the middle of the night. We're in the 'somewhere along the line' stage.
Can you cite a source for that?
Therefore it will become unviable for 99% of apps to be distributed outside the app store, so they won't.
I distribute an app outside the app store. It's free and open source, but not meant to be for technical users (it's art-related). I like people being able to use it, because I am a nice guy, but I also don't want to pay Apple $100/year and go through the hassle of putting it in the app store, if that would even work. My users are not going to disable SIP so if Apple continues in this way I really will be forced to put it in the app store (or more likely, abandon OSX).
Personally I'm happy to see WireGuard in the App Store, but would be concerned if Apple indeed limits the API to it. Could you elaborate on if distribution outside of the App Store is impossible?
I have tried to reproduce the issue and found that even though you can create provisioning profiles for direct distribution with the Network Extension entitlement, and the UI shows that all is fine, the provisioning profile does NOT contain the required entitlement.
After some digging I found a FAQ on network extensions by Apple. Point #8 clearly says:
> #8 — On the Mac, can Developer ID apps host Network Extension providers?
> Currently this is not possible; only Mac App Store apps can host Network Extension providers.
Thus the missing entitlement is most likely not a bug (and the cert UI is just bad). This is not a technical limitation, just Apple with questionable politics.
Is there any way around this for a user? What if SIP is off?
If there's no workaround, that makes me quite uncomfortable.
I totally understand that if Apple builds and maintains a PKI-based security model, they are going to want to check your stuff before allowing you in. If, on the other hand, the user doesn't care, they can simply turn off the security model or adjust it.
If that is now coming to the Mac as well then I will stop being Mac user and I will move away from Apple's platforms altogether.
Requiring Apple's permission to run WireGuard automatically means requiring the permission of the government as well.
You don't even have to resort to China to see why that is bad. Many western governments are aggressively working towards banning various forms of encrypted communications.
The problem you are running into is that your ideas don't match their ideas and you want them to match your ideas (which they won't because they don't live in your world, they live in their world, which at this time is mostly the USA world).
If in your country the government would enforce some law stating that companies should not block sex in their content pipelines, then Apple, just like they do in every other country, will comply. This is also the reason they censor stuff in China, it's the law over there.
So while their ideas and values might not match with you, they do still have to follow the law. If you believe companies with a large impact should not block certain information from flowing, that is something you can enforce by law.
A company has to deal with the law, and cannot go and be an anarchist whenever it feels like it (but people can) because then they cease to exist.
(This topic doesn't really apply to macOS though, just iOS.)
That's what I find so concerning. There has to be some general purpose computing device that allows me to take full responsibility in terms of security and in terms of complying with the law.
Other platforms often tend to imitate Apple. So if this is the general direction of travel then I find that very worrying.
It's hard to quantify "moving in a direction", but Gatekeeper was introduced nearly a decade ago and has always been possible to disable via a quick Terminal command. Apple did remove it from the UI in Sierra, so perhaps you could say that's a sign of things to come, but I honestly doubt it.
No. I don't want them to match my ideas. I want them to respect the fact that people have different ideas and values.
To allow that diversity of ideas to exist, it is necessary to keep the separation of concerns and legal responsibilities as it has been since the invention of the Mac (and the PC).
They make the hardware and the OS. I decide what software to install and what content to store. This has always been my legal responsibility and it is on that basis that I decided to purchase my Mac.
If they change that equation, I'm out. I'm out as user. I'm out as developer. I'm out as decision maker and as a go-to person for others who make purchasing decisions.
The notion that they supply hardware and software and you then decide how they are going to work for you is no longer valid for the Apple products as they are. By default, macOS is becoming more like iOS now, which diverges from the generic idea of the personal computer.
This problem is of course far wider than just computers and Apple, more devices, services and companies are headed this way in varying degrees.
I suppose that means you are out as a user, developer and decision maker etc. Apple probably won't care unless you take 10 million customers with you at the same time. Anything less than 1 million is probably not even going to register on their metrics, and anything less than 10 million is only marginal. This is both the problem (our problem as users) and the benefit (their benefit as a company at scale) of this broad customer base many companies now have. It's not really a globalisation thing, but more a combined globalisation+commercialism+scale thing that makes this kind of thing common.
It's not that they want to make things less attractive to certain users on purpose either, that would be counter to their purpose of making money; it's probably far more likely that it's a case of Hanlon's razor. Take the way PKI is used to enforce some rules on hardware (i.e. iBoot and the A-series SoCs from Apple but also Intel's BootGuard on a much larger scale); it's not that they want to block people that want to fiddle with their hardware and software, it's just that this is the best they could come up with to defend against generic attacks. And it's far from ideal.
I have ideas on different levels that shouldn't be conflated. I'm not asking Apple or anyone else to share my preferences and tastes.
But some meta ideas are a prerequisite for disagreement on preferences, tastes and beliefs. Without those ideas we are moving towards authoritarianism.
Once global companies become dominant enough, their decisions start to either facilitate or hinder liberty and authoritarianism, even under the assumption that they have to comply with the law at all times.
I don't think being seen to be on the side of oppression and authoritarianism against your own users is ultimately conducive to maximising profits.
While being totally OK with (gun) violence. Hello, double (American) standard. Keep that double standard in the US. I don't want it in the EU. Thank you.
I'd very much like to know what this involves. I'll feel better knowing how it can be done. If you have a link that would be great!
Security-wise, that can be problematic, and I suggest you turn on EFI password authentication so it's not something everyone can do to your machine. This means you can still change the SIP settings on-demand per boot using a USB stick with rEFInd on it, but doing that requires you to chain boot off of that USB drive and doing that triggers EFI protection and requires a password before you can do that. Normal boot would not require a password and lets you use the system as-is.
Since this is a topic on VPN software.
Key management and PKI in particular, not bulk encryption, is the hard part of IPSec (insofar as it's hard), and Wireguard doesn't actually solve that. I wouldn't be surprised if someone eventually hacked Wireguard configuration management into an existing IKE daemon.
I wonder if I could use WireGuard to do the same, it appears to be much easier to set up.
It's also great if your government is spying on you.
Otherwise you just delegate the privacy issues from your ISP to the ISP of your output server.
Personally, there is no reason to run a VPN all the time from your home connection.
(I also thought about setting something up for others, but this is currently 100% vapourware: http://digitalsnorkel.net/)
Downloaded the TunSafe Client and the very same config files work perfectly. Obviously I'd prefer to use the WireGuard app though, but I cannot get it to work at all sadly.
FWIW, I've tested the UI, and I very much like it, except that the whole public and private key are visible on the screen. The Android version only shows it partly (could be my resolution).
A minor annoyance: right now the usual option that allows forwarding all traffic through the VPN is missing (the OS and others put everything in an advanced options pane accessible via a button on the main screen) and routes have to be configured manually each time... please keep this in mind for the next release ;)
Edit: Very easy, you just scan the QR!
What WireGuard does get you is a much simpler configuration format for VPNs (IPsec is notoriously overcomplicated) and a modern set of cryptography choices (most other VPN technologies are old and come with legacy baggage, or strange TLS-like connection setup that then becomes its own thing like OpenVPN).
Wireguard is the protocol/tech, not a VPN Service Provider.
Also: I do have Connect on Demand on.
Apologies if this is a stupid question.
A few rendering issues from the move to Metal but no KPs or major incompatibilities.
Sooner or later, things stop running. On the iOS side, I was surprised to learn you can’t run Netflix on an iOS 9 device.
I think the days of hanging on to old system versions are over.
Once it shows up as a previous purchase in your account, you can download it from your iPad. You don’t have to sync with iTunes.
"Extended support ends in September 2019. iTunes, in August 2020"
And while High Sierra (10.13) had its quirks (for which I could understand your response; plus all non-Retina machines only work with 10.13 as the latest, officially), Mojave (10.14) has been smooth. If not only for the dark mode (finally!).