Development discussion of WireGuard
From: z <dzm@unexpl0.red>
To: wireguard@lists.zx2c4.com
Subject: Re: UAPI socket for the macOS sandboxed Wireguard app
Date: Thu, 23 Nov 2023 14:31:53 +0000
Message-ID: <44acf7f1-3a68-4e82-bb2e-0f296490b7ce@app.fastmail.com>
In-Reply-To: <CAEqCujJ7bck6w0UiKdwXFfH6R+RWgALZg5JUxEuQupUgPRHQPg@mail.gmail.com>

Would like to see this reviewed, as it appears to accomplish #4 on the macOS TODO list[0].

I know Jason hasn't gotten a chance to review yet, as he says in the wgctrl-go PR. If we need extra review bandwidth, I can do some testing if desired.

-dzm

[0]: https://docs.google.com/document/d/1BnzImOF8CkungFnuRlWhnEpY2OmEHSckat62aZ6LYGY/edit

On Sat, Oct 7, 2023, at 10:46 PM, Jan Noha wrote:
> Hello,
>
> I want to submit a series of patches concerning WireGuard on macOS.
>
> If it's OK, I will just link to a GitHub PR which links to three other
> PRs (in wireguard-apple, wireguard-go and wireguard-tools).
>
> https://github.com/WireGuard/wgctrl-go/pull/143
>
> Let me explain what this is about. I've been trying to automate
> WireGuard tunnel configuration for some P2P use cases and I wanted to
> use the wgctrl-go library for the task.
>
> This already works fine on Linux and Windows. On macOS, it's a bit
> more complicated. If you only use the CLI for creating tun interfaces
> (using WireGuard from Homebrew, for example), it also works.
> Specifically, wgctrl-go communicates with the WireGuard user-space
> daemon via a unix domain socket located in /var/run/wireguard/ (this
> is referred to as UAPI in the code).
>
> However, if you want to use WireGuard from the App Store - which has
> some other advantages besides the UI (such as on-demand VPN and
> generally nice OS integration) - it comes as a sandboxed Network
> Extension. Currently, it does not expose any UAPI socket, so wgctrl-go
> cannot be used to configure it.
>
> The socket can be opened, except it has to be inside the sandbox home
> directory. There is no problem connecting to it from "outside" using
> CLI tools which are not sandboxed themselves.
>
> That's basically what I did here. Changes were needed in
> wireguard-apple and wireguard-go to open the socket in a
> macOS-specific location, then I updated wgctrl-go and wireguard-tools
> (so that wg commands work too) to look for UAPI sockets in both the
> sandbox location and the default one.
>
> If you're interested in discussing this topic further, I'll look
> forward to any feedback.
>
> Thank you,
> Jan Noha
