Development discussion of WireGuard
* UAPI socket for the macOS sandboxed Wireguard app
@ 2023-10-07 22:46 Jan Noha
  2023-11-23 14:31 ` z
  0 siblings, 1 reply; 2+ messages in thread
From: Jan Noha @ 2023-10-07 22:46 UTC
  To: wireguard

Hello,

I want to submit a series of patches concerning WireGuard on macOS.

If it's ok, I will just link to a GitHub PR which links to three other
PRs (in wireguard-apple, wireguard-go and wireguard-tools).

https://github.com/WireGuard/wgctrl-go/pull/143

Let me explain what this is about. I've been trying to automate
WireGuard tunnel configuration for some P2P use cases and I wanted to
use the wgctrl-go library for the task.

This already works fine on Linux and Windows. On macOS, it's a bit
more complicated. If you only use CLI for creating tun interfaces
(using wireguard from homebrew for example), it also works.
Specifically, wgctrl-go communicates with the wireguard user-space
daemon via a unix domain socket located in /var/run/wireguard/ (this
is referred to as UAPI in the code).

However, if you want to use WireGuard from the App Store - which has
some other advantages besides the UI (such as on-demand VPN and
generally nice OS integration) - it comes as a sandboxed Network
Extension. Currently, it does not expose any UAPI socket, so wgctrl-go
cannot be used to configure it.

The socket can be opened, except it has to be inside the sandbox home
directory. There is no problem connecting to it from "outside" using
CLI tools which are not sandboxed themselves.

That's basically what I did here. Changes were needed in
wireguard-apple and wireguard-go to open the socket in a
macOS-specific location, then I updated wgctrl-go and wireguard-tools
(so that wg commands work too) to look for UAPI sockets in both the
sandbox location and the default one.

If you're interested in discussing this topic further, I'll look
forward to any feedback.

Thank you,
Jan Noha


* Re: UAPI socket for the macOS sandboxed Wireguard app
  2023-10-07 22:46 UAPI socket for the macOS sandboxed Wireguard app Jan Noha
@ 2023-11-23 14:31 ` z
  0 siblings, 0 replies; 2+ messages in thread
From: z @ 2023-11-23 14:31 UTC
  To: wireguard

Would like to see this reviewed, as it appears to accomplish #4 on the macOS TODO list[0].

I know Jason hasn't gotten a chance to review yet, as he says in the wgctrl-go PR. If we need extra review bandwidth, I can do some testing if desired.

-dzm

[0]: https://docs.google.com/document/d/1BnzImOF8CkungFnuRlWhnEpY2OmEHSckat62aZ6LYGY/edit

On Sat, Oct 7, 2023, at 10:46 PM, Jan Noha wrote:
> Hello,
>
> I want to submit a series of patches concerning WireGuard on macOS.
>
> If it's ok, I will just link to a GitHub PR which links to three other
> PRs (in wireguard-apple, wireguard-go and wireguard-tools).
>
> https://github.com/WireGuard/wgctrl-go/pull/143
>
> Let me explain what this is about. I've been trying to automate
> WireGuard tunnel configuration for some P2P use cases and I wanted to
> use the wgctrl-go library for the task.
>
> This already works fine on Linux and Windows. On macOS, it's a bit
> more complicated. If you only use CLI for creating tun interfaces
> (using wireguard from homebrew for example), it also works.
> Specifically, wgctrl-go communicates with the wireguard user-space
> daemon via a unix domain socket located in /var/run/wireguard/ (this
> is referred to as UAPI in the code).
>
> However, if you want to use WireGuard from the App Store - which has
> some other advantages besides the UI (such as on-demand VPN and
> generally nice OS integration) - it comes as a sandboxed Network
> Extension. Currently, it does not expose any UAPI socket, so wgctrl-go
> cannot be used to configure it.
>
> The socket can be opened, except it has to be inside the sandbox home
> directory. There is no problem connecting to it from "outside" using
> CLI tools which are not sandboxed themselves.
>
> That's basically what I did here. Changes were needed in
> wireguard-apple and wireguard-go to open the socket in a
> macOS-specific location, then I updated wgctrl-go and wireguard-tools
> (so that wg commands work too) to look for UAPI sockets in both the
> sandbox location and the default one.
>
> If you're interested in discussing this topic further, I'll look
> forward to any feedback.
>
> Thank you,
> Jan Noha
