WireGuard on macOS stopped working after 1.0.10 update

WireGuard on macOS stopped working after 1.0.10 update

[Glenn Schmidt]

After I installed the new WireGuard update from the Mac app store, I can’t connect my tunnel. The message in the UI is "Unable to apply network settings to tunnel object."

I’m using macOS 10.15.7. I've tried rebooting, removing and re-importing tunnel configs, deleting and re-installing the WireGuard app.

Here’s a dump of possibly-relevant warnings in Console.app during a connection attempt:

error	10:47:01.801958+1100	WireGuardNetworkExtension	Bootstrapping; external subsystem UIKit_PKSubsystem refused setup
error	10:47:01.837971+1100	nehelper	-[NWPrivilegedHelper startXPCListener]_block_invoke client pid 111 does not have any known entitlement
error	10:47:01.838068+1100	configd	networkd_privileged_check_interface_settings_block_invoke received XPC_ERROR_CONNECTION_INVALID
error	10:47:06.947361+1100	WireGuardNetworkExtension	Starting tunnel failed with setTunnelNetworkSettings timing out
error	10:47:06.955318+1100	nesessionmanager	address is loopback
error	10:47:06.959919+1100	nesessionmanager	address is loopback
error	10:47:11.985280+1100	WireGuardNetworkExtension	SIOCGIFMTU failed: Device not configured
error	10:47:11.985358+1100	WireGuardNetworkExtension	NEVirtualInterfaceAdjustReadBufferSize: interface_get_mtu failed (6), defaulting to max mtu
error	10:47:11.988228+1100	neagent	[u E64DEC42-DC15-401F-8590-DAFE723FB670:m (null)] [<private>(<private>)] Connection to plugin interrupted while in use.
error	10:47:11.989727+1100	neagent	[u E64DEC42-DC15-401F-8590-DAFE723FB670:m (null)] [<private>(<private>)] Connection to plugin invalidated while in use.

Re: WireGuard on macOS stopped working after 1.0.10 update

[Jason A. Donenfeld]

I'm really very sorry about this regression. I fixed it earlier today
already here: https://git.zx2c4.com/wireguard-apple/commit/?id=20bdf46792905de8862ae7641e50e0f9f99ec946
but now we're stuck having to wait for Apple's review of the fix. This
is as frustrating for me as it is for you.

As a temporary work around, try adding a DNS server to the [Interface] section :

    [Interface]
    DNS = 8.8.8.8

Let me know if that gets things working again.

Re: WireGuard on macOS stopped working after 1.0.10 update

[Glenn Schmidt]

Yes that got it working; thanks for your help.


> On 17 Dec 2020, at 12:43 pm, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> 
> I'm really very sorry about this regression. I fixed it earlier today
> already here: https://git.zx2c4.com/wireguard-apple/commit/?id=20bdf46792905de8862ae7641e50e0f9f99ec946
> but now we're stuck having to wait for Apple's review of the fix. This
> is as frustrating for me as it is for you.
> 
> As a temporary work around, try adding a DNS server to the [Interface] section :
> 
>    [Interface]
>    DNS = 8.8.8.8
> 
> Let me know if that gets things working again.

Re: WireGuard on macOS stopped working after 1.0.10 update

[Jason A. Donenfeld]

Hi list,

To provide an update on this issue:

On Thu, Dec 17, 2020 at 2:43 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> I'm really very sorry about this regression. I fixed it earlier today
> already here: https://git.zx2c4.com/wireguard-apple/commit/?id=20bdf46792905de8862ae7641e50e0f9f99ec946
> but now we're stuck having to wait for Apple's review of the fix. This
> is as frustrating for me as it is for you.

The macOS update went through, and version 1.0.11 is now available
from the App Store. In my tests, this fixes the issue, but some
confirmation from list subscribers is always helpful.

However, they rejected the iOS update, due to the link in the version
info window to https://www.wireguard.com/donations/ that we've had on
there for two years. You can see their rejection here:
https://data.zx2c4.com/apple-asks-me-to-remove-donation-link-from-app.png
https://data.zx2c4.com/the-screenshot-that-apple-provided.png

Not wanting to hold up getting this fix deployed, I quickly removed
the link and resubmitted to the App Store:
https://git.zx2c4.com/wireguard-apple/commit/?id=a4fc0f64b8bca8afae5abab37b81ba0b45836975

So now the process of getting that fix deployed on iOS starts from the
beginning again. It could take another 24 hours. It could take a full
month. The process is opaque, and try as I may, I don't know what else
I can do to get the fix out faster.

And again, I'm really very sorry about the regression in the code, and
that we didn't catch it earlier. I hope the update gets deployed to
you all sooner rather than later.

Jason

Re: WireGuard on macOS stopped working after 1.0.10 update

[Nicolas CAPEYRON]

It's OK for me

Thank you very much
-- 
Nicolas CAPEYRON
Conseil en hébergement, architecture infra web
06 26 12 27 17 - https://www.sysadminbadass.com

-- 
Nicolas CAPEYRON
Conseil en hébergement, architecture infra web
06 26 12 27 17 - https://www.sysadminbadass.com


Le jeu. 17 déc. 2020 à 23:06, Jason A. Donenfeld <Jason@zx2c4.com> a écrit :
>
> Hi list,
>
> To provide an update on this issue:
>
> On Thu, Dec 17, 2020 at 2:43 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> > I'm really very sorry about this regression. I fixed it earlier today
> > already here: https://git.zx2c4.com/wireguard-apple/commit/?id=20bdf46792905de8862ae7641e50e0f9f99ec946
> > but now we're stuck having to wait for Apple's review of the fix. This
> > is as frustrating for me as it is for you.
>
> The macOS update went through, and version 1.0.11 is now available
> from the App Store. In my tests, this fixes the issue, but some
> confirmation from list subscribers is always helpful.
>
> However, they rejected the iOS update, due to the link in the version
> info window to https://www.wireguard.com/donations/ that we've had on
> there for two years. You can see their rejection here:
> https://data.zx2c4.com/apple-asks-me-to-remove-donation-link-from-app.png
> https://data.zx2c4.com/the-screenshot-that-apple-provided.png
>
> Not wanting to hold up getting this fix deployed, I quickly removed
> the link and resubmitted to the App Store:
> https://git.zx2c4.com/wireguard-apple/commit/?id=a4fc0f64b8bca8afae5abab37b81ba0b45836975
>
> So now the process of getting that fix deployed on iOS starts from the
> beginning again. It could take another 24 hours. It could take a full
> month. The process is opaque, and try as I may, I don't know what else
> I can do to get the fix out faster.
>
> And again, I'm really very sorry about the regression in the code, and
> that we didn't catch it earlier. I hope the update gets deployed to
> you all sooner rather than later.
>
> Jason

Re: WireGuard on macOS stopped working after 1.0.10 update

[Jason A. Donenfeld]

On 12/18/20, Janne Johansson <icepic.dz@gmail.com> wrote:
> Den tors 17 dec. 2020 kl 22:56 skrev Jason A. Donenfeld <Jason@zx2c4.com>:
>> The macOS update went through, and version 1.0.11 is now available
>> from the App Store. In my tests, this fixes the issue, but some
>> confirmation from list subscribers is always helpful.
>
> So I held off updating until 1.0.11 was out (even though I already used to
> have a DNS = entry in the [Interface] section),
> but to my surprise I could not form a tunnel with my old configs. The gui
> says "I sent 186 bytes" (number not necessarily correct)
> and tcpdump showed I sent a packet to remote, it sent one back and after
> that tcpdump goes silent.
>
> The wg gui logs just went:
>
> 2020-12-18 08:48:52.045 [NET] peer(RQkh…JERY) - Failed to send handshake
> initiation no bind
> 2020-12-18 08:48:57.297 [NET] peer(RQkh…JERY) - Handshake did not complete
> after 5 seconds, retrying (try 2)
> 2020-12-18 08:48:57.297 [NET] peer(RQkh…JERY) - Sending handshake
> initiation
> 2020-12-18 08:48:57.298 [NET] peer(RQkh…JERY) - Failed to send handshake
> initiation no bind
> 2020-12-18 08:49:02.546 [NET] peer(RQkh…JERY) - Sending handshake
> initiation
> 2020-12-18 08:49:02.547 [NET] peer(RQkh…JERY) - Failed to send handshake
> initiation no bind
>
> So I tried removing my DNS entry, and now it works. So you seem to have
> made it the opposite in 1.0.11, now one can't have DNS in the [Interface]
> section, or the tunnel will not start.
> I run my own resolver on 127.0.0.1 for now, so I can work around it, but
> this seems very weird too.

Please send the complete logs along with the (redacted) configuration
file that caused the issue. I need to be able to reproduce the issue
in order to evaluate it.

Re: WireGuard on macOS stopped working after 1.0.10 update

[Jason A. Donenfeld]

Hi again,

On Thu, Dec 17, 2020 at 10:53 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> However, they rejected the iOS update, due to the link in the version
> info window to https://www.wireguard.com/donations/ that we've had on
> there for two years. You can see their rejection here:
> https://data.zx2c4.com/apple-asks-me-to-remove-donation-link-from-app.png
> https://data.zx2c4.com/the-screenshot-that-apple-provided.png
>
> Not wanting to hold up getting this fix deployed, I quickly removed
> the link and resubmitted to the App Store:
> https://git.zx2c4.com/wireguard-apple/commit/?id=a4fc0f64b8bca8afae5abab37b81ba0b45836975
>
> So now the process of getting that fix deployed on iOS starts from the
> beginning again. It could take another 24 hours. It could take a full
> month. The process is opaque, and try as I may, I don't know what else
> I can do to get the fix out faster.

They rejected the submission with the donation link removed, citing
the existence of the donation link in the old build and providing a
screenshot of the old build, rather than the new build. I sent them a
response pointing out that they reviewed the wrong build, looking at
the old build rather than the new build, and I sent them a photo of
the new build as installed from Test Fight. My experience with Apple
here is that if you respond to their rejection with anything at all,
you automatically get put in a bin of at least a week wait time. I
hope that doesn't happen here. But, anyway, another day has gone by,
and we're still waiting on Apple to ship the fix to you all.

My response to them was:

> Hi,
>
> Looking at that screenshot, I think you might have tested the old build. The
> one I submitted is build 21, which removes the donation link, rather than
> build 20. But in the screenshot you've attached, it shows "(20)" and it also
> shows the donation link. So that leaves me pretty confused about what's
> going on. The link is definitely gone in build 21, and I definitely
> submitted build 21, and looking again at my build submission, it says build
> 21.
>
> Attached is a photo of build 21 running from Test Flight on my iPhone.
> Notice how the build number says 21 and the donation link is gone.
>
> Could you take another look?
>
> Thanks,
> Jason

I hope this gets cleared up soon. Maybe I'll watch Terry Gilliam's
Brazil on repeat while waiting.

Jason

Re: WireGuard on macOS stopped working after 1.0.10 update

[Jacob Lambert]

Thanks for keeping us updated!  Knowing there’s a fix in the pipeline is good enough for our needs as we have a workaround solution.  We appreciate all your work, so thank you, and happy holidays!

--

-jacob

> On Dec 18, 2020, at 5:55 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> Hi again,
> 
>> On Thu, Dec 17, 2020 at 10:53 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>> However, they rejected the iOS update, due to the link in the version
>> info window to https://www.wireguard.com/donations/ that we've had on
>> there for two years. You can see their rejection here:
>> https://data.zx2c4.com/apple-asks-me-to-remove-donation-link-from-app.png
>> https://data.zx2c4.com/the-screenshot-that-apple-provided.png
>> 
>> Not wanting to hold up getting this fix deployed, I quickly removed
>> the link and resubmitted to the App Store:
>> https://git.zx2c4.com/wireguard-apple/commit/?id=a4fc0f64b8bca8afae5abab37b81ba0b45836975
>> 
>> So now the process of getting that fix deployed on iOS starts from the
>> beginning again. It could take another 24 hours. It could take a full
>> month. The process is opaque, and try as I may, I don't know what else
>> I can do to get the fix out faster.
> 
> They rejected the submission with the donation link removed, citing
> the existence of the donation link in the old build and providing a
> screenshot of the old build, rather than the new build. I sent them a
> response pointing out that they reviewed the wrong build, looking at
> the old build rather than the new build, and I sent them a photo of
> the new build as installed from Test Fight. My experience with Apple
> here is that if you respond to their rejection with anything at all,
> you automatically get put in a bin of at least a week wait time. I
> hope that doesn't happen here. But, anyway, another day has gone by,
> and we're still waiting on Apple to ship the fix to you all.
> 
> My response to them was:
> 
>> Hi,
>> 
>> Looking at that screenshot, I think you might have tested the old build. The
>> one I submitted is build 21, which removes the donation link, rather than
>> build 20. But in the screenshot you've attached, it shows "(20)" and it also
>> shows the donation link. So that leaves me pretty confused about what's
>> going on. The link is definitely gone in build 21, and I definitely
>> submitted build 21, and looking again at my build submission, it says build
>> 21.
>> 
>> Attached is a photo of build 21 running from Test Flight on my iPhone.
>> Notice how the build number says 21 and the donation link is gone.
>> 
>> Could you take another look?
>> 
>> Thanks,
>> Jason
> 
> I hope this gets cleared up soon. Maybe I'll watch Terry Gilliam's
> Brazil on repeat while waiting.
> 
> Jason

Re: WireGuard on macOS stopped working after 1.0.10 update

[Jason A. Donenfeld]

Hey folks,

On 12/19/20, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> They rejected the submission with the donation link removed, citing
> the existence of the donation link in the old build and providing a
> screenshot of the old build, rather than the new build. I sent them a
> response pointing out that they reviewed the wrong build, looking at
> the old build rather than the new build, and I sent them a photo of
> the new build as installed from Test Fight.

Looks like we got lucky this time, and things are all set! 1.0.11
should now be available in the App Store. Hopefully this concludes the
saga with the recent updates, and things will be smooth sailing from
here on out. But as usual, please don't hesitate to send new bugs,
with redacted configs and logs.

Jason

Re: WireGuard on macOS stopped working after 1.0.10 update

[Nicolas CAPEYRON]

Thanks a lot !
Save my day !

Wireguard 1.0.10 on macos is a lot faster !

-- 
Nicolas CAPEYRON
Conseil en hébergement, architecture infra web
06 26 12 27 17 - https://www.sysadminbadass.com