Development discussion of WireGuard
 help / color / mirror / Atom feed
* WireGuard Configurations Gone After iOS 15 Upgrade
@ 2021-09-22  0:23 Eddie
  2021-09-22  0:28 ` Eddie
  2021-09-22  3:14 ` Jason A. Donenfeld
  0 siblings, 2 replies; 40+ messages in thread
From: Eddie @ 2021-09-22  0:23 UTC (permalink / raw)
  To: WireGuard mailing list

Title says it all.  On both iPhone and iPad.

The configuration names still show, with the slider, but trying to 
activate gives:  Activation failure.  Unable to retrieve tunnel 
information from the saved configuration.

Selecting a tunnel name doesn't show any configuration.

Cheers.

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22  0:23 WireGuard Configurations Gone After iOS 15 Upgrade Eddie
@ 2021-09-22  0:28 ` Eddie
  2021-09-22  0:45   ` Miguel Arroz
  2021-09-22  3:14 ` Jason A. Donenfeld
  1 sibling, 1 reply; 40+ messages in thread
From: Eddie @ 2021-09-22  0:28 UTC (permalink / raw)
  To: wireguard

On 9/21/2021 5:23 PM, Eddie wrote:
> Title says it all.  On both iPhone and iPad.
>
> The configuration names still show, with the slider, but trying to 
> activate gives:  Activation failure.  Unable to retrieve tunnel 
> information from the saved configuration.
>
> Selecting a tunnel name doesn't show any configuration.
>
> Cheers.

Quick update.

The log shows:  [APP] Unable to open config from keychain:- 25300

Cheers.

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22  0:28 ` Eddie
@ 2021-09-22  0:45   ` Miguel Arroz
  0 siblings, 0 replies; 40+ messages in thread
From: Miguel Arroz @ 2021-09-22  0:45 UTC (permalink / raw)
  To: stunnel; +Cc: wireguard

Hi,

  I’m seeing the same problem in the app, but the tunnel does work. Its on-demand flag is set, so maybe the network extension is able to find the item in the keychain, but the app is not.

  Regards,

Miguel Arroz

  

> On Sep 21, 2021, at 5:28 PM, Eddie <stunnel@attglobal.net> wrote:
> 
> On 9/21/2021 5:23 PM, Eddie wrote:
>> Title says it all.  On both iPhone and iPad.
>> 
>> The configuration names still show, with the slider, but trying to activate gives:  Activation failure.  Unable to retrieve tunnel information from the saved configuration.
>> 
>> Selecting a tunnel name doesn't show any configuration.
>> 
>> Cheers.
> 
> Quick update.
> 
> The log shows:  [APP] Unable to open config from keychain:- 25300
> 
> Cheers.


^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22  0:23 WireGuard Configurations Gone After iOS 15 Upgrade Eddie
  2021-09-22  0:28 ` Eddie
@ 2021-09-22  3:14 ` Jason A. Donenfeld
  2021-09-22  4:04   ` Anatoli
  1 sibling, 1 reply; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-22  3:14 UTC (permalink / raw)
  To: Eddie; +Cc: WireGuard mailing list, Roopesh Chander S

Hi Eddie,

On Tue, Sep 21, 2021 at 6:26 PM Eddie <stunnel@attglobal.net> wrote:
>
> Title says it all.  On both iPhone and iPad.
>
> The configuration names still show, with the slider, but trying to
> activate gives:  Activation failure.  Unable to retrieve tunnel
> information from the saved configuration.
>
> Selecting a tunnel name doesn't show any configuration.

Thanks for the report. I had seen murmurs of this on IRC and Reddit
too. This post [1] mentions that they just get deleted... I'm
decrustifying my Apple setup, updating phones and macOS and Xcode and
will hopefully have a patch out soon enough, and then hopefully not
too rough of a time with the dreaded app store review process. I'm
also CCing Roopesh who might be able to whip something up faster than
me.

Jason

[1] https://www.reddit.com/r/WireGuard/comments/prhb3k/ios_15_released_on_monday/

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22  3:14 ` Jason A. Donenfeld
@ 2021-09-22  4:04   ` Anatoli
  2021-09-22  4:50     ` Jason A. Donenfeld
  0 siblings, 1 reply; 40+ messages in thread
From: Anatoli @ 2021-09-22  4:04 UTC (permalink / raw)
  To: wireguard

Hi All,

Same here.

After recreating the tunnel from scratch and activating it, the tunnel is
established, the server sees the handshake, but the iPhone doesn't have any
connectivity, can't connect to anywhere while the tunnel is activated.

After turning it off, internet starts working again.

I guess the problems is not just the configs not being re-imported.

Regards,
Anatoli

On 22/9/21 00:14, Jason A. Donenfeld wrote:
> Hi Eddie,
> 
> On Tue, Sep 21, 2021 at 6:26 PM Eddie <stunnel@attglobal.net> wrote:
>>
>> Title says it all.  On both iPhone and iPad.
>>
>> The configuration names still show, with the slider, but trying to
>> activate gives:  Activation failure.  Unable to retrieve tunnel
>> information from the saved configuration.
>>
>> Selecting a tunnel name doesn't show any configuration.
> 
> Thanks for the report. I had seen murmurs of this on IRC and Reddit
> too. This post [1] mentions that they just get deleted... I'm
> decrustifying my Apple setup, updating phones and macOS and Xcode and
> will hopefully have a patch out soon enough, and then hopefully not
> too rough of a time with the dreaded app store review process. I'm
> also CCing Roopesh who might be able to whip something up faster than
> me.
> 
> Jason
> 
> [1] https://www.reddit.com/r/WireGuard/comments/prhb3k/ios_15_released_on_monday/
> 

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22  4:04   ` Anatoli
@ 2021-09-22  4:50     ` Jason A. Donenfeld
  2021-09-22  5:17       ` Jason A. Donenfeld
  2021-09-22 15:23       ` Eddie
  0 siblings, 2 replies; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-22  4:50 UTC (permalink / raw)
  To: Anatoli, Eddie; +Cc: WireGuard mailing list, Roopesh Chander S

Hi,

I'm not able to reproduce the bug quite yet, but I'd like to get a
better idea of what the bug is. Can you confirm that after reimporting
configs into iOS 15, they work just fine? And the issue is just in the
14->15 flow? If this is correct, I see two issues:

1. Something goes wrong with the keychain from 14->15 and the app
loses authorization.

2. When the app can't open a keychain item, it deletes the VPN
profile? Or does it just gray it out? If it's deleting it, that's
wrong; it ought to just remain disabled until it's readable again.

Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22  4:50     ` Jason A. Donenfeld
@ 2021-09-22  5:17       ` Jason A. Donenfeld
       [not found]         ` <CAMaqUZ2dTaOJ3oPex0pQxBM9njHA7rW5Hb69MvG645n+ya_jhQ@mail.gmail.com>
  2021-09-22 14:47         ` Andrew Fried
  2021-09-22 15:23       ` Eddie
  1 sibling, 2 replies; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-22  5:17 UTC (permalink / raw)
  To: Anatoli, Eddie; +Cc: WireGuard mailing list, Roopesh Chander S

On Tue, Sep 21, 2021 at 10:50 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 2. When the app can't open a keychain item, it deletes the VPN
> profile? Or does it just gray it out? If it's deleting it, that's
> wrong; it ought to just remain disabled until it's readable again.

This is now fixed with https://w-g.pw/l/dteZ

> 1. Something goes wrong with the keychain from 14->15 and the app
> loses authorization.

This I still have no idea about, as I can't reproduce the issue. It
would be useful to know if it's transient, and so the fix to (2) above
basically handles the issue by not blowing away the VPN profile. If
somebody's got a reliable reproduction rig and can build this in
xcode, I'd be interested in feedback here on what's in the master
branch.

Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
       [not found]         ` <CAMaqUZ2dTaOJ3oPex0pQxBM9njHA7rW5Hb69MvG645n+ya_jhQ@mail.gmail.com>
@ 2021-09-22 13:59           ` Jason A. Donenfeld
  0 siblings, 0 replies; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-22 13:59 UTC (permalink / raw)
  To: Reid Rankin
  Cc: Anatoli, Eddie, patate.cosmique, Roopesh Chander S,
	WireGuard mailing list

Hi Reid,

Thanks for the confirmation. Do you think you (and whoever else is
experiencing this) could send me the logs from the app? You can send
them off list if you're worried about private data in there.

Thanks,
Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22  5:17       ` Jason A. Donenfeld
       [not found]         ` <CAMaqUZ2dTaOJ3oPex0pQxBM9njHA7rW5Hb69MvG645n+ya_jhQ@mail.gmail.com>
@ 2021-09-22 14:47         ` Andrew Fried
  1 sibling, 0 replies; 40+ messages in thread
From: Andrew Fried @ 2021-09-22 14:47 UTC (permalink / raw)
  To: wireguard

I ran into the same problem on my iPhone  and 4 separate iPads.

The solution: delete the wireguard app, then re-download it from the app 
store.  Problem solved.

Andrew


On 9/22/21 1:17 AM, Jason A. Donenfeld wrote:
> On Tue, Sep 21, 2021 at 10:50 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>> 2. When the app can't open a keychain item, it deletes the VPN
>> profile? Or does it just gray it out? If it's deleting it, that's
>> wrong; it ought to just remain disabled until it's readable again.
> 
> This is now fixed with https://w-g.pw/l/dteZ
> 
>> 1. Something goes wrong with the keychain from 14->15 and the app
>> loses authorization.
> 
> This I still have no idea about, as I can't reproduce the issue. It
> would be useful to know if it's transient, and so the fix to (2) above
> basically handles the issue by not blowing away the VPN profile. If
> somebody's got a reliable reproduction rig and can build this in
> xcode, I'd be interested in feedback here on what's in the master
> branch.
> 
> Jason
> 

-- 
Andrew Fried
afried@spamteq.com
+1.703.667.4050 Office
+1.703.362.0067 Mobile

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22  4:50     ` Jason A. Donenfeld
  2021-09-22  5:17       ` Jason A. Donenfeld
@ 2021-09-22 15:23       ` Eddie
  2021-09-22 16:50         ` Miguel Arroz
  1 sibling, 1 reply; 40+ messages in thread
From: Eddie @ 2021-09-22 15:23 UTC (permalink / raw)
  To: Jason A. Donenfeld, Anatoli; +Cc: WireGuard mailing list, Roopesh Chander S

On 9/21/2021 9:50 PM, Jason A. Donenfeld wrote:
> Hi,
>
> I'm not able to reproduce the bug quite yet, but I'd like to get a
> better idea of what the bug is. Can you confirm that after reimporting
> configs into iOS 15, they work just fine? And the issue is just in the
> 14->15 flow? If this is correct, I see two issues:
I haven't tried re-importing anything yet, in case you needed more 
information before trying that.
> 1. Something goes wrong with the keychain from 14->15 and the app
> loses authorization.
>
> 2. When the app can't open a keychain item, it deletes the VPN
> profile? Or does it just gray it out? If it's deleting it, that's
> wrong; it ought to just remain disabled until it's readable again.
If I select one of the tunnels, all I see on the "Edit" page is the 
status slider and the on demand status.  The section under INTERFACE is 
completely missing.  Selecting Edit brings up the screen you would see 
when creating a new tunnel, with all parameters showing (in grey) 
Required, Automatic, Optional, etc.  There are no values from the 
original configuration shown.
> Jason
>

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 15:23       ` Eddie
@ 2021-09-22 16:50         ` Miguel Arroz
  2021-09-22 19:28           ` Jason A. Donenfeld
  0 siblings, 1 reply; 40+ messages in thread
From: Miguel Arroz @ 2021-09-22 16:50 UTC (permalink / raw)
  To: stunnel, Jason A. Donenfeld
  Cc: Anatoli, WireGuard mailing list, Roopesh Chander S

Hi,

  I have two devices upgraded to iOS 15, an iPhone and iPad. Both had a tunnel configured with on-demand set. The behaviour was the same on both: the tunnel worked, but the app couldn’t show information, the exact way Eddie described. When I click the Edit button, I see all the fields blank, and the peer is gone, just like if I was creating a new configuration from scratch.

  I tried the following on the iPhone:

  - Turned the tunnel off using the switch in the app. As soon as it tried to turn itself on again (due to the on-demand flag), it showed an error and the tunnel could not be brought back up (I don’t remember the exact wording of the error alert).
  - I deleted the tunnel configuration, and created one from scratch. Everything is working now. The tunnel works, and the app can read the configuration. I rebooted the iPhone to make sure it could reload everything afterwards, and it did.

  I still have the iPad in the original state.

  The log is essentially a repetition of the following line: "Unable to open config from keychain: -25300”.

  I’m not sure if a local build made by me would help debugging this, as if I recall correctly from the Keychain API, the app group key (kSecAttrAccessGroup) is dependent on the team and bundle IDs (enforced by the code signing and runtime verification process), so I doubt I can build something that will be able to access the keychain that is already there. The only valid test would be building and installing it on iOS 14 and then upgrading to iOS 15, or distributing a beta version using TestFlight using the official team ID.

  Regards,

Miguel Arroz


> On Sep 22, 2021, at 8:23 AM, Eddie <stunnel@attglobal.net> wrote:
> 
> On 9/21/2021 9:50 PM, Jason A. Donenfeld wrote:
>> Hi,
>> 
>> I'm not able to reproduce the bug quite yet, but I'd like to get a
>> better idea of what the bug is. Can you confirm that after reimporting
>> configs into iOS 15, they work just fine? And the issue is just in the
>> 14->15 flow? If this is correct, I see two issues:
> I haven't tried re-importing anything yet, in case you needed more information before trying that.
>> 1. Something goes wrong with the keychain from 14->15 and the app
>> loses authorization.
>> 
>> 2. When the app can't open a keychain item, it deletes the VPN
>> profile? Or does it just gray it out? If it's deleting it, that's
>> wrong; it ought to just remain disabled until it's readable again.
> If I select one of the tunnels, all I see on the "Edit" page is the status slider and the on demand status.  The section under INTERFACE is completely missing.  Selecting Edit brings up the screen you would see when creating a new tunnel, with all parameters showing (in grey) Required, Automatic, Optional, etc.  There are no values from the original configuration shown.
>> Jason
>> 


^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 16:50         ` Miguel Arroz
@ 2021-09-22 19:28           ` Jason A. Donenfeld
  2021-09-22 19:58             ` Jeffrey Walton
                               ` (2 more replies)
  0 siblings, 3 replies; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-22 19:28 UTC (permalink / raw)
  To: WireGuard mailing list; +Cc: Eddie, Anatoli, Roopesh Chander S, Miguel Arroz

Hi all,

I've got a new build submitted to the App Store, and so now we wait
for Apple's review.

I do not understand the root cause or how it might resolve itself yet,
because I haven't been able to reproduce. But I've removed the
ridiculous code that deletes network profiles when the keychain can't
be opened. My hope is that the open failure is transient, and so this
fix will be sufficient to unwedge it. I guess we'll see...

Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 19:28           ` Jason A. Donenfeld
@ 2021-09-22 19:58             ` Jeffrey Walton
  2021-09-22 22:15             ` Jason A. Donenfeld
  2021-09-22 22:24             ` Anatoli
  2 siblings, 0 replies; 40+ messages in thread
From: Jeffrey Walton @ 2021-09-22 19:58 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

On Wed, Sep 22, 2021 at 3:31 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> Hi all,
>
> I've got a new build submitted to the App Store, and so now we wait
> for Apple's review.
>
> I do not understand the root cause or how it might resolve itself yet,
> because I haven't been able to reproduce. But I've removed the
> ridiculous code that deletes network profiles when the keychain can't
> be opened. My hope is that the open failure is transient, and so this
> fix will be sufficient to unwedge it. I guess we'll see...

I recall reading a report last night... An app lost access to its
keychain items after an iOS 15 upgrade. The workaround was to "Enable
iCloud Keychain".

I don't think that's a good idea, however. You don't want your secrets
leaving your security boundary and moving to Apple's cloud. In fact, I
stopped using Apple devices back around iOS 6 when Apple integrated
the keychain into their cloud services.

Jeff

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 19:28           ` Jason A. Donenfeld
  2021-09-22 19:58             ` Jeffrey Walton
@ 2021-09-22 22:15             ` Jason A. Donenfeld
  2021-09-22 22:31               ` Miguel Arroz
  2021-09-23  1:34               ` Jason A. Donenfeld
  2021-09-22 22:24             ` Anatoli
  2 siblings, 2 replies; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-22 22:15 UTC (permalink / raw)
  To: WireGuard mailing list; +Cc: Eddie, Anatoli, Roopesh Chander S, Miguel Arroz

Hi again,

A new app has been released for both iOS and macOS. Please test it out
and let me know how it goes.

Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 19:28           ` Jason A. Donenfeld
  2021-09-22 19:58             ` Jeffrey Walton
  2021-09-22 22:15             ` Jason A. Donenfeld
@ 2021-09-22 22:24             ` Anatoli
  2021-09-22 22:26               ` Jason A. Donenfeld
  2 siblings, 1 reply; 40+ messages in thread
From: Anatoli @ 2021-09-22 22:24 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

[-- Attachment #1: Type: text/plain, Size: 271 bytes --]

I can confirm that recreating the tunnel from scratch does work. So the problem is that the tunnel settings become corrupted when iOS is upgraded from 13.x / 14.x to 15.0.

Here are some printscreens of how it looks like (in Spanish):

Tunnel details look this way:

[-- Attachment #2: image0.jpeg --]
[-- Type: image/jpeg, Size: 20223 bytes --]

[-- Attachment #3: Type: text/plain, Size: 76 bytes --]



When on the previous screen you click Edit, the edit page opens this way:

[-- Attachment #4: image1.jpeg --]
[-- Type: image/jpeg, Size: 35644 bytes --]

[-- Attachment #5: Type: text/plain, Size: 181 bytes --]



When you try to activate such a tunnel, you get the error saying: “Activation failure: it wasn’t possible to recover the tunnel information from the saved configuration”

[-- Attachment #6: image2.jpeg --]
[-- Type: image/jpeg, Size: 25063 bytes --]

[-- Attachment #7: Type: text/plain, Size: 560 bytes --]




> On 22 Sep 2021, at 16:28, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> Hi all,
> 
> I've got a new build submitted to the App Store, and so now we wait
> for Apple's review.
> 
> I do not understand the root cause or how it might resolve itself yet,
> because I haven't been able to reproduce. But I've removed the
> ridiculous code that deletes network profiles when the keychain can't
> be opened. My hope is that the open failure is transient, and so this
> fix will be sufficient to unwedge it. I guess we'll see...
> 
> Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 22:24             ` Anatoli
@ 2021-09-22 22:26               ` Jason A. Donenfeld
  2021-09-22 23:12                 ` Anatoli
  0 siblings, 1 reply; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-22 22:26 UTC (permalink / raw)
  To: Anatoli; +Cc: WireGuard mailing list

On Wed, Sep 22, 2021 at 4:24 PM Anatoli <me@anatoli.ws> wrote:
>
> I can confirm that recreating the tunnel from scratch does work. So the problem is that the tunnel settings become corrupted when iOS is upgraded from 13.x / 14.x to 15.0.

What are you testing? The new version of the app or the old one? Does
the new one corrupt settings or only the old one? Precision is
important here.

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 22:15             ` Jason A. Donenfeld
@ 2021-09-22 22:31               ` Miguel Arroz
  2021-09-22 22:35                 ` Jason A. Donenfeld
  2021-09-23  1:34               ` Jason A. Donenfeld
  1 sibling, 1 reply; 40+ messages in thread
From: Miguel Arroz @ 2021-09-22 22:31 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: WireGuard mailing list, Eddie, Anatoli, Roopesh Chander S

Hi Jason,

  After the update, when I launch the app on the iPad, the row in the tunnel list has a red background, and the first time I launched it, the switch started switching very quickly between connected and disconnected. Also, nothing at all shows on the right side when I click it (not even the empty sections that were appearing before, it’s just a blank view). The tunnel also got disconnected when I launched the app, and is not connecting any more.

  On the iPhone (where I had already recreated the tunnel), also after the update, everything seems fine.

  Regards,

Miguel Arroz


> On Sep 22, 2021, at 3:15 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> Hi again,
> 
> A new app has been released for both iOS and macOS. Please test it out
> and let me know how it goes.
> 
> Jason


^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 22:31               ` Miguel Arroz
@ 2021-09-22 22:35                 ` Jason A. Donenfeld
  2021-09-22 22:42                   ` Miguel Arroz
  2021-09-22 22:45                   ` Eddie
  0 siblings, 2 replies; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-22 22:35 UTC (permalink / raw)
  To: Miguel Arroz; +Cc: WireGuard mailing list, Eddie, Anatoli, Roopesh Chander S

Hi Miguel,

On Wed, Sep 22, 2021 at 4:31 PM Miguel Arroz <miguel.arroz@gmail.com> wrote:
>   After the update, when I launch the app on the iPad, the row in the tunnel list has a red background, and the first time I launched it, the switch started switching very quickly between connected and disconnected. Also, nothing at all shows on the right side when I click it (not even the empty sections that were appearing before, it’s just a blank view). The tunnel also got disconnected when I launched the app, and is not connecting any more.

Is this on a fresh 14->15 transition? Or had you already loaded the
old version on 15?

The row turns red when it can't open the keychain reference. I'm
curious whether that's because it was already deleted stupidly by the
old version of the app during the 14->15 transition, or whether it's
still there, but the new version of the app on 15 is unable to load
it.

Also, what happens if you twiddle the iCloud keychain setting?

Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 22:35                 ` Jason A. Donenfeld
@ 2021-09-22 22:42                   ` Miguel Arroz
  2021-09-22 22:43                     ` Jason A. Donenfeld
  2021-09-22 22:45                   ` Eddie
  1 sibling, 1 reply; 40+ messages in thread
From: Miguel Arroz @ 2021-09-22 22:42 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: WireGuard mailing list, Eddie, Anatoli, Roopesh Chander S

Hey Jason,

> On Sep 22, 2021, at 3:35 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> Is this on a fresh 14->15 transition? Or had you already loaded the
> old version on 15?
> 
> The row turns red when it can't open the keychain reference. I'm
> curious whether that's because it was already deleted stupidly by the
> old version of the app during the 14->15 transition, or whether it's
> still there, but the new version of the app on 15 is unable to load
> it.

  I already had loaded the old version after installing iOS 15, so it probably was deleted, which is consistent with the red row. Unfortunately I don’t have any other iOS device, only those two that were upgraded to iOS 15 and ran the old Wireguard version already.

> Also, what happens if you twiddle the iCloud keychain setting?

  The behaviour didn’t change, although it probably doesn’t mean anything given the above.

  Regards,

Miguel Arroz

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 22:42                   ` Miguel Arroz
@ 2021-09-22 22:43                     ` Jason A. Donenfeld
  0 siblings, 0 replies; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-22 22:43 UTC (permalink / raw)
  To: Miguel Arroz; +Cc: WireGuard mailing list, Eddie, Anatoli, Roopesh Chander S

Hi Miguel,

Gotcha. It is interesting that those red rows weren't wiped out,
though... I would think that with the old code, after two launches,
they'd be removed...

Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 22:35                 ` Jason A. Donenfeld
  2021-09-22 22:42                   ` Miguel Arroz
@ 2021-09-22 22:45                   ` Eddie
  2021-09-22 22:55                     ` Eddie
       [not found]                     ` <814501e8-c2c8-1e0a-2f30-fd83fb7769ec@attglobal.net>
  1 sibling, 2 replies; 40+ messages in thread
From: Eddie @ 2021-09-22 22:45 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list, Anatoli, Roopesh Chander S

On 9/22/2021 3:35 PM, Jason A. Donenfeld wrote:
> Hi Miguel,
>
> On Wed, Sep 22, 2021 at 4:31 PM Miguel Arroz <miguel.arroz@gmail.com> wrote:
>>    After the update, when I launch the app on the iPad, the row in the tunnel list has a red background, and the first time I launched it, the switch started switching very quickly between connected and disconnected. Also, nothing at all shows on the right side when I click it (not even the empty sections that were appearing before, it’s just a blank view). The tunnel also got disconnected when I launched the app, and is not connecting any more.
I see the same red backgrounds and empty details pane.
> Is this on a fresh 14->15 transition? Or had you already loaded the
> old version on 15?
I had already upgraded all my devices, so can't verify the 14->15 upgrade.
> The row turns red when it can't open the keychain reference. I'm
> curious whether that's because it was already deleted stupidly by the
> old version of the app during the 14->15 transition, or whether it's
> still there, but the new version of the app on 15 is unable to load
> it.
>
> Also, what happens if you twiddle the iCloud keychain setting?
Sorry, as much as I like Apple, that's one part I'm not trusting to 
their cloud.
> Jason
>
>


^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 22:45                   ` Eddie
@ 2021-09-22 22:55                     ` Eddie
  2021-09-22 22:55                       ` Jason A. Donenfeld
       [not found]                     ` <814501e8-c2c8-1e0a-2f30-fd83fb7769ec@attglobal.net>
  1 sibling, 1 reply; 40+ messages in thread
From: Eddie @ 2021-09-22 22:55 UTC (permalink / raw)
  To: Jason A. Donenfeld, WireGuard mailing list

On 9/22/2021 3:45 PM, Eddie wrote:
> On 9/22/2021 3:35 PM, Jason A. Donenfeld wrote:
>> Hi Miguel,
>>
>> On Wed, Sep 22, 2021 at 4:31 PM Miguel Arroz <miguel.arroz@gmail.com> 
>> wrote:
>>>    After the update, when I launch the app on the iPad, the row in 
>>> the tunnel list has a red background, and the first time I launched 
>>> it, the switch started switching very quickly between connected and 
>>> disconnected. Also, nothing at all shows on the right side when I 
>>> click it (not even the empty sections that were appearing before, 
>>> it’s just a blank view). The tunnel also got disconnected when I 
>>> launched the app, and is not connecting any more.
> I see the same red backgrounds and empty details pane.

Which now means I can't delete the broken tunnels.

>> Is this on a fresh 14->15 transition? Or had you already loaded the
>> old version on 15?
> I had already upgraded all my devices, so can't verify the 14->15 upgrade.
>> The row turns red when it can't open the keychain reference. I'm
>> curious whether that's because it was already deleted stupidly by the
>> old version of the app during the 14->15 transition, or whether it's
>> still there, but the new version of the app on 15 is unable to load
>> it.
>>
>> Also, what happens if you twiddle the iCloud keychain setting?
> Sorry, as much as I like Apple, that's one part I'm not trusting to 
> their cloud.
>> Jason
>>
>>
>
>
> ----------------------------------------------------------------------
> This e-mail was checked for spam by the freeware edition of CleanMail.
> The freeware edition is restricted to personal and non-commercial use.
> You can remove this notice by purchasing a commercial license:
> http://antispam.byteplant.com/products/cleanmail/index.html



^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 22:55                     ` Eddie
@ 2021-09-22 22:55                       ` Jason A. Donenfeld
  0 siblings, 0 replies; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-22 22:55 UTC (permalink / raw)
  To: Eddie; +Cc: WireGuard mailing list

On Wed, Sep 22, 2021 at 4:55 PM Eddie <stunnel@attglobal.net> wrote:
> On 9/22/2021 3:45 PM, Eddie wrote:
> > I see the same red backgrounds and empty details pane.
> Which now means I can't delete the broken tunnels.

What happens when you slide the item over to reveal the delete button
and then press it?

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
       [not found]                       ` <CAHmME9p5C3bGT=gXV6WQ5HNOBTtitXdGwKm7EaOv_bnVVvX5vA@mail.gmail.com>
@ 2021-09-22 22:56                         ` Eddie
  0 siblings, 0 replies; 40+ messages in thread
From: Eddie @ 2021-09-22 22:56 UTC (permalink / raw)
  To: Jason A. Donenfeld, WireGuard mailing list


On 9/22/2021 3:54 PM, Jason A. Donenfeld wrote:
> On Wed, Sep 22, 2021 at 4:53 PM Eddie <stunnel@attglobal.net> wrote:
>> On 9/22/2021 3:45 PM, Eddie wrote:
>>> On 9/22/2021 3:35 PM, Jason A. Donenfeld wrote:
>>>> Hi Miguel,
>>>>
>>>> On Wed, Sep 22, 2021 at 4:31 PM Miguel Arroz <miguel.arroz@gmail.com>
>>>> wrote:
>>>>>     After the update, when I launch the app on the iPad, the row in
>>>>> the tunnel list has a red background, and the first time I launched
>>>>> it, the switch started switching very quickly between connected and
>>>>> disconnected. Also, nothing at all shows on the right side when I
>>>>> click it (not even the empty sections that were appearing before,
>>>>> it’s just a blank view). The tunnel also got disconnected when I
>>>>> launched the app, and is not connecting any more.
>>> I see the same red backgrounds and empty details pane.
>> Which now means I can't delete the broken tunnels.
> What happens when you slide the item over to reveal the delete button
> and then press it?
>
Sorry 'bout not sending that to the list, corrected.

Didn't know about that option  :-(  Which does work, thanks.


^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 22:26               ` Jason A. Donenfeld
@ 2021-09-22 23:12                 ` Anatoli
  2021-09-22 23:53                   ` Alan Graham
  0 siblings, 1 reply; 40+ messages in thread
From: Anatoli @ 2021-09-22 23:12 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

Sorry, I replied before I've got your mail about the new version.

This is how the old version was behaving. Haven't tested yet the new version.
I'll test it and report today or tomorrow.


On 22/9/21 19:26, Jason A. Donenfeld wrote:
> On Wed, Sep 22, 2021 at 4:24 PM Anatoli <me@anatoli.ws> wrote:
>>
>> I can confirm that recreating the tunnel from scratch does work. So the problem is that the tunnel settings become corrupted when iOS is upgraded from 13.x / 14.x to 15.0.
> 
> What are you testing? The new version of the app or the old one? Does
> the new one corrupt settings or only the old one? Precision is
> important here.
> 

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 23:12                 ` Anatoli
@ 2021-09-22 23:53                   ` Alan Graham
  0 siblings, 0 replies; 40+ messages in thread
From: Alan Graham @ 2021-09-22 23:53 UTC (permalink / raw)
  To: Anatoli; +Cc: Jason A. Donenfeld, WireGuard mailing list

Hi,

I have an iOS 15 iPhone 12 Pro Max with three tunnels configured.  The
upgrade from 14 to 15 busted the configs as described.  I deleted and
recreated one of the tunnels and it worked fine.  I updated to today's
bits (which appear to have been released in record time).  The tunnel
that I deleted and recreated is still working fine.  The other two
tunnels now have red backgrounds and I can no longer click them to see
the (empty) details like I could in the older build.  Trying to
activate it does not work (it does not, however, rapidly switch
between on and off).  It looks like I can delete them by swiping left
to reveal a delete button, but I can leave them in their current state
for more testing.  I did not have on-demand turned on for any of the
tunnels so I cannot speak to that partially working state.  I have
iCloud keychain on, so that doesn't appear to be a fix/workaround.  I
also have an iPad that I haven't upgraded yet, so I should be able to
test the upgrade path, but I'm not sure these bits resolve the
problem.

Best regards,
Alan

On Wed, Sep 22, 2021 at 4:26 PM Anatoli <me@anatoli.ws> wrote:
>
> Sorry, I replied before I've got your mail about the new version.
>
> This is how the old version was behaving. Haven't tested yet the new version.
> I'll test it and report today or tomorrow.
>
>
> On 22/9/21 19:26, Jason A. Donenfeld wrote:
> > On Wed, Sep 22, 2021 at 4:24 PM Anatoli <me@anatoli.ws> wrote:
> >>
> >> I can confirm that recreating the tunnel from scratch does work. So the problem is that the tunnel settings become corrupted when iOS is upgraded from 13.x / 14.x to 15.0.
> >
> > What are you testing? The new version of the app or the old one? Does
> > the new one corrupt settings or only the old one? Precision is
> > important here.
> >

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-22 22:15             ` Jason A. Donenfeld
  2021-09-22 22:31               ` Miguel Arroz
@ 2021-09-23  1:34               ` Jason A. Donenfeld
  2021-09-23  2:49                 ` Jason A. Donenfeld
  2021-09-23  2:54                 ` Miguel Arroz
  1 sibling, 2 replies; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-23  1:34 UTC (permalink / raw)
  To: WireGuard mailing list
  Cc: Eddie, Anatoli, Roopesh Chander S, Miguel Arroz, Alan Graham, oss

Hey folks,

Small update: I've managed to update a fresh 14 device to 15 using the
latest build, and things are broken still.

On the plus side:
- The new build no longer deletes VPN profiles when the corresponding
keychain references are unresolvable, so if there's any chance of
recovery in a next build, it won't ruin those chances.
- Now that I can reproduce it, I can hammer away at trying to fix this directly.

On the minus side:
- The fact that a keychain reference goes stale during an update from
14 to 15 sounds solidly like an Apple bug, rather than any sort of API
misuse.
- I'm skeptical that there'll be a workaround, and if there is, it
will probably be pretty ugly.

If anyone knows the SecItem APIs well, the file in question is:
https://git.zx2c4.com/wireguard-apple/tree/Sources/Shared/Keychain.swift

So, I guess I'll jump into this in full force now. Here we go...

Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-23  1:34               ` Jason A. Donenfeld
@ 2021-09-23  2:49                 ` Jason A. Donenfeld
  2021-09-23  2:54                 ` Miguel Arroz
  1 sibling, 0 replies; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-23  2:49 UTC (permalink / raw)
  To: WireGuard mailing list
  Cc: Eddie, Anatoli, Roopesh Chander S, Miguel Arroz, Alan Graham, oss

Hi again,

I'm afraid the situation is somewhat bad...

It appears that iOS 15 has completely deleted the iOS 14's WireGUard
keychain items, at least as far as the WireGuard app can see. I've yet
to jailbreak or look at an image dump to see if it's still hiding
somewhere, but it also doesn't matter, because from the app's
perspective, the keychain appears totally empty.

Digging in just on the surface, it looks like the keychain references
from iOS 14 are something like "67656e7000000000000000f7", with that
f7 incrementing, while the ones from iOS 15 are
"67656e700167269751a94355a004bfa75f951cec" -- same prefix, but the
suffix is longer and seemingly random. Did the migration from one
format to the other go bad on upgrade? Did something else happen? I
don't really know much yet about the guts of this bug, but it does
seem like something is going on. We've never had any issues with the
keychain being emptied between iOS versions before.

So now we need to figure out what to do. I'm still holding out a tiny
sliver of hope that there's a mistake somewhere and this can all be
fixed by the app, but so far I've come up dry when looking around for
that. What if this really is an iOS 15 bug? I'll report it to Apple,
of course, but that doesn't help the immediate issue that people's
configs are being deleted. The behavior is at least detectable, so I
could detect the migration, delete all of the orphaned network
profiles (as before), and pop up a message box (resembling a
ransomware screen!) saying "Where Have All Your Configurations Gone?",
followed by an apologetic explanation. That's kind of unsatisfactory,
though. I'm all ears on other ideas if you've got any.

And if any Apple developers are hanging out on this list and want to
try their hand at a solution, that'd be much appreciated. (Plus, my
entreaty from March [1] remains.)

Jason

[1] https://lists.zx2c4.com/pipermail/wireguard/2021-March/006455.html

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-23  1:34               ` Jason A. Donenfeld
  2021-09-23  2:49                 ` Jason A. Donenfeld
@ 2021-09-23  2:54                 ` Miguel Arroz
  2021-09-23  3:06                   ` Miguel Arroz
  2021-09-23  3:09                   ` Jason A. Donenfeld
  1 sibling, 2 replies; 40+ messages in thread
From: Miguel Arroz @ 2021-09-23  2:54 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: WireGuard mailing list, Eddie, Anatoli, Roopesh Chander S,
	Alan Graham, oss

Hi,

  (Now without HTML…)

  I never wrote code touching the Keychain on iOS, but did on macOS using the iOS behaviour (kSecUseDataProtectionKeychain set to true).

  There are two things in that class that I would look into:

  - Line 40: items[kSecAttrAccessGroup] = FileManager.appGroupId

  If I understand correctly, this ends up being "group.$(APP_ID_IOS)”. I’m a bit surprised this doesn’t need the Team ID before “group”, as it definitely needs that in macOS.

  - The openReference() function, because it’s not setting the same kSecAttrAccessGroup parameter when reading. The documentation mentions what happens when it’s not set (https://developer.apple.com/documentation/security/ksecattraccessgroup), I wonder if that changed (intentionally or due to a bug in iOS 15):

> If you don’t explicitly set a group, keychain services defaults to the app’s first access group, which is either the first keychain access group, or the app ID when the app has no keychain groups.

  None of these explain why the tunnel keeps working after upgrading to iOS 15 (if the on-demand flag is set), as I would expect the Network Extension to hit the same problem, as it goes through the same Keychain code. But maybe the behaviour is slightly different than when it’s running through the app for some reason. It could explain why re-building the tunnels would work from then on (although then I would expect the extension to *not* be able to read them). So all this may be just a red herring.

  Hope it helps somehow.

  Regards,

Miguel Arroz



> On Sep 22, 2021, at 6:34 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> Hey folks,
> 
> Small update: I've managed to update a fresh 14 device to 15 using the
> latest build, and things are broken still.
> 
> On the plus side:
> - The new build no longer deletes VPN profiles when the corresponding
> keychain references are unresolvable, so if there's any chance of
> recovery in a next build, it won't ruin those chances.
> - Now that I can reproduce it, I can hammer away at trying to fix this directly.
> 
> On the minus side:
> - The fact that a keychain reference goes stale during an update from
> 14 to 15 sounds solidly like an Apple bug, rather than any sort of API
> misuse.
> - I'm skeptical that there'll be a workaround, and if there is, it
> will probably be pretty ugly.
> 
> If anyone knows the SecItem APIs well, the file in question is:
> https://git.zx2c4.com/wireguard-apple/tree/Sources/Shared/Keychain.swift
> 
> So, I guess I'll jump into this in full force now. Here we go...
> 
> Jason


^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-23  2:54                 ` Miguel Arroz
@ 2021-09-23  3:06                   ` Miguel Arroz
  2021-09-23  3:09                   ` Jason A. Donenfeld
  1 sibling, 0 replies; 40+ messages in thread
From: Miguel Arroz @ 2021-09-23  3:06 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: WireGuard mailing list, Eddie, Anatoli, Roopesh Chander S,
	Alan Graham, oss

Oops never mind the second one, I misread the documentation. Reading from the keychain without specifying the group should scan all groups…



> On Sep 22, 2021, at 7:54 PM, Miguel Arroz <miguel.arroz@gmail.com> wrote:
> 
> Hi,
> 
>  (Now without HTML…)
> 
>  I never wrote code touching the Keychain on iOS, but did on macOS using the iOS behaviour (kSecUseDataProtectionKeychain set to true).
> 
>  There are two things in that class that I would look into:
> 
>  - Line 40: items[kSecAttrAccessGroup] = FileManager.appGroupId
> 
>  If I understand correctly, this ends up being "group.$(APP_ID_IOS)”. I’m a bit surprised this doesn’t need the Team ID before “group”, as it definitely needs that in macOS.
> 
>  - The openReference() function, because it’s not setting the same kSecAttrAccessGroup parameter when reading. The documentation mentions what happens when it’s not set (https://developer.apple.com/documentation/security/ksecattraccessgroup), I wonder if that changed (intentionally or due to a bug in iOS 15):
> 
>> If you don’t explicitly set a group, keychain services defaults to the app’s first access group, which is either the first keychain access group, or the app ID when the app has no keychain groups.
> 
>  None of these explain why the tunnel keeps working after upgrading to iOS 15 (if the on-demand flag is set), as I would expect the Network Extension to hit the same problem, as it goes through the same Keychain code. But maybe the behaviour is slightly different than when it’s running through the app for some reason. It could explain why re-building the tunnels would work from then on (although then I would expect the extension to *not* be able to read them). So all this may be just a red herring.
> 
>  Hope it helps somehow.
> 
>  Regards,
> 
> Miguel Arroz
> 
> 
> 
>> On Sep 22, 2021, at 6:34 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>> 
>> Hey folks,
>> 
>> Small update: I've managed to update a fresh 14 device to 15 using the
>> latest build, and things are broken still.
>> 
>> On the plus side:
>> - The new build no longer deletes VPN profiles when the corresponding
>> keychain references are unresolvable, so if there's any chance of
>> recovery in a next build, it won't ruin those chances.
>> - Now that I can reproduce it, I can hammer away at trying to fix this directly.
>> 
>> On the minus side:
>> - The fact that a keychain reference goes stale during an update from
>> 14 to 15 sounds solidly like an Apple bug, rather than any sort of API
>> misuse.
>> - I'm skeptical that there'll be a workaround, and if there is, it
>> will probably be pretty ugly.
>> 
>> If anyone knows the SecItem APIs well, the file in question is:
>> https://git.zx2c4.com/wireguard-apple/tree/Sources/Shared/Keychain.swift
>> 
>> So, I guess I'll jump into this in full force now. Here we go...
>> 
>> Jason
> 


^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-23  2:54                 ` Miguel Arroz
  2021-09-23  3:06                   ` Miguel Arroz
@ 2021-09-23  3:09                   ` Jason A. Donenfeld
  2021-09-23  3:19                     ` Miguel Arroz
  1 sibling, 1 reply; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-23  3:09 UTC (permalink / raw)
  To: Miguel Arroz
  Cc: WireGuard mailing list, Eddie, Anatoli, Roopesh Chander S,
	Alan Graham, oss

Hi Miguel,

On Wed, Sep 22, 2021 at 8:54 PM Miguel Arroz <miguel.arroz@gmail.com> wrote:
>   If I understand correctly, this ends up being "group.$(APP_ID_IOS)”. I’m a bit surprised this doesn’t need the Team ID before “group”, as it definitely needs that in macOS.

Indeed it's prefixed with the team on macOS, but IIRC that never worked on iOS.

>   - The openReference() function, because it’s not setting the same kSecAttrAccessGroup parameter when reading. The documentation mentions what happens when it’s not set (https://developer.apple.com/documentation/security/ksecattraccessgroup), I wonder if that changed (intentionally or due to a bug in iOS 15):
>
> > If you don’t explicitly set a group, keychain services defaults to the app’s first access group, which is either the first keychain access group, or the app ID when the app has no keychain groups.

For setting, but for reading/updating, that page says:

> By default, the SecItemUpdate, SecItemDelete, and SecItemCopyMatching
> methods search all the app’s access groups. Add the kSecAttrAccessGroup
> attribute to the query to limit the search to a particular group.

So in theory, it should be fine to omit that in openReference().
Adding it in there also doesn't cause any changes, unfortunately.

>   None of these explain why the tunnel keeps working after upgrading to iOS 15 (if the on-demand flag is set

Oh, I didn't realize that was happening. Are you *sure* about that? Is
the tunnel actually working? Or is it on, but crashing? When I go to
enable the tunnel from the system preferences view of it, it starts
and then stops, indicating the network extension couldn't open the
keychain ref either. And in the log, I see the [NET] process indeed
failing in the same spot as the [APP] process.

Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-23  3:09                   ` Jason A. Donenfeld
@ 2021-09-23  3:19                     ` Miguel Arroz
  2021-09-23  3:22                       ` Jason A. Donenfeld
  0 siblings, 1 reply; 40+ messages in thread
From: Miguel Arroz @ 2021-09-23  3:19 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: WireGuard mailing list, Eddie, Anatoli, Roopesh Chander S,
	Alan Graham, oss

Hi,

> On Sep 22, 2021, at 8:09 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> Oh, I didn't realize that was happening. Are you *sure* about that? Is
> the tunnel actually working? Or is it on, but crashing? When I go to
> enable the tunnel from the system preferences view of it, it starts
> and then stops, indicating the network extension couldn't open the
> keychain ref either. And in the log, I see the [NET] process indeed
> failing in the same spot as the [APP] process.
> 
> Jason

  Yeah, I’m 100% sure they were working fine after the update but before I launched the app and touched the on/off switch there. I only noticed the problem due to the emails here, as the tunnel itself was working smoothly (I only have one per device and it’s on-demand, so I rarely interact with the app itself).

  My initial assumption was, after iOS upgrade, the network extension was able to read the data to create the tunnel, but the app corrupted it as soon as I tried to turn the tunnel off through the app.

  Regards,

Miguel Arroz 


^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-23  3:19                     ` Miguel Arroz
@ 2021-09-23  3:22                       ` Jason A. Donenfeld
  2021-09-23  3:57                         ` Jason A. Donenfeld
  0 siblings, 1 reply; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-23  3:22 UTC (permalink / raw)
  To: Miguel Arroz
  Cc: WireGuard mailing list, Eddie, Anatoli, Roopesh Chander S,
	Alan Graham, oss

Hi Miguel,

On Wed, Sep 22, 2021 at 9:19 PM Miguel Arroz <miguel.arroz@gmail.com> wrote:
>   Yeah, I’m 100% sure they were working fine after the update but before I launched the app and touched the on/off switch there.

Interesting... Alright then, new theory: the keychain references are
accessible in the old 12-byte format, but are presented when iterating
in the new 20-byte format. The deleteReferences(except: refs) function
iterates through all, removes everything in the except list, and then
deletes what remains. If the iteration reference doesn't match with
the except reference, despite pointing to the same object, then it'll
delete them incorrectly. ...restoring to iOS 14 now to test that
theory.

Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-23  3:22                       ` Jason A. Donenfeld
@ 2021-09-23  3:57                         ` Jason A. Donenfeld
  2021-09-23  4:13                           ` Jason A. Donenfeld
  0 siblings, 1 reply; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-23  3:57 UTC (permalink / raw)
  To: Miguel Arroz
  Cc: WireGuard mailing list, Eddie, Anatoli, Roopesh Chander S,
	Alan Graham, oss

Hi Miguel,

On Wed, Sep 22, 2021 at 9:22 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> Interesting... Alright then, new theory: the keychain references are
> accessible in the old 12-byte format, but are presented when iterating
> in the new 20-byte format. The deleteReferences(except: refs) function
> iterates through all, removes everything in the except list, and then
> deletes what remains. If the iteration reference doesn't match with
> the except reference, despite pointing to the same object, then it'll
> delete them incorrectly. ...restoring to iOS 14 now to test that
> theory.

Good news! The theory holds. Thanks for bringing that behavior to my
attention. I think this should be fixable.

iOS changing persistent keychain refs to be non-bijective I guess is a
bit of a shocker, but I'm glad we've gotten to the bottom of it.

Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-23  3:57                         ` Jason A. Donenfeld
@ 2021-09-23  4:13                           ` Jason A. Donenfeld
  2021-09-23  4:21                             ` Miguel Arroz
  2021-09-23 14:41                             ` Anatoli
  0 siblings, 2 replies; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-23  4:13 UTC (permalink / raw)
  To: Miguel Arroz
  Cc: WireGuard mailing list, Eddie, Anatoli, Roopesh Chander S,
	Alan Graham, oss

Hi,

Fixed! https://git.zx2c4.com/wireguard-apple/commit/?id=03a59ff38e96fb3bb5dde2f15fe42198d1dfb995

Thank you to everyone in this thread who helped get to the bottom of this.

Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-23  4:13                           ` Jason A. Donenfeld
@ 2021-09-23  4:21                             ` Miguel Arroz
  2021-09-23 14:41                             ` Anatoli
  1 sibling, 0 replies; 40+ messages in thread
From: Miguel Arroz @ 2021-09-23  4:21 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: WireGuard mailing list, Eddie, Anatoli, Roopesh Chander S,
	Alan Graham, oss

Hi,

  Awesome! Thank you for the quick fix.

  Regards,

Miguel Arroz

  

> On Sep 22, 2021, at 9:13 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> Hi,
> 
> Fixed! https://git.zx2c4.com/wireguard-apple/commit/?id=03a59ff38e96fb3bb5dde2f15fe42198d1dfb995
> 
> Thank you to everyone in this thread who helped get to the bottom of this.
> 
> Jason


^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-23  4:13                           ` Jason A. Donenfeld
  2021-09-23  4:21                             ` Miguel Arroz
@ 2021-09-23 14:41                             ` Anatoli
  2021-09-23 17:26                               ` Jason A. Donenfeld
  1 sibling, 1 reply; 40+ messages in thread
From: Anatoli @ 2021-09-23 14:41 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

Great! Thanks for a quick solution!

Please let us know in this thread when the update is in the AppStore.

> On 23 Sep 2021, at 01:14, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> Hi,
> 
> Fixed! https://git.zx2c4.com/wireguard-apple/commit/?id=03a59ff38e96fb3bb5dde2f15fe42198d1dfb995
> 
> Thank you to everyone in this thread who helped get to the bottom of this.
> 
> Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-23 14:41                             ` Anatoli
@ 2021-09-23 17:26                               ` Jason A. Donenfeld
  2021-09-24  2:17                                 ` Jason A. Donenfeld
  0 siblings, 1 reply; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-23 17:26 UTC (permalink / raw)
  To: Anatoli; +Cc: WireGuard mailing list

On Thu, Sep 23, 2021 at 8:42 AM Anatoli <me@anatoli.ws> wrote:
> Please let us know in this thread when the update is in the AppStore.

Indeed I will. It's been in the "waiting for review" state for about
13 hours. So hopefully that'll change somewhat soonish.

Jason

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-23 17:26                               ` Jason A. Donenfeld
@ 2021-09-24  2:17                                 ` Jason A. Donenfeld
  2021-09-24  8:05                                   ` Alan Graham
  0 siblings, 1 reply; 40+ messages in thread
From: Jason A. Donenfeld @ 2021-09-24  2:17 UTC (permalink / raw)
  To: Anatoli; +Cc: WireGuard mailing list

On Thu, Sep 23, 2021 at 11:26 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On Thu, Sep 23, 2021 at 8:42 AM Anatoli <me@anatoli.ws> wrote:
> > Please let us know in this thread when the update is in the AppStore.
>
> Indeed I will. It's been in the "waiting for review" state for about
> 13 hours. So hopefully that'll change somewhat soonish.

This has been released now. I'll send out an email in a new thread
announcing this.

^ permalink raw reply	[flat|nested] 40+ messages in thread

* Re: WireGuard Configurations Gone After iOS 15 Upgrade
  2021-09-24  2:17                                 ` Jason A. Donenfeld
@ 2021-09-24  8:05                                   ` Alan Graham
  0 siblings, 0 replies; 40+ messages in thread
From: Alan Graham @ 2021-09-24  8:05 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: Anatoli, WireGuard mailing list

I can confirm that upgrading wireguard, and then upgrading to iOS 15
works flawlessly with the released bits.

Best wishes,
Alan

On Thu, Sep 23, 2021 at 7:27 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On Thu, Sep 23, 2021 at 11:26 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> >
> > On Thu, Sep 23, 2021 at 8:42 AM Anatoli <me@anatoli.ws> wrote:
> > > Please let us know in this thread when the update is in the AppStore.
> >
> > Indeed I will. It's been in the "waiting for review" state for about
> > 13 hours. So hopefully that'll change somewhat soonish.
>
> This has been released now. I'll send out an email in a new thread
> announcing this.

^ permalink raw reply	[flat|nested] 40+ messages in thread

end of thread, other threads:[~2021-09-24  8:06 UTC | newest]

Thread overview: 40+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-22  0:23 WireGuard Configurations Gone After iOS 15 Upgrade Eddie
2021-09-22  0:28 ` Eddie
2021-09-22  0:45   ` Miguel Arroz
2021-09-22  3:14 ` Jason A. Donenfeld
2021-09-22  4:04   ` Anatoli
2021-09-22  4:50     ` Jason A. Donenfeld
2021-09-22  5:17       ` Jason A. Donenfeld
     [not found]         ` <CAMaqUZ2dTaOJ3oPex0pQxBM9njHA7rW5Hb69MvG645n+ya_jhQ@mail.gmail.com>
2021-09-22 13:59           ` Jason A. Donenfeld
2021-09-22 14:47         ` Andrew Fried
2021-09-22 15:23       ` Eddie
2021-09-22 16:50         ` Miguel Arroz
2021-09-22 19:28           ` Jason A. Donenfeld
2021-09-22 19:58             ` Jeffrey Walton
2021-09-22 22:15             ` Jason A. Donenfeld
2021-09-22 22:31               ` Miguel Arroz
2021-09-22 22:35                 ` Jason A. Donenfeld
2021-09-22 22:42                   ` Miguel Arroz
2021-09-22 22:43                     ` Jason A. Donenfeld
2021-09-22 22:45                   ` Eddie
2021-09-22 22:55                     ` Eddie
2021-09-22 22:55                       ` Jason A. Donenfeld
     [not found]                     ` <814501e8-c2c8-1e0a-2f30-fd83fb7769ec@attglobal.net>
     [not found]                       ` <CAHmME9p5C3bGT=gXV6WQ5HNOBTtitXdGwKm7EaOv_bnVVvX5vA@mail.gmail.com>
2021-09-22 22:56                         ` Eddie
2021-09-23  1:34               ` Jason A. Donenfeld
2021-09-23  2:49                 ` Jason A. Donenfeld
2021-09-23  2:54                 ` Miguel Arroz
2021-09-23  3:06                   ` Miguel Arroz
2021-09-23  3:09                   ` Jason A. Donenfeld
2021-09-23  3:19                     ` Miguel Arroz
2021-09-23  3:22                       ` Jason A. Donenfeld
2021-09-23  3:57                         ` Jason A. Donenfeld
2021-09-23  4:13                           ` Jason A. Donenfeld
2021-09-23  4:21                             ` Miguel Arroz
2021-09-23 14:41                             ` Anatoli
2021-09-23 17:26                               ` Jason A. Donenfeld
2021-09-24  2:17                                 ` Jason A. Donenfeld
2021-09-24  8:05                                   ` Alan Graham
2021-09-22 22:24             ` Anatoli
2021-09-22 22:26               ` Jason A. Donenfeld
2021-09-22 23:12                 ` Anatoli
2021-09-22 23:53                   ` Alan Graham

Development discussion of WireGuard

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://inbox.vuxu.org/wireguard/0 wireguard/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 wireguard wireguard/ https://inbox.vuxu.org/wireguard \
		wireguard@lists.zx2c4.com
	public-inbox-index wireguard

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.wireguard


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git