
WIP: Implement wireguard tunnel in the network extension#11236

Draft
oskirby wants to merge 31 commits into main from naomi-macos-networkextension-boringtun

Conversation

@oskirby
Collaborator

@oskirby oskirby commented Apr 28, 2026

Description

In the next iteration of the split tunneling work, we merge the daemon and network-extension together. This allows some significant improvements in how the tunneling operates. Most notably:

  • There is now only one privileged helper thing to install rather than two.
  • The network extension error handling can be correctly plumbed into the permission required state.
  • Split tunneling provider can be better coupled to interface up/down actions.
  • Routing logic is much simpler:
    • The wireguard interface sets RTF_IFSCOPE on its default route.
    • Excluded apps become a no-op (let the system do its thing).
    • Included apps get bound to the VPN interface.

Much of this work came from PR #10460 and was just updated to move it into the network extension.

Quirks and TODO items

Because the split tunneling provider only catches TCP and UDP packet flows, there might be some traffic that can sneak past the VPN when it's active now (ICMP is the obvious case here). This could be some future research... possibly engaging with the macOS firewall to block any such traffic. Theoretically Apple might also have some secret sauce that can create traffic flows that skip the NETransparentProxyProvider, so we are kind of trusting Apple a lot more with this approach.

DNS. There seems to be some contention when it comes to the DNS configuration when NETransparentProxyProvider is used (see here). So as of now, it doesn't seem like we have a good solution to setting the DNS config.

No support for native multihop. This might be doable with some future work, but it complicates the API significantly. As a first cut, I decided to disable the feature for now.

Reference

i.e. Jira or GitHub issue URL

Checklist

  • My code follows the style guidelines for this project
  • I have not added any packages that contain high risk or unknown licenses (GPL, LGPL, MPL, etc. consult with DevOps if in question)
  • I have performed a self review of my own code
  • I have commented my code PARTICULARLY in hard to understand areas
  • I have added thorough tests where needed

@oskirby oskirby force-pushed the naomi-macos-networkextension-boringtun branch from 55ab4ca to e0d4e5a April 28, 2026 20:33
@oskirby oskirby force-pushed the naomi-macos-networkextension-boringtun branch from a915c72 to 60e76d3 May 19, 2026 16:48
oskirby added 27 commits May 19, 2026 09:51
@oskirby oskirby force-pushed the naomi-macos-networkextension-boringtun branch from 60e76d3 to 038fe7d May 19, 2026 16:57