WireGuard Apple convert App Network Extension to System Extension Network Extension for macOS client app

WireGuard Apple VPN Client App for macOS with System Extension to Distribute Outside App Store

Check out the source code of WireGuard Apple.

https://github.com/WireGuard/wireguard-apple

I have fixed several issues and now I can create and connect to the VPN.

This source code uses the App Network Extension (appex) which can only be distributed on the App Store. But I don't want to distribute it via the App Store. I will distribute it outside the App Store.

But for this, we need to sign the app with the Developer ID Application certificate and we also need to notarize it. So for this, the App Network Extension (appex) will not help. We need to use the System Extension Network Extension (sysex). So we need to make changes to the WireGuard Apple source code to be able to connect the VPN via the System Extension Network Extension (sysex). This means we need to migrate the existing App Network Extension (appex) to a System Extension Network Extension (sysex) in this source code.

I am facing this challenge, that's why I am looking for a solution here.

I have already made the changes explained here: https://forums.developer.apple.com/forums/thread/695550. I have also made the changes for getting the system extension permission and the network extension permission. The real problem is that the VPN client app is not connecting to the VPN, and to fix this, we need to make a fix in the WireGuard Apple Kit source code.

Please help me to solve this problem.

Answered by DTS Engineer in 801653022

There are two parts to this:

  • Changing the code.

  • Dealing with code signing.

For the second, see Exporting a Developer ID Network Extension.

In terms of changing the code, it’s hard to offer concrete advice on that front because it’s not my code. In general:

  • The core NE provider code should work just fine in both contexts.

  • The sysex needs a main function to get everything running.

  • The sysex runs as root, so sharing state via an app group won’t work. In general, it’s best to share state via XPC.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
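
The two code points in the answer above (a `main` entry point for the sysex, and XPC instead of an app group for shared state), sketched as an added example that is not from the answer's author or from the WireGuard project. `TunnelStateXPC`, `TunnelStateService` and the `TEAMID` value are hypothetical; the example assumes the sysex `Info.plist` declares `NEMachServiceName` under its `NetworkExtension` dictionary.

```swift
// main.swift of the sysex target. Added example; all type names are hypothetical.
import Foundation
import NetworkExtension
// State the container app used to read from the app group container.
@objc protocol TunnelStateXPC {
    func fetchLastError(reply: @escaping (String?) -> Void)
}

final class TunnelStateService: NSObject, TunnelStateXPC, NSXPCListenerDelegate {
    static let shared = TunnelStateService()
    private let lock = NSLock()
    private var lastError: String?

    // The packet tunnel provider calls this to publish its state.
    func record(error: String?) {
        lock.lock(); defer { lock.unlock() }
        lastError = error
    }
    func fetchLastError(reply: @escaping (String?) -> Void) {
        lock.lock()
        let value = lastError
        lock.unlock()
        reply(value)
    }
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        connection.exportedInterface = NSXPCInterface(with: TunnelStateXPC.self)
        connection.exportedObject = self
        connection.resume()
        return true
    }
}

// The Mach service name comes from NetworkExtension > NEMachServiceName in Info.plist.
let neKeys = Bundle.main.object(forInfoDictionaryKey: "NetworkExtension") as? [String: Any]
guard let machServiceName = neKeys?["NEMachServiceName"] as? String else {
    fatalError("NEMachServiceName is missing from the sysex Info.plist")
}
let xpcListener = NSXPCListener(machServiceName: machServiceName)
if #available(macOS 13.0, *) {
    // The sysex runs as root: accept only clients signed by our team (TEAMID is a placeholder).
    xpcListener.setConnectionCodeSigningRequirement(
        "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID\"")
}
xpcListener.delegate = TunnelStateService.shared
xpcListener.resume()
// Hand control to Network Extension, which creates the provider on demand.
autoreleasepool { NEProvider.startSystemExtensionMode() }
dispatchMain()
```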
