WireGuard Client: macOS
In this tutorial, we set up a WireGuard client on macOS. Before following this tutorial, you should already have a working WireGuard server running. Install the WireGuard app for macOS.
Get the Server Public Key
From the server, print the server’s public key. We’ll need this soon.
$ sudo wg show wg0
interface: wg0
  public key: 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=
  private key: (hidden)
  listening port: 51820
Configure the Client
Click the WireGuard icon in the macOS menu bar, then click “Manage Tunnels”. Click the plus button at the bottom left corner of the “Manage WireGuard Tunnels” window, then click “Add Empty Tunnel…”
Give the tunnel a name. Something human-readable like “office” or “Raspberry Pi”.
The client public key is set for us in this dialog, and can be copy-pasted. We’ll need this soon. The matching private key stays in the client config and is never copied to the server.
Ignore “On-Demand” for this tutorial.
The text area is used to edit the client configuration. Notice the syntax of the client config is the same as the server config.
# define the local WireGuard interface (client)
[Interface]
# pre-populated by the WireGuard UI
PrivateKey = oBkgA+KZU6mWY5p7d0PEWxnYkihBw9TmHZXEYnQkz3g=
# the IP address of this client on the WireGuard network
Address = 10.0.2.2/32

# define the remote WireGuard interface (server)
[Peer]
# contents of wg-public.key on the WireGuard server
PublicKey = 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=
# the IP address of the server on the WireGuard network
AllowedIPs = 10.0.2.1/32
# public IP address and port of the WireGuard server
Endpoint = 220.127.116.11:51820
Copy the client public key, then click “Save” to close the dialog.
Configure the Server
Edit the WireGuard service config file at /etc/wireguard/wg0.conf. (Use a command like sudo nano /etc/wireguard/wg0.conf.) Add a new [Peer] section to the bottom.
# define the remote WireGuard interface (client)
[Peer]
# copied from the client tunnel dialog
PublicKey = IVZrsrnY/9jzgdGdOdkKonwfCs2ZcopM9xC1OizE6Wo=
# the IP address of the client on the WireGuard network
AllowedIPs = 10.0.2.2/32
Apply the server config change.
$ sudo wg syncconf wg0 /etc/wireguard/wg0.conf
Ensure that the server config change was correctly applied.
$ sudo wg show wg0
interface: wg0
  public key: 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=
  private key: (hidden)
  listening port: 51820

peer: IVZrsrnY/9jzgdGdOdkKonwfCs2ZcopM9xC1OizE6Wo=
  allowed ips: 10.0.2.2/32
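The client and server configs above must agree on keys and addresses before the tunnel will pass traffic. The following check is an added example, not part of the original tutorial: it parses both configs and flags a mismatched server key, a private key pasted where a public key belongs, and a missing or overlapping AllowedIPs entry. The function names are hypothetical, and the server config is assumed to contain the [Peer] section shown above.

```python
import base64, binascii, ipaddress

def parse_wg(text):
    """Parse WireGuard config text into [(section, {key: value})], keeping repeated [Peer] blocks."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def valid_key(b64):  # WireGuard keys are 32 bytes, base64-encoded
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def check_pair(client_conf, client_pub, server_pub, server_conf):
    """Return a list of problems; an empty list means the two sides agree."""
    client = parse_wg(client_conf)
    iface = next(kv for name, kv in client if name == "interface")
    peer = next(kv for name, kv in client if name == "peer")
    addr = ipaddress.ip_interface(iface["address"].split(",")[0].strip()).ip  # first Address only
    server_peers = [kv for name, kv in parse_wg(server_conf) if name == "peer"]
    keys = (("client public key", client_pub), ("server public key", server_pub))
    problems = [f"{label} is not a 32-byte base64 key" for label, key in keys if not valid_key(key)]
    if peer.get("publickey") != server_pub:
        problems.append("client [Peer] PublicKey differs from the server's public key")
    if any(p.get("publickey") == iface["privatekey"] for p in server_peers):
        problems.append("client private key was pasted into the server config")
    owners = [p.get("publickey") for p in server_peers
              if any(addr in ipaddress.ip_network(n.strip(), strict=False)
                     for n in p.get("allowedips", "").split(",") if n.strip())]
    if client_pub not in owners:
        problems.append(f"no server [Peer] with the client's public key allows {addr}")
    if any(o != client_pub for o in owners):
        problems.append(f"{addr} is also inside another server peer's AllowedIPs")
    return problems

# Sample input: the keys and addresses printed in this tutorial.
SERVER_PUB = "2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A="
CLIENT_PUB = "IVZrsrnY/9jzgdGdOdkKonwfCs2ZcopM9xC1OizE6Wo="
CLIENT_CONF = ("[Interface]\nPrivateKey = oBkgA+KZU6mWY5p7d0PEWxnYkihBw9TmHZXEYnQkz3g=\n"
               "Address = 10.0.2.2/32\n[Peer]\nPublicKey = " + SERVER_PUB + "\n"
               "AllowedIPs = 10.0.2.1/32\nEndpoint = 220.127.116.11:51820\n")
SERVER_CONF = "[Peer]\nPublicKey = " + CLIENT_PUB + "\nAllowedIPs = 10.0.2.2/32\n"
```

Calling check_pair(CLIENT_CONF, CLIENT_PUB, SERVER_PUB, SERVER_CONF) returns an empty list for the values in this tutorial.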
Activate the Tunnel
Back in the macOS client tunnel manager, click the “Activate” button.
Test the Tunnel from the Server
Test the Tunnel from the Client
Are packets for the WireGuard server routed via the WireGuard tunnel?
Query the routing table.
$ route get 10.0.2.1
   route to: 10.0.2.1
destination: default
       mask: default
  interface: utun0
      flags: <UP,DONE,CLONING,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1420         0
Is the WireGuard server accessible via the tunnel? Ping the server from the client.
$ ping -c 3 10.0.2.1
PING 10.0.2.1 (10.0.2.1): 56 data bytes
64 bytes from 10.0.2.1: icmp_seq=0 ttl=64 time=45.234 ms
64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=67.192 ms
64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=41.907 ms

--- 10.0.2.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 41.907/51.444/67.192/11.218 ms