
WireGuard Client: macOS

In this tutorial, we set up a WireGuard client on macOS. Before following this tutorial, you should already have a working WireGuard server running. Install the WireGuard app for macOS.

Get the Server Public Key

From the server, print the server’s public key. We’ll need this soon.

$ sudo wg show wg0
interface: wg0
  public key: 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=
  private key: (hidden)
  listening port: 51820

Configure the Client

Click the WireGuard icon in the macOS menu bar, then click “Manage Tunnels”. Click the plus button at the bottom left corner of the “Manage WireGuard Tunnels” window, then click “Add Empty Tunnel…”.

Give the tunnel a name. Something human-readable like “office” or “Raspberry Pi”.

The client public key is set for us in this dialog, and can be copy-pasted. We’ll need this soon.

Ignore “On-Demand” for this tutorial.

The text area is used to edit the client configuration. Notice the syntax of the client config is the same as the server config.

# define the local WireGuard interface (client)
[Interface]

# pre-populated by the WireGuard UI
PrivateKey = oBkgA+KZU6mWY5p7d0PEWxnYkihBw9TmHZXEYnQkz3g=

# the IP address of this client on the WireGuard network
Address = 10.0.2.2/32

# define the remote WireGuard interface (server)
[Peer]

# contents of wg-public.key on the WireGuard server
PublicKey = 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=

# the IP address of the server on the WireGuard network; only traffic to
# addresses listed here is sent through this peer
AllowedIPs = 10.0.2.1/32

# public IP address and port of the WireGuard server
Endpoint = 35.36.37.38:51820

Copy the client public key, then click “Save” to close the dialog.

Configure the Server

Edit the WireGuard service config file at /etc/wireguard/wg0.conf. (Use a command like sudo nano /etc/wireguard/wg0.conf.) Add a [Peer] section to the bottom.

# define the remote WireGuard interface (client)
[Peer]

# copied from the client tunnel dialog
PublicKey = IVZrsrnY/9jzgdGdOdkKonwfCs2ZcopM9xC1OizE6Wo=

# the IP address of the client on the WireGuard network; the server only accepts
# packets from this peer whose source address falls within this range
AllowedIPs = 10.0.2.2/32

Apply the server config change.

$ sudo wg syncconf wg0 /etc/wireguard/wg0.conf

Ensure that the server config change was correctly applied.

$ sudo wg show wg0
interface: wg0
  public key: 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=
  private key: (hidden)
  listening port: 51820

peer: IVZrsrnY/9jzgdGdOdkKonwfCs2ZcopM9xC1OizE6Wo=
  allowed ips: 10.0.2.2/32
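As an added check that is not part of the original tutorial, the following Python script parses the client config and the server's `wg show` output in the formats shown above and reports any mismatch between the two sides (server public key, endpoint port, and whether the server's allowed IPs cover the client's Address). The embedded inputs are constructed copies of this tutorial's listings.

```python
import ipaddress  # the inputs below are constructed copies of this tutorial's listings
CLIENT_CONF = """[Interface]
PrivateKey = oBkgA+KZU6mWY5p7d0PEWxnYkihBw9TmHZXEYnQkz3g=
Address = 10.0.2.2/32
[Peer]
PublicKey = 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=
AllowedIPs = 10.0.2.1/32
Endpoint = 35.36.37.38:51820
"""
WG_SHOW = """interface: wg0
  public key: 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=
  private key: (hidden)
  listening port: 51820

peer: IVZrsrnY/9jzgdGdOdkKonwfCs2ZcopM9xC1OizE6Wo=
  allowed ips: 10.0.2.2/32
"""
CLIENT_PUBKEY = "IVZrsrnY/9jzgdGdOdkKonwfCs2ZcopM9xC1OizE6Wo="  # shown in the tunnel dialog

def parse_blocks(text, sep, peer_tag):
    """Split `key<sep>value` lines into (head fields, [peer fields, ...]).
    A `[Peer]` header (wg-quick INI) or a line whose key is peer_tag
    (`peer:` in `wg show` output) starts a new peer block."""
    head, peers = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line == "[Peer]":
            peers.append({})
        elif sep in line:
            key, val = (s.strip() for s in line.split(sep, 1))
            if key == peer_tag:
                peers.append({"public key": val})
            else:
                (peers[-1] if peers else head)[key] = val
    return head, peers

def check_pairing(client_conf, wg_show, client_pubkey):
    """Return the mismatches between the client config and the server's live state."""
    cli_if, cli_peers = parse_blocks(client_conf, "=", None)
    srv_if, srv_peers = parse_blocks(wg_show, ":", "peer")
    problems = []
    if cli_peers[0].get("PublicKey") != srv_if.get("public key"):
        problems.append("client [Peer] PublicKey is not the server's public key")
    if cli_peers[0].get("Endpoint", "").rsplit(":", 1)[-1] != srv_if.get("listening port"):
        problems.append("client Endpoint port differs from the server's listening port")
    srv_peer = next((p for p in srv_peers if p["public key"] == client_pubkey), None)
    addr = ipaddress.ip_interface(cli_if["Address"]).ip
    if srv_peer is None:
        problems.append("server has no [Peer] entry for the client's public key")
    elif not any(addr in ipaddress.ip_network(n.strip()) for n in srv_peer["allowed ips"].split(",")):
        problems.append(f"server allowed ips do not cover the client Address {addr}")
    return problems
```

An empty list means both sides agree; on a real host, feed it the client's tunnel text and the output of `sudo wg show wg0` instead of the embedded copies.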

Activate the Tunnel

Back in the macOS client tunnel manager, click the “Activate” button.

Test the Tunnel from the Server

(TODO)

Test the Tunnel from the Client

Are packets for the WireGuard server routed via the WireGuard tunnel utun0? Query the routing table.

$ route get 10.0.2.1
   route to: 10.0.2.1
destination: default
       mask: default
  interface: utun0
      flags: <UP,DONE,CLONING,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1420         0

Is the WireGuard server accessible via the tunnel? Ping the server from the client.

$ ping -c 3 10.0.2.1
PING 10.0.2.1 (10.0.2.1): 56 data bytes
64 bytes from 10.0.2.1: icmp_seq=0 ttl=64 time=45.234 ms
64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=67.192 ms
64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=41.907 ms

--- 10.0.2.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 41.907/51.444/67.192/11.218 ms