Sep 2024 Update: I uninstalled some dependency and it doesn’t work anymore so I’ve switched to the desktop app instead of fixing the CLI- it still sucks.
Wireguard’s GUI on Apple Silicon was giving me a hard time- slow reconnects when waking my laptop from sleep or changing wifi networks, and hanging if I dare try to disable and reenable the tunnel. I decided to switch to the CLI version and see if that would make things better- it did.
Here’s the problem though, I still want a pretty way of controlling my connections- sometimes I like to switch between split tunneling, full tunneling or shutting down the VPN completely. Maybe even check on the status! All doable from the command line but come on, we know we can do better.
Enter stage: macOS Shortcuts App. Sitting conveniently in our Menu Bar, it offers a quick and easy way of executing shell scripts (yes even ones that need root privileges, which wg just happens to need!)
To set this up you’ll need:
- homebrew up and running
- wireguard-go & wireguard-tools installed
- update your PATH (technically optional but please just do it right)
- write your wg conf files to /opt/homebrew/etc/wireguard/*.conf
- create your shortcut:
/opt/homebrew/bin/wg-quick down wg0000 || true && /opt/homebrew/bin/wg-quick down wglocal || true && /opt/homebrew/bin/wg-quick up wglocal || true
Okay that command looks a little absurd. Let’s break it down.
This particular shortcut is for turning on/restarting “wglocal”. First we want to make sure “wg0000”, is off. We add “|| true” because it’s possible “wg0000” wasn’t off and we don’t want the command to fail, even with a non-zero exit code. Then we shutdown “wglocal”, same reasoning with the “|| true”, it may not have been running. Finally we bring up “wglocal”. Why did I add “|| true” at the end? Not sure, I guess it could be removed. But we love consistency, right? Right??!
Quick how to set up brew & wireguard CLI:
- Install brew: https://brew.sh/
- Add brew to your path:
echo "export PATH=/opt/homebrew/bin:$PATH" >> ~/.zprofile && source ~/.zprofile
- Install wireguard:
brew install wireguard-tools
- Correct wg-tools script to use homebrew’s updated path for Apple Silicon: (thanks Scott Lowe)
vi /opt/homebrew/bin/wg-quick
- Change the shebang line of the script to
#!/usr/bin/env -P/opt/homebrew/bin bash.
- Around line 44, the script defines a variable named CONFIG_SEARCH_PATHS. Edit this line to add /opt/homebrew/etc/wireguard to the existing list of directories that the script will search for the WireGuard configuration files.
- Save with :wq! (file is read only so you need the “!” to override that)
- Change the shebang line of the script to
- Profit!