https://github.com/aequitas/macos-menubar-wireguard
macOS menubar icon for WireGuard/wg-quick
https://github.com/aequitas/macos-menubar-wireguard
macos statusbar vpn wireguard
Last synced: 11 days ago
JSON representation
macOS menubar icon for WireGuard/wg-quick
- Host: GitHub
- URL: https://github.com/aequitas/macos-menubar-wireguard
- Owner: aequitas
- License: gpl-3.0
- Created: 2018-08-12T10:48:06.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2025-01-31T14:57:10.000Z (3 months ago)
- Last Synced: 2025-04-13T04:59:14.128Z (11 days ago)
- Topics: macos, statusbar, vpn, wireguard
- Language: Swift
- Homepage:
- Size: 2.86 MB
- Stars: 241
- Watchers: 9
- Forks: 40
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
Awesome Lists containing this project
- awesome-wireguard - WireGuardStatusbar - macOS menubar icon for WireGuard/wg-quick. (Projects / User Interface)
README
# WireGuardStatusbar
[](https://codeclimate.com/github/aequitas/macos-menubar-wireguard/maintainability)
[](https://travis-ci.org/aequitas/macos-menubar-wireguard)## Notice
There is now an **official** WireGuard application that supersedes this App. You can find it at: https://www.wireguard.com/install/ or directly download it from the AppStore: https://itunes.apple.com/us/app/wireguard/id1451685025?ls=1&mt=12The WireGuardStatusbar application will remain available and might get updates/bugfixes but not develop any new features. You might still want to use it if you run a macOS prior to 10.14.
## Introduction
This is a macOS statusbar item (aka menubar icon) that wraps wg-quick.

## Features
- Sit in your menubar
- Indicate if tunnels are enabled
- Bring tunnel up/down via one click
- ~~Fail miserably when brew/wg-quick is not installed or permissions on files are incorrect~~## Installation
### Manually
- Follow the instruction to [install WireGuard for macOS](https://www.wireguard.com/install/)
- Create a tunnel configuration file (eg: `/opt/homebrew/etc/wireguard/utun1.conf`)
- Download this App from [Releases](https://github.com/aequitas/macos-menubar-wireguard/releases)
- Open the .dmg and copy the Application to where you like (eg: '/Applications')
- The next bit is needed because I don't have a Apple Developer account to properly sign the binary. If you don't like it consider building and signing the application yourself.
- Start the App and get a dialog indicating the app is not signed
- Go to: Preferences->Security & Privacy->General and click "Open Anyway"#### Specify brew location
In case you have brew installed in some non-default directory [since 1.16](https://github.com/aequitas/macos-menubar-wireguard/releases/tag/1.16) you can specify `brew` or `wg-quick` path.
To set `brew` path:
`sudo defaults write WireGuardStatusbarHelper brewPrefix /opt/local/`
To set the path to `wg-quick` binary:
`sudo defaults write WireGuardStatusbarHelper wgquickBinPath /opt/local/bin/wg-quick`
## Building & Testing
Automation scripting is provided in this repository to make development a little easier. Primary development using Xcode is supported/preferred but some actions (integration testing, distribution build) are only available using `make`.
To test the project and check code quality run:
make test-unit
Integration tests require preparation and will ask for a `sudo` password to install a test configuration file in `/etc/wireguard`:
make test-integration
Code formatting should preferably by done by computers. To auto correct most violations run (this is also run before each `make test` or `make check`):
make fix
To completely verify/test the project, build a distributable `.dmg` and install to `/Applications` simply run:
make
Or explore `make` with tab completion for other options.
## Architecture/Security
- This application is split into two parts. The Application and a [Privileged Helper](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/AccessControl.html).
- The App will sit in the menubar after launching and handle all UI interaction and logic.
- Whenever the App needs to perform actions requiring Administrator privileges (eg: start/stop tunnel, read configurations) it will communicate with the Helper via XPC to have these actions performed.
- The Helper is installed as a [Privileged Launchd daemon](https://developer.apple.com/documentation/servicemanagement/1431078-smjobbless?language=objc) during the startup of the App. The user will be prompted for credentials during this action.
- Logic/responsability in the Helper is kept to a minimum and communication between the App and the Helper is in simple primitives to reduce attack surface of the Helper.
- The Helper should not allow an unprivileged attacker to perform any actions via the XPC that would not be possible to perform when using the App.
- Both the App and the Helper are signed and these signatures will be verified on Helper installation.
- The Helper will only run during the runtime of the Application.
- The Helper notifies the App on any change in the WireGuard configuration/runtime state. The App will then query the Helper to allow rebuilding its menus.## License
This software as a whole is licensed under GPL-3.0
"WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.
## Todo/Readmap
- Tunnel connectivity status
- Tunnel configuration editor
- Key management (via keychain)
- Tunnel configuration augmentation (groups, alt. names, etc)
- read configuration using `wg`
- More tunnel statistics (privilegedhelper)
- Recent tunnels on top option
- Active tunnels on top option
- Start tunnels at startup
- Add application to startup items
- Bundle WireGuard (wireguard-go/wg-quick/bash4)/Drop `wg-quick` for custom route creations (to drop bash4 as requirements and enable advances routing options like excluding local networks from 0.0.0.0/0).
- Help menu
- Developer ID signing
- Update checking