ANSWERED Issues w Hummingbird + Wireguard + Nix on MacOS

[hartfieldsbane 1]

I am trying to use hummingbird on macOS with wireguard. I am able to use `sudo wg-quick up conf/cali1.conf` initiate a connection just fine, but when i try to use the hummingbird binaries, i get the following error:

╭─░▒▓ ~/.hummingbird │ master ?286 ──────────────────────────────────── ✘ 1 │ 09:21:40 ▓▒░
╰─ sudo hummingbird config/cali1.conf
Hummingbird - WireGuard/OpenVPN3 Client 2.0.0 beta 1 - 13 May 2024

OpenVPN core 3.9 AirVPN mac arm64 64-bit
Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved.
OpenSSL 3.3.0 9 Apr 2024
WireGuard Client 1.0.0 AirVPN MacOS arm64 64-bit

Mon Sep 23 09:23:34.954 2024 System and service manager in use is launchd
Mon Sep 23 09:23:34.955 2024 VPN type of configuration file 'config/cali1.conf' is WireGuard
.....
Mon Sep 23 09:23:34.971 2024 Network filter and lock are using pf
Mon Sep 23 09:23:34.973 2024 Private network is allowed to pass the network filter
Mon Sep 23 09:23:34.973 2024 Network filter successfully initialized
Mon Sep 23 09:23:34.980 2024 WireGuard's wg tool not found. WireGuard support is not available.
╭─░▒▓ ~/.hummingbird │ master ?286 ──────────────────────────────────── ✘ 1 │ 09:23:35 ▓▒░
╰─ which wg
/Users/xxxxxx/.nix-profile/bin/wg

It seems to work fine for the homebrew installation -- i'm guessing the checks in hummingbird for the wireguard binaries aren't checking the .nix-profile dir. Is there anyway to configure this?

Also -- out of curiosity, do you have a writeup somewhere on the benefits / drawbacks of using the hummingbird client vs wireguard tools directly?
  Edited 09/23/2024 by hartfieldsbane

[Staff 10118]

  On 9/23/2024 at 2:36 PM, hartfieldsbane said:

t seems to work fine for the homebrew installation -- i'm guessing the checks in hummingbird for the wireguard binaries aren't checking the .nix-profile dir. Is there anyway to configure this?

Hello!

Currently not, Hummingbird searches in "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/homebrew/bin:/opt/homebrew/sbin". Reading the $PATH variable and add it to the search paths is an option we will consider for sure. Should WireGuard library become available for macOS too we will of course use it.

As a momentary patch you can consider a symlink for wg and wireguard-go - both are used by Hummingbird.
 

  On 9/23/2024 at 2:36 PM, hartfieldsbane said:

do you have a writeup somewhere on the benefits / drawbacks of using the hummingbird client vs wireguard tools directly?

No, we don't, sorry. Hummingbird makes the OpenVPN3-AirVPN library available to macOS users in a single comfortable binary, to boost performance remarkably over OpenVPN 2 or the OpenVPN3 mainline library, but for WireGuard it is just a wrapper of the tools as we don't have the library in this environment.

Since in macOS WireGuard does not run in the kernel space (no kernel module) this core feature for performance is lost and running wg tools or Hummingbird is most probably equivalent. We can't even design a kernel extension (not even if we had the time to plan it) because kexts are no longer allowed.

However, with Hummingbird you have a built-in Network Lock (through pf) which wg tools don't offer and that may come very handy to prevent any possible traffic leak outside the VPN tunnel.

Kind regards
 

[hartfieldsbane 1]

Thanks, appreciate your prompt and detailed response. 

Wrt to performance on mac, would you expect wireguard or openvpn (using hummingbird) to be "better"? Idk enough to know what the best way to measure performance would be, but would love to get your perspective. Have been drawn to wireguard for its simplicity and performance, but I didn't realize I wasn't getting the full benefit on a mac due to the kernel restrictions. 

In reality none of this matters for my typical use, I'm just curious and enjoy trying to tweak things to get best performance. I have really appreciated how Airvpn allows users to look behind the hood and dig into the technical details of what's going on, if they are so inclined.