WireGuard Server on macOS

Change Log

July 16th, 2023

Updated the guide to start the WireGuard daemon on system boot instead of user login, as suggested by @[email protected].

June 19th, 2023

Added warning that starting with macOS Ventura the DNS directive prevents the VPN from functioning when set in the server’s config and should be disabled for users running this version or newer until fixed, as reported by Glenn F. Schreiber (a.k.a “theweatherguy”).

January 17th, 2023

Added caveat that the AllowedIPs value may require adjustment to not interfere with HomeKit video feeds, along with a suggested replacement should that occur, as noticed & suggested by Donavon Buchanan.

January 16th, 2023

Moved the “Update” admonition to the very top of the article (now even above the eye-catch banner image).

January 15th, 2023

Re-added PostDown script accidentally deleted from previous change.

January 14th, 2023

Updated the guide to support IPv6 connections, thanks entirely to a thorough email and sensible reference repo shared by Donavon Buchanan.

May 28th, 2022

Updated the PostDown script to now properly remove the pfSense rule set in the PostUp script instead of just removing the enable reference. This issue was detected thanks to a report by Alessio Nossa, which remains publicly available on GitHub.

May 1st, 2022

Confirmed support on macOS Monterey.

June 6th, 2021

Converted all remaining ASCII single and double quotes to proper, “curly” equivalents.

May 3rd, 2021

  • Added clarification that the guide as written will obfuscate client IP traffic to appear as if it’s coming from the VPN server’s IP, as suggested by Luke Sandoval.
  • Added comment in the daemon plist file to raise awareness that brew’s default executable directory on Apple Silicon Macs is /opt/homebrew/bin instead of /usr/local/bin, as suggested by Corey Watson.
  • Some grammatical and spelling corrections.
  • Updated notice to ask the community for help on IPv6 support.

January 14th, 2021

  • Removed the unhelpful LaunchOnlyOnce flag from the plist as suggested by Olivier Mathieu, since with it set the service would not be restarted if the daemon ever exited unexpectedly.
  • Finally added the recognition / “Many Thanks To…” section to give proper credit to the guide’s past and future contributors.
  • Converted some ASCII single and double quotes to proper, “curly” equivalents.

December 31st, 2020

Confirmed support for macOS Big Sur.

November 29th, 2020

Fixed misspelled daemon plist label (I had incorrectly typed org.wireguard.server instead of com.wireguard.server).

May 12th, 2020

Added notice that the guide (at the time) only supported IPv4 connections.

May 11th, 2020

Clarified that the command to generate the private/public key pairs will dump them into the current working directory, as suggested by @charlie_thebird.

March 15th, 2020

A complete rewrite of the guide to address countless bugs and bad practices (too many to individually list here). Informed entirely by lifepillar’s brilliant and constructive feedback (his entire writeup remains publicly available on GitHub).

The guide changed so much that I preserved the original (bad) guide in a separate page to remain an historical example of what not to do.

November 16th, 2019

  • No longer incorrectly suggest making the pfSense changes to /etc/pf.conf, since that’s a protected system file that gets overridden during operating system upgrades. Switched to instead suggest making changes in a separate pfSense config file so it doesn’t get blown out during upgrades.
  • Confirmed compatibility with macOS Catalina.

For an even more granular change log, click here to browse the file’s history on GitHub.