mozilla-mobile · oskirby · Apr 24, 2025 · Apr 25, 2025 · Apr 25, 2025 · Apr 25, 2025
diff --git a/.gitmodules b/.gitmodules
@@ -6,10 +6,6 @@
 	path = 3rdparty/wireguard-apple
 	url = https://github.com/mozilla/wireguard-apple.git
 	shallow = true
-[submodule "3rdparty/wireguard-go"]
-	path = 3rdparty/wireguard-go
-	url = https://github.com/WireGuard/wireguard-go
-	shallow = true
 [submodule "3rdparty/adjust-ios-sdk"]
 	path = 3rdparty/adjust-ios-sdk
 	url = https://github.com/adjust/ios_sdk.git
@@ -35,3 +31,7 @@
 [submodule "3rdparty/c-ares"]
 	path = 3rdparty/c-ares
 	url = https://github.com/c-ares/c-ares
+[submodule "3rdparty/boringtun"]
+	path = 3rdparty/boringtun
+	url = https://github.com/cloudflare/boringtun
+	shallow = true
diff --git a/3rdparty/boringtun b/3rdparty/boringtun
diff --git a/3rdparty/wireguard-go b/3rdparty/wireguard-go
diff --git a/scripts/cmake/rustlang.cmake b/scripts/cmake/rustlang.cmake
@@ -160,6 +160,7 @@ endfunction()
 #   LIBRARY_FILE: Filename of the expected library to be built.
 #   CARGO_ENV: Environment variables to pass to cargo
 #   SHARED: Whether or not we are building a shared library. Defaults to "false".
+#   EXTRA_ARGS: Additional arguments to pass when building the crate.
 #
 # This function generates commands necessary to build static archives
 # in ${BINARY_DIR}/${ARCH}/debug/ and ${BINARY_DIR}/${ARCH}/release/
@@ -173,7 +174,7 @@ function(build_rust_archives)
     cmake_parse_arguments(RUST_BUILD
         ""
         "ARCH;BINARY_DIR;PACKAGE_DIR;CRATE_NAME"
-        "CARGO_ENV;SHARED"
+        "CARGO_ENV;SHARED;EXTRA_ARGS"
         ${ARGN})
 
     list(APPEND RUST_BUILD_CARGO_ENV CARGO_HOME=${CMAKE_BINARY_DIR}/cargo_home)
@@ -233,7 +234,7 @@ function(build_rust_archives)
             JOB_POOL cargo
             WORKING_DIRECTORY ${RUST_BUILD_PACKAGE_DIR}
             COMMAND ${CMAKE_COMMAND} -E env ${RUST_BUILD_CARGO_ENV}
-                    ${CARGO_BUILD_TOOL} build --lib --release --target ${ARCH} --target-dir ${RUST_BUILD_BINARY_DIR}
+                    ${CARGO_BUILD_TOOL} build --lib --release --target ${ARCH} --target-dir ${RUST_BUILD_BINARY_DIR} ${RUST_BUILD_EXTRA_ARGS}
         )
 
         ## Outputs for the debug build
@@ -243,7 +244,7 @@ function(build_rust_archives)
             JOB_POOL cargo
             WORKING_DIRECTORY ${RUST_BUILD_PACKAGE_DIR}
             COMMAND ${CMAKE_COMMAND} -E env ${RUST_BUILD_CARGO_ENV}
-                    ${CARGO_BUILD_TOOL} build --lib --target ${ARCH} --target-dir ${RUST_BUILD_BINARY_DIR}
+                    ${CARGO_BUILD_TOOL} build --lib --target ${ARCH} --target-dir ${RUST_BUILD_BINARY_DIR} ${RUST_BUILD_EXTRA_ARGS}
         )
 
         ## Reset our policy changes
@@ -261,7 +262,7 @@ function(build_rust_archives)
                 ${RUST_BUILD_BINARY_DIR}/${ARCH}/release/.noexist
             WORKING_DIRECTORY ${RUST_BUILD_PACKAGE_DIR}
             COMMAND ${CMAKE_COMMAND} -E env ${RUST_BUILD_CARGO_ENV}
-                    ${CARGO_BUILD_TOOL} build --lib --release --target ${ARCH} --target-dir ${RUST_BUILD_BINARY_DIR}
+                    ${CARGO_BUILD_TOOL} build --lib --release --target ${ARCH} --target-dir ${RUST_BUILD_BINARY_DIR} ${RUST_BUILD_EXTRA_ARGS}
         )
 
         ## Outputs for the debug build
@@ -271,7 +272,7 @@ function(build_rust_archives)
                 ${RUST_BUILD_BINARY_DIR}/${ARCH}/debug/.noexist
             WORKING_DIRECTORY ${RUST_BUILD_PACKAGE_DIR}
             COMMAND ${CMAKE_COMMAND} -E env ${RUST_BUILD_CARGO_ENV}
-                    ${CARGO_BUILD_TOOL} build --lib --target ${ARCH} --target-dir ${RUST_BUILD_BINARY_DIR}
+                    ${CARGO_BUILD_TOOL} build --lib --target ${ARCH} --target-dir ${RUST_BUILD_BINARY_DIR} ${RUST_BUILD_EXTRA_ARGS}
         )
     endif()
 endfunction()
@@ -290,12 +291,13 @@ endfunction()
 #   DEPENDS: Additional files on which the target depends.
 #   SHARED: Whether or not we are building a shared library. Defaults to "false".
 #   FW_NAME: Standalone dylibs need to be wrapped in a framework for distribtuion. Required when building shared lib for iOS.
+#   FEATURES: Additional features to enable when building the crate.
 #
 function(add_rust_library TARGET_NAME)
     cmake_parse_arguments(RUST_TARGET
         ""
         "BINARY_DIR;PACKAGE_DIR;CRATE_NAME"
-        "ARCH;CARGO_ENV;DEPENDS;SHARED;FW_NAME"
+        "ARCH;CARGO_ENV;DEPENDS;SHARED;FW_NAME;FEATURES"
         ${ARGN})
 
     if(NOT RUST_TARGET_SHARED)
@@ -347,6 +349,12 @@ function(add_rust_library TARGET_NAME)
         endif()
     endif()
 
+    set(RUST_TARGET_EXTRA_ARGS)
+    if(RUST_TARGET_FEATURES)
+        list(JOIN RUST_TARGET_FEATURES "," RUST_TARGET_FEATURES_JOINED)
+        list(APPEND RUST_TARGET_EXTRA_ARGS --features ${RUST_TARGET_FEATURES_JOINED})
+    endif()
+
     get_rust_library_filename(${RUST_TARGET_SHARED} ${RUST_TARGET_CRATE_NAME})
 
     ## Build the rust library file(s)
@@ -358,6 +366,7 @@ function(add_rust_library TARGET_NAME)
             CRATE_NAME ${RUST_TARGET_CRATE_NAME}
             CARGO_ENV ${RUST_TARGET_CARGO_ENV}
             SHARED ${RUST_TARGET_SHARED}
+            EXTRA_ARGS ${RUST_TARGET_EXTRA_ARGS}
         )
 
         if(RUST_TARGET_DEPENDS)

diff --git a/src/cmake/macos-daemon.cmake b/src/cmake/macos-daemon.cmake
@@ -51,13 +51,27 @@ target_sources(daemon PRIVATE
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/macosdnsmanager.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/macosroutemonitor.cpp
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/macosroutemonitor.h
-    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/wireguardutilsmacos.cpp
-    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/wireguardutilsmacos.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/wgsessionmacos.cpp
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/wgsessionmacos.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/wgsessionworker.cpp
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/wgsessionworker.h
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/wgutilsmacos.cpp
+    ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/wgutilsmacos.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/xpcdaemonserver.h
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/daemon/xpcdaemonserver.mm
     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/macos/xpcdaemonprotocol.h
 )
 
+# Build and link boringtun
+add_rust_library(boringtun
+    PACKAGE_DIR ${CMAKE_SOURCE_DIR}/3rdparty/boringtun/boringtun
+    BINARY_DIR ${CMAKE_CURRENT_BINARY_DIR}
+    FEATURES ffi-bindings
+    CRATE_NAME boringtun
+)
+target_include_directories(daemon PRIVATE ${CMAKE_SOURCE_DIR}/3rdparty/boringtun/boringtun/src)
+target_link_libraries(daemon PRIVATE boringtun)
+
 # Embed the daemon property list.
 configure_file(${CMAKE_SOURCE_DIR}/macos/app/daemon.plist.in daemon.plist)
 if(XCODE)

diff --git a/src/cmake/macos.cmake b/src/cmake/macos.cmake
@@ -83,70 +83,6 @@ target_sources(mozillavpn PRIVATE
     ${CMAKE_CURRENT_SOURCE_DIR}/update/balrog.h
 )
 
-# Build the Wireguard Go tunnel
-file(GLOB_RECURSE WIREGUARD_GO_DEPS ${CMAKE_SOURCE_DIR}/3rdparty/wireguard-go/*.go)
-set(WIREGUARD_GO_ENV
-    GOCACHE=${CMAKE_BINARY_DIR}/go-cache
-    CC=${CMAKE_C_COMPILER}
-    CXX=${CMAKE_CXX_COMPILER}
-    GOROOT=${GOLANG_GOROOT}
-    SDKROOT=${OSX_SDK_PATH}
-    MACOSX_DEPLOYMENT_TARGET=${CMAKE_OSX_DEPLOYMENT_TARGET}
-    GOOS=darwin
-    CGO_ENABLED=1
-    GO111MODULE=on
-)
-if (CMAKE_CROSSCOMPILING)
-    list(APPEND WIREGUARD_GO_ENV
-        CGO_CFLAGS='-target ${CMAKE_SYSTEM_PROCESSOR}-apple-darwin${CMAKE_SYSTEM_VERSION}'
-        CGO_LDFLAGS='-target ${CMAKE_SYSTEM_PROCESSOR}-apple-darwin${CMAKE_SYSTEM_VERSION}'
-    )
-endif()
-
-if(CMAKE_OSX_ARCHITECTURES)
-    foreach(OSXARCH ${CMAKE_OSX_ARCHITECTURES})
-        string(REPLACE "x86_64" "amd64" GOARCH ${OSXARCH})
-        add_custom_command(
-            OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go-${OSXARCH}
-            COMMENT "Building wireguard-go for ${OSXARCH}"
-            WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/3rdparty/wireguard-go
-            DEPENDS
-                ${WIREGUARD_GO_DEPS}
-                ${CMAKE_SOURCE_DIR}/3rdparty/wireguard-go/go.mod
-                ${CMAKE_SOURCE_DIR}/3rdparty/wireguard-go/go.sum
-            COMMAND ${CMAKE_COMMAND} -E env ${WIREGUARD_GO_ENV} GOARCH=${GOARCH}
-                    ${GOLANG_BUILD_TOOL} build -buildmode exe -buildvcs=false -trimpath -v -ldflags='-s -w'
-                        -o ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go-${OSXARCH}
-        )
-        list(APPEND WG_GO_ARCH_BUILDS ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go-${OSXARCH})
-    endforeach()
-
-    add_custom_target(build_wireguard_go
-        COMMENT "Building wireguard-go"
-        DEPENDS ${WG_GO_ARCH_BUILDS}
-        COMMAND ${LIPO_BUILD_TOOL} -create -output ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go ${WG_GO_ARCH_BUILDS}
-    )
-else()
-    # This only builds for the host architecture.
-    add_custom_target(build_wireguard_go
-        COMMENT "Building wireguard-go"
-        WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/3rdparty/wireguard-go
-        DEPENDS
-            ${WIREGUARD_GO_DEPS}
-            ${CMAKE_SOURCE_DIR}/3rdparty/wireguard-go/go.mod
-            ${CMAKE_SOURCE_DIR}/3rdparty/wireguard-go/go.sum
-        COMMAND ${CMAKE_COMMAND} -E env ${WIREGUARD_GO_ENV}
-                ${GOLANG_BUILD_TOOL} build -buildmode exe -buildvcs=false -trimpath -v -ldflags='-s -w'
-                    -o ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go
-    )
-endif()
-add_dependencies(mozillavpn build_wireguard_go)
-osx_codesign_target(build_wireguard_go FILES ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go)
-osx_bundle_files(mozillavpn
-    FILES ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go
-    DESTINATION Resources/utils
-)
-
 # Install the daemon into the bundle.
 add_dependencies(mozillavpn daemon)
 osx_bundle_files(mozillavpn

diff --git a/src/platforms/macos/daemon/iputilsmacos.cpp b/src/platforms/macos/daemon/iputilsmacos.cpp
@@ -20,9 +20,6 @@
 #include "logger.h"
 #include "macosdaemon.h"
 
-constexpr uint32_t ETH_MTU = 1500;
-constexpr uint32_t WG_MTU_OVERHEAD = 80;
-
 namespace {
 Logger logger("IPUtilsMacos");
 }
@@ -42,43 +39,8 @@ bool IPUtilsMacos::addInterfaceIPs(const InterfaceConfig& config) {
 }
 
 bool IPUtilsMacos::setMTUAndUp(const InterfaceConfig& config) {
+  // Not implemented - this is handled by WgUtilsMacos
   Q_UNUSED(config);
-  QString ifname = MacOSDaemon::instance()->m_wgutils->interfaceName();
-  struct ifreq ifr;
-
-  // Create socket file descriptor to perform the ioctl operations on
-  int sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP);
-  if (sockfd < 0) {
-    logger.error() << "Failed to create ioctl socket.";
-    return false;
-  }
-  auto guard = qScopeGuard([&] { close(sockfd); });
-
-  // MTU
-  strncpy(ifr.ifr_name, qPrintable(ifname), IFNAMSIZ);
-  ifr.ifr_mtu = ETH_MTU - WG_MTU_OVERHEAD;
-  int ret = ioctl(sockfd, SIOCSIFMTU, &ifr);
-  if (ret) {
-    logger.error() << "Failed to set MTU:" << strerror(errno);
-    return false;
-  }
-
-  // Get the interface flags
-  strncpy(ifr.ifr_name, qPrintable(ifname), IFNAMSIZ);
-  ret = ioctl(sockfd, SIOCGIFFLAGS, &ifr);
-  if (ret) {
-    logger.error() << "Failed to get interface flags:" << strerror(errno);
-    return false;
-  }
-
-  // Up
-  ifr.ifr_flags |= (IFF_UP | IFF_RUNNING);
-  ret = ioctl(sockfd, SIOCSIFFLAGS, &ifr);
-  if (ret) {
-    logger.error() << "Failed to set device up:" << strerror(errno);
-    return false;
-  }
-
   return true;
 }
 

diff --git a/src/platforms/macos/daemon/macosdaemon.cpp b/src/platforms/macos/daemon/macosdaemon.cpp
@@ -28,7 +28,7 @@ MacOSDaemon::MacOSDaemon(QObject* parent) : Daemon(parent) {
 
   logger.debug() << "Daemon created";
 
-  m_wgutils = new WireguardUtilsMacos(this);
+  m_wgutils = new WgUtilsMacos(this);
   m_dnsutils = new DnsUtilsMacos(this);
   m_iputils = new IPUtilsMacos(this);
 

diff --git a/src/platforms/macos/daemon/macosdaemon.h b/src/platforms/macos/daemon/macosdaemon.h
@@ -8,7 +8,7 @@
 #include "daemon/daemon.h"
 #include "dnsutilsmacos.h"
 #include "iputilsmacos.h"
-#include "wireguardutilsmacos.h"
+#include "wgutilsmacos.h"
 
 class MacOSDaemon final : public Daemon {
   friend class IPUtilsMacos;
@@ -26,7 +26,7 @@ class MacOSDaemon final : public Daemon {
   IPUtils* iputils() override { return m_iputils; }
 
  private:
-  WireguardUtilsMacos* m_wgutils = nullptr;
+  WgUtilsMacos* m_wgutils = nullptr;
   DnsUtilsMacos* m_dnsutils = nullptr;
   IPUtilsMacos* m_iputils = nullptr;
 };

diff --git a/src/platforms/macos/daemon/macosroutemonitor.cpp b/src/platforms/macos/daemon/macosroutemonitor.cpp
@@ -253,6 +253,11 @@ void MacosRouteMonitor::handleRtmUpdate(const struct rt_msghdr* rtm,
     return;
   }
 
+  // Emit a signal that the default route has changed.
+  QHostAddress gateway(
+      reinterpret_cast<const struct sockaddr*>(addrlist[1].constData()));
+  emit defaultRouteUpdated(protocol, gateway, ifindex, rtm->rtm_rmx.rmx_mtu);
+
   // Update the exclusion routes with the new default route.
   logger.debug() << "Updating default route via" << ifname
                  << addrToString(addrlist[1]);

diff --git a/src/platforms/macos/daemon/macosroutemonitor.h b/src/platforms/macos/daemon/macosroutemonitor.h
@@ -43,6 +43,10 @@ class MacosRouteMonitor final : public QObject {
                             const void* sa);
   static QList<QByteArray> parseAddrList(const QByteArray& data);
 
+ signals:
+  void defaultRouteUpdated(int proto, QHostAddress& gateway, int ifindex,
+                           int mtu);
+
  private slots:
   void rtsockReady();