Response to “WireGuard: great protocol, but skip the Mac app”

&gt; <i>We faced rejections in submitting the app, because they decided to change their policy on the app having a link in the &quot;About WireGuard&quot; tool window to www.wireguard.com&#x2F;donations&#x2F; (which they previously had allowed explicitly; now they want 30% or something)</i><p>Last year Google started to ban donation links in FOSS apps, WireGuard was one of the first victims [0], completely removed from the store. I didn&#x27;t know that Apple also started doing the same and hit WireGuard again. Extending the definition of an &quot;in-app payment&quot; to a link to the project homepage in the &quot;About&quot; window that doesn&#x27;t buy any good or service related to the app is an overzealous restriction. Especially so when that button is clicked by, perhaps, only 10% of the users. This is just evil.<p>[0] Open-source apps removed from Google Play Store due to donation links<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=21268389" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=21268389</a>

FOSS developers should simply stop developing good software for Apple devices.<p>The absolute opacity of Apple&#x27;s technical policies and their arrogant i-dont-care&#x2F;its-your-problem approach against developers are quite renewed in the community. This ends up costing a lot of development time to developers who mostly work for free, who struggle to reverse engineer or debug what happens on MacOS&#x2F;iOS, and (like Wireguard&#x27;s case shows) it harms the reputation of their software because people tend to blame the application rather than the OS when things don&#x27;t work as intended.<p>If people want to use FOSS software, then they should be able to do so on systems that support the FOSS ecosystem, that provide developers with appropriate tools to debug what&#x27;s going on (ON ANY PLATFORM) and sufficient documentation for them to understand how a certain component of the OS is supposed to behave.<p>I know that in the past 15 years lots of tech-savvy people have opted for Apple products because &quot;they&#x27;re still UNIX under the hood, and unlike Linux they just work out of the box&quot;. But being Unix-like DOES NOT mean to be developer-friendly! Apple is still an opaque developer-unfriendly company even if it provides you with a native bash!

The iOS and macOS apps have been the biggest point of stress and frustration when building EteSync[1]. The API is buggy as hell and very limited (if at all available) and the review process is arbitrary and can cause updates to be rejected. You can never know if your workarounds will be accepted or rejected. Sometimes they can even get rejected in future app updates.<p>The EteSync experience is subpar on Apple devices, and there&#x27;s almost nothing we can do about it. We already spent countless of hours trying to fix things, but Apple just make it impossible. We have more ideas on how to fix things, and we will keep on trying, but it&#x27;s beyond me why would anyone willingly use an Apple product.<p>Edit (adding one more point): that&#x27;s one of the more annoying parts about Apple being the gatekeeper to 40% of the US population and in effect, to 100% of businesses (because one bad Apple in the org is enough to spoil the whole bunch). As a developer, you are just stuck with no way out.<p>[1] <a href="https:&#x2F;&#x2F;www.etesync.com" rel="nofollow">https:&#x2F;&#x2F;www.etesync.com</a>

First off, what a level-headed friendly response from a developer who is clearly frustrated by Apple&#x27;s bugs and policies. As someone who has had to support commercial software this is not easy to do consistently.<p>Second, this has significantly tempered my lusting over the new M1 macs. I think I can be content with my ThinkPad&#x27;s running Linux.

I&#x27;m going to bookmark this reply as an example of how to take feedback and respond appropriately. Jason&#x27;s explanations both take responsibility for the issues at hand and provide adequate information to understand the difficulty in resolving them. He takes responsibility for a failure in review, which is a common problem I see in engineering orgs. I&#x27;m not an Apple user but I have a lot of love for the wireguard project (our company has donated) and the commitment shown here makes me confident that my feelings are not misplaced.

Honestly, I don&#x27;t get it.<p>Apple makes big money from their ecosystem. Wireguard developer provides high-quality solution for free, helping to grow proprietary ecosystem, essentially helping Apple to make more money indirectly and directly (by giving 30% from donations).<p>In return developer gets tons of hate from users and from Apple itself in the form of delayed reviews, rejects and constant threat of violating some rule and getting dev account banned.<p>In my opinion, the only solution for this is to stop providing services for free and put a price tag on the app.<p>I understand, that developer is a kind, not-yet-burnt-out person who wants to be the world a better place by providing the free way to exchange information securely, but doing so for free for corporate ecosystem is clearly not sustainable, neither financially nor emotionally.

This appears to be a very typical response from an Apple user who doesn&#x27;t understand the lengths and hoops developers have to jump through to work around Apple&#x27;s many, many restrictions, bugs and limitations.<p>In my day job, our Apple developers have spent years finding solutions to iOS restrictions around CallKit, Push Notifications and NSTodaysProblem, and those are just the things Apple has intentionally restricted, once you get into the bugs and poor documentation for some APIs it&#x27;s another story.<p>If our users knew the half of what our Apple Developers have to do, the meetings, discussions, concessions and re-design that has to be done to make things just work, even on par with the Android equivalent, they might be a little bit more understanding.<p>WireGuard has been excellent, and as a Linux user, I haven&#x27;t needed an app, I have a couple of aliases in my shell to start and stop my tunnels. I&#x27;ve used WireGuard daily for work since lockdown and I used it daily for personal use, while commuting to work before lockdown. In all of that time, I&#x27;ve never had a single issue due to WireGuard (and there isn&#x27;t even a Linux app to be seen). The expectation is often different between Linux and Apple users though.<p>When I was setting up for the first time, Jason even found time to help me himself on the IRC channel, something I&#x27;ve never expected, and for which I am eternally grateful.<p>I made a donation to WireGuard last year, I&#x27;ll be doing the same this year and I encourage others to &quot;put their money where their mouth is&quot; and show a little support for the people making and sharing this software for free. I expect an Apple user can afford a small cut of their or their employer&#x27;s money to do so.

This is a response to the Rachel by the bay blog post<p><a href="https:&#x2F;&#x2F;rachelbythebay.com&#x2F;w&#x2F;2020&#x2F;12&#x2F;24&#x2F;wg&#x2F;" rel="nofollow">https:&#x2F;&#x2F;rachelbythebay.com&#x2F;w&#x2F;2020&#x2F;12&#x2F;24&#x2F;wg&#x2F;</a><p>Personally I rarely use a mac, and don&#x27;t do wg on demand, but one thing that did annoy me was being unable to set dns search domain, which wasn&#x27;t mentioned in the blog post, but I believe is also caused by OSX deficiencies.

As an iOS developer I can relate, Apple makes amazing hardware, but their software development is often meh. I don&#x27;t think it&#x27;s malicious, its just they have so many thousands of teams, often working independently of each other, and your experience with them is like dealing with sightless people describing an elephant. Some teams do amazing things, some mediocre, some downright awful, like any company, but exaggerated because of their central importance in so many other peoples&#x2F;companies lives. Some of this could be fixed but even there Apple is a huge operation and executives are of all kinds. I work for a F50 company (non tech) with an infinite set of teams and execs and its another mix of amazing&#x2F;stupid.<p>No one company can uniformly manage so much code and hardware to boot and do it perfectly. There are things Apple could do to make it less irritating—the hard problem is picking which subset of horrifically irritating things to fix.

In case the author is reading this, I recently started using Wireguard in Mac OS with the Mac app and the experience has been great.<p>Not only is it much faster other VPNs that I used in the past, but compared to other clients (Forticlient and Tunnelblick), the overall experience feels much nicer, IMO.<p>Thank you so much for your work!

That is a fantastic showcase how to respond to negative criticism in a friendly, constructive and polite manner. Good work, Jason.

Incredible that people are so wired and ready to be outraged that they&#x27;d send off angry emails on christmas eve after reading someone else&#x27;s problems with a piece of software.

&gt; I woke up this morning with my inbox lit up by netizens outraged at me for having allowed the WireGuard Project to produce such terribly subpar and dysfunctional software for the Mac. That was a weird way to wake up on Christmas, considering how much I really do care about delivering polished software.<p>The response is much nicer than deserved. I would not have blamed him for a less friendly reaction.

I know that people say this all the time, and usually nothing comes from it, but it really feels like Apple is playing with fire here. Over just the past year I&#x27;ve gone from &quot;I don&#x27;t see why I wouldn&#x27;t support Mac&quot; to &quot;I&#x27;m not even going to try and build my software for Mac, life is too short to deal with Apple&#x27;s crap.&quot;<p>It&#x27;s been kind of a weird transition. I was talking to someone recently about accessibility between multiple GUI frameworks (QT&#x2F;Electron&#x2F;GTK&#x2F;Swift&#x2F;etc...) and they brought up Mac accessibility differences. And immediately my brain jumped to, &quot;well, who cares if those frameworks are accessible on Mac, because it&#x27;s not like my software is going to be on there. Only the Linux&#x2F;Windows&#x2F;mobile experiences matter.&quot; It was a very strange feeling to have that be the first thing that instinctively popped into my head.<p>And I&#x27;m only one developer, and probably no one&#x27;s really going to notice or care about my decisions, and historically as long as users demand Mac software&#x2F;releases, developers have had to just put up with it, so I don&#x27;t have strong evidence that this is going to be different.<p>But I wonder how long that can hold out before eventually something snaps. Realistically, there&#x27;s no way that Wireguard can refuse to release for MacOS. But everyone else? If you&#x27;re making a game, why would you ever target a Mac build if you&#x27;re worried about running into issues like this? Is the gaming marketshare on Mac really big enough to justify this kind of annoyance and time commitment?<p>I&#x27;m probably naive, but it just seems like at some point developers are going to decide that the only reason to support Mac is if it&#x27;s their primary market. Maybe Apple doesn&#x27;t care, maybe they&#x27;d like us all to move to iOS anyway.

As a Mac admin VPP&#x2F;App Store distribution is still quite finicky. I don’t understand why Apple has to flex and restrict NetworkExtension&#x2F;VPN apps to Mac App Store. More iOS-ification of the OS.

I don&#x27;t think I&#x27;d have had the same patience with a response on Christmas morning to a project I&#x27;d sunk endless time into. Well done OP. Can&#x27;t wait to see more Wireguard.

In the developer documentation for Network extensions they describe how to enable them for Apps outside the App store:<p><a href="https:&#x2F;&#x2F;developer.apple.com&#x2F;documentation&#x2F;bundleresources&#x2F;entitlements&#x2F;com_apple_developer_networking_networkextension" rel="nofollow">https:&#x2F;&#x2F;developer.apple.com&#x2F;documentation&#x2F;bundleresources&#x2F;en...</a><p>It&#x27;s under &quot;Discussion&quot;.<p>Haven&#x27;t tried out if it works though, but the link in [6] that the developer refers to is 3 years old, so maybe check again?

&gt; Because as far as I know, Apple only allows NetworkExtension-based apps to be distributed via the App Store,<p>No, not so. Plenty of VPN apps based on network extensions are delivered outside the Mac App Store. In fact, most commercial VPNs are done this way. My company uses GlobalProtect for example, and I can install it any number of ways, and it’s been NE based for over a year now...

Apple doesn&#x27;t deserve to have such careful and detail-oriented FOSS developers like Jason, developing for their platform. He is genuinely wasting time in order to work around Apple&#x27;s developer-unfriendly platform. Not that I should be telling devs where they should spend their time... but I feel like so much effort is being devoted to fix Apple&#x27;s issues.<p>&gt; <i>When I&#x27;m debugging these issues, I&#x27;ll often times spend a few hours in IDA Pro (Apple doesn&#x27;t provide debug symbols, unlike Microsoft, which makes this process even more miserable than it already is), and after identifying the issue I&#x27;ll often have several ideas for &quot;clever&quot; workarounds. Which of them are acceptable for the App Store? Usually none!</i><p>Really, why we need to have very talented people spending their time in dealing with this, instead of contributing actual value on other parts of the project? Apple should be losing devs in favor of other better platforms, not the other way around. With less and worse products at their disposal, Apple users would then be well aware that they are choosing a platform that alienates developers.

dang: What was the purpose of removing &quot;Developer&#x27;s&quot; from the title? Previously it was &#x27;Developer&#x27;s response to “WireGuard: great protocol, but skip the Mac app”&#x27;.<p>Neither of these are the actual title, so that can&#x27;t be the rule it was operating under, and the fact that it&#x27;s a developer (as opposed to some other user or Apple&#x2F;Wireguard fanboy&#x2F;hater) does change the context, at least for me.

Maybe dumb question but why are they distributing through the Mac App Store? Seems like a lot of these problems are due to the review process. It is possible to just do direct downloads on the Mac.

Couldn&#x27;t a lot of the Apple pain be avoided simply by ditching the Mac App Store? It&#x27;s not a requirement for distributing software on the Mac, so why deal with the pain, the limitations, the 30% cut, the slow approvals, if you don&#x27;t really have to? The Windows Installer is distributed as an MSI, there&#x27;s no reason the WireGuard installer for Mac couldn&#x27;t just be distributed as a self-hosted .pkg.<p>Cisco doesn&#x27;t host their VPN packages on the MAS either.

One problematic thing about App Store reviews as a developer is on each submission, Apple does a cursory review of the whole app. This means a one-line bug fix that is an improvement in anyone’s eyes can get caught on a detail that has been present for years.<p>It would be fine if these complaints about old details were reported to developers as “blocking any future app releases”, but blocking immediate bug fixes really hurts.

The following suggests a technical solution and expresses no opinion on the policy issues of supporting the Mac App Store:<p>Jason implies that Mac apps that use the Network Extension can only be distributed through the App Store, but this appears to be a misunderstanding. This page at Apple purports to document a way to build an app for distribution outside the App Store:<p><a href="https:&#x2F;&#x2F;developer.apple.com&#x2F;documentation&#x2F;bundleresources&#x2F;entitlements&#x2F;com_apple_developer_networking_networkextension" rel="nofollow">https:&#x2F;&#x2F;developer.apple.com&#x2F;documentation&#x2F;bundleresources&#x2F;en...</a><p>Perhaps this would allow WireGuard to support the Mac more easily without having to rely on the App Store. (It still requires an Apple Developer account, but that&#x27;s already a requirement for the App Store.)

I for one think the Mac app is awesome. I much, much, much, SO much prefer telling people to install from the App Store as opposed to, well, anything else. Especially I would never, ever tell anyone to use Macports. It&#x27;s just not the way forward.<p>Do not skip the Mac app. It&#x27;s pretty good.

I didn&#x27;t know about WireGuard before the initial post on HN, since then it&#x27;s replaced my OpenVPN solution to access things on my home network stuck behind a 5G mobile CGNAT (no wired service available)<p>I haven&#x27;t had any issues with the Mac app, but for where the app may be lacking because of the circus that is developing with Apples frameworks and app store it makes up in being absolutely amazing behind the scenes.<p>All the other solutions I&#x27;ve tried have taken weeks of learning and tweaking configs. Had the entire WireGuard solution going end to end in a few hours.<p>It&#x27;s super simple, lightweight, reliable and easy to understand.<p>It&#x27;s a shame Apples app store policies and being forced to work with buggy frameworks is holding back developers abilities to write first class native software for MacOS.

<i>Dumb question 1:</i> Why not do what Apollo for Reddit (and many other apps) does and add in-app &quot;tips&quot; and&#x2F;or other purchases? With minimal UI support it&#x27;d be orders-of-magnitude more effective at raising money for WireGuard than a web link, regardless of Apple&#x27;s markup.<p><i>Dumb question 2:</i> Why isn&#x27;t it a good idea to create a non-profit, or distribute via a partner non-profit, to reduce the App Store take to 0%? (Even without that, Apple&#x27;s take would be 15% until the app hits $1 million in annual net sales there.)<p>I see people in the thread asking for special treatment for this (important and worthy, of course) project, which Apple obviously can&#x27;t do that without creating a thousand other problems.

My, what a very polite maintainer! It makes me a bit sad that I couldn&#x27;t ever figure out how to submit my bug report to the WireGuard project (if I recall I had to sign up for a mailing list? but I just want to submit one bug, not become a maintainer). Although, perhaps that added friction is what saves Jason the energy to be so polite when a nasty blog article hits the front page :)<p>On the off chance this post is read, the bug report is simple: WireGuard for Mac doesn&#x27;t respect &#x2F;etc&#x2F;hosts.

Cloudflare WARP beta works somehow. And it isn&#x27;t distributed through the App Store on Mac. So, it is definitely possible for WireGuard.

In an alternative universe, one could imagine macOS developers being so frustrated that they only bother with updating their windows&#x2F;linux versions.<p>In which case, only apps like parallels would have to be working, then the bugs of macOS could be bypassed for many and focused for a set of well-funded developers.<p>All apps would have a translation layer, but that seems to not be an issue with the m1.

Couldn’t you just change the url to &#x2F;about instead of &#x2F;donations? Seems sort of the thing sketchy sites do to say one thing and link to another.<p>If I want to donate to a project I want to browse the site and learn more about rather than straight to the donation page. Seems like a money grab to take me to the donation page.

App Store gatekeeping needs to burn. It may be helpful for the tech-illiterate who want simple and safe apps, but it&#x27;s not a viable for a healthy ecosystem of broad ranging applications. It&#x27;s crazy to think I can&#x27;t install an app from a developer I trust from their website.

&gt; I woke up this morning with my inbox lit up by netizens outraged<p>Wait, are there people reading random blog post about piece of software and deciding it would be a good idea to nag author of the software by retranslating someone other&#x27;s opinion? Isn&#x27;t that, how to say, inadequate?

Related previous Christmas-present thread: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=25533263" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=25533263</a>

How fast is wireguard on windows? OpenVPN is fast on linux but disastrous on windows, you really have to tweak the settings to go beyond 5 MB&#x2F;s and usually not much more.

This was very interesting to read. It contributes to my sense that MacOS is not really a top priority at Apple any more. Recent OS upgrades there have been quite painful.

Wow, shame on Apple...

It sure feels like we&#x27;re swinging back to the pre-PC days where code portability and interoperability was sacrificed at the altar of vendor lock-in.

There are bugs of course, but let&#x27;s not loose scope of the fact that &quot;Apple has restricted&quot; usually means Apple is preventing bad actors from doing the wrong thing.<p>As a developer, I usually find it rewarding to work with the Sandbox and not against it. Making this part of the product conception very early on results in much smoother experience at the end. Of course, if submitting to the store is an afterthought there are surely some challenges to tackle.

why isn&#x27;t Apple building the Wireguard protocol into the OS directly as Linux is doing?

Our team really likes the mac app!

WireGuard is a spectacular gift to the community and I am grateful to have it.

&gt; a developer new to the codebase didn&#x27;t realize that he was removing a workaround to yet-another-Apple-bug.<p>Isn&#x27;t this what code comments should be good for preventing?

Also, skip the Mac.<p>Apple is predatory white-washed garbage.

Mac client WFM. No complaints. So there...

Is tunsafe.com&#x2F;osx any better?

Can you not release it as a .dmg, without going through the Apple Store? Love WireGuard btw

May I suggest to @dang to update the title with something just a little bit more informative without much editorialization, like:<p><i>WireGuard Developer Response to &quot;Great protocol, skip the Mac app&quot; blogpost</i>

I don&#x27;t get it. You cannot write a VPN app for MacOs and let people just download the executable from your website? Pretty sure I&#x27;ve never opened the app store on my laptop and still have a VPN installed.