WireGuard LaunchD Startup

no.corporate.wireguard.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>no.corporate.wireguard</string>
    <key>RunAtLoad</key><true/>
    <key>OnDemand</key><false/>
    <key>Disabled</key><false/>
    <key>WatchPaths</key>
    <array>
        <string>/usr/local/etc/wireguard</string>
    </array>
    <key>WorkingDirectory</key>
    <string>/usr/local/etc/wireguard</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/wg-quick</string>
        <string>up</string>
        <string>/usr/local/etc/wireguard/wg0.conf</string>
    </array>
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
    </dict>
</dict>
</plist>

In general, you should not be using load and unload at all with this script. It starts on boot and runs forever. If you're interested in a more interactive experience, there is a GUI client.

You can read up on everything related to start, stop, load, unload in the Operation section of launchd.info.

<key>OnDemand</key><false/>
<key>Disabled</key><false/>

What are the purpose of these? man launchd.plist says that OnDemand shouldn't be used, and that your usage is the equivalent to setting KeepAlive to true. I would think that KeepAlive would be set to false since the job needs to only be run once at startup or on config change.

Disabled doesn't have an entry in man launchd.plist.

Still, I really appreciate the example config :)))

OnDemand
Disabled

First, launchd is one of the most maddening pieces of junk ever. A real study in how to make something that Unix has done in a million different ways, forever, hard. Also, the documentation is just terrible. https://www.launchd.info is a good resource and so is the LaunchControl app in the AppStore.

OnDemand is set to false - so that means it isn't being used - it is just explicitly set false, which is fine. Also, the disabled flag is just there for the purposes of quick disabling of the script if I don't want to start - which is rare, but sometimes needed.

@palmerc why load/unload and not start/stop?

Mostly years of habit? Under Operation, there is something of a description of the loading process, starting.

A job cannot be started unless it is loaded. Normally this loading happens during boot. General understanding of launchd loading is that the entry for your job is loaded automatically unless otherwise specified and starting/stopping the job happens given certain conditions like time, or some other trigger. What do I want? Load and start, continue running indefinitely. Stop at shutdown or in the rare instance I want it to go away. Load/Unload and the 'RunAtLoad' key have been working to achieve my goals.

Wireguard CLI on macos is not 100% compatible with macOS. Requires Go and a newer Bash than Apple will ship due to GPL. Wireguard offers the GUI version of the client that is macOS compatible, but then it doesn't run the way you want it to if you want a 'daemon'.