# NordVPN macOS WireGuard Backend Design

## Goal

Replace the current macOS app-manual fallback in `nordvpn-client` with a scripted WireGuard/NordLynx backend inspired by `wg-nord` and `wgnord`, while preserving the official Linux `nordvpn` CLI backend.
## Key decisions

- Keep Linux on the official `nordvpn` CLI.
- Prefer a native macOS WireGuard backend over the GUI app.
- Do not vendor third-party scripts directly; reimplement the needed logic in our own JSON-based Node skill.
- Do not require uninstalling the Homebrew `nordvpn` app. The new backend can coexist with it.
## macOS backend model

- Bootstrap via Homebrew:
  - `wireguard-tools`
  - `wireguard-go`
- Read NordVPN token from existing env/file inputs.
- Discover a WireGuard-capable NordVPN server via the public Nord API.
- Generate a private key locally.
- Exchange the private key for Nord-provided interface credentials using the token.
- Materialize a temporary WireGuard config under a skill-owned state directory.
- Connect and disconnect via `wg-quick`.
- Verify with public IP/geolocation after connect.
## Data/state

- Keep state under a skill-owned directory in the user's home, not `/etc`.
- Persist only what is needed for reconnect/disconnect/status.
- Never store secrets in docs.
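
One way the "materialize a temporary WireGuard config" step and the state rules above could fit together, as an added example rather than the skill's actual code. The directory name, interface name handling, state field names and the full-tunnel `AllowedIPs` value are assumptions.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

const KEY_RE = /^[A-Za-z0-9+/]{43}=$/;        // base64 of a 32-byte WireGuard key
const HOST_RE = /^[A-Za-z0-9.-]+$/;           // hostname or IPv4, no whitespace
const ADDR_RE = /^[0-9A-Fa-f.:]+\/\d{1,3}$/;  // interface address with prefix length

// Hypothetical location: under the user's home, never /etc.
const defaultStateDir = () => path.join(os.homedir(), '.nordvpn-client', 'wireguard');

// Render wg-quick config text. Server-supplied values are validated first so a
// stray newline cannot add extra directives to the file.
function renderConfig({ privateKey, address, peerPublicKey, endpointHost, endpointPort }) {
  if (!KEY_RE.test(privateKey) || !KEY_RE.test(peerPublicKey)) throw new Error('bad key');
  if (!ADDR_RE.test(address)) throw new Error('bad address');
  if (!HOST_RE.test(endpointHost)) throw new Error('bad endpoint host');
  if (!Number.isInteger(endpointPort) || endpointPort < 1 || endpointPort > 65535) {
    throw new Error('bad endpoint port');
  }
  return [
    '[Interface]',
    `PrivateKey = ${privateKey}`,
    `Address = ${address}`,
    '',
    '[Peer]',
    `PublicKey = ${peerPublicKey}`,
    'AllowedIPs = 0.0.0.0/0', // assumption: full-tunnel IPv4
    `Endpoint = ${endpointHost}:${endpointPort}`,
    '',
  ].join('\n');
}

// Write the config (contains the private key) and a secret-free state.json,
// both owner-only, inside an owner-only directory.
function materialize(stateDir, iface, params) {
  if (!/^[A-Za-z0-9_-]{1,15}$/.test(iface)) throw new Error('bad interface name');
  const text = renderConfig(params);
  fs.mkdirSync(stateDir, { recursive: true, mode: 0o700 });
  fs.chmodSync(stateDir, 0o700); // also tightens a directory that already existed
  const configPath = path.join(stateDir, `${iface}.conf`);
  const tmp = `${configPath}.${process.pid}.tmp`;
  fs.writeFileSync(tmp, text, { mode: 0o600, flag: 'wx' }); // 'wx': fail if tmp exists
  fs.renameSync(tmp, configPath); // atomic replace, file is never world-readable
  const state = { backend: 'wireguard', iface, configPath, endpoint: params.endpointHost };
  const statePath = path.join(stateDir, 'state.json');
  fs.writeFileSync(statePath, JSON.stringify(state, null, 2), { mode: 0o600 });
  return state;
}
```

The persisted `state.json` carries only what status and disconnect need; the private key exists solely in the `0600` config file that `wg-quick` reads.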
## Rollout

1. Implement the macOS WireGuard backend in the skill.
2. Update status output so backend selection is explicit.
3. Update skill docs and repo docs.
4. Verify non-destructive flows on this host.
5. Commit, push, and then decide whether to run a live connect test.