Skip to content

macOS: Is full AmneziaWG tunnel rebuild necessary on same-SSID WiFi AP roams? #307

Open
#310
Open
macOS: Is full AmneziaWG tunnel rebuild necessary on same-SSID WiFi AP roams?#307
#310
@Safibulae

Description

@Safibulae
Safibulae
opened on Mar 23, 2026

Context

On enterprise WiFi with multiple access points (same SSID, FT_PSK, DHCP lease retained), macOS roams between APs periodically. Each roam triggers a full AmneziaWG tunnel teardown and rebuild - the utun interface is destroyed and recreated, causing 15-20 seconds of connectivity loss per event.

In a 47-minute window I observed 12 tunnel rebuilds while connected to the same SSID with the same IP address throughout.

Code path traced (v2.21.6)

  1. networkdetectionmanager_mac.cpp: onNetworkStateChanged() compares the current NetworkInterface against the cached one using operator!=, which checks 11 fields. During a same-SSID AP roam, the SSID and interface name stay the same, but a field like active, metric, or physicalAddress may change briefly. This triggers the networkChanged signal, including via the "Unidentified interface change" path.

  2. engine.cpp: onNetworkChange() calls connectionManager_->updateConnectionSettings() with per-SSID connection settings looked up by networkOrSsid (which hasn't changed).

  3. connectionmanager.cpp: updateConnectionSettings() checks connection state - if STATE_CONNECTED, calls connector_->startDisconnect() and reconnects without comparing old vs new connection settings.

Question

Does AmneziaWG's obfuscation layer require a full tunnel re-establishment when the network path changes but SSID and IP are retained? Standard WireGuard handles endpoint roaming natively without tunnel rebuild.

If the rebuild is not strictly necessary, would it be feasible to:

  • Skip the reconnect in updateConnectionSettings() when the resolved connection settings (protocol, port, server) are identical to the active connection, or
  • Not emit networkChanged for the "Unidentified interface change" case where SSID is unchanged

utun420 attach/detach log

All on the same SSID with retained DHCP lease:

09:22:41 attach -> 09:22:45 detach  (3s)
09:23:29 attach -> 09:23:45 detach  (16s)
09:23:45 attach -> 09:24:01 detach  (16s)
09:25:09 attach -> 09:25:21 detach  (12s)
09:25:21 attach -> 09:25:33 detach  (12s)
09:25:36 attach -> 10:06:48 detach  (41min stable)
10:06:48 attach -> 10:07:09 detach  (21s)
10:07:10 attach -> 10:07:30 detach  (20s)
10:08:49 attach -> 10:09:09 detach  (20s)
10:09:09 attach -> 10:09:11 detach  (2s)
10:09:17 attach -> 10:09:33 detach  (16s)
10:09:48 attach -> still up

Environment

  • Windscribe 2.21.6 beta
  • amneziawg-go v0.2.16
  • macOS 26.4 Tahoe (Build 25E241), Apple M4 Max
  • WiFi: Enterprise WPA2/FT_PSK, multiple APs, same SSID

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions