boringtun VS quiche

Maybe https://github.com/cloudflare/boringtun or https://github.com/WireGuard/wireguard-go ?

Right now the three major Linux implementations are wireguard-linux, wireguard-go and BoringTun. With some recent improvements to wireguard-go I decided to benchmark each one of them with ping and iPerf 3 over TCP and UDP.

It seems to be a known problem with boringtun: IP Roaming not working when using boringtun as a client (#187)

They’ve been on the Rust train since at least 2019. Just look at projects like quiche, wrangler, and boringtun

I assume since Wiresock is using BoringTun(https://github.com/cloudflare/boringtun) under the hood, it works similar to other userspace implementations of wireguard, (e.g. wireguard-go, wireguard-rs) in that it uses a TUN device to deliver packets to the userspace implementation, and back out to the network. So, no driver installation required, but CAP_NET_ADMIN is required to create the TUN device.

It's using some sort of a custom installer that also downloads Cloudflare's BoringTun (https://github.com/cloudflare/boringtun) directly from the author's website (nyr[.]be), since Cloudflare doesn't seem to offer it as a binary release. Example:

    { wget -qO- https://wg.nyr[.]be/1/latest/download 2>/dev/null || curl -sL https://wg.nyr.be/1/latest/download ; } | tar xz -C /usr/local/sbin/ --wildcards 'boringtun-*/boringtun' --strip-components 1

https://github.com/cloudflare/boringtun https://github.com/WireGuard/wireguard-go

The title of this post puts emphasis on "written in C", making me wonder when this would ever be a desirable feature, given that more secure implementations are available, and can be integrated into old C projects just as easily.

No need to rewrite everything from the ground up: https://github.com/cloudflare/quiche#curl

The issue is dead silent too!

https://github.com/cloudflare/quiche/issues/1115

Even though Oxy is a proprietary project, we try to give back some love to the open-source community without which the project wouldn’t be possible by open-sourcing some of the building blocks such as https://github.com/cloudflare/boring and https://github.com/cloudflare/quiche.

They’ve been on the Rust train since at least 2019. Just look at projects like quiche, wrangler, and boringtun

It's more like Cloudflare forked nginx a long time ago, and is meanwhile in the very slow (like, decade-long) process of replacing it entirely.

The Cloudflare Workers Runtime, for instance, is built directly around V8; it does not use nginx or any other existing web server stack. Many new features of Cloudflare are in turn built on Workers, and much of the old stack build on nginx is gradually being migrated to Workers. https://workers.dev https://github.com/cloudflare/workerd

In another part of the stack, there is Pingora, another built-from-scratch web server focused on high-performance proxying and caching: https://blog.cloudflare.com/how-we-built-pingora-the-proxy-t...

Even when using nginx, Cloudflare has rewritten or added big chunks of code, such as implementing HTTP/3: https://github.com/cloudflare/quiche And of course there is a ton of business logic written in Lua on top of that nginx base.

Though arguably, Cloudflare's biggest piece of magic is the layer 3 network. It's so magical that people don't even think about it, it just works. Seamlessly balancing traffic across hundreds of locations without even varying IP addresses is, well, not easy.

I could go on... automatic SSL provisioning? DDoS protection? etc. These aren't nginx features.

So while Cloudflare may have gotten started being more-or-less nginx-as-a-service I don't think you can really call it that anymore.

(I'm the tech lead for Cloudflare Workers.)

Ask Cloudflare why they use HTTP/3 and QUIC https://github.com/cloudflare/quiche.

Cloudflare has used rust for multiple projects in the past such as their QUIC/HTTP3 implementation Quiche and a WireGuard implementation BoringTun.