A userspace WireGuard client that exposes itself as a proxy

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com
Wireguard wireguard-tunnel Configuration Systemd wireguard-vpn

WorkOS
Our great sponsors
  • WorkOS - The modern identity platform for B2B SaaS
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • SaaSHub - Software Alternatives and Reviews
Our great sponsors

  • onetun

    User space WireGuard port-forward in Rust

    • Sure, essentially it's a TCP and UDP server that:

    - receives connections and assigns a random internal port for it

    - wraps the data packets in a transport packet (TCP/UDP)

    - wraps the transport in an IP packet that's routed from the internal port and to the remote WireGuard address

    - wraps that with WireGuard's protocol (encryption)

    - sends off the encrypted packet to the WireGuard UDP endpoint

    The packet-wrapping and state machine for the connection is implemented using smoltcp in Rust, which is similar to netstack in Go

    The WireGuard encapsulation and state machine is implemented with boringtun, Cloudflare's implementation of the WireGuard client in Rust.

    I do have a more thorough architecture explanation in the Readme: https://github.com/aramperes/onetun#architecture

  • systemd

    The systemd System and Service Manager

    • > You have to give it routing information through an out of band mechanism “AllowedIPs.” One downside is that you can’t have two peers that act as general routers on the same wireguard network

    This is a common misconception, due to that this is the way wg-quick works (presumably to make it easier). On a lower level, AllowedIPs is really just "allowed IPs", and does no routing. You can have multiple active peers with overlapping AllowedIPs.

    If you set up the tunnel through other means, you can make your own routes.

    For example in systemd-networkd, see `RouteTable` under the `[WireguardPeer]` section of systemd.netdev(5).

    (This was unfortunately broken for a brief while in systemd in Jan, but should now be fixed again: https://github.com/systemd/systemd/pull/22136. If it's not clear from the link, old and current behavior are that no routes are added unless RouteTable is explicitly set)

  • WorkOS

    The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

    WorkOS logo

  • wireproxy

    Wireguard client that exposes itself as a socks5 proxy

  • esp_wireguard

    WireGuard Implementation for ESP-IDF

  • tunsocks

    User-level IP forwarding, SOCKS proxy, and HTTP proxy for VPNs that provide tun-like interface

  • wireguard-vyatta-ubnt

    WireGuard for Ubiquiti Devices

    • I'm not sure how you conclude that AllowedIPs does no routing.

    > On a lower level, AllowedIPs is really just "allowed IPs", and does no routing.

    This is contrary to what the official documentation says https://www.wireguard.com/#cryptokey-routing

    > You can have multiple active peers with overlapping AllowedIPs.

    You can, but the most specific CIDR wins route selection, which is exactly what *routing* does.

  • ini

    Package ini provides INI file read and write functionality in Go

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo
NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts