A userspace WireGuard client that exposes itself as a proxy

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • onetun

    User space WireGuard proxy in Rust

    Sure, essentially it's a TCP and UDP server that:

    - receives connections and assigns a random internal port for it

    - wraps the data packets in a transport packet (TCP/UDP)

    - wraps the transport in an IP packet that's routed from the internal port and to the remote WireGuard address

    - wraps that with WireGuard's protocol (encryption)

    - sends off the encrypted packet to the WireGuard UDP endpoint

    The packet-wrapping and state machine for the connection is implemented using smoltcp in Rust, which is similar to netstack in Go.

    The WireGuard encapsulation and state machine is implemented with boringtun, Cloudflare's implementation of the WireGuard client in Rust.

    I do have a more thorough architecture explanation in the Readme: https://github.com/aramperes/onetun#architecture

  • systemd

    The systemd System and Service Manager

    > You have to give it routing information through an out of band mechanism “AllowedIPs.” One downside is that you can’t have two peers that act as general routers on the same wireguard network

    This is a common misconception, due to the fact that this is the way wg-quick works (presumably to make it easier). On a lower level, AllowedIPs is really just "allowed IPs", and does no routing. You can have multiple active peers with overlapping AllowedIPs.

    If you set up the tunnel through other means, you can make your own routes.

    For example in systemd-networkd, see `RouteTable` under the `[WireguardPeer]` section of systemd.netdev(5).

    (This was unfortunately broken for a brief while in systemd in Jan, but should now be fixed again: https://github.com/systemd/systemd/pull/22136. If it's not clear from the link, old and current behavior are that no routes are added unless RouteTable is explicitly set)

  • wireproxy

    Wireguard client that exposes itself as a socks5 proxy

  • esp_wireguard

    WireGuard Implementation for ESP-IDF

  • tunsocks

    User-level IP forwarding, SOCKS proxy, and HTTP proxy for VPNs that provide tun-like interface

  • wireguard-vyatta-ubnt

    WireGuard for Ubiquiti Devices

    I'm not sure how you conclude that AllowedIPs does no routing.

    > On a lower level, AllowedIPs is really just "allowed IPs", and does no routing.

    This is contrary to what the official documentation says https://www.wireguard.com/#cryptokey-routing

    > You can have multiple active peers with overlapping AllowedIPs.

    You can, but the most specific CIDR wins route selection, which is exactly what *routing* does.
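
A simplified model of the cryptokey routing table described at the wireguard.com link above, added here as an example (it is not code from the thread, from WireGuard or from any listed project): on send, the inner destination address selects the peer by longest-prefix match over AllowedIPs; on receive, the decrypted packet's inner source address must map back to the peer that sent it. Peer names and address ranges are constructed, and the model covers only peer selection inside the interface, not the host routing table that wg-quick or `RouteTable` populates.

```python
import ipaddress


class CryptokeyTable:
    """Toy model of one WireGuard interface's AllowedIPs table."""

    def __init__(self):
        self._entries = {}  # ip_network -> peer label (constructed names)

    def allow(self, peer, cidr):
        # An identical prefix can belong to one peer only: re-adding it moves it.
        self._entries[ipaddress.ip_network(cidr)] = peer

    def lookup(self, addr):
        """Longest-prefix match; returns the owning peer or None."""
        ip = ipaddress.ip_address(addr)
        matches = [n for n in self._entries if n.version == ip.version and ip in n]
        if not matches:
            return None
        return self._entries[max(matches, key=lambda n: n.prefixlen)]

    def select_peer_for_send(self, dst):
        # Outbound: the inner destination address picks the peer (and its key).
        return self.lookup(dst)

    def accept_from(self, peer, src):
        # Inbound: after decryption, the inner source address must map back
        # to the peer whose session decrypted the packet, else it is dropped.
        return self.lookup(src) == peer


def demo():
    table = CryptokeyTable()
    table.allow("gateway", "0.0.0.0/0")       # constructed peers and ranges
    table.allow("office", "10.20.0.0/16")
    table.allow("laptop", "10.20.30.40/32")
    return {
        "to 1.1.1.1": table.select_peer_for_send("1.1.1.1"),
        "to 10.20.1.1": table.select_peer_for_send("10.20.1.1"),
        "to 10.20.30.40": table.select_peer_for_send("10.20.30.40"),
        "gateway claims 10.20.1.1": table.accept_from("gateway", "10.20.1.1"),
        "office claims 10.20.1.1": table.accept_from("office", "10.20.1.1"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The inbound check is what keeps a catch-all peer from sourcing traffic as an address that a more specific peer owns.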

  • ini

    Package ini provides INI file read and write functionality in Go
