boringtun

Userspace WireGuard® Implementation in Rust

6,003

403

6,003

View on GitHub

Top Related Projects

wireguard-go

3,028

Mirror only. Official repository is at https://git.zx2c4.com/wireguard-go

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

algo

28,648

Set up a personal VPN in the cloud

setup-ipsec-vpn

24,907

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

SoftEtherVPN

11,470

Cross-platform multi-protocol VPN software. Pull requests are welcome. The stable version is available at https://github.com/SoftEtherVPN/SoftEtherVPN_Stable.

Quick Overview

BoringTun is a Rust implementation of the WireGuard® protocol, designed for high-performance and cross-platform compatibility. It provides a userspace WireGuard implementation that can be easily integrated into various applications and systems, offering secure and efficient VPN functionality.

Pros

Written in Rust, ensuring memory safety and thread safety
Cross-platform compatibility (Linux, macOS, Windows, iOS, Android)
High performance and low resource usage
Easy integration into existing applications

Cons

Relatively new compared to the original WireGuard implementation
May lack some advanced features found in the kernel implementation
Requires Rust knowledge for deep customization or contribution
Documentation could be more comprehensive for newcomers

Code Examples

Creating a WireGuard tunnel:

use boringtun::noise::Tunn;
use boringtun::crypto::X25519PublicKey;

let private_key = [0u8; 32]; // Replace with actual private key
let peer_public_key = X25519PublicKey::from([0u8; 32]); // Replace with peer's public key
let preshared_key = None; // Optional preshared key

let tunnel = Tunn::new(private_key, peer_public_key, preshared_key, None, 0, None).unwrap();

Encrypting and sending a packet:

let src_packet = vec![0u8; 1500]; // Replace with actual packet data
let mut dst_packet = vec![0u8; 1500 + 32]; // Buffer for encrypted packet

let (packet_type, len) = tunnel.encapsulate(&src_packet, &mut dst_packet).unwrap();
// Send dst_packet[..len] to the network

Receiving and decrypting a packet:

let received_packet = vec![0u8; 1500]; // Replace with received packet data
let mut decrypted_packet = vec![0u8; 1500];

let (packet_type, len) = tunnel.decapsulate(None, &received_packet, &mut decrypted_packet).unwrap();
// Process decrypted_packet[..len]

Getting Started

To use BoringTun in your Rust project:

Add the dependency to your Cargo.toml:
```
[dependencies]
boringtun = "0.5.2"
```

Import and use BoringTun in your code:

use boringtun::noise::Tunn;
use boringtun::crypto::X25519PublicKey;

// Create a tunnel and use it for encryption/decryption
// (See code examples above for more details)

Build and run your project:
```
cargo build
cargo run
```

Competitor Comparisons

wireguard-go

3,028

Mirror only. Official repository is at https://git.zx2c4.com/wireguard-go

Pros of wireguard-go

Native Go implementation, offering better integration with Go ecosystems
Potentially easier to extend and modify due to Go's simplicity
Closer to the original WireGuard implementation, ensuring compatibility

Cons of wireguard-go

May have lower performance compared to BoringTun's Rust implementation
Less focus on enterprise-level features and optimizations
Potentially higher memory usage due to Go's garbage collection

Code Comparison

wireguard-go:

func (device *Device) RoutineHandshake() {
    for {
        select {
        case <-device.signals.stop:
            return
        default:
        }
        device.RoutineHandshakeIteration()
    }
}

BoringTun:

pub fn update(&mut self) -> Result<(), WireGuardError> {
    self.timers.update_timers();
    self.handshake.update(&mut self.timers)?;
    self.keypair.update(&mut self.timers)?;
    Ok(())
}

The code snippets show different approaches to handling handshake routines. wireguard-go uses a continuous loop with a select statement, while BoringTun employs a more structured update method. BoringTun's implementation appears more modular and potentially easier to maintain.

streisand

23,174

Pros of Streisand

Comprehensive VPN solution with multiple protocol support (OpenVPN, WireGuard, etc.)
Automated setup process for various cloud providers
Includes additional privacy-enhancing tools like Tor and DNS encryption

Cons of Streisand

More complex setup and maintenance due to its comprehensive nature
Potentially higher resource usage on the server
Less focused on a single VPN protocol, which may impact performance optimization

Code Comparison

BoringTun (Rust):

pub fn new(sk: &X25519SecretKey) -> Self {
    let public = sk.public_key();
    Self {
        secret: *sk,
        public,
    }
}

Streisand (Python):

def generate_rsa_key(bits):
    key = RSA.generate(bits)
    private_key = key.exportKey()
    public_key = key.publickey().exportKey()
    return private_key, public_key

While BoringTun focuses on WireGuard implementation in Rust, Streisand uses Python for its automation scripts and supports multiple VPN protocols. BoringTun's code is more specialized for WireGuard, while Streisand's code handles various aspects of VPN setup and key generation for different protocols.

algo

28,648

Set up a personal VPN in the cloud

Pros of algo

Comprehensive VPN solution with automated setup scripts
Supports multiple cloud providers (AWS, DigitalOcean, etc.)
Includes additional security features like DNS-based ad blocking

Cons of algo

More complex setup process compared to boringtun
Requires cloud infrastructure, potentially increasing costs
Less flexible for custom implementations

Code comparison

algo (setup script excerpt):

def deploy_algo(args):
    update_users(args)
    client = get_cloud_provider(args)
    deploy_server(args, client)
    configure_vpn(args)

boringtun (WireGuard implementation):

pub fn create_device(name: &str, port: u16) -> Result<Device, Error> {
    let tun = tun::create_as_non_blocking(name)?;
    let udp = UdpSocket::bind(("0.0.0.0", port))?;
    Ok(Device::new(tun, udp))
}

Summary

algo offers a more comprehensive VPN solution with automated setup across multiple cloud providers, while boringtun focuses on providing a lightweight, high-performance WireGuard implementation. algo includes additional security features but requires more complex setup and cloud infrastructure. boringtun is more flexible for custom implementations but requires more manual configuration. The code comparison highlights algo's focus on deployment automation versus boringtun's low-level networking implementation.

setup-ipsec-vpn

24,907

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

Pros of setup-ipsec-vpn

Easy to set up and use, with automated scripts for various platforms
Supports a wide range of devices and operating systems
Well-documented with detailed instructions and troubleshooting guides

Cons of setup-ipsec-vpn

Limited to IPsec/L2TP and Cisco IPsec protocols
May have performance limitations compared to WireGuard-based solutions
Requires more system resources and may be slower to establish connections

Code Comparison

setup-ipsec-vpn (shell script):

#!/bin/sh
# Configure IPsec VPN connections
# ...
ipsec auto --add L2TP-PSK
ipsec auto --add XAUTH-PSK

boringtun (Rust):

pub struct Tunn {
    handshake: Handshake,
    keypair: KeyPair,
    // ...
}

impl Tunn {
    pub fn new(static_private: &X25519StaticSecret, // ...

The code snippets highlight the different approaches: setup-ipsec-vpn uses shell scripts for configuration, while boringtun implements WireGuard protocol in Rust, offering potentially better performance and security.

SoftEtherVPN

11,470

Cross-platform multi-protocol VPN software. Pull requests are welcome. The stable version is available at https://github.com/SoftEtherVPN/SoftEtherVPN_Stable.

Pros of SoftEtherVPN

Multi-protocol support (OpenVPN, IPsec, L2TP, MS-SSTP)
Cross-platform compatibility (Windows, Linux, macOS, FreeBSD, Solaris)
User-friendly GUI for configuration and management

Cons of SoftEtherVPN

Larger codebase, potentially more complex to maintain
May have higher resource usage due to multiple protocol support
Less focused on WireGuard protocol specifically

Code Comparison

SoftEtherVPN (C):

UINT SysLog(char *format, ...)
{
    va_list args;
    va_start(args, format);
    SysLogEx(format, args);
    va_end(args);
    return 0;
}

BoringTun (Rust):

pub fn log(level: log::Level, message: &str) {
    if let Some(logger) = LOGGER.get() {
        logger.log(level, message);
    }
}

SoftEtherVPN offers a more comprehensive VPN solution with multi-protocol support and a user-friendly interface. BoringTun, on the other hand, is a focused WireGuard implementation in Rust, prioritizing performance and security for this specific protocol. The code comparison shows different approaches to logging, with SoftEtherVPN using C and BoringTun using Rust, reflecting their respective language choices and design philosophies.

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

BoringTun

Warning

Boringtun is currently undergoing a restructuring. You should probably not rely on or link to the master branch right now. Instead you should use the crates.io page.

boringtun:
boringtun-cli

BoringTun is an implementation of the WireGuard^Â® protocol designed for portability and speed.

BoringTun is successfully deployed on millions of iOS and Android consumer devices as well as thousands of Cloudflare Linux servers.

The project consists of two parts:

The executable boringtun-cli, a userspace WireGuard implementation for Linux and macOS.
The library boringtun that can be used to implement fast and efficient WireGuard client apps on various platforms, including iOS and Android. It implements the underlying WireGuard protocol, without the network or tunnel stacks, those can be implemented in a platform idiomatic way.

Installation

You can install this project using cargo:

cargo install boringtun-cli

Building

Library only: cargo build --lib --no-default-features --release [--target $(TARGET_TRIPLE)]
Executable: cargo build --bin boringtun-cli --release [--target $(TARGET_TRIPLE)]

By default the executable is placed in the ./target/release folder. You can copy it to a desired location manually, or install it using cargo install --bin boringtun --path ..

Running

As per the specification, to start a tunnel use:

boringtun-cli [-f/--foreground] INTERFACE-NAME

The tunnel can then be configured using wg, as a regular WireGuard tunnel, or any other tool.

It is also possible to use with wg-quick by setting the environment variable WG_QUICK_USERSPACE_IMPLEMENTATION to boringtun. For example:

sudo WG_QUICK_USERSPACE_IMPLEMENTATION=boringtun-cli WG_SUDO=1 wg-quick up CONFIGURATION

Testing

Testing this project has a few requirements:

sudo: required to create tunnels. When you run cargo test you'll be prompted for your password.
Docker: you can install it here. If you are on Ubuntu/Debian you can run apt-get install docker.io.

Supported platforms

Target triple	Binary	Library
x86_64-unknown-linux-gnu	â	â
aarch64-unknown-linux-gnu	â	â
armv7-unknown-linux-gnueabihf	â	â
x86_64-apple-darwin	â	â
x86_64-pc-windows-msvc		â
aarch64-apple-ios		â
armv7-apple-ios		â
armv7s-apple-ios		â
aarch64-linux-android		â
arm-linux-androideabi		â

_{Other platforms may be added in the future}

Linux

x86-64, aarch64 and armv7 architectures are supported. The behaviour should be identical to that of wireguard-go, with the following difference:

boringtun will drop privileges when started. When privileges are dropped it is not possible to set fwmark. If fwmark is required, such as when using wg-quick, run with --disable-drop-privileges or set the environment variable WG_SUDO=1.

You will need to give the executable the CAP_NET_ADMIN capability using: sudo setcap cap_net_admin+epi boringtun. sudo is not needed.

macOS

The behaviour is similar to that of wireguard-go. Specifically the interface name must be utun[0-9]+ for an explicit interface name or utun to have the kernel select the lowest available. If you choose utun as the interface name, and the environment variable WG_TUN_NAME_FILE is defined, then the actual name of the interface chosen by the kernel is written to the file specified by that variable.

FFI bindings

The library exposes a set of C ABI bindings, those are defined in the wireguard_ffi.h header file. The C bindings can be used with C/C++, Swift (using a bridging header) or C# (using DLLImport with CallingConvention set to Cdecl).

JNI bindings

The library exposes a set of Java Native Interface bindings, those are defined in src/jni.rs.

License

The project is licensed under the 3-Clause BSD License.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the 3-Clause BSD License, shall be licensed as above, without any additional terms or conditions.

If you want to contribute to this project, please read our CONTRIBUTING.md.

_{_{_{_{WireGuard is a registered trademark of Jason A. Donenfeld. BoringTun is not sponsored or endorsed by Jason A. Donenfeld.}}}}

Top Related Projects

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot