GitHub - cloudflare/boringtun: Userspace WireGuard® Implementation in Rust
source link: https://github.com/cloudflare/boringtun
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
README.md
BoringTun
BoringTun is an implementation of the WireGuard® protocol designed for portability and speed.
The project consists of two parts:
- The executable
boringtun
, a userspace WireGuard implementation for Linux and macOS. - The library
boringtun
that can be used to implement fast and efficient WireGuard client apps on various platforms, including iOS and Android. It implements the underlying WireGuard protocol, without the network or tunnel stacks, those can be implemented in a platform idiomatic way.
⚠️NOTE: This crate is still undergoing review for security concerns. Therefore, we recommend that you take caution before using it in a production application.
Building
- Library only:
cargo build --lib --release [--target $(TARGET_TRIPLE)]
- Executable:
cargo build --bin boringtun --release [--target $(TARGET_TRIPLE)]
By default the executable is placed in the ./target/release
folder. You can copy it to a desired location manually, or install it using cargo install --bin boringtun --path .
.
Running
As per the specification, to start a tunnel use:
boringtun [-f/--foreground] INTERFACE-NAME
The tunnel can then be configured using wg, as a regular WireGuard tunnel, or any other tool.
It is also possible to use with wg-quick by setting the environment variable WG_QUICK_USERSPACE_IMPLEMENTATION
to boringtun
. For example:
sudo WG_QUICK_USERSPACE_IMPLEMENTATION=boringtun wg-quick up CONFIGURATION
Testing
Testing this project has a few requirements:
sudo
: required to create tunnels. When you runcargo test
you'll be prompted for your password.- Docker: you can install it here. If you are on Ubuntu/Debian you can run
apt-get install docker.io
.
Benchmarking
To benchmark this project you can run this command:
cargo +nightly bench
This command depends on the unstable test
feature of the Rust compiler. As a result, you'll need to use the nightly
channel of Rust when you run it. You can tell rustup
to use the nightly channel when running the bench mark command like this:
Supported platforms
Target triple Binary Library
x86_64-unknown-linux-gnu ✓ ✓ aarch64-unknown-linux-gnu ✓ ✓ armv7-unknown-linux-gnueabihf ✓ ✓ x86_64-apple-darwin ✓ ✓ x86_64-pc-windows-msvc
✓ FFI bindings armv7-apple-ios
✓ FFI bindings armv7s-apple-ios
✓ FFI bindings aarch64-linux-android
✓ JNI bindings arm-linux-androideabi
✓ JNI bindings
Other platforms may be added in the future
Linux
x86-64
, aarch64
and armv7
architecures are supported. The behaviour should be identical to that of wireguard-go, with the following difference:
boringtun
will drop priviliges when started. When priviliges are dropped it is not possible to set fwmark
. If fwmark
is required, instead running with sudo
, give the executable the CAP_NET_ADMIN
capability using: sudo setcap cap_net_admin+epi boringtun
. Alternatively run with --disable-drop-priviliges
.
macOS
The behaviour is similar to that of wireguard-go. Specifically the interface name must be utun[0-9]+
for an explicit interface name or utun
to have the kernel select the lowest available. If you choose utun
as the interface name, and the environment variable WG_TUN_NAME_FILE
is defined, then the actual name of the interface chosen by the kernel is written to the file specified by that variable.
FFI bindings
The library exposes a set of C ABI bindings, those are defined in the wireguard_ffi.h
header file. The C bindings can be used with C/C++, Swift (using a bridging header) or C# (using DLLImport with CallingConvention set to Cdecl
).
JNI bindings
The library exposes a set of Java Native Interface bindings, those are defined in src/cfjni/mod.rs
.
License
The project is licensed under the 3-Clause BSD License.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the 3-Clause BSD License, shall licensed as above, without any additional terms or conditions.
If you want to contribute to this project, please read our CONTRIBUTING.md
.
WireGuard is a registered trademark of Jason A. Donenfeld. BoringTun is not sponsored or endorsed by Jason A. Donenfeld.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK