A userspace WireGuard® implementation, and a fork of BoringTun.
- Library only:
cargo build --lib --no-default-features --release [--target $(TARGET_TRIPLE)] - Executable:
cargo build --bin gotatun --release [--target $(TARGET_TRIPLE)]
By default the executable is placed in the ./target/release folder. You can copy it to a desired location manually, or install it using cargo install --bin gotatun --path ..
To build the executable, simply run nix build .#gotatun. The final binary will be located in result/bin/gotatun.
As per the specification, to start a tunnel use:
gotatun [-f/--foreground] INTERFACE-NAME
The tunnel can then be configured using wg, as a regular WireGuard tunnel, or any other tool.
It is also possible to use with wg-quick by setting the environment variable WG_QUICK_USERSPACE_IMPLEMENTATION to gotatun. For example:
sudo WG_QUICK_USERSPACE_IMPLEMENTATION=gotatun WG_SUDO=1 wg-quick up CONFIGURATION
Testing this project has a few requirements:
sudo: required to create tunnels. When you runcargo testyou'll be prompted for your password.- Docker: you can install it here. If you are on Ubuntu/Debian you can run
apt-get install docker.io.
| Target triple | Binary | Library |
|---|---|---|
| x86_64-unknown-linux-gnu | ✓ | ✓ |
| aarch64-unknown-linux-gnu | ✓ | ✓ |
| armv7-unknown-linux-gnueabihf | ✓ | ✓ |
| x86_64-apple-darwin | ✓ | ✓ |
| x86_64-pc-windows-msvc | ✓ | |
| aarch64-apple-ios | ✓ | |
| armv7-apple-ios | ✓ | |
| armv7s-apple-ios | ✓ | |
| aarch64-linux-android | ✓ | |
| arm-linux-androideabi | ✓ |
Other platforms may be added in the future
x86-64, aarch64 and armv7 architectures are supported. The behaviour should be identical to that of wireguard-go, with the following difference:
gotatun will drop privileges when started. When privileges are dropped it is not possible to set fwmark. If fwmark is required, such as when using wg-quick, run with --disable-drop-privileges or set the environment variable WG_SUDO=1.
You will need to give the executable the CAP_NET_ADMIN capability using: sudo setcap cap_net_admin+epi gotatun. sudo is not needed.
The behaviour is similar to that of wireguard-go. Specifically the interface name must be utun[0-9]+ for an explicit interface name or utun to have the kernel select the lowest available. If you choose utun as the interface name, and the environment variable WG_TUN_NAME_FILE is defined, then the actual name of the interface chosen by the kernel is written to the file specified by that variable.
The project is licensed under the 3-Clause BSD License.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the 3-Clause BSD License, shall be licensed as above, without any additional terms or conditions.
WireGuard is a registered trademark of Jason A. Donenfeld. GotaTun is not sponsored or endorsed by Jason A. Donenfeld.