WireGuard® implementation written in Rust
90 points by runxiyu
If now Tailscale creates a fork of GotaTun I am gonna scream. Could they please just maintain one version together.
Also I am looking forward to Tailscale adopting WireGuard written in Rust :)
The Tailscale folks are pretty big Go people so I am not sure they would jump so quickly to a Rust based WireGuard.
Also it seemed a lot of the issues mullvad folks had with the go implementation were the go -> rust FFI interface. For all go binaries wireguard-go likely has significantly less downsides.
The reason for the fragmentation is that BoringTun is abandoned. And people can't agree on the replacement.
At work when we abandoned BoringTun we ended up evaluating most of the forks and switching to https://github.com/NordSecurity/NepTUN. But there are a handful of other forks that are being maintained.
It would be nice to consolidate, but it can be hard to set up the politics for maintainership.
A funny thing about WireGuard is its author’s legendary insistence that everyone add a “®” and a trademark sentence mentioning his personal full name on any page that has the word WireGuard, to the point of chasing down random personal blog posts and sending legal threats to personal open source projects for not doing so.
It establishes a crummy precedent in open source — imagine if Linus behaved the same way with Linux, and you had to have Linux® and “Linux is a registered trademark of Linus Torvalds” at the bottom of every single page that ever used the word, lest an irate Linus Torvalds hunt you down. Luckily, Linus did the non-narcissistic thing of just setting up a foundation for the trademark and forgetting about it except in cases of necessity.
I can't imagine what it feels like to have companies constantly trying to monetize my free labor without credit (other than every tech job I've ever had), but even still, it seems that your use of "narcissistic" here isn't in good faith.
Donenfeld's gone after non-commercial implementations. The NetBSD implementation of WireGuard never actually calls it WireGuard; there was a spat on the mailing list.
I think there are some aspects of WireGuard that are, I guess, technically interesting. The massive baggage of Captain WireGuard® believing he has creative control over other people's projects is a non-starter for me. An illumos community member put up with him doing PR reviews on a port of the Go version for quite a long time, until his majesty pulled the rug out one day.
I am led to believe that if we decided to add native support to illumos, for example, that we would probably not be allowed to provide configuration tools that fit alongside all our other native IP interface and tunnel configuration, because that's "not WireGuard".
The motivation to engage is, at this point, extremely low. If we do ever decide to implement it, I expect it will end up being compatible at the protocol level but called something different to avoid the Kool-Aid guy busting through the wall as a result.
Nadim mentioned random personal blog posts, but you jumped to large corporations using his work without credit. That seems disingenuous.
Yeah, to be clear if, I don't know, Cisco ends up deploying WireGuard, I absolutely would want them to credit Jason and help him protect the trademark. My problem is chasing down random GitHub projects and blog posts, or things funded by public research grants.
Do you have an example of him doing this unreasonably? The examples given downthread strike me as pretty reasonable: the Windows one for example used his logo and implied affiliation to a degree that could easily be mitigated by not calling your project “WireGuard for X”.
(One thing that’s notable in the Windows issue you linked downthread is that Donenfeld didn’t ask them to remove references to WireGuard in the documentation, only seemingly where it could cause confusion around affiliation. That strikes me as a pretty reasonable balance.)
This is how trademark enforcement works. There is nothing weird about this at all.
IANAL, but from my knowledge, such active protection of trademark as mentioned there is required only by USA legislation. In EU you need to fight only factual infringement, not just someone talking about a product.
Talking about Wireguard in a blog post is nominative fair use so there are no grounds for complaint. For this announcement, Mullvad needs to be clear about the relationship between their implementation and Donenfeld’s to avoid trademark infringement, but they don’t need to add the ® at all. In fact I think they are using it incorrectly since they don’t make it clear who is the registrant of the trademark.
Mentioning something is not trademark infringement. Trademark law requires you to go after misuse of your trademark that dilutes its meaning.
I was not aware of that... it puts a bad taste in my mouth at the idea of using WireGuard®©™ as an end-user and I suspect I'll wind up only using it in places where the vendor treats it as an internal implementation detail and buries mention of it rather than surfacing it. (Which is a shame. I'm told it's less hassle than OpenVPN and was looking forward to that.)
(Who remembers the time and communities where over-sigil-ing with that exact ®©™ sequence in that exact order to mock companies that were overly sensitive about leaving them out was a minor meme for a short time?)
I would have to see the degree to which he enforces this trademark to find out if it's an extreme measure. Expecting a decently sized company like mullvad that relies on his tech to respect the trademark is fair game in my book.
Many such cases, but one that comes to mind is https://github.com/micahmo/WgServerforWindows/issues/48
I wonder how Linux is able to fare well without resorting to Jason being a one-man legal machine against anyone who ever says the word WireGuard.
What is weird here? The developer was using the logo of the Wireguard project and using "Wireguard Server for Windows" as the project name.
imagine if Linus behaved the same way with Linux, and you had to have Linux® and “Linux is a registered trademark of Linus Torvalds” at the bottom of every single page that ever used the word, lest an irate Linus Torvalds hunt you down
Do you mean GNU/Linux?
I'm genuinely trying to tell if you mean that sarcastically or seriously. I know the history, at least somewhat, but feel like it's become a phrase whose usage can mean one thing or its opposite - i.e., someone who is taking a stab at it or not.
A third-party security audit will take place early next year
I don't exactly love that the Android rollout happened before that. I don't use mullvad so it doesn't affect me but this leaves a big enough window for bad actors to find and abuse security issues that will inevitably be there
Maybe but I suspect the advantage of being based on a reasonably battle-tested implementation is worth it. It might be just my circle but I only know of one person (other than myself) who is even aware of security let alone uses a VPN regularly.
My understanding is that the referenced CloudFlare BoringTun is already a wireguard implementation in Rust? So is this GotaTun a fork/extension of that project?
If you read just a little bit further in the linked article that should be clear. ;-)
I guess I didn't comprehend well enough pre-coffee. I'll give it another read.
Why not contribute it? It seems like a neat enhancement.
(Disclosure: am a Cloudflare employee but don't speak for the organisation)
Boringtun currently does not have an active, dedicated maintainer. A lot of the WARP-related usage of Boringtun has been trending down as new customers are encouraged to use the newer MASQUE transport instead. There are still internal users of Boringtun so it's not abandonware but the org does not maintain it at a pace suitable for Mullvad to continuously upstream their work.
We have integrated privacy enhancing features like DAITA & Multihop, added first-class support for Android and used Rust to achieve great performance by using safe multi-threading and zero-copy memory strategies.
Can anyone explain how multihop is configured from a server side? It seems like it's just port forwarding, but to require a client implementation, it would have to have something changing packets on the servers, but the encryption key is for the exit node, so it seems like it's not "smart".