Schachte / blog-comments

used for utteranc.es

Wireguard tunneling in user space with Netstack's virtualized TCP/IP stack #7

Open utterances-bot opened 1 month ago

utterances-bot commented 1 month ago

Wireguard tunneling in user space with Netstack's virtualized TCP/IP stack

Fun with HTTP proxies and user space tunnels with Wireguard

https://ryan-schachte.com/blog/userspace_wireguard_tunnels/

muvaf commented 1 month ago

Looking great! Wonder how the performance would look compared to kernel TCP + wireguard-go and kernel TCP + kernel wireguard.

Schachte commented 1 month ago

Looking great! Wonder how the performance would look compared to kernel TCP + wireguard-go and kernel TCP + kernel wireguard.

I think Cloudflare has some blogs that discuss this... or maybe it was fly.io. Let me try and find it and I will post below. From what I remember, the perf was negligible. I assume if you need to squeeze out every last drop of perf from the machine for mission critical applications, then maybe userland isn't the best option.

I think the big selling point would be embedded VPN-esque applications where you can tunnel to some relay within your app without needing root privs. Just a thought.

Schachte commented 1 month ago

@muvaf

muvaf commented 1 month ago

@Schachte Thanks! I had read the Tailscale one, which is really good, but I guess it's hard to test every combination.

I think the big selling point would be embedded VPN-esque applications where you can tunnel to some relay within your app without needing root privs.

I think I have a use case for this where the user wants a container running in the cloud to access their VPNs but the container isn't privileged or doesn't have NET_ADMIN. In such cases, a wireguard tunnel to the user's device where both sides are unprivileged could make sense.
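The decisive check for the container case above is whether the process holds CAP_NET_ADMIN: without it, a kernel WireGuard interface cannot be created and a userspace tunnel (wireguard-go driving a netstack TCP/IP stack) is the only option. The script below is an added example, not code from the blog post or from either commenter. It decodes the CapEff bitmask from /proc/<pid>/status; the capability number 12 for CAP_NET_ADMIN comes from linux/capability.h, and the two sample CapEff lines are constructed for the example (one resembles a default unprivileged container, the other a fully privileged one).

```shell
#!/bin/sh
# Added example: choose kernel vs. userspace WireGuard based on whether the
# current process has CAP_NET_ADMIN in its effective capability set.

CAP_NET_ADMIN=12   # capability number from <linux/capability.h>

# has_cap MASK CAPNUM
#   MASK is the hex bitmask printed on the CapEff line of /proc/<pid>/status.
#   Returns 0 (true) when bit CAPNUM is set, 1 otherwise.
has_cap() {
  mask="$1"
  capnum="$2"
  [ $(( (0x$mask >> $capnum) & 1 )) -eq 1 ]
}

# cap_eff_from_status
#   Reads the text of a /proc/<pid>/status file on stdin and prints the
#   CapEff hex value.
cap_eff_from_status() {
  awk '/^CapEff:/ { print $2 }'
}

# tunnel_mode MASK
#   Prints "kernel" when NET_ADMIN is held (a wg interface can be created),
#   "userspace" otherwise (fall back to wireguard-go + netstack in-process).
tunnel_mode() {
  if has_cap "$1" "$CAP_NET_ADMIN"; then
    echo kernel
  else
    echo userspace
  fi
}

# current_tunnel_mode
#   Applies tunnel_mode to the running process, or prints "unknown" when
#   /proc is not available (non-Linux host).
current_tunnel_mode() {
  if [ -r /proc/self/status ]; then
    tunnel_mode "$(cap_eff_from_status < /proc/self/status)"
  else
    echo unknown
  fi
}

# Constructed sample CapEff lines (assumed values for the example, not
# captured from a real host). The first resembles a default unprivileged
# container bounding set (no bit 12); the second has every bit 0..40 set.
SAMPLE_UNPRIV="CapEff:	00000000a80425fb"
SAMPLE_PRIV="CapEff:	000001ffffffffff"

# Stand-alone run: report the mode for the two samples and for this process.
printf 'unprivileged sample -> %s\n' "$(tunnel_mode "$(printf '%s\n' "$SAMPLE_UNPRIV" | cap_eff_from_status)")"
printf 'privileged sample   -> %s\n' "$(tunnel_mode "$(printf '%s\n' "$SAMPLE_PRIV" | cap_eff_from_status)")"
printf 'this process        -> %s\n' "$(current_tunnel_mode)"
```

Run it inside the container image you intend to ship; if it prints "userspace" for the running process, the relay has to be an in-process tunnel rather than a wg0 interface, which is exactly the deployment the comment above describes.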

Schachte commented 1 month ago

@muvaf Seems like a good use-case for userspace impl IMO.

If they just want a relay server to access their intranet, Wireguard would be a perfect solution and if it's for accessing business-related applications, etc. then I feel this would be great.

The wireguard-go implementation of the Wireguard protocol is fun to read and is implemented in userspace. You could probably just install that on the jump server and be good to go. (Probably vastly simplifying your requirements, but you get the idea)