WrapGuard simplifies the integration of WireGuard VPN into any application by transparently routing all network traffic without requiring container privileges or kernel modules. With pure userspace operation and standard configuration files, it offers an efficient and accessible solution for achieving secure networking.
WrapGuard is a userspace proxy designed to seamlessly route all network traffic through a WireGuard VPN without the need for container privileges or kernel modules. By leveraging the robust WireGuard protocol, it simplifies the process of securing network connections for any application.
Key Features
- Pure Userspace Operation: Eliminate the need for TUN interface creation and NET_ADMIN capabilities, ensuring ease of use and security.
- Transparent Interception: Utilizes LD_PRELOAD to transparently intercept all network calls, providing smooth integration with existing applications.
- Bidirectional Support: Supports both incoming and outgoing network connections, making it versatile for various use cases.
- Standard Configuration: Leverages standard WireGuard configuration files, ensuring compatibility and familiarity.
Example Usage
You can easily route outgoing connections through WireGuard with the following command:
wrapguard --config=~/wg0.conf -- curl https://icanhazip.com
For incoming connections, use:
wrapguard --config=~/wg0.conf -- node -e 'http.createServer().listen(8080)'
Configuration Details
WrapGuard utilizes standard WireGuard config files, which follow this format:
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/24
[Peer]
PublicKey = <server-public-key>
Endpoint = server.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
How It Works
- Main Process Initialization: Parses the configuration files and initializes the WireGuard userspace implementation.
- LD_PRELOAD Library Usage: Intercepts network system calls such as socket, connect, send, and recv.
- Virtual Network Stack Routing: Facilitates routing of packets between the intercepted connections and the WireGuard tunnel.
- Memory-Based TUN Management: Processes packets entirely in memory, negating the need for a kernel interface.
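As an added illustration of the routing step above (example code, not WrapGuard's own): parse the [Interface]/[Peer] sections of a WireGuard config like the one shown earlier and decide whether an intercepted IPv4 destination falls inside some peer's AllowedIPs, i.e. whether it belongs in the tunnel. The sample config (with placeholder keys and a split-tunnel AllowedIPs list) and the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample in the standard WireGuard format; keys are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = server.example.com:51820
AllowedIPs = 10.0.0.0/24, 192.168.50.0/24
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse one [Interface] and any number of [Peer] sections.

    configparser is deliberately not used: a WireGuard file may contain
    several [Peer] sections with the same name, which configparser rejects.
    """
    cfg = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "Peer":
                current = {}
                cfg["Peers"].append(current)
            elif name == "Interface":
                current = cfg["Interface"]
            else:
                raise ValueError(f"unknown section {name!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return cfg


def allowed_networks(peer):
    """AllowedIPs as ip_network objects; strict=False tolerates host bits."""
    raw = peer.get("AllowedIPs", "")
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in raw.split(",") if n.strip()]


def routes_through_tunnel(cfg, dst):
    """True if an intercepted IPv4 destination matches a peer's AllowedIPs."""
    addr = ipaddress.ip_address(dst)
    if addr.version != 4:
        return False  # only IPv4 is supported, per the limitations above
    return any(addr in net for peer in cfg["Peers"]
               for net in allowed_networks(peer))
```

With AllowedIPs = 0.0.0.0/0 as in the page's config, every IPv4 destination matches and is sent into the tunnel.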
Limitations
- Currently supports only IPv4.
- Supports TCP and UDP protocols exclusively.
- Performance may be impacted due to userspace packet processing.
Testing Examples
To test outgoing connections, execute:
wrapguard --config=example-wg0.conf -- curl https://example.com
For testing incoming connections, you can run:
wrapguard --config=example-wg0.conf -- python3 -m http.server 8080
WrapGuard offers a straightforward and efficient way to encrypt network traffic across applications, enhancing security without complicated setups.