Show HN: Onetun – Access your WireGuard network from anywhere (github.com/aramperes)
92 points by momothereal on Oct 18, 2021 | hide | past | favorite | 16 comments



Hey everyone, I wrote this tool because I wanted to be able to access ports running on peers in my WireGuard network from any computer/server, without having to install WireGuard locally and without having root access (no iptables configs).

So as long as you have a private key & peer IP dedicated for your roaming needs, you'll be able to forward a local port to a port on a secured peer.

This can be useful for a few other use-cases, like exposing services to the Internet from a separate server that doesn't have root access (like a non-privileged container).

I've also gotten feedback to enable reverse-tunneling (making a port accessible on a peer that forwards to a port running locally), which enables a few more use-cases. I'm looking for any more ideas or feedback that would fit in this tool!

I've described how the internals work in the README. It's still a proof-of-concept right now but I listed my little roadmap in the issues: reverse-tunneling, UDP support, multi-port-forwarding, etc. Happy to answer any questions.
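An added sketch of the forwarding loop described above (not onetun's own code, which is Rust on smoltcp; written in Go because the thread's other userspace stack is wireguard-go's netstack). The only tunnel-specific piece is the dial function: in onetun it would be answered by the userspace WireGuard+smoltcp stack, in wireguard-go by netstack's dialer; the stand-in here is net.Dialer, which is an assumption for the demo and no tunnel at all.

```go
package main

import (
	"context"
	"io"
	"net"
	"sync"
)

// DialFunc is all the forwarder needs from the tunnel side. Real
// implementations dial through a userspace WireGuard stack; the demo
// plugs in net.Dialer (assumed stand-in, not a tunnel).
type DialFunc func(ctx context.Context, network, addr string) (net.Conn, error)

// Forward accepts plain TCP on ln and relays every connection to peerAddr
// (an address inside the WireGuard network) through dial. Returns when ln closes.
func Forward(ln net.Listener, peerAddr string, dial DialFunc) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		go Relay(c, peerAddr, dial)
	}
}

// Relay bridges one accepted client to a freshly dialled peer connection
// and copies both directions until each side has reached EOF.
func Relay(local net.Conn, peerAddr string, dial DialFunc) error {
	defer local.Close()
	peer, err := dial(context.Background(), "tcp", peerAddr)
	if err != nil {
		return err // peer unreachable through the tunnel
	}
	defer peer.Close()
	var wg sync.WaitGroup
	wg.Add(2)
	// When one direction hits EOF, half-close the other side so the far
	// end sees an orderly end of stream rather than an abrupt reset.
	pipe := func(dst, src net.Conn) {
		defer wg.Done()
		io.Copy(dst, src)
		if hc, ok := dst.(interface{ CloseWrite() error }); ok {
			hc.CloseWrite()
		}
	}
	go pipe(peer, local)
	go pipe(local, peer)
	wg.Wait()
	return nil
}
```

Replacing the dial function with the userspace stack's dialer is the whole difference between this sketch and a tunnel-backed forwarder; nothing else in the relay needs to know it is talking to WireGuard.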


A note: wireguard-go (the official userspace impl in golang) has been able to do this for several months now. It uses gVisor's netstack as a tcp/udp provider to forward connections to its peer (compared to whitequark's smoltcp in the case of onetun).

Here's a demonstration of both a http-client and a http-server running over wireguard (a poor man's QUIC, if you will): https://github.com/WireGuard/wireguard-go/tree/master/tun/ne...

fly.io wrote about such a setup not long ago too: https://news.ycombinator.com/item?id=26315695

And tailscale.com similarly uses wireguard with netstack to impl functionality unavailable on non-Linux/xBSD platforms: https://news.ycombinator.com/item?id=28261683


Can I just put another word in for how bananas this is? WireGuard and Netstack allow you to run an entire TCP/IP stack in your userland program with no cooperation from your kernel. You get an interface to write raw packets (as an unprivileged user) and the whole TCP, integrated into the standard Go networking code. It is very, very cool to play with.


This reminds me a lot of lwIP[0] and uIP[1]. I did some projects 15 years ago with lwIP where we were able to work around a very lossy wireless network link when controlling PTZ cameras by building what was essentially a proxy with lwIP that allowed us to do some hack-ish things like transmitting 2 copies of all TCP packets immediately to increase resiliency. As I recall it exposed the BSD socket API so it was shockingly easy to relink a project to use lwIP instead of the host OS. All that was needed then on the other end was hooking up lwIP to a raw network interface.

[0] https://savannah.nongnu.org/projects/lwip/
[1] https://en.wikipedia.org/wiki/UIP_(micro_IP)


Yeah! In Orchid, we have a similar setup to these, letting me layer lwIP on top of Wireguard, OpenVPN, or our WebRTC-based VPN protocol, even in multi-hop configurations.


Hi Saurik: Since LwIP only provides handlers for TCP and UDP, doesn't that reduce Orchid's VPN to a TCP/UDP proxy? For example, can Orchid handle (or intend to handle) SCTP, say?

Or, is LwIP more capable than what I give it credit for?

(by the way, thank you for building orchid in the open! looking forward to the eventual team-up between orchid and helium :)


> transmitting 2 copies of all TCP packets immediately

U wot m8?

In a thread about bananas userland TCP this Cat got a whole sundae.


Yup! This is how onetun works as well (but :%s/Netstack/smoltcp/g in Rust)


Thanks for the links, I'll have to take some inspiration from wireguard-go!


The name cries out for an icon derived from a 'won ton' (Americans usually pronounce it wahn tawn, but the canto pronunciation is exactly like 'one tun').

https://www.google.com/search?q=won%20ton&tbm=isch&tbs=itp:c...


Yup, it's a play on words with "won ton" and "one tun[nel]" ;)

I have some illustrator and designer friends, I'll see if they want to cook up something!


Curious - why an extra program when ssh already does this? (ssh -J, -g, -R, -L, et cetera)


There are a few drawbacks to SSH tunneling:

- SSH uses TCP for transport, and tunneling TCP-over-TCP has considerable performance issues: http://sites.inka.de/~bigred/devel/tcp-tcp.html

- SSH doesn't support tunneling UDP out of the box (you need to either wrap UDP with TCP, or use SSH's -w option for creating a TUN interface, which requires root access).

WireGuard, being a very simple UDP protocol, has its advantages for things like this. The downside is you can't use onetun with the same private-key/assigned IP on multiple devices, since WG only supports 1 UDP endpoint per peer at a time.

Note: my tool doesn't support UDP in its current state, but there's no technical reason it shouldn't be feasible (unlike SSH). I have a draft PR for it right now.


Thanks for building this, very cool. Like UPnP for your wireguard network.


Ah, I was initially hoping this would help me expose peers to each other from behind NAT or restrictive firewalls à la tailscale.




