A userspace WireGuard® implementation, and a fork of BoringTun.
All source code in this repository is subject to the terms of the Mozilla Public License, version 2.0 unless stated otherwise. A copy of this license can be found in the file "LICENSE" or at https://www.mozilla.org/MPL/2.0/.
Contributions made prior to March 5, 2026 are licensed under the old BSD 3-clause license. A copy of this license can be found in the file "LICENSE-CLOUDFLARE".
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the MPL-2.0 License, shall be licensed as above, without any additional terms or conditions.
- Library only:
  `cargo build --lib --no-default-features --release [--target $(TARGET_TRIPLE)]`
- Executable:
  `cargo build --bin gotatun --release [--target $(TARGET_TRIPLE)]`
By default the executable is placed in the `./target/release` folder. You can copy it to a desired location manually, or install it using `cargo install --bin gotatun --path .`.
To build the executable, simply run nix build .#gotatun. The final binary will be located in result/bin/gotatun.
As per the specification, to start a tunnel use:
gotatun [-f/--foreground] INTERFACE-NAME
The tunnel can then be configured using wg, as a regular WireGuard tunnel, or any other tool.
It is also possible to use with wg-quick by setting the environment variable WG_QUICK_USERSPACE_IMPLEMENTATION to gotatun. For example:
sudo WG_QUICK_USERSPACE_IMPLEMENTATION=gotatun WG_SUDO=1 wg-quick up CONFIGURATION
Please note that wg-quick will ignore WG_QUICK_USERSPACE_IMPLEMENTATION on Linux if you have the wireguard kernel module installed.
Testing this project has a few requirements:
- sudo: required to create tunnels. When you run `cargo test` you'll be prompted for your password.
- Docker: you can install it here. If you are on Ubuntu/Debian you can run `apt-get install docker.io`.
| Target triple | Binary | Library |
|---|---|---|
| x86_64-unknown-linux-gnu | ✓ | ✓ |
| aarch64-unknown-linux-gnu | ✓ | ✓ |
| aarch64-apple-darwin | ✓ | ✓ |
| x86_64-pc-windows-msvc | ✓ | |
| x86_64-pc-windows-gnullvm | ✓ | |
| aarch64-pc-windows-msvc | ✓ | |
| aarch64-pc-windows-gnullvm | ✓ | |
| x86_64-linux-android | ✓ | |
| aarch64-linux-android | ✓ | |
| aarch64-apple-ios | ✓ |
Other targets may work, but we only test for these.
x86-64 and aarch64 architectures are supported. The behaviour should be identical to that of wireguard-go, with the following difference:
gotatun will drop privileges when started. When privileges are dropped it is not possible to set fwmark. If fwmark is required, such as when using wg-quick, run with --disable-drop-privileges or set the environment variable WG_SUDO=1.
You will need to give the executable the `CAP_NET_ADMIN` capability using: `sudo setcap cap_net_admin+epi gotatun`. Once the capability is set, `sudo` is not needed to run gotatun.
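As an added example (not GotaTun project code), the script below checks a wg-quick configuration for the cases where fwmark gets set on Linux, and so whether the privilege drop described above has to be disabled. It assumes wg-quick's Linux behaviour: fwmark is set for an explicit `FwMark`, or for a default-route (`/0`) `AllowedIPs` entry while `Table` is unset or `auto`. The function names and the sample config are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not GotaTun project code): decide whether a wg-quick config
# needs fwmark on Linux, i.e. whether gotatun's privilege drop must be disabled.
# Assumption: wg-quick sets fwmark for an explicit FwMark, or for a /0 AllowedIPs
# entry while Table is unset or "auto".

# needs_fwmark FILE -> exit status 0 if fwmark will be set, 1 otherwise
needs_fwmark() {
  awk -F'=' '
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }     # strip comments and whitespace
    /^\[/ { section = tolower($0); next }       # track [Interface] / [Peer]
    section == "[interface]" && tolower($1) == "fwmark" && tolower($2) != "off" && $2 != "0" { explicit = 1 }
    section == "[interface]" && tolower($1) == "table" { table = tolower($2) }
    section == "[peer]" && tolower($1) == "allowedips" {
      n = split($2, nets, ",")
      for (i = 1; i <= n; i++) if (nets[i] ~ /\/0$/) default_route = 1
    }
    END {
      auto_table = (table == "" || table == "auto")
      exit !(explicit || (default_route && auto_table))
    }' "$1"
}

# launch_env FILE -> prints the environment prefix to use with wg-quick
launch_env() {
  if needs_fwmark "$1"; then
    echo "WG_QUICK_USERSPACE_IMPLEMENTATION=gotatun WG_SUDO=1"  # keep privileges for fwmark
  else
    echo "WG_QUICK_USERSPACE_IMPLEMENTATION=gotatun"            # privilege drop stays enabled
  fi
}

# Constructed sample config (keys are placeholders, not real key material).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = <placeholder>
Address = 10.0.0.2/32

[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0, ::/0   # full tunnel: wg-quick adds a default route
Endpoint = 192.0.2.1:51820
EOF
echo "sudo $(launch_env "$sample") wg-quick up CONFIGURATION"
rm -f "$sample"
```

The check is a heuristic: `PostUp` hooks that set fwmark themselves are not detected.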
The behaviour is similar to that of wireguard-go. Specifically the interface name must be utun[0-9]+ for an explicit interface name or utun to have the kernel select the lowest available. If you choose utun as the interface name, and the environment variable WG_TUN_NAME_FILE is defined, then the actual name of the interface chosen by the kernel is written to the file specified by that variable.
See UAPI for extensions to the wg configuration protocol.
Independent security audits have been conducted on the project. See the audit directory.
WireGuard is a registered trademark of Jason A. Donenfeld. GotaTun is not sponsored or endorsed by Jason A. Donenfeld.