BoringTun is an implementation of the WireGuard® protocol designed for portability and speed.
BoringTun is successfully deployed on millions of iOS and Android consumer devices as well as thousands of Cloudflare Linux servers.
The project consists of two parts:
- The executable boringtun, a userspace WireGuard implementation for Linux and macOS.
- The library boringtun, which can be used to implement fast and efficient WireGuard client apps on various platforms, including iOS and Android. It implements the underlying WireGuard protocol without the network or tunnel stacks, which can be implemented in a platform-idiomatic way.
You can install this project using
cargo install boringtun
- Library only:
cargo build --lib --release [--target $(TARGET_TRIPLE)]
- Executable:
cargo build --bin boringtun --release [--target $(TARGET_TRIPLE)]
By default the executable is placed in the ./target/release folder. You can copy it to a desired location manually, or install it using:
cargo install --bin boringtun --path .
As per the specification, to start a tunnel use:
boringtun [-f/--foreground] INTERFACE-NAME
The tunnel can then be configured using wg, as a regular WireGuard tunnel, or any other tool.
It is also possible to use boringtun with wg-quick by setting the environment variable WG_QUICK_USERSPACE_IMPLEMENTATION to boringtun. For example:
sudo WG_QUICK_USERSPACE_IMPLEMENTATION=boringtun WG_SUDO=1 wg-quick up CONFIGURATION
Testing this project has a few requirements:
- sudo: required to create tunnels. When you run cargo test you'll be prompted for your password.
- Docker: you can install it here. If you are on Ubuntu/Debian you can run apt-get install docker.io.
To benchmark this project you can run this command:
cargo +nightly bench
This command depends on the unstable test feature of the Rust compiler. As a result, you'll need to use the nightly channel of Rust when you run it.
Other platforms may be added in the future
armv7 architectures are supported. The behaviour should be identical to that of wireguard-go, with the following difference:
boringtun will drop privileges when started. When privileges are dropped it is not possible to set fwmark. If fwmark is required, such as when using wg-quick, instead of running with sudo, give the executable the CAP_NET_ADMIN capability using:
sudo setcap cap_net_admin+epi boringtun
Alternatively run with --disable-drop-privileges or set the environment variable
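To check what a running boringtun process actually holds after startup, the following sketch (an added example, not part of the BoringTun project) reads the Uid and CapEff lines of /proc/PID/status and reports whether the effective UID is root and whether CAP_NET_ADMIN (capability bit 12 on Linux) is in the effective set. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not BoringTun code: summarise the privilege state recorded in
# /proc/<pid>/status. Function names and sample data below are constructed.

CAP_NET_ADMIN_BIT=12   # CAP_NET_ADMIN in <linux/capability.h>

# Reads status text on stdin; prints "euid=N net_admin=yes|no other_caps=yes|no".
# Returns 2 if the Uid or CapEff line is missing or malformed.
audit_status() {
    euid=''
    capeff=''
    while read -r key a b rest; do
        case "$key" in
            Uid:)    euid=$b ;;    # fields: real, effective, saved, fs
            CapEff:) capeff=$a ;;  # effective capability mask, hex
        esac
    done
    case "$euid" in ''|*[!0-9]*) return 2 ;; esac
    case "$capeff" in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    mask=$((0x$capeff))
    bit=$((1 << CAP_NET_ADMIN_BIT))
    net_admin=no
    other=no
    if [ $((mask & bit)) -ne 0 ]; then net_admin=yes; fi
    if [ $((mask & ~bit)) -ne 0 ]; then other=yes; fi
    echo "euid=$euid net_admin=$net_admin other_caps=$other"
}

# Constructed samples (not captured from a real system).
# Root with a full effective set:
sample_root() { printf 'Name:\tboringtun\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n'; }
# Unprivileged UID holding only CAP_NET_ADMIN:
sample_filecap() { printf 'Name:\tboringtun\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000001000\n'; }
# Unprivileged UID with no effective capabilities:
sample_nocap() { printf 'Name:\tboringtun\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n'; }

# Usage: sh audit.sh PID   (inspects a live process)
if [ $# -eq 1 ]; then audit_status < "/proc/$1/status"; fi
```

A result of euid=0 or other_caps=yes means the process holds more than the single capability this section describes granting.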
The behaviour is similar to that of wireguard-go. Specifically the interface name must be utun[0-9]+ for an explicit interface name or utun to have the kernel select the lowest available. If you choose utun as the interface name, and the environment variable WG_TUN_NAME_FILE is defined, then the actual name of the interface chosen by the kernel is written to the file specified by that variable.
The library exposes a set of C ABI bindings, which are defined in the wireguard_ffi.h header file. The C bindings can be used with C/C++, Swift (using a bridging header) or C# (using DLLImport with CallingConvention set to
The library exposes a set of Java Native Interface bindings, those are defined in
The project is licensed under the 3-Clause BSD License.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the 3-Clause BSD License, shall be licensed as above, without any additional terms or conditions.
If you want to contribute to this project, please read our
WireGuard is a registered trademark of Jason A. Donenfeld. BoringTun is not sponsored or endorsed by Jason A. Donenfeld.