One comment I'll make because it's kind of buried in the first paragraph and not really called out: this project is one of the very early adopters of Trevor Perrin's state-of-the-art Noise protocol framework design, https://noiseprotocol.org/, so you're looking at something *dramatically* more modern, auditable and (potentially) secure than older, hairier protocols like IPsec, TLSv1.2, OpenVPN, etc.

Best of luck, Jason!
If you want a reliable VPN you can use today on nearly every platform, try Algo VPN. It simplifies using IPSEC so that anyone who can run a few command line scripts can use it.

https://github.com/trailofbits/algo

It's great that someone is working on what comes next after IPSEC, but the platform support for everyone won't come any time soon. If you need a VPN today, Algo is your best answer.
It's not clear to me that this really solves any of the UI and management problems associated with VPNs. I'm sure the new crypto design is interesting, but exchanging SSH public keys is actually a huge logistical hassle which scales very poorly.

The other thing is "container-ready" ... well, it just isn't. I can use OpenVPN to do the same interface migration trick with a container today. That's not the challenge. The challenge is things like managing what happens when the VPN interface goes down and I need to recycle and reconfigure that interface (at which point you end up back at "allocate a private address space, stick the VPN container in a new address space, play with IPTables there to make sure losing the VPN routes doesn't mean you start routing over the regular NIC").
Speaking of VPNs....

Is there a guide somewhere on how to partition applications on Linux so different apps use different VPNs?

Obviously the easier way is SSH SOCKS tunnels if the app supports it, but I'd like a more general method.

I believe it is possible by namespacing the apps (or I guess going all the way and containerizing them) and then setting the routing on a per-namespace basis.

Is there anywhere this is written down so I don't have to spend 6 hours trying to work out how to do it?
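An added example, written for this thread and not taken from any commenter or project, of the per-namespace routing approach the question above describes; it also gives the fail-closed behaviour the previous comment asks for, because the app's namespace has no interface other than the tunnel. The namespace name `appvpn`, interface `wg0`, address `10.8.0.2/24`, resolver `10.8.0.1` and user `alice` are placeholders; the tunnel interface is assumed to already exist in the root namespace, and the script must run as root.

```shell
#!/bin/sh
# Added example (not from the thread): put one application in its own Linux
# network namespace whose only interface is the VPN device. If the tunnel
# goes away the app has no route at all rather than falling back to the NIC.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# setup_vpn_ns NAME VPN_IF ADDR/PREFIX DNS
# Moves an already-created tunnel interface (a WireGuard wg* or a tun device,
# placeholder names) into namespace NAME. The process doing the encryption
# stays in the root namespace; only the plaintext side of the link moves.
setup_vpn_ns() {
  ns="$1"; vpn_if="$2"; addr="$3"; dns="$4"
  run ip netns add "$ns"
  run ip -netns "$ns" link set lo up
  run ip link set "$vpn_if" netns "$ns"
  run ip -netns "$ns" addr add "$addr" dev "$vpn_if"
  run ip -netns "$ns" link set "$vpn_if" up
  # The only default route is the tunnel; nothing else exists to leak over.
  run ip -netns "$ns" route add default dev "$vpn_if"
  # ip netns exec bind-mounts /etc/netns/NAME/resolv.conf over /etc/resolv.conf,
  # so this app's DNS goes to the VPN-side resolver, not the host's.
  run mkdir -p "/etc/netns/$ns"
  run sh -c "printf 'nameserver %s\n' '$dns' > '/etc/netns/$ns/resolv.conf'"
}

# run_in_ns NAME USER CMD...: start the app inside the namespace and drop
# from root to an ordinary user so the app itself gains no privilege.
run_in_ns() {
  ns="$1"; user="$2"; shift 2
  run ip netns exec "$ns" sudo -u "$user" -- "$@"
}

# Usage:  ./vpnns.sh setup appvpn wg0 10.8.0.2/24 10.8.0.1
#         ./vpnns.sh run appvpn alice firefox
case "${1:-}" in
  setup) setup_vpn_ns "$2" "$3" "$4" "$5" ;;
  run)   shift; run_in_ns "$@" ;;
esac
```

Repeating the setup with a second namespace and a second tunnel interface gives two apps two different VPNs; `ip -netns appvpn route` should show only the tunnel default route.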
It seems worrying to me to put something so complicated in the kernel. Perhaps not even that, but it feels to me as though the fact that this requires in-tree changes seems wrong, given that the way networking is going is to enable these network functions via mechanisms such as BPF.