Show HN: Onetun – Access your WireGuard network from anywhere

92 points by momothereal over 3 years ago

6 comments

momothereal over 3 years ago
Hey everyone, I wrote this tool because I wanted to be able to access ports running on peers in my WireGuard network from any computer/server; without having to install WireGuard locally and without having root access (no iptables configs).

So as long as you have a private key & peer IP dedicated for your roaming needs, you'll be able to forward a local port to a port on a secured peer.

This can be useful for a few other use-cases, like exposing services to the Internet from a separate server that doesn't have root access (like a non-privileged container).

I've also gotten feedback to enable reverse-tunneling (making a port accessible on a peer that forwards to a port running locally), which enables a few more use-cases. I'm looking for any more ideas or feedback that would fit in this tool!

I've described how the internals work in the README. It's still a proof-of-concept right now but I listed my little roadmap in the issues: reverse-tunneling, UDP support, multi-port-forwarding, etc. Happy to answer any questions.

ignoramous over 3 years ago
A note: wireguard-go (the official userspace impl in golang) can do this since several months back. It uses gVisor's netstack as a tcp/udp provider to forward connections to its peer (compared to whitequark's smoltcp in case of onetun).

Here's a demonstration of both a http-client and a http-server running over wireguard (a poor man's QUIC, if you will): https://github.com/WireGuard/wireguard-go/tree/master/tun/netstack/examples

fly.io wrote about such a setup not long ago too: https://news.ycombinator.com/item?id=26315695

And tailscale.com similarly uses wireguard with netstack to impl functionality unavailable on non-Linux/xBSD platforms: https://news.ycombinator.com/item?id=28261683

philsnow over 3 years ago
The name cries out for an icon derived from a 'won ton' (Americans usually pronounce it wahn tawn but the canto pronunciation is exactly like 'one tun').

https://www.google.com/search?q=won%20ton&tbm=isch&tbs=itp:clipart

johnklos over 3 years ago
Curious - why an extra program when ssh already does this? (ssh -J, -g, -R, -L, et cetera)
toomuchtodo over 3 years ago
Thanks for building this, very cool. Like UPnP for your wireguard network.
aftbit over 3 years ago
Ah I was initially hoping this would help me expose peers to each other from behind NAT or restrictive firewalls ala tailscale.