Show HN: SafeHaven – A Minimal VPN Implementation in Go

99 points by kwakubiney, 2 months ago

Hi HN,

For the past few months, I've been exploring tools that integrate with the Linux networking stack. This led me to build SafeHaven, a lightweight and configurable VPN implementation written in Go. The goal was to better understand how virtual private networks work at a fundamental level.

Would love feedback from the community! Repo link: https://github.com/kwakubiney/safehaven

5 comments

max-privatevoid, 2 months ago

Nice. This does some things very similarly to Hyprspace[1]. The core idea is the same: Receive some bytes from a TUN device, shove them into a network socket, and vice versa. Hyprspace uses libp2p to manage the outer connections between VPN nodes instead of plain UDP, which takes care of addressing, hole punching and encryption.

BTW: You can also use the netlink library to configure the routing table without external processes[2]. The /1 trick isn't necessary either, you can just create a route for 0.0.0.0/0 and set its metric lower than the existing default route. That won't replace the old route in the table, the new one will just take precedence as long as it exists.

[1] https://github.com/hyprspace/hyprspace

[2] https://github.com/hyprspace/hyprspace/blob/a5957e485ff0c2e9133e7da5408ec1273681688e/tun/tun_linux.go#L73-L77

entropyneur, 2 months ago

Since people are apparently interested in minimal VPNs, here's one I built in Rust recently: https://github.com/atereshkin/nanovpn

My goal there was to have as little code as possible so that one could look at it and immediately grasp what goes into establishing a VPN.

sepositus, 2 months ago

Awesome, thanks for sharing. Did you use anything particular to help direct the implementation? I've been on a streak of building things in Go for the same reason (learning), and a VPN is one of the items on my list.

jimmyl02, 2 months ago

Pretty cool, and thanks for the details about TUN devices!

I believe WireGuard runs over UDP and while you still need a TUN device, it has kernel implementations to handle encrypting the traffic.

gsliepen, 2 months ago

From the article:

> Currently, packets are not being encrypted within the UDP tunnel so packet sniffing over the internet is possible. It is encouraged to use this over a protocol like SSH

No encryption takes the P out of VPN. Also, if you are going to need SSH to make it secure, then you can just use OpenSSH's built-in support for the tun device using the -w option.

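Added example, not part of the thread or of the SafeHaven repository: one way to close the gap raised in the last comment is to encrypt and authenticate every packet read from the TUN device before it is written to the UDP socket, and to reject forged or replayed datagrams on receipt. The `Tunnel` type, its function names, the AES-256-GCM choice and the pre-shared key per direction are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Tunnel is one direction of the link (hypothetical type, one pre-shared key per direction).
type Tunnel struct {
	aead              cipher.AEAD
	sendCtr, lastRecv uint64
}

func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Tunnel{aead: aead}, err
}

// Seal wraps one packet read from the TUN device: 8-byte counter, then ciphertext and tag.
func (t *Tunnel) Seal(packet []byte) []byte {
	t.sendCtr++
	hdr := binary.BigEndian.AppendUint64(nil, t.sendCtr)
	nonce := append(make([]byte, 4), hdr...) // 12-byte nonce, never reused under this key
	return append(hdr, t.aead.Seal(nil, nonce, packet, hdr)...)
}

// Open authenticates a UDP payload; the strict counter check also drops reordered packets.
func (t *Tunnel) Open(datagram []byte) ([]byte, error) {
	if len(datagram) < 8+t.aead.Overhead() || binary.BigEndian.Uint64(datagram) <= t.lastRecv {
		return nil, fmt.Errorf("short, replayed or stale datagram")
	}
	hdr := datagram[:8]
	nonce := append(make([]byte, 4), hdr...)
	packet, err := t.aead.Open(nil, nonce, datagram[8:], hdr)
	if err == nil {
		t.lastRecv = binary.BigEndian.Uint64(hdr)
	}
	return packet, err
}

func main() {
	tx, _ := NewTunnel(make([]byte, 32)) // constructed all-zero key, for the demo only
	fmt.Printf("%x\n", tx.Seal([]byte("constructed packet")))
}
```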