onetun

onetun is a cross-platform, user-space WireGuard port-forwarder that requires no root access and no changes to the system's network configuration.

It allows you to access TCP or UDP services running on your WireGuard network from devices that cannot have WireGuard installed at the system level, or where you lack the privileges to modify network interfaces.

Why onetun?

Traditional WireGuard clients create a system-level network interface (e.g., wg0). This requires:

  1. Root/Administrator privileges.
  2. Modifying the host operating system's routing table.

onetun bypasses these requirements by implementing a user-space TCP/IP stack (via smoltcp) and a user-space WireGuard implementation (via boringtun). It acts as a bridge:

  • It opens a standard TCP/UDP socket on your local machine.
  • It encapsulates traffic from that socket into WireGuard packets.
  • It sends them to the remote WireGuard endpoint.
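
Because no wg0 interface appears on the host, the tunnel is visible only as UDP datagrams sent to the remote endpoint. The following is an added example, not onetun's own code: it classifies a UDP payload by the standard WireGuard outer message framing (type byte, reserved bytes, fixed handshake sizes), and the names WgMessage, le32 and classify are made up for this illustration.

```rust
// Added example: classify a UDP payload by WireGuard's outer message framing.
// This is a shape heuristic; unrelated UDP payloads can match by chance.
#[derive(Debug, PartialEq)]
enum WgMessage {
    HandshakeInitiation { sender: u32 },
    HandshakeResponse { sender: u32, receiver: u32 },
    CookieReply { receiver: u32 },
    // payload_len is the encrypted inner packet length without the 16-byte tag
    TransportData { receiver: u32, counter: u64, payload_len: usize },
}

// Read a little-endian u32 at byte offset `off`.
fn le32(b: &[u8], off: usize) -> u32 {
    u32::from_le_bytes([b[off], b[off + 1], b[off + 2], b[off + 3]])
}

/// Returns None when the payload matches no WireGuard message shape.
fn classify(p: &[u8]) -> Option<WgMessage> {
    // Every message starts with a 1-byte type and 3 reserved zero bytes;
    // the shortest valid message (a keepalive) is 32 bytes long.
    if p.len() < 32 || p[1..4].iter().any(|&b| b != 0) {
        return None;
    }
    match (p[0], p.len()) {
        (1, 148) => Some(WgMessage::HandshakeInitiation { sender: le32(p, 4) }),
        (2, 92) => Some(WgMessage::HandshakeResponse { sender: le32(p, 4), receiver: le32(p, 8) }),
        (3, 64) => Some(WgMessage::CookieReply { receiver: le32(p, 4) }),
        (4, n) => {
            let mut c = [0u8; 8];
            c.copy_from_slice(&p[8..16]);
            Some(WgMessage::TransportData {
                receiver: le32(p, 4),
                counter: u64::from_le_bytes(c),
                payload_len: n - 32, // 16-byte header + 16-byte Poly1305 tag
            })
        }
        _ => None,
    }
}

fn main() {
    // Constructed sample: a keepalive is a transport message with no payload.
    let mut keepalive = vec![0u8; 32];
    keepalive[0] = 4;
    keepalive[4..8].copy_from_slice(&0x1122_3344u32.to_le_bytes());
    keepalive[8] = 7;
    println!("{:?}", classify(&keepalive));
}
```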

Use Cases

  • Restricted Environments: Access private services from shared computers or corporate laptops where you can't install VPN drivers.
  • IoT & Mobile: Run on lightweight devices or mobile environments (via Termux, etc.) without rooting.
  • Serverless/Containers: Run inside root-less Docker containers (e.g., on Fargate, Cloud Run) to connect to a private WireGuard network.
  • Development: Quickly port-forward a service from a production VPC to your localhost without setting up a full VPN.

Key Features

  • Zero-Config: No interfaces created, no routing tables modified.
  • Cross-Platform: Works on Linux, macOS, and Windows.
  • Protocol Support: Supports both IPv4 and IPv6, and TCP and UDP forwarding.
  • Multi-Tunnel: Forward multiple ports to different peers simultaneously.
  • Packet Capture: Built-in support for capturing traffic to .pcap files for debugging.