Rust Implementation of WireGuard
Most Linux kernel WireGuard users are used to adding an interface with
ip link add wg0 type wireguard.
With wireguard-rs, instead simply run:
$ wireguard-rs wg0
This will create an interface and fork into the background. To remove the interface, use the usual
ip link del wg0,
or if your system does not support removing interfaces directly, you may instead remove the control socket via
rm -f /var/run/wireguard/wg0.sock, which will result in wireguard-rs shutting down.
When an interface is running, you may use
wg(8) to configure it, as well as the usual
This will run on Linux; however YOU SHOULD NOT RUN THIS ON LINUX. Instead use the kernel module; see the installation page for instructions.
The wireguard-rs project is targeting the current nightly (although it should also build with stable Rust).
To build wireguard-rs (on supported platforms):
- Obtain nightly
- Clone the repository:
git clone https://git.zx2c4.com/wireguard-rs.
cargo build --releasefrom inside the
This section is intended for those wishing to read/contribute to the code.
WireGuard Rust has a similar separation of concerns as many other implementations of various cryptographic transports: separating the handshake code from the packet protector. The handshake module implements an authenticated key-exchange (NoiseIK), which provides key-material, which is then consumed by the router module (packet protector) responsible for the actual encapsulation of transport messages (IP packets). This is illustrated below: