- receives connections and assigns a random internal port for it
- wraps the data packets in a transport (TCP/UDP) packet that's routed from the internal port to the remote
- wraps the transport in an IP packet that's routed from the address assigned to the proxy, and to the remote WireGuard address
- wraps that with WireGuard's protocol (encryption)
- sends off the encrypted packet to the public WireGuard UDP endpoint
The packet-wrapping and TCP state machine is implemented using smoltcp in Rust, which is similar to netstack in Go.
The WireGuard encapsulation and state machine is implemented with boringtun, Cloudflare's implementation of the WireGuard client in Rust.
I do have a more thorough architecture explanation in the Readme: https://github.com/aramperes/onetun#architecture
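
The layering listed in the comment above, as an added example that is not onetun, smoltcp or boringtun code: it builds the TCP segment, the IPv4 packet and the WireGuard transport-data framing by hand so each wrapper is visible. The addresses, ports, receiver index and counter are constructed values, and no encryption is performed: the padded inner packet stays in plaintext and the 16-byte authentication tag is zeroed, where a real tunnel carries ChaCha20-Poly1305 ciphertext.

```rust
use std::net::Ipv4Addr;

// RFC 1071 Internet checksum, used by both the IPv4 and TCP headers.
fn checksum(data: &[u8]) -> u16 {
    let mut sum: u32 = data.chunks(2).map(|c| ((c[0] as u32) << 8) | *c.get(1).unwrap_or(&0) as u32).sum();
    while sum >> 16 != 0 { sum = (sum & 0xffff) + (sum >> 16); }
    !(sum as u16)
}

// Transport layer: TCP segment from the proxy's internal port to the remote port.
fn tcp_segment(src: (Ipv4Addr, u16), dst: (Ipv4Addr, u16), data: &[u8]) -> Vec<u8> {
    // Ports, zero seq/ack, then offset = 5 words, PSH|ACK, window, zero checksum/urgent.
    let mut seg = [&src.1.to_be_bytes()[..], &dst.1.to_be_bytes(), &[0u8; 8],
                   &[0x50u8, 0x18, 0xff, 0xff, 0, 0, 0, 0], data].concat();
    // The checksum also covers a pseudo-header: src, dst, zero, protocol 6, TCP length.
    let pseudo = [&src.0.octets()[..], &dst.0.octets(), &[0u8, 6],
                  &(seg.len() as u16).to_be_bytes(), &seg].concat();
    let sum = checksum(&pseudo);
    seg[16..18].copy_from_slice(&sum.to_be_bytes());
    seg
}

// Network layer: IPv4 packet from the proxy's tunnel address to the remote peer address.
fn ipv4_packet(src: Ipv4Addr, dst: Ipv4Addr, proto: u8, payload: &[u8]) -> Vec<u8> {
    // Version/IHL, DSCP, total length, id/flags/fragment, TTL 64, protocol, zero checksum.
    let mut p = [&[0x45u8, 0][..], &((20 + payload.len()) as u16).to_be_bytes(),
                 &[0u8, 0, 0, 0, 64, proto, 0, 0], &src.octets(), &dst.octets()].concat();
    let sum = checksum(&p);
    p[10..12].copy_from_slice(&sum.to_be_bytes());
    p.extend_from_slice(payload);
    p
}

// WireGuard transport-data framing: type 4, 3 reserved bytes, receiver index and
// counter (little-endian), then the inner packet. Framing only, nothing is encrypted.
fn wg_frame(receiver: u32, counter: u64, inner: &[u8]) -> Vec<u8> {
    let mut m = [&[4u8, 0, 0, 0][..], &receiver.to_le_bytes(), &counter.to_le_bytes(), inner].concat();
    m.resize(16 + (inner.len() + 15) / 16 * 16, 0); // pad inner packet to a 16-byte multiple
    m.extend_from_slice(&[0u8; 16]);                // placeholder for the Poly1305 tag
    m
}

// All layers for one chunk of proxied data; every address and port here is constructed.
fn encapsulate(data: &[u8]) -> Vec<u8> {
    let (proxy, peer) = (Ipv4Addr::new(192, 168, 4, 3), Ipv4Addr::new(192, 168, 4, 2));
    wg_frame(1, 0, &ipv4_packet(proxy, peer, 6, &tcp_segment((proxy, 60001), (peer, 8080), data)))
}

fn main() { println!("{} bytes go out as the UDP payload", encapsulate(b"GET / HTTP/1.1\r\n\r\n").len()); }
```

The result of `encapsulate` is what would be sent as the payload of a UDP datagram to the peer's public endpoint; for the 18-byte request it is 96 bytes.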