Posted by u/brndnbuilds 3 years ago
Show HN: TunnlTo – Windows WireGuard split tunnel client built with Rust, Taurigithub.com/TunnlTo/deskto...
Hi Everyone,

TunnlTo is a tool for controlling which Windows applications, processes, and IP addresses can use a WireGuard VPN tunnel. Here are some examples of how it could be used:

- Route only Firefox through a privacy VPN
- Route Slack and Microsoft Office through a work VPN
- Route a game through a gaming VPN
- Stop a game from routing through a privacy VPN
- Stop a browser from routing through a work VPN
- Route a specific IP address range through a privacy VPN
- Route all traffic through a privacy VPN except a specific IP address range

I have been collaborating on this project with the creator of WireSock - Vadim Smirnov.

"WireSock VPN Client is a lightweight command line WireGuard VPN client for Windows that has advanced features not available in the official WireGuard for Windows such as selective application tunneling and disallowed IP addresses.

WireSock VPN Client combines the power of Windows Packet Filter and BoringTun (user space WireGuard implementation in Rust) to provide exceptional performance, security and scalability."

The TunnlTo app is built with Tauri and I've used boring old HTML, CSS (Bootstrap) and JavaScript as I had major JS framework fatigue. I have previously built a production app with Electron and Vue. Tauri appealed to me for its use of Rust and its small installation sizes. I tried Tauri pre version 1.0 and had a bit of trouble but this time around it's been a positive experience. The docs and the Discord community have come a long way.

I would appreciate any feedback about the project so I can get an idea of what direction to take it in next. Vadim will be around a little later if anyone is curious about the WireGuard implementation and wants to know more.

Thanks for reading!

viraptor · 3 years ago
I'm not complaining about Tauri/Electron usage normally, I'm happy using vscode and a few other app using this tech, but... Why? This app uses a few buttons and text fields. It can be done using literally any available toolkit. Or even with imgui-rust if you want matching look.
brndnbuilds · 3 years ago
> This app uses a few buttons and text fields

Well it's not finished yet :)

The reasons for choosing Tauri:

- With new projects I try to learn something new but not everything all at once. This helps to not get overwhelmed and ship something in a reasonable timeframe.

- I'm comfortable with HTML, CSS, JS and I wanted to learn Rust which Tauri uses.

- I figured the UI is going to change a lot in the early days and I wanted to be able to iterate on it quickly, so choosing something I know already for the UI made sense to me.

- If the project gets bigger, I can move to a JS framework easily enough and will have access to all the ecosystem it provides.

- I thought it would be easier to attract contributors with a web framework UI and Rust.

- While I want it to be as lightweight as possible, it is not going to be run on low spec machines so I feel like the tech stack is fit for purpose.

l-albertovich · 3 years ago
I'm glad you used it, even if to some your application doesn't need it, it's good for the toolkit and I personally like how it looks.

Additionally, I think that your project might be useful to people and the only reason it exists is because you invested your own time on it so if using tauri was something that motivated you or gave you any type of satisfaction then I'm happy for you.

Thank you!

cute_boi · 3 years ago
Actually, I think many apps don't even require Tauri, Electron etc. They can use localhost:unique port and open the ui in browser when we click from tray?
japanuspus · 3 years ago
This is exactly what Tauri does: unlike Electron it relies on the system web engine.
Thaxll · 3 years ago
This app is just a wrapper starting an exe with args, it's not doing much ...

I would actually say it's pretty dangerous to have something installing .msi from git, touching registry etc ...

https://github.com/TunnlTo/desktop-app/blob/main/src-tauri/s...

https://github.com/TunnlTo/desktop-app/tree/main/src-tauri/w...

brndnbuilds · 3 years ago
> This app is just a wrapper starting an exe with args, it's not doing much ...

You're free to run WireSock in the terminal. It's linked to in this post and in the github repo. TunnlTo aims to make WireSock more accessible and to add some quality of life features. I'm collaborating with the WireSock creator and while it may seem simple at the moment it is early days... we had to start somewhere.

> I would actually say it's pretty dangerous to have something installing .msi from git, touching registry etc ...

Did you look at this code?: https://github.com/TunnlTo/desktop-app/blob/main/dist/setup....

It tells the user why it needs to install the msi, explains what it is, and gives them the option to proceed. The msi is signed by the same EV code signing certificate as the TunnlTo app. There is also information about WireSock and links in the GitHub readme.

> installing .msi from git

The .msi doesn't come from "git", it is included in the TunnlTo installer which is standard practice.

> touching registry etc ...

I'm not sure why there would be a concern if a msi interacts with the registry? That is pretty standard stuff.

jchw · 3 years ago
This is cool, although tbh my biggest challenge with Wireguard is that I'd really like to be able to run Tailscale and another VPN at the same time.

Another trick: if you are using Firefox with Multi-Account Container tabs, you can use a WireGuard client that exposes a SOCKS5 interface (like Wireproxy) and set up your tabs to use different WireGuard connections. You could even use this in addition to split tunnelling.

brndnbuilds · 3 years ago
I think things could get pretty messy running Tailscale and another VPN at the same time. I suppose you could do it with IP ranges but process level split tunneling... that needs some thought on what is happening there. Maybe Vadim will have some thoughts on that later.

That is a cool trick. Can you actually define which Firefox tabs use the proxy? Does it highlight the tab in some way to show you which connection you're on?

jchw · 3 years ago
Yeah, with Firefox container tabs you can create new tabs on a given profile, and with the Multi-account extension those profiles can each be associated with a proxy. Profiles themselves have a color associated that shows up on the tab. So tabs in the same window can use different proxies.
chaxor · 3 years ago
I haven't used Tailscale, but I'm confused. I thought WireGuard had a simple config where you can just place a range of IPs and it basically just sends anything to those IPs over wg - effectively split tunneling.

So why couldn't you just have a different range for another subnet? Is it just because Tailscale made everything needlessly complex? Or is it a base WireGuard problem?

jchw · 3 years ago
Tailscale isn't Wireguard, it uses Wireguard under the hood but it doesn't do what wireguard does.
rfoo · 3 years ago
It would be helpful if you can also bundle a dnsmasq-like (dnsmasq is not available for Windows :( ) thing for split-tunnel DNS.

For example I would like *.work.example.com goes through the DNS in work VPN.

PreInternet01 · 3 years ago
No need for additional software for that. In PowerShell, run:

    Add-DnsClientNrptRule -Namespace ".work.example.com" -NameServers "10.1.2.3","10.4.5.6"

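The NRPT rule above is the whole mechanism, but a practitioner will want to see it made idempotent, verified, and paired with the cache flush that makes it take effect. The following is an added example, not code from the thread or from the TunnlTo or WireSock projects; the suffix `.work.example.com` and the resolver addresses `10.1.2.3` / `10.4.5.6` are placeholders for the DNS servers reachable inside the work tunnel.

```powershell
# Added example: per-suffix split DNS with the Windows Name Resolution Policy
# Table (NRPT). Run in an elevated PowerShell session.
# Placeholders (assumptions): the work suffix and the two resolver addresses.
$Suffix      = ".work.example.com"          # leading dot = suffix match in NRPT
$WorkDns     = @("10.1.2.3", "10.4.5.6")    # assumed: resolvers only reachable via the work VPN
$RuleComment = "split-DNS: work suffix via tunnel resolvers"

# Remove any earlier copy of this rule so re-running the script is idempotent
# rather than stacking duplicate rules for the same namespace.
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -contains $Suffix } |
    ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }

# Queries for *.work.example.com now go to $WorkDns; every other name keeps
# using the adapters' normal resolvers.
Add-DnsClientNrptRule -Namespace $Suffix -NameServers $WorkDns -Comment $RuleComment

# Drop answers cached before the rule existed, otherwise a work name resolved a
# minute ago keeps its old (public-resolver) answer until the TTL expires.
Clear-DnsClientCache

# Verify what the DNS Client service will actually do: the effective policy
# table must list the suffix with exactly our servers.
Get-DnsClientNrptPolicy -Effective |
    Where-Object { $_.Namespace -eq $Suffix } |
    Format-List Namespace, NameServers

# Functional check: a name under the suffix should resolve (via the tunnel
# resolvers) only while the work VPN is up. -DnsOnly skips the hosts file,
# LLMNR and NetBIOS so the result reflects DNS alone.
Resolve-DnsName -Name "intranet$Suffix" -Type A -DnsOnly -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
```

Two caveats the rule itself does not enforce. NRPT only chooses which server a query is sent to; if `10.1.2.3` is routed through the default interface rather than the tunnel, the work queries go out in the clear, so the resolver addresses should sit inside the range that the split-tunnel client sends over the VPN. And NRPT is consulted by the Windows DNS Client service, so a browser doing its own DNS-over-HTTPS (Firefox with DoH enabled, for instance) bypasses it entirely.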
hrez · 3 years ago
dnscrypt-proxy, it's also good for DNS encryption
Severian · 3 years ago
I've been using it for the last two weeks and I've been pretty happy with it. One thing I wish it had is to display possibly some information regarding the connection. I usually use icanhazip to verify my IP is different from my local net. I think displaying what exclusions and such are active during an active connection would be good too.

Typing on phone, so please excuse the slightly abrupt tone.

brndnbuilds · 3 years ago
Good to hear that it's working out for you. I'm actually having a bit of trouble keeping in contact with the active users. I put a post in the discussion area of the repo but didn't get much response. If anyone has any ideas on how to better keep in touch with the users I would appreciate it.

I agree, it needs better visibility of what is happening with the active connection. It's easy enough to use icanhazip etc. in a browser to see the active IP but that's not possible in apps like a torrent downloader or game. Someone suggested a feature to monitor data input/output in the repo discussion area so I'll tag onto that with your suggestions.

psd1 · 3 years ago
Reaching your users is even difficult for me, building internal tools. We use a multi-pronged strategy. The only way to be sure is to have a popup in the app, although tbf this annoys people so care should be taken to minimise the nuisance.
zakki · 3 years ago
Awesome. Just yesterday I used Wireguard in my Windows laptop. The one acting as the gateway is using a dynamic public IP. So I used Dynamic DNS service for the client to connect to. The problem is when Public IP is changed by the ISP, Wireguard VPN tunnel failed because it keeps the old IP.

Do you have/plan this kind of feature? I mean Wireguard Client will check the Public IP of the Wireguard Server from time to time?

brndnbuilds · 3 years ago
Another user brought up this feature request a little while ago and I discussed it with the WireSock creator (WireSock is the underlying network driver). Unfortunately we never decided on an implementation plan. I'll add it as a feature request in the repo discussions area.
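The failure zakki describes follows from WireGuard resolving the peer endpoint hostname once, at tunnel start, and then keeping the IP. Until the client does this itself, a small watcher can detect the change and trigger a reconnect. This is an added example, not code from TunnlTo or WireSock: the DDNS name `vpn.example.dyndns.test` is a placeholder, and the reconnect action is deliberately left as a caller-supplied script block because the thread gives no WireSock command for re-resolving an endpoint.

```powershell
# Added example: poll a dynamic-DNS endpoint name and invoke a reconnect action
# when the address it resolves to changes. Save as Watch-Endpoint.ps1.
# Assumptions: the hostname is a placeholder, and $OnChange must be replaced
# with whatever command restarts or re-points your WireGuard client.
param(
    [string]$EndpointHost   = "vpn.example.dyndns.test",   # assumed DDNS name
    [int]$IntervalSeconds   = 60,                          # poll period; keep near the DDNS record TTL
    [scriptblock]$OnChange  = {
        param($OldAddress, $NewAddress)
        # Placeholder action: substitute your client's reconnect command here.
        Write-Warning "Endpoint moved $OldAddress -> $NewAddress; reconnect the tunnel."
    }
)

function Get-EndpointAddress([string]$Name) {
    # Query DNS only (no hosts file / LLMNR / NetBIOS) and take the first A
    # record. Return $null on failure so a transient lookup error does not
    # look like an address change and cause a needless reconnect.
    $answer = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq "A" } |
        Select-Object -First 1
    if ($answer) { return $answer.IPAddress } else { return $null }
}

$current = Get-EndpointAddress $EndpointHost
if (-not $current) { throw "Could not resolve $EndpointHost at startup." }
Write-Host "Tracking $EndpointHost, currently $current (every ${IntervalSeconds}s)"

while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $seen = Get-EndpointAddress $EndpointHost
    if ($seen -and ($seen -ne $current)) {
        & $OnChange $current $seen
        $current = $seen
    }
}
```

One edge case matters for a full-tunnel configuration: if DNS itself is routed through the VPN, the lookup fails as soon as the server's address changes, because the dead tunnel is now the only path to the resolver. The watcher above treats that failure as "no change" and keeps polling, so it needs to resolve outside the tunnel (for a per-application split tunnel this is the default, since the watcher process is not one of the tunnelled apps).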
ementally · 3 years ago
brndnbuilds · 3 years ago
I've been talking to the WireSock creator about this question and will get back to you. It's not a straightforward yes or no and I want to get the answer right.
gigel82 · 3 years ago
Selective application tunneling is very interesting, I didn't know APIs were available for that (or do you have a custom network driver for it?).

Is it bullet-proof enough for a killswitch or would the apps go through the normal route if I forgot to open your application, or if the vpn server is down?

brndnbuilds · 3 years ago
I think selective application tunneling for windows is an incredibly useful thing and I wondered for a long time why it wasn't more popular until I realized how difficult it is to implement.

TunnlTo uses WireSock https://www.wiresock.net/ which is a custom network driver built by Vadim Smirnov. He'll be on later to answer any technical questions. He is the expert in networking and kernel level drivers.

I wouldn't call it bullet-proof enough for a killswitch yet but certainly is something we're working towards. The response so far from HN is encouraging so it looks like it will be worthwhile dedicating more time to the project to get it to that level.

hexmiles · 3 years ago
I also would love to know how it was able to do it. I tried implementing something similar for an application, but I wasn't able to tunnel only selected applications. In the end I used a SOCKS proxy and manually configured the application that I wanted to use it, but I would love a less "hacky" way to do it (not all apps support a SOCKS proxy).
muststopmyths · 3 years ago
You keep saying driver, but WireSock says it's usermode. Can you clarify?

Not trying to be a jerk, just that I’d be more inclined to try out a purely usermode application than install a driver.