cunīcu is a user-space daemon managing WireGuard® interfaces to establish a mesh of peer-to-peer VPN connections in harsh network environments.
To achieve this, cunīcu utilizes a signaling layer to exchange peer information such as public encryption keys, hostname, advertised networks and reachability information to automate the configuration of the networking links. From a user perspective, cunīcu alleviates the need of manual configuration such as exchange of public keys, IP addresses, endpoints, etc.. Hence, it adopts the design goals of the WireGuard project, to be simple and easy to use.
Thanks to Interactive Connectivity Establishment (ICE), cunīcu is capable to establish direct connections between peers which are located behind NAT firewalls such as home routers. In situations where ICE fails, or direct UDP connectivity is not available, cunīcu falls back to using TURN relays to reroute traffic over an intermediate hop or encapsulate the WireGuard traffic via TURN-TCP.
It relies on the awesome pion/ice package for ICE as well as bundles the a Go user-space implementation of WireGuard in a single binary for systems in which WireGuard kernel support has not landed yet.
With these features, cunīcu can be used to quickly build multi-agent systems or connect field devices such as power grid monitoring infrastructure into a fully connected mesh. Within the ERIGrid 2.0 project, cunīcu is used to interconnect smart grid laboratories for geographically distributed simulation of energy systems.
The project is currently actively developed by Steffen Vogel at the Institute for Automation of Complex Power Systems (ACS) of RWTH Aachen University
To use cunīcu follow these steps on each host:
- Install cunīcu
- Configure your WireGuard interfaces using
- Start the cunīcu daemon by running:
sudo cunicu daemon
Make sure that in step 2. you have created WireGuard keys and exchanged them by hand between the hosts. cunīcu does not (yet) discover available peers. You are responsible to add the peers to the WireGuard interface by yourself.
After the cunīcu daemons have been started, they will attempt to discover valid endpoint addresses using the ICE protocol (e.g. contacting STUN servers).
These ICE candidates are then exchanged via the signaling server and cunīcu will update the endpoint addresses of the WireGuard peers accordingly.
Once this has been done, the cunīcu logs should show a line
- Steffen Vogel (@stv0g, Institute for Automation of Complex Power Systems, RWTH Aachen University)
Please feel free to join our Slack channel
#cunicu in the Gophers workspace and say 👋.
The project name cunīcu [kʊˈniːkʊ] is derived from the latin noun cunīculus which means rabbit, a rabbit burrow or underground tunnel. We have choosen it as a name for this project as cunīcu builds tunnels between otherwise hard to reach network locations. It has been changed from the former name wice in order to broaden the scope of the project and avoid any potential trademark violations.
cunīcu is licensed under the Apache 2.0 license.
Copyright 2022 Institute for Automation of Complex Power Systems, RWTH Aachen University
The project is currently actively developed by Steffen Vogel at the Institute for Automation of Complex Power Systems (ACS) of RWTH Aachen UniversityThe development of cunīcu has been supported by the ERIGrid 2.0 project of the H2020 Programme under Grant Agreement No. 870620
WireGuard and the WireGuard logo are registered trademarks of Jason A. Donenfeld.