
Design

Architecture

Objectives

  • Encrypt all signaling messages

  • Pluggable signaling backends:

    • gRPC
    • Kubernetes API-server
    • WebSocket
  • Support Trickle ICE

  • Support ICE restart

  • Support ICE-TCP

  • Encrypt exchanged ICE offers with WireGuard keys

  • Seamless switch between ICE candidates and relays

  • Zero configuration

    • Relieve users of exchanging endpoint IPs & ports
  • Enable direct communication of WireGuard peers behind NAT / UDP-blocking firewalls

  • Single-binary, zero dependency installation

  • Support for user and kernel-space WireGuard implementations

  • Zero performance impact

    • Kernel-side filtering / redirection of WireGuard traffic
    • Fallback to user-space proxying only if no kernel features are available
  • Minimized attack surface

    • Drop privileges after initial configuration
  • Compatible with existing WireGuard configuration utilities like:

  • Monitoring for new WireGuard interfaces and peers

    • Inotify for new UAPI sockets in /var/run/wireguard
    • Netlink subscription for link updates (patch is pending)
  • RFC6544 TCP Candidates with Interactive Connectivity Establishment (ICE)
  • RFC8838 Trickle ICE: Incremental Provisioning of Candidates for the Interactive Connectivity Establishment (ICE) Protocol
  • RFC8445 Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal
  • RFC8863 Interactive Connectivity Establishment Patiently Awaiting Connectivity (ICE PAC)
  • RFC8839 Session Description Protocol (SDP) Offer/Answer Procedures for Interactive Connectivity Establishment (ICE)
  • RFC6062 Traversal Using Relays around NAT (TURN) Extensions for TCP Allocations
  • RFC8656 Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)
  • RFC8489 Session Traversal Utilities for NAT (STUN)
  • RFC8866 SDP: Session Description Protocol
  • RFC3264 An Offer/Answer Model with the Session Description Protocol (SDP)
  • RFC7064 URI Scheme for the Session Traversal Utilities for NAT (STUN) Protocol
  • RFC7065 Traversal Using Relays around NAT (TURN) Uniform Resource Identifiers