Gotatun WireGuard Backend
Overview
NymVPN uses mullvad/gotatun, a pure Rust userspace WireGuard implementation, for its tunnel backend. This replaces both wireguard-go (Go FFI) and kernel WireGuard modules.
Location: nym-vpn-core/crates/nym-wg-gotatun/
Why Gotatun?
| Approach | Problem |
|---|---|
| Kernel WireGuard (kmod-wireguard) | Not available on all devices, requires kernel module management |
| wireguard-go (nym-wg-go) | Go cross-compilation with MUSL is painful, especially for MIPS |
| gotatun | Pure Rust, single toolchain, works everywhere with kmod-tun |
Modules
- `lib.rs` — Public API: `PrivateKey`, `PublicKey`, `PresharedKey`, `PeerConfig`, `PeerEndpointUpdate`
- `wireguard_go.rs` — `Tunnel` struct wrapping gotatun; `start()`, `stop()`, `update_peers()`
- `amnezia.rs` — `AmneziaConfig` with 9 obfuscation parameters
- `amnezia_udp.rs` — UDP transport layer obfuscation (504 lines)
Key Design Decisions
- `PrivateKey` derives `Zeroize, ZeroizeOnDrop` for secure key handling
- `AmneziaConfig::rand()` returns `Result` instead of panicking
- Feature-gated: `nym-vpn-lib` enables the `amnezia` feature
AmneziaWG Obfuscation
AmneziaWG defeats deep packet inspection that identifies and blocks standard WireGuard traffic.
How it works:
The obfuscation layer wraps gotatun's UDP socket factory:
- `AmneziaUdpFactory<F>` — wraps the socket factory
- `AmneziaSend<S>` — remaps WireGuard message headers and prepends junk packets during handshakes
- `AmneziaRecv<R>` — strips junk and reverses header remapping on receive
When the config is OFF or absent, the layer operates in passthrough mode with zero overhead.
Obfuscation Parameters
| Parameter | Field | Description |
|---|---|---|
| Jc | junk_pkt_count | Number of junk packets before handshake |
| Jmin | junk_pkt_min_size | Minimum junk packet size |
| Jmax | junk_pkt_max_size | Maximum junk packet size |
| S1 | init_pkt_junk_size | Junk padding on handshake init |
| S2 | response_pkt_junk_size | Junk padding on handshake response |
| H1 | init_pkt_magic_header | Header remap for init messages |
| H2 | response_pkt_magic_header | Header remap for response messages |
| H3 | under_load_pkt_magic_header | Header remap for under-load messages |
| H4 | transport_pkt_magic_header | Header remap for transport data |
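
The header remap and handshake padding described under "How it works", with passthrough when no config is set, as an added Rust sketch that is not the code in `amnezia_udp.rs`. It covers S1/S2 and H1 to H4 only (no Jc junk packets). Assumptions: the `Obfs` struct, the function names, the parameter values and the length-based padding detection on receive are illustrative; 148 and 92 bytes are the standard WireGuard handshake initiation and response lengths.

```rust
// Added illustration, not the code in amnezia_udp.rs; field names follow the table above.
const INIT_LEN: usize = 148; // standard WireGuard handshake initiation length
const RESP_LEN: usize = 92; // standard WireGuard handshake response length
pub struct Obfs { // hypothetical name
    pub init_pkt_junk_size: usize,        // S1
    pub response_pkt_junk_size: usize,    // S2
    pub init_pkt_magic_header: u32,       // H1
    pub response_pkt_magic_header: u32,   // H2
    pub under_load_pkt_magic_header: u32, // H3
    pub transport_pkt_magic_header: u32,  // H4
}

impl Obfs {
    fn table(&self) -> [(u32, u32, usize, Option<usize>); 4] { // (type, magic, pad, fixed len)
        [(1, self.init_pkt_magic_header, self.init_pkt_junk_size, Some(INIT_LEN)),
         (2, self.response_pkt_magic_header, self.response_pkt_junk_size, Some(RESP_LEN)),
         (3, self.under_load_pkt_magic_header, 0, None),
         (4, self.transport_pkt_magic_header, 0, None)]
    }
}

fn head(p: &[u8]) -> Option<u32> {
    p.get(..4).map(|b| u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// Send side: swap the type word for its magic value, prepend constant (demo-only) padding.
pub fn obfuscate(cfg: Option<&Obfs>, pkt: &[u8]) -> Vec<u8> {
    let hit = cfg.and_then(|c| c.table().iter().copied().find(|e| Some(e.0) == head(pkt)));
    let (magic, pad) = match hit { Some(e) => (e.1, e.2), None => return pkt.to_vec() };
    [&vec![0xAAu8; pad][..], &magic.to_le_bytes()[..], &pkt[4..]].concat()
}

/// Receive side: restore the standard packet; None means junk or mismatched parameters.
pub fn deobfuscate(cfg: Option<&Obfs>, pkt: &[u8]) -> Option<Vec<u8>> {
    let cfg = match cfg { Some(c) => c, None => return Some(pkt.to_vec()) };
    cfg.table().iter().find_map(|&(ty, magic, pad, len)| {
        let body = pkt.get(pad..)?;
        if head(body) != Some(magic) || len.map_or(false, |l| l != body.len()) { return None; }
        Some([&ty.to_le_bytes()[..], &body[4..]].concat())
    })
}

fn main() { // constructed parameters and a constructed transport packet
    let cfg = Obfs { init_pkt_junk_size: 15, response_pkt_junk_size: 68,
        init_pkt_magic_header: 0x5A11_0001, response_pkt_magic_header: 0x5A11_0002,
        under_load_pkt_magic_header: 0x5A11_0003, transport_pkt_magic_header: 0x5A11_0004 };
    let wire = obfuscate(Some(&cfg), &[4, 0, 0, 0, 9, 9, 9, 9]);
    println!("{:02x?} -> {:02x?}", wire, deobfuscate(Some(&cfg), &wire));
}
```

In this sketch a packet carrying the standard type word is dropped once obfuscation is on, so both peers need identical S and H values.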