
tunsafe's Introduction

TunSafe

Source code of the TunSafe client.

This open sourced TunSafe code is AGPL-1.0 licensed. Do note that the repository contains BSD and OpenSSL licensed files, so if you want to release a version based off of this repository you need to take that into account.

To build on Windows, open TunSafe.sln and build, or run build.py.

To build on Linux, run build_linux.sh.

To build on FreeBSD, run build_freebsd.sh.

tunsafe's People

Contributors

strigeus


tunsafe's Issues

Won't connect over cellular interface

Tried with 1.2, 1.3, and 1.4. It gets stuck on sending handshake when attempting to connect over a cellular connection (built into my laptop). When I put that same sim in a portable hotspot and connect to that, tunsafe connects fine.

Android: TunSafe not connecting to IPv6 endpoint (working with Wireguard client)

The TunSafe Android client from the Play Store won't connect to an IPv6 Wireguard/TunSafe endpoint (tried both):

Endpoint                        TunSafe 1.0 for Android         WireGuard 0.0.20181218 for Android
IPv4 address                    working                         working
IPv6 address                    not working                     working
hostname with A record          working                         working
hostname with AAAA record       not working                     working
hostname with A + AAAA record   not working if IPv6 available   working

IPv6 gateway address calculation is off by 8 bits

There is a bug in TunSafe/network_win32.cpp, lines 1157 to 1162 in 8c4df54:

size_t n = (ipv6_cidr + 7) >> 3;
memset(&default_route_v6[n], 0, 16 - n);
if (n == 0)
  return;
// adjust the final byte
default_route_v6[n - 1] &= ~(0xff >> (ipv6_cidr & 7));

When the number of bits in the IPv6 prefix is divisible by 8, an extra octet is masked off at the end of the significant part of the IPv6 network address when generating the gateway address.

Say ipv6_cidr = 64, then n = 8 and ipv6_cidr & 7 = 0, leading to default_route_v6[7] &= 0.

Steps to reproduce

TunSafe 1.4.1, Windows 10 x64

[Interface]
Address = fdcf:cafe:babe:1337::b0b/64

[Peer]
AllowedIPs = fdcf:cafe:babe:1337::1/128,fdd1:feed:face:c0de::/64

Actual results

Added Route fdd1:feed:face:c0de::/64  =>  fdcf:cafe:babe:1300::1

Expected results

The route should have gone through fdcf:cafe:babe:1337::1

tunsafe mtu settings

I set the MTU in my client config file; if the value is bigger than 1400, I can't connect to the network, and I don't know why. I set up a WireGuard server on Google Cloud; the MTU of wg0 is 1420.

Unable to connect to TCP end point at all.

Hello,

I just compiled the latest build and I have been trying to use TunSafe in tcp mode, but I am just unable to get it to work. I am using the iOS client which seems to not support tcp just yet.

When I switch exclusively to UDP, it works like a charm, when I switch to exclusively TCP or both TCP & UDP in disparate ports, UDP always works, but I am just unable to connect to the TCP port at all.

There are no iptables blocks etc, I stood up a fresh ubuntu 18 server with nothing in it and I am still running into this issue. My set up is very simple. Unfortunately as there isn't much logging I am unable to debug anything :(.

Please let me know what else you need from me.

Thanks!

auto start problems

Hey. Two things:

  1. Thanks for your hard work.
  2. Auto-start problems. In the client, the options "work as a service" and "start the tunnel at system startup" are both checked.

[15:24:20] Connecting to the TunSafe Service...
[15:22:46] Loading file: C:\Program Files\TunSafe\Config\wg.conf
[15:22:46] TAP is not compatible CIDR /31 or /32. Changing to /24
[15:22:46] TAP Driver Version 9.21
[15:22:46] Blocking standard DNS on all adapters
[15:22:47] Added Route 0.0.0.0/1 => 10.192.122.1
[15:22:47] Added Route 128.0.0.0/1 => 10.192.122.1
[15:22:47] Unable to read old ipv4 default gateway
[15:22:47] Sending handshake...
[15:22:47] UdpSocketWin32::Write error 0xC000023D
[15:22:53] Retrying handshake, attempt 2...
[15:22:58] Retrying handshake, attempt 3...

Does not work well on Mac

build:

sudo sh ./build_osx.sh
  adding: tunsafe (deflated 58%)
  adding: readme_osx.txt (deflated 29%)

run with sudo:

sudo tunsafe start -d TunSafe.conf
sudo: tunsafe: command not found

run:

tunsafe start -d TunSafe.conf
Loading file: TunSafe.conf
Error opening tun device

Any updates from the WireGuard team about this implementation?

(Apologies in advance if this is the wrong place for this discussion)

There was a lot of... ummm... controversy when this project was announced, as far as I can tell mostly because the WireGuard people really disliked that this was closed source (e.g. a reddit thread, a mailing list thread, and a Hacker News thread). I was wondering if someone has followed up since the source code was released? The author of WireGuard indicated that he would be willing to look over the source when it was available, which it is now.

On WireGuard's install page, they warn:

you are strongly advised to stay away from Windows clients that are not released from this site, as they may be dangerous to use, despite marketing efforts.

To me, that seems like a veiled reference to TunSafe, and I scoured the internet for a chunk of time before convincing myself I trusted TunSafe. I imagine others are steering clear of TunSafe for the same reason.

Now that the source is released, I wonder if they would consider removing that line from their website if they were asked about it. The line has been there since June 4, 2018 at least.

Linux GUI client

It would be great to have a GUI client for Linux just like there is already for Windows.

TIMER_ZERO_KEYS

After a 5 hour power failure last night at the site of my Linux wireguard server, I noticed all the remote Linux clients (using the wg kernel module) connected back automatically to the server when power was restored. However, the two Windows clients using TunSafe did not reconnect. The logs indicated "Expiring all keys for peer". Pressing the "Reconnect" button on each Windows TunSafe instance immediately re-established the wireguard connection.

I'm curious as to the reason why the TIMER_ZERO_KEYS timeout is present, and to ask whether the timeout could be considered for a future gui option to enable/disable/set to a value.

APPcrash in windows 7

问题事件名称: APPCRASH
应用程序名: TunSafe.exe
应用程序版本: 0.0.0.0
应用程序时间戳: 5bccfe87
故障模块名称: TunSafe.exe
故障模块版本: 0.0.0.0
故障模块时间戳: 5bccfe87
异常代码: c000001d
异常偏移: 000000000000f9bd
OS 版本: 6.1.7600.2.0.0.768.2
区域设置 ID: 2052
其他信息 1: 725f
其他信息 2: 725f5faf7c6eb7e2b7a4b746faf9227f
其他信息 3: bcb8
其他信息 4: bcb8210b316321fb4f8289743370c113

about "Internet kill switch": need to restart the computer to clear the configuration

Dear friend,
I really like TunSafe's Internet kill switch function, which solves the problem of the network being completely exchanged by the VPN server. However, when I need to disconnect the VPN and continue to use TunSafe to build the previous network, I have to restart the computer. And you must use TunSafe to use the local network. I sincerely hope that I can switch the Internet kill switch more flexibly, and easily and flexibly restore the original network environment without restarting the computer.
Thank you very much, I wish you all the best in life and work!

build_linux.sh does not work at all with Fedora-29 and clang

Tried to follow and execute instructions at: https://tunsafe.com/user-guide/linux
On Fedora-29. Installed clang on it which got me the clang-7.0.1-4

Also modified build_linux.sh to supposedly work on this version of clang by changing "clang++-6.0" to just "clang"

After executing make, I got a hugeass log of errors and I attached it to this issue for your analysis.
compile errors.txt

I suppose I'll try to get and use the version 6 of clang for the sake of making it work, and hopefully it does work. If ever it also doesn't work, I suppose I'll reply to this issue thread along with errors/problems that I'll get.

Won't compile on Kali (Debian buster)

$ sudo apt-get install clang-6.0 
clang-6.0 is already the newest version (1:6.0.1-10).
$ git clone https://github.com/TunSafe/TunSafe.git
$ cd TunSafe
$ sh ./build_linux.sh
In file included from tunsafe_amalgam.cpp:15:
In file included from ./wireguard.cpp:3:
./stdafx.h:38:10: fatal error: 'vector' file not found
#include <vector>
         ^~~~~~~~
1 error generated.

Windows app freezes after switching the configuration.

I tried to switch to another .conf file and then my app said it doesn't respond and it froze.

I switched to an official config from the website, so there's no problem with configs. App has a bug.
Here's the screenshot:

[screenshot]

My laptop stats:

OS: Windows 8.1 x64
TunSafe version: 1.4.1

Build failed when I try python build.py

Build failed when I try to run build.py:

python ./build.py
Traceback (most recent call last):
File "./build.py", line 12, in
CONFIG = json.loads(open('../misc/config/build_py_conf.json', 'r').read())
FileNotFoundError: [Errno 2] No such file or directory: '../misc/config/build_py_conf.json'

Please give us an explanation file.
I can't find the file anywhere. Please fix it.

Can't build on Linux

Running ./build_linux.sh: line 3: clang++-6.0: command not found
clang is installed on my Arch Linux system.

And trying build:

make
sh ./build_linux.sh
./build_linux.sh: line 3: clang++-6.0: command not found
make: *** [Makefile:7: tunsafe] Error 127

Entering 2FA code on Windows Client (1.5-rc2) doesn't work with numpad

Hello,

I'm loving TunSafe so far. Replaced OpenVPN since TunSafe is much easier to configure, has better performance and supports 2FA. The only thing I'd like to see is the ability to use the numpad to enter the 2FA code. Only the numeric keys above my letters work. The numpad keys don't seem to work at all even though my numlock is enabled.

Multiple connections

Is there a way to create multiple independent wireguard connections?

Running multiple TunSafe applications would be fine with me.

I assume this requires installing multiple TAP drivers. But how to specify which one to use in config file? This is probably also required if running OpenVPN in parallel.

Startup parameters

Are there any command-line parameters to trigger an auto-connect on startup?

If not, do you plan to implement something like this?

This would be helpful to e.g. connect to the vpn host automatically on Windows logon.
It also would be nice if there would be a /hidden parameter to automatically start the application hidden in the task-bar.

Thank you in advance!
Kind regards, Marcus Wichelmann.

Add a rules feature

Besides using routes to split traffic, a VPN can also send a small number of IPs through the VPN proxy. I wonder whether a rules file could be added, so that users can edit the file themselves to make a program or an IP go through the proxy... I hope this feature can be implemented!

Cannot put comments after DNS field

If I put the following in .conf file

DNS = 8.8.8.8  # won't work

it results in:

[21:13:23] Unable to resolve 8.8.8.8  # won't work. Trying again in 1 second(s)

TunSafe 1.4-rc1 x64 on Windows.
It would be nice if TunSafe can ignore the comments properly.

[Bug] Peer's route bug.

I have a notebook with two adapters, an Ethernet connection and a Wi-Fi one.

The Ethernet's IP is 192.168.1.28/24 with gateway at 192.168.1.126. The Ethernet has 192.168.0.106 with gateway at 192.168.0.1.

When I connect to the peer with only Wi-Fi plugged in, everything works. But when I plug in Ethernet and turn off Wi-Fi, the connection fails. From the debug log, TunSafe still uses the Wi-Fi's gateway without changing to the Ethernet's gateway.

Here is the log:

Wifi:

[14:47:23] Loading file: C:\Program Files\TunSafe\Config\all.conf
[14:47:23] TAP Driver Version 9.21 
[14:47:23] Added Route 222.xx.47.196/32  =>  192.168.0.1
[14:47:23] Added Route 0.0.0.0/1  =>  10.2.253.1
[14:47:23] Added Route 128.0.0.0/1  =>  10.2.253.1
[14:47:23] Added Route 10.2.0.0/16  =>  10.2.253.1
[14:47:23] Sending handshake...
[14:47:23] Connection established. IP 10.2.253.3

Ethernet:

[14:48:12] Loading file: C:\Program Files\TunSafe\Config\all.conf
[14:48:12] TAP Driver Version 9.21 
[14:48:12] Added Route 222.xx.47.196/32  =>  192.168.0.1
[14:48:12] Added Route 0.0.0.0/1  =>  10.2.253.1
[14:48:12] Added Route 128.0.0.0/1  =>  10.2.253.1
[14:48:12] Added Route 10.2.0.0/16  =>  10.2.253.1
[14:48:12] Sending handshake...

TunSafe not binding to IPv6 interfaces (Linux)

TunSafe for Linux does not bind to IPv6 interfaces. This is the output of netstat -tulpn on a dual-stack server:

tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      11108/systemd-resol
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1193/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1193/sshd
udp        0      0 127.0.0.53:53           0.0.0.0:*                           11108/systemd-resol
udp        0      0 0.0.0.0:68              0.0.0.0:*                           785/dhclient
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           8269/tunsafe

TunSafe is listening on IPv4 port 51820, but not on IPv6 port 51820.

The issue has been confirmed by another user (see forum thread)

fail to build on vs2015

Type:

  • build error

OS:

  • Win7

Compiler:

  • VS2015

Code:

Issue:

  • parameter type doesn't match

Solution:

  • (void *) should be added for the second param

btw, the stable version TunSafe 1.2 on the website doesn't support command line options, while the newest source code version does.

How to compile it for OpenWrt

I tried to use the config file on OpenWrt with WireGuard, but it failed. It works on my Mac. So is it different from WireGuard? How can I compile TunSafe for OpenWrt? I don't want to set up the interface for WireGuard on OpenWrt. Thank you. Waiting for your reply.

upnp and making sure port is open/forwarded to the client

Hello,

I am interested in trying to install TunSafe on my internet server with a public IPv4 (unsure where I will download it and if it is possible), but then I want that server to forward a certain port range, or all ports except defined ones, through the VPN tunnel to the TunSafe client, which is the home computer inside the LAN.

Please, how can I open a port on the TunSafe server and enable UPnP so the port appears open and forwards traffic through the tunnel to the TunSafe client?

Move the Repository into a TunSafe organisation

Hey,

it might make more sense to create a TunSafe organisation instead of using an account for that. That way you can easily manage multiple repositories in a cleaner way, and when other people want to contribute it is much easier to handle.

Required steps:

  • Rename your TunSafe account to whatever e.g. TunSafeBot
  • Create a TunSafe org
  • Move the TunSafe main repository into the TunSafe org

Good Job, continue the Good Work btw!

VPN up, no name resolution (UQDN) using Windows DNS server(s)

Hello, I have the client connected using Windows 7 and TunSafe 1.4.1, and added my LAN DNS servers in the config, but I am unable to resolve/ping unqualified domains such as "DC01" or "FILESERVER" (I can ping IPs and FQDNs). I am able to ping UQDNs on the server running wireguard. Is this possible with the client? Any feedback would be appreciated.

Example config contains insecure defaults

On Windows, the sample configuration file (TunSafe.conf) contains a hard-coded private key. The config file doesn't warn the user to change it, and the comment next to the key calls it "The private key of this computer" which users might interpret as the installer having created a secure random key for them.

As the security of WireGuard depends on secret keys, this default is insecure. I would suggest one of the following, in order of preference:

  • Generate cryptographically secure random keys on installation and use them in the sample configuration file.
  • Remove the example keys from the config file and instruct users on how to use the key generation feature.
  • Refuse to start if a key matches the hard-coded default.
  • Add scary warning text in the sample config comments informing users that they must replace the key for security.

TunSafe doesn't restore IPv6 settings

TunSafe doesn't restore the interface's previous IPv6 settings after disconnecting from the server (images found on the net):
IPv6 settings [image]
Advanced settings [image]

The original settings were "Obtain an IPv6 address automatically", "Obtain DNS server address automatically" and "Automatic metric".

Retrying handshake, attempt 2..

Added Route 38.132.98.3/32 => 192.168.0.1 failed.

[15:35:35] Loading file: C:\Program Files\TunSafe\Config\tunsafe.conf
[15:35:35] Resolved us-ny1.tunsafe.com to 38.132.98.3
[15:35:35] TAP Driver Version 9.21 
[15:35:35] Blocking standard DNS on all adapters
[15:35:35] Added Route 38.132.98.3/32  =>  192.168.0.1
[15:35:35] Added Route 0.0.0.0/1  =>  10.0.0.1
[15:35:35] Added Route 128.0.0.0/1  =>  10.0.0.1
[15:35:35] Sending handshake...
[15:35:40] Retrying handshake, attempt 2...
[15:35:46] Retrying handshake, attempt 3...

It works after I run this command (Administrator required):

route add 38.132.98.3/32 192.168.0.1

This command can fix that error. I can't tell what happened. It's magic :joy:

Windows 10 64-bit, TunSafe 1.4-rc.

Bring back internet kill switch to previous state on disconnect

Issue name.
For example, you got blockinternet=route in your config.
Before connecting you had your direct connection to the network.
Connected - kill switch activated.
Disconnected - kill switch stays activated. Should switch back to previous state (disable if it was disabled and such)
Tested on RC1, gonna try on 1.4 release

about tcp mode

Hello, I want to try the TCP mode, but WireGuard only supports UDP mode. Can TunSafe be used as a server? And how do I build TunSafe as a client for OpenWrt? Thanks.

Why are you forcing the use of clang on Linux / and gcc on FreeBSD

Why are you forcing the use of clang... the default in Fedora is gcc:
cc -v
Using built-in specs.
COLLECT_GCC=/bin/cc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-redhat-linux
Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,objc,obj-c++,ada,go,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl --enable-libmpx --enable-offload-targets=nvptx-none --without-cuda-driver --enable-gnu-indirect-function --enable-cet --with-tune=generic --with-arch_32=i686 --build=x86_64-redhat-linux
Thread model: posix
gcc version 8.3.1 20190223 (Red Hat 8.3.1-2) (GCC)
[root@localhost TunSafe]# cat build_linux.sh
#!/bin/sh
set -e

RELARGS="-O3 -DNDEBUG"
DBGARGS="-g -D_DEBUG"
CURARGS="$RELARGS"

c++ -c -march=skylake-avx512 crypto/poly1305/poly1305-x64-linux.s crypto/chacha20/chacha20-x64-linux.s
c++ -I . $CURARGS -DWITH_NETWORK_BSD=1 -mssse3 -pthread -lrt -o tunsafe \
    tunsafe_amalgam.cpp \
    crypto/aesgcm/aesni_gcm-x64-linux.s \
    crypto/aesgcm/aesni-x64-linux.s \
    crypto/aesgcm/ghash-x64-linux.s \
    chacha20-x64-linux.o \
    poly1305-x64-linux.o
[root@localhost TunSafe]# gmake clean
gmake: *** No rule to make target 'clean'. Stop.
[root@localhost TunSafe]# make clean
make: *** No rule to make target 'clean'. Stop.
[root@localhost TunSafe]# make
sh ./build_linux.sh
ls -al tunsafe
-rwxr-xr-x. 1 root root 340728 Mar 28 12:09 tunsafe

works fine......

as does the default C++ in FreeBSD as it is already clang by default, why revert to gcc 7

Can't connect if Endpoint is IPv6.

Endpoint = [2a01:4f8::1]:9999

Can't connect. Handshake failed.
But works if Endpoint is IPv4.

In advanced tab endpoint looks as "Endpoint: :9999".

Version: 1.4-rc1

Could you add a route table in Client?

I'm using another way to manually add routes, based on Pre/Post commands. But some bugs make these scripts unable to start.

So could you add this feature into the Client?

TCP mode questions.

The TCP.txt seems to suggest it's possible to run TCP mode with an existing wireguard deployment. If I'm reading it correctly, it sounds like the tunsafe process acts like a kind of TCP proxy to wireguard. Is this the case, and are there instructions for setting it up that way?

That may be useful for situations like Wi-Fi hotspots that block/filter outgoing traffic.

Also it would be nice, client side, to support both TCP and UDP in the same config, i.e. you could specify both, and the client would first try UDP and then, if it doesn't get a response from the server, fall back to TCP.

routes on windows.

The Windows client seems to assume that the next hop is .1 when adding a default route if you are using a /24 network for wireguard. Ideally this should be configurable, as in my case it's actually .254, which is the machine that's set up as a router.

Oddly, .1 seems to work, but I'm not sure if it's causing some network oddities at the remote end of the tunnel, as .1 is actually owned by another peer on my wg0 interface on the Linux end (the Windows client does not know about this peer).

Multiple DNS not allowed.

Error parsing [Interface].DNS = 2606:4700:4700::1001

But in the wg-quick man page: DNS — a comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers.

Version: 1.4-rc1
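The two DNS reports above ("Cannot put comments after DNS field" and "Multiple DNS not allowed") describe the same parsing step going wrong. As an added example, not TunSafe's parser, the C routine below handles one DNS= line of a WireGuard-style conf the way the wg-quick description calls for: a trailing "#" comment is dropped, the value is split on commas, and each entry is accepted only if inet_pton parses it as an IPv4 or IPv6 literal, so the three constructed sample lines from those issues yield 1 entry, 2 entries and a rejection respectively.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define MAX_DNS 8
typedef struct { char addrs[MAX_DNS][INET6_ADDRSTRLEN]; int count; } DnsList;

/* Strip leading and trailing whitespace in place and return the start. */
static char *trim(char *s) {
  while (isspace((unsigned char)*s)) s++;
  char *end = s + strlen(s);
  while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
  return s;
}

/* Parse one "DNS = ..." line from a WireGuard-style conf: drop a trailing
 * '#' comment, split the value on commas, and accept each entry only if it
 * is a valid IPv4 or IPv6 literal. Returns the entry count, or -1 on any
 * error (wrong key, empty value, unparsable address, too many entries). */
static int parse_dns_line(const char *line, DnsList *out) {
  char buf[256];
  if (strlen(line) >= sizeof buf) return -1;
  strcpy(buf, line);
  char *hash = strchr(buf, '#');
  if (hash) *hash = '\0';               /* a comment runs to end of line */
  char *eq = strchr(buf, '=');
  if (!eq) return -1;
  *eq = '\0';
  if (strcmp(trim(buf), "DNS") != 0) return -1;
  out->count = 0;
  for (char *p = eq + 1; p; ) {
    char *comma = strchr(p, ',');
    if (comma) *comma = '\0';
    char *tok = trim(p);
    unsigned char tmp[16];
    int family = strchr(tok, ':') ? AF_INET6 : AF_INET;
    if (strlen(tok) >= INET6_ADDRSTRLEN || inet_pton(family, tok, tmp) != 1)
      return -1;                        /* "not-an-ip" or an empty entry */
    if (out->count >= MAX_DNS) return -1;
    strcpy(out->addrs[out->count++], tok);
    p = comma ? comma + 1 : NULL;
  }
  return out->count;
}

/* Wrappers so results can be checked without handling the struct. */
static int dns_count(const char *line) {
  DnsList l;
  return parse_dns_line(line, &l);
}

static int dns_entry_is(const char *line, int idx, const char *expected) {
  DnsList l;
  int n = parse_dns_line(line, &l);
  return idx >= 0 && n > idx && strcmp(l.addrs[idx], expected) == 0;
}

int main(void) {
  /* Constructed sample lines modelled on the two DNS issues above. */
  const char *lines[] = { "DNS = 8.8.8.8  # won't work",
                          "DNS = 2606:4700:4700::1001, 1.1.1.1",
                          "DNS = 8.8.8.8, not-an-ip" };
  for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
    DnsList l;
    int n = parse_dns_line(lines[i], &l);
    printf("%-40s -> %d\n", lines[i], n);
    for (int j = 0; j < n; j++) printf("    [%d] %s\n", j, l.addrs[j]);
  }
  return 0;
}
```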
