Show HN: SafeHaven – A Minimal VPN Implementation in Go

by kwakubiney on 3/2/2025, 12:00 PM with 12 comments

Hi HN,

For the past few months, I've been exploring tools that integrate with the Linux networking stack. This led me to build SafeHaven, a lightweight and configurable VPN implementation written in Go. The goal was to better understand how virtual private networks work at a fundamental level.

Would love feedback from the community! Repo link: https://github.com/kwakubiney/safehaven

by max-privatevoid on 3/2/2025, 6:53 PM

Nice. This does some things very similarly to Hyprspace[1]. The core idea is the same: Receive some bytes from a TUN device, shove them into a network socket, and vice versa. Hyprspace uses libp2p to manage the outer connections between VPN nodes instead of plain UDP, which takes care of addressing, hole punching and encryption.

BTW: You can also use the netlink library to configure the routing table without external processes[2]. The /1 trick isn't necessary either, you can just create a route for 0.0.0.0/0 and set its metric lower than the existing default route. That won't replace the old route in the table, the new one will just take precedence as long as it exists.

[1] https://github.com/hyprspace/hyprspace

[2] https://github.com/hyprspace/hyprspace/blob/a5957e485ff0c2e9...

by entropyneur on 3/2/2025, 9:23 PM

Since people are apparently interested in minimal VPNs, here's one I built in Rust recently: https://github.com/atereshkin/nanovpn

My goal there was to have as little code as possible so that one could look at it and immediately grasp what goes into establishing a VPN.

by sepositus on 3/2/2025, 4:21 PM

Awesome, thanks for sharing. Did you use anything particular to help direct the implementation? I've been on a streak of building things in Go for the same reason (learning), and a VPN is one of the items on my list.

by jimmyl02 on 3/2/2025, 4:15 PM

Pretty cool, and thanks for the details about TUN devices!

I believe WireGuard runs over UDP and, while you still need a TUN device, it has kernel implementations to handle encrypting the traffic.

by gsliepen on 3/2/2025, 10:59 PM

From the article:

> Currently, packets are not being encrypted within the UDP tunnel so packet sniffing over the internet is possible. It is encouraged to use this over a protocol like SSH

No encryption takes the P out of VPN. Also, if you are going to need SSH to make it secure, then you can just use OpenSSH's built-in support for the tun device using the -w option.