gutd — WireGuard traffic obfuscator via TC/XDP eBPF (no kernel patches)
Toke Høiland-Jørgensen
toke at toke.dk
Tue Mar 24 10:42:23 UTC 2026
> Would appreciate any feedback - especially on the BPF approach,

Cool project! A couple of comments on the BPF side:

- It looks like you're using libbpf_rs to load the BPF programs. Have
  you considered using the (pure Rust) Aya library instead
  (https://github.com/aya-rs/aya)? If so, what was the reason for
  choosing the libbpf wrapper instead?

- From a quick look at the architecture doc, I don't understand why you
  need the veth pair? You're just rewriting packet contents, this could
  just as well be done in the TC hook (egress and ingress) of the
  physical NIC, and from the WireGuard PoV it would just look like wg
  itself is speaking directly to the other tunnel peer?

-Toke