An eBPF-based WireGuard mesh VPN in Rust using Aya.
The idea is to rely on kernel WireGuard and process packets in kernel space (via eBPF) for maximum performance and minimal CPU overhead. I plan to attach TC programs at both egress and ingress so the policy is enforced on the sending side and on the receiving side. XDP is faster, but it only hooks ingress, which is not sufficient for a mesh VPN imo.
Netbird already exists in this space, so this is mostly a learning exercise, and maybe a reference implementation for those learning eBPF in Rust.
Goals and constraints:
1. Single-digit CPU overhead at multi-Gbps bandwidth (probably a bit too ambitious, but we’ll see)
2. Linux only
3. No hole punching or complex NAT handling
4. Basic policy language for L3 and L4 traffic (L7 requires punting packets to a userspace proxy)
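To make the TC-side design and the L3/L4 policy (goals above) concrete, here is an added example that is not the project's code: the per-packet policy check a TC classifier would run, written as plain Rust over a byte slice so it runs stand-alone (the eBPF version would read the same offsets from skb data). `Rule`, `Flow`, `mesh_policy` and the sample frame are assumptions constructed for the example.

```rust
// Added example, not the project's code. Same parse + match a TC classifier
// would do; Rule/Flow/mesh_policy/sample_packet are assumed names and data.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Verdict { Pass, Drop } // would map to TC_ACT_OK / TC_ACT_SHOT

/// One policy rule: (network, mask) on src/dst, IP protocol, optional dst port.
pub struct Rule { pub src: (u32, u32), pub dst: (u32, u32), pub proto: u8, pub dport: Option<u16> }
pub struct Flow { pub src: u32, pub dst: u32, pub proto: u8, pub dport: u16 }

/// Parse Ethernet + IPv4 + TCP/UDP headers, just enough for the policy tuple.
pub fn parse_flow(pkt: &[u8]) -> Option<Flow> {
    if pkt.len() < 34 || u16::from_be_bytes([pkt[12], pkt[13]]) != 0x0800 { return None; }
    let ip = &pkt[14..];
    let ihl = ((ip[0] & 0x0f) as usize) * 4;
    // Explicit bounds checks: the eBPF verifier rejects any unchecked access.
    if ip[0] >> 4 != 4 || ihl < 20 || ip.len() < ihl + 4 { return None; }
    let (proto, l4) = (ip[9], &ip[ihl..]);
    let dport = if proto == 6 || proto == 17 { u16::from_be_bytes([l4[2], l4[3]]) } else { 0 };
    let be32 = |o: usize| u32::from_be_bytes([ip[o], ip[o + 1], ip[o + 2], ip[o + 3]]);
    Some(Flow { src: be32(12), dst: be32(16), proto, dport })
}

fn in_net(addr: u32, (net, mask): (u32, u32)) -> bool { addr & mask == net & mask }

/// Default deny: the first matching rule passes the packet, otherwise drop.
pub fn evaluate(rules: &[Rule], f: &Flow) -> Verdict {
    let hit = rules.iter().any(|r| {
        in_net(f.src, r.src) && in_net(f.dst, r.dst) && f.proto == r.proto
            && r.dport.map_or(true, |p| p == f.dport)
    });
    if hit { Verdict::Pass } else { Verdict::Drop }
}

/// Constructed policy: within 10.0.0.0/24, allow SSH over TCP and any UDP.
pub fn mesh_policy() -> Vec<Rule> {
    let mesh = (0x0A00_0000, 0xFFFF_FF00);
    vec![
        Rule { src: mesh, dst: mesh, proto: 6, dport: Some(22) },
        Rule { src: mesh, dst: mesh, proto: 17, dport: None },
    ]
}

/// Constructed frame: 10.0.0.1 -> 10.0.0.2 with the given protocol and dst port.
pub fn sample_packet(proto: u8, dport: u16) -> Vec<u8> {
    let [dp_hi, dp_lo] = dport.to_be_bytes();
    let mut p = vec![0u8; 12]; // placeholder MACs
    p.extend_from_slice(&[0x08, 0x00, 0x45, 0, 0, 40, 0, 0, 0, 0, 64, proto, 0, 0]); // EtherType + IPv4 hdr
    p.extend_from_slice(&[10, 0, 0, 1, 10, 0, 0, 2, 0xc0, 0x00, dp_hi, dp_lo]); // addrs, sport 49152, dport
    p.extend_from_slice(&[0; 16]); // rest of the L4 header, unused here
    p
}
```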