cloudflare
webassembly platform
Wow, amazing stuff. Why can't we create a webassembly based virtual nic which runs in the browser? Route the packets over websocket. Doesn't Rust compile to webassembly?
My intention in submitting this issue is to figure out if I'm crazy or not.
Eventually, it should also be possible to route packets over the QUIC RTCDataChannel getting added to Chrome.
This would also create the need for a webassembly implementation of the HTTP2, HTTP3(QUIC), and websocket protocols. Initially, I think websocket protocol (over wireguard) should be pretty quick/simple. The others could follow later.
That doesn't sound crazy at all. There is also a Rust implementation of QUIC https://github.com/cloudflare/quiche So yeah, that is definitely doable, with a simple NAT.
Yes! Let's do it! Does this need to be approved as a feature or something? Once we have a webassembly build, I'm thinking another repo could be dedicated to the layers on top of wasm-boringtun-client, such as http-vpn, ws-vpn, etc. In addition there would be the ws-wireguard-vpn proxy (which forwards wireguard packets) for the wasm-boringtun-client to connect with.
If we get this thing working, and it catches on, it will beg a very large question. Browsers might be forced to introduce a vpn_wireguard_url w/ a vpn client embedded in the browser. Exciting times.
Wow, the future is starting to look a LOT simpler from a security perspective.
Ha, your excitement is contagious! Yeah it doesn’t seem super complicated, definitely doable. Obviously if you want to send the packets over ws you need a server that can accept them, but this is almost trivial.
I guess this will be the first VPN client over wasm since no other VPN protocol implemented to wasm. Is there any hope or its forgotten ?
This issue was largely forgotten, but if there is interest, this can be pursued. I do not have the bandwidth to pursue this sadly, but contributions are welcome. If someone wants to look into what would be required to make this work, that would be a good first step here.
I think the CheerpX guys have something working internally over RTCDatachannel. Wouldn't this effort be best served by webtransport? Does cloudflare support webtransport yet? I think webtransport just went GA in chrome recently?
This would be interesting with webtransport. I don't have the bandwidth to do this right now, but I would welcome any PRs.
I hear that WebAssembly is going to support 'components' i.e. a secure way for different webassembly applications to securely talk to each other in the browser. Not sure if that would kill the need for a virtual nic.
@XChikuX That's not quite what Wasm Components are for, and they don't obviate the need for a virtual NIC. If anything, a virtual VPN-integrated NIC would be implemented as a Wasm Component, and could be inserted at link time between an "application component" and the underlying runtime without the application component needing to have any knowledge of this.
(EDIT: you could think of this use case as LD_PRELOAD on steroids.)
Wondering if there are any updates on this?? Would porting boringtun to webassembly be too much of a technical effort given scope of the project?
