GotaTun – Mullvad's WireGuard Implementation in Rust

Why GotaTun instead of (Rust) BoringTun forks?

  • BoringTun is described as effectively unmaintained and in long-term “restructuring.”
  • Several independent forks (e.g., NepTUN, Firezone’s fork) already exist; some providers have migrated to these.
  • Commenters speculate Mullvad wanted full control, clear maintenance, and security posture rather than depending on a stalled or fragmented upstream.
  • Some wish for consolidation around fewer Rust implementations, but recognize the ecosystem is already split.

Multiple Implementations & Security

  • Many argue diversity of implementations strengthens protocol security:
    • Different codebases expose bugs and spec ambiguities.
    • Implementation bugs are isolated to subsets of users, reducing impact of any single vulnerability.
  • Others worry about duplicated effort, reintroducing already-solved mistakes, and higher global attack surface.
  • Consensus leans toward multiple, well-audited implementations being beneficial if specs are clear.

Rust vs Go for WireGuard/User-Space VPNs

  • Rust is seen as better suited for:
    • Embedded/firmware (no GC, tighter control, better FFI as a library).
    • Performance-critical networking (aggressive optimization, no GC pauses).
    • Strong typing/typestate patterns for protocol state machines and low-copy buffer handling.
  • Go remains “good enough” and attractive for developer productivity when constraints are looser.

WireGuard Protocol Limitations & Obfuscation

  • Some criticize WireGuard’s lack of built-in resistance to government/ISP blocking and DPI.
  • Others respond that WireGuard deliberately focuses on a simple L3-over-UDP tunnel; obfuscation should be layered on top (e.g., Shadowsocks, AmneziaWG, Mullvad’s obfuscation modes).
  • There’s a counter-argument that separating routing and obfuscation forces higher layers to reimplement routing logic, undermining simplicity.

Performance, MTU, and Mobile/Battery

  • Users report substantial performance boosts on Android (Pixel phones) and other ARM devices with GotaTun versus wireguard-go.
  • One user notes a new deep-sleep/battery drain bug on Pixel, suggesting Android-side or integration issues.
  • Discussion emphasizes that VPN performance on small devices can be CPU-bound and crypto-heavy, though ChaCha20 is relatively efficient.
  • Several comments dive into MTU tuning (e.g., 1320–1360 bytes) and how broken Path MTU discovery, UDP fragmentation handling, and middleboxes can selectively break WireGuard traffic.
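The MTU arithmetic behind that discussion, as an added example that is not from the thread, Mullvad or GotaTun: standard IP/UDP/WireGuard header sizes, the 16-byte padding rule used by the kernel and wireguard-go, and a check showing why a too-large tunnel MTU lets small packets through while large ones fragment or vanish. The `extra` parameter is an assumption covering bytes added by lower layers (e.g. PPPoE) or an obfuscation wrapper.

```rust
/// Bytes WireGuard adds to every transport-data packet:
/// 4 (type + reserved) + 4 (receiver index) + 8 (nonce counter) + 16 (Poly1305 tag).
pub const WG_DATA_OVERHEAD: usize = 32;
pub const UDP_HEADER: usize = 8;
pub const IPV4_HEADER: usize = 20;
pub const IPV6_HEADER: usize = 40;
/// WireGuard pads plaintext to a multiple of 16 (but never past the tunnel MTU).
pub const PADDING_MULTIPLE: usize = 16;

fn encap_overhead(outer_ipv6: bool, extra: usize) -> usize {
    let ip = if outer_ipv6 { IPV6_HEADER } else { IPV4_HEADER };
    ip + UDP_HEADER + WG_DATA_OVERHEAD + extra
}

/// Largest inner (tunnel) MTU whose encrypted form still fits in `path_mtu`.
/// `extra` (assumed parameter) covers per-packet bytes added below or around
/// WireGuard, e.g. 8 for PPPoE or the framing of an obfuscation wrapper.
pub fn tunnel_mtu(path_mtu: usize, outer_ipv6: bool, extra: usize) -> usize {
    path_mtu.saturating_sub(encap_overhead(outer_ipv6, extra))
}

/// On-the-wire size of an inner packet of `inner_len` bytes after padding
/// and encapsulation, for a tunnel configured with `tun_mtu`.
pub fn outer_len(inner_len: usize, tun_mtu: usize, outer_ipv6: bool, extra: usize) -> usize {
    let rounded = (inner_len + PADDING_MULTIPLE - 1) / PADDING_MULTIPLE * PADDING_MULTIPLE;
    // Same rule as the kernel and wireguard-go: pad up to 16, capped at the MTU.
    let padded = if inner_len >= tun_mtu { inner_len } else { rounded.min(tun_mtu) };
    padded + encap_overhead(outer_ipv6, extra)
}

/// True when the encrypted packet exceeds the path MTU and so needs IP
/// fragmentation (or is silently lost if a middlebox drops fragments and the
/// ICMP "fragmentation needed" never arrives). Small packets pass and large
/// ones do not, which is the selective breakage seen in practice.
pub fn will_fragment(inner_len: usize, tun_mtu: usize, path_mtu: usize, outer_ipv6: bool, extra: usize) -> bool {
    outer_len(inner_len, tun_mtu, outer_ipv6, extra) > path_mtu
}

fn main() {
    // Constructed scenario: 1500-byte Ethernet path, IPv6 outer, tunnel MTU left at 1500.
    let bad = 1500;
    let good = tunnel_mtu(1500, true, 0);
    println!("correct tunnel MTU for an IPv6 outer on a 1500-byte path: {good}");
    println!("64-byte inner packet fragments with MTU {bad}: {}", will_fragment(64, bad, 1500, true, 0));
    println!("1500-byte inner packet fragments with MTU {bad}: {}", will_fragment(1500, bad, 1500, true, 0));
    println!("{good}-byte inner packet fragments with MTU {good}: {}", will_fragment(good, good, 1500, true, 0));
}
```

Values such as 1360 or 1320 fall out of the same function when the path MTU is already reduced (for example `tunnel_mtu(1440, true, 0)` or `tunnel_mtu(1400, true, 0)`), which is why tuned figures in that range show up in the thread.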

Mullvad vs Other VPN Providers

  • Many praise Mullvad’s privacy and technical choices but note trade-offs:
    • No port forwarding anymore; competitors still offer it.
    • Mullvad largely ignores streaming/geolocation evasion, leading to widespread IP blocks, while services like Nord focus on unblocking.
  • The thread highlights that most mainstream VPN users prioritize streaming/geobypass over strict privacy.