A minimal Layer-3 VPN implementation for Windows using Wintun and UDP tunneling, secured with X25519 key exchange and ChaCha20-Poly1305 encryption.
MiniGuard demonstrates core VPN concepts through a clean implementation using:
- Wintun: High-performance Layer-3 TUN driver for Windows
- X25519: Elliptic curve Diffie-Hellman for key exchange
- ChaCha20-Poly1305: AEAD cipher for authenticated encryption
- HKDF-SHA256: Key derivation from shared secrets
- UDP: Fast transport with custom ACK mechanism
```text
+---------------------------------------------------------------+
|                       Client (Windows)                        |
|                                                               |
|  +---------------------------------------------------------+  |
|  |                Wintun Virtual Interface                 |  |
|  |                      (10.0.0.2/24)                      |  |
|  +---------------------------+-----------------------------+  |
|                              | IP Packets                     |
|                              v                                |
|  +---------------------------------------------------------+  |
|  |                  Packet Processing Layer                |  |
|  |                                                         |  |
|  |  1. Read IP packet from Wintun                          |  |
|  |  2. Generate random 12-byte nonce                       |  |
|  |  3. Encrypt with ChaCha20-Poly1305                      |  |
|  |  4. Prepend nonce to ciphertext                         |  |
|  +---------------------------+-----------------------------+  |
|                              |                                |
|                              v                                |
|  +---------------------------------------------------------+  |
|  |                X25519 Key Exchange Layer                |  |
|  |                                                         |  |
|  |  * Generate ephemeral keypair                           |  |
|  |  * Exchange public keys                                 |  |
|  |  * Compute shared secret                                |  |
|  |  * Derive encryption key (HKDF-SHA256)                  |  |
|  +---------------------------+-----------------------------+  |
|                              |                                |
|                              v                                |
|  +---------------------------------------------------------+  |
|  |                   UDP Transport Layer                   |  |
|  |                                                         |  |
|  |  * Send encrypted packets over UDP                      |  |
|  |  * Retry with 400ms timeout until ACK                   |  |
|  |  * Handle acknowledgments                               |  |
|  +---------------------------+-----------------------------+  |
|                              |                                |
+------------------------------+--------------------------------+
                               |
                               | UDP Tunnel
                               | (Encrypted Traffic)
                               |
+------------------------------+--------------------------------+
|                              v                                |
|                            Server                             |
|  +---------------------------------------------------------+  |
|  |                   UDP Transport Layer                   |  |
|  |                                                         |  |
|  |  * Receive encrypted packets                            |  |
|  |  * Send ACK responses                                   |  |
|  +---------------------------+-----------------------------+  |
|                              |                                |
|                              v                                |
|  +---------------------------------------------------------+  |
|  |                X25519 Key Exchange Layer                |  |
|  |                                                         |  |
|  |  * Generate ephemeral keypair                           |  |
|  |  * Exchange public keys                                 |  |
|  |  * Compute shared secret                                |  |
|  |  * Derive encryption key (HKDF-SHA256)                  |  |
|  +---------------------------+-----------------------------+  |
|                              |                                |
|                              v                                |
|  +---------------------------------------------------------+  |
|  |                  Packet Processing Layer                |  |
|  |                                                         |  |
|  |  1. Extract nonce (first 12 bytes)                      |  |
|  |  2. Extract ciphertext                                  |  |
|  |  3. Decrypt with ChaCha20-Poly1305                      |  |
|  |  4. Log decrypted packet contents                       |  |
|  +---------------------------------------------------------+  |
|                                                               |
+---------------------------------------------------------------+
```
Features:
- Modern cryptography (X25519 + ChaCha20-Poly1305 + HKDF)
- UDP-based transport with retry logic
- Windows-native using the Wintun driver
- Ephemeral keys for forward secrecy
- Clean Rust implementation (~300 lines)
Prerequisites:
- Rust (latest stable version)
- Windows OS
- Administrator privileges (required for network interface creation)
```sh
git clone https://github.com/chahat-101/MiniGuard.git
cd MiniGuard
cargo build --release
```
Start the server to listen for incoming connections:
```sh
cargo run --bin server -- --listen 0.0.0.0:4000 --salt "your-secret-salt"
```
Arguments:
- `--listen`, `-l`: Bind address and port (default: `0.0.0.0:4000`)
- `--salt`, `-s`: Shared salt for key derivation (must match the client)
Start the client (as Administrator), pointing it at the server:
```sh
cargo run --bin client -- --data "client1" --target 192.168.1.100:4000 --salt "your-secret-salt"
```
Arguments:
- `--data`: Local data identifier
- `--target`: Server address and port
- `--salt`: Shared salt for key derivation (must match the server)
The client automatically creates a Wintun adapter with:
- IP Address: 10.0.0.2
- Netmask: 255.255.255.0
- Gateway: 10.0.0.1
Test the connection:
```sh
ping 203.0.113.10
```
Because the server only decrypts and logs packets (no forwarding), the ping itself receives no replies; the decrypted ICMP packets appear in the server's output instead.
```text
Client                                           Server
  |                                                |
  |----- X25519 Public Key ----------------------->|   1. Handshake
  |<---- X25519 Public Key ------------------------|
  |----- ACK ------------------------------------->|
  |                                                |
  |      (Both derive shared key via HKDF)         |   2. Key Derivation
  |                                                |
  |----- [Nonce || Encrypted Packet] ------------->|   3. Data Transfer
  |<---- ACK --------------------------------------|
```
- Handshake: Client and server exchange ephemeral X25519 public keys over UDP
- Key Derivation: Both compute shared secret and derive ChaCha20 key using HKDF with the shared salt
- Encryption: Client reads IP packets from Wintun, encrypts with ChaCha20-Poly1305 (random nonce per packet)
- Transmission: Encrypted packets sent over UDP with retry logic until ACK received
- Decryption: Server decrypts packets and logs contents (no forwarding implemented)
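The handshake and key-derivation steps above, as an added example that is not MiniGuard's code: a pure-Python X25519 (RFC 7748) and HKDF-SHA256 (RFC 5869) that derive the 32-byte ChaCha20-Poly1305 key identically on both ends from the exchanged public keys and the shared `--salt`. The HKDF `info` label and the rejection of an all-zero shared secret are assumptions of this example; the README does not say what MiniGuard does there.

```python
# Added example, not MiniGuard's code: X25519 (RFC 7748) and HKDF-SHA256
# (RFC 5869) in pure Python, mirroring the handshake and key-derivation layers.
import hashlib
import hmac

P, A24 = 2**255 - 19, 121665  # Curve25519 prime and (486662 - 2) / 4

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder; returns the u-coordinate of scalar * point (32 bytes)."""
    k = bytearray(scalar)
    k[0], k[31] = k[0] & 248, (k[31] & 127) | 64          # scalar clamping
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)  # drop bit 255
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # a real implementation swaps in constant time
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(private: bytes) -> bytes:
    return x25519(private, (9).to_bytes(32, "little"))  # base point u = 9

def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def derive_session_key(my_private: bytes, peer_public: bytes, salt: str) -> bytes:
    """Shared secret -> 32-byte ChaCha20-Poly1305 key; salt is the --salt value
    both endpoints were started with. The info label is this example's own."""
    shared = x25519(my_private, peer_public)
    if shared == bytes(32):  # low-order peer point: reject rather than key from it
        raise ValueError("invalid peer public key")
    return hkdf_sha256(salt.encode(), shared, b"miniguard-example", 32)
```

With mismatched salts both sides still complete the exchange but end up with different keys, so the first AEAD decryption fails; nothing in the exchange itself identifies the peer, which is why the README lists the salt as the only authentication.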
Cryptographic Primitives:
- X25519: Curve25519 ECDH providing ~128-bit security
- ChaCha20-Poly1305: AEAD providing both confidentiality and authenticity
- HKDF-SHA256: Cryptographically strong key derivation
- Random Nonces: 12-byte nonce generated per packet using OsRng
Security Properties:
- Ephemeral key exchange (new keys per connection)
- Forward secrecy enabled
- Authenticated encryption prevents tampering
- Salt-based key derivation prevents rainbow table attacks
Note: Salt must be kept secret and shared between client and server.
Client automatically configures:
- IP Address: 10.0.0.2
- Netmask: 255.255.255.0
- Gateway: 10.0.0.1
- Adapter Name: minguard
Timing:
- Handshake retry: 400ms
- ACK timeout: 400-500ms
- Retries: Infinite until success
Current limitations:
- Windows only (Wintun driver dependency)
- No packet forwarding or routing implementation
- Server only decrypts and logs packets
- No concurrent connection handling
- No reconnection mechanism
- No key rotation (reconnect for new keys)
- No authentication beyond shared salt
- No rate limiting or DoS protection
Core dependencies:
- tokio - Async runtime
- wintun - Windows TUN driver
- x25519-dalek - X25519 key exchange
- chacha20poly1305 - AEAD encryption
- hkdf + sha2 - Key derivation
- clap - CLI parsing
This project is built on the shoulders of these excellent Rust crates:
Networking & System:
- tokio - Async runtime
- wintun - Windows TUN driver
Cryptography:
- x25519-dalek - X25519 elliptic curve Diffie-Hellman
- chacha20poly1305 - ChaCha20-Poly1305 AEAD cipher
- hkdf - HMAC-based Key Derivation Function
- sha2 - SHA-2 hash functions
Utilities:
- clap - Command Line Argument Parser
- rand - Random number generation
- hex - Hexadecimal encoding/decoding
A huge thank you to all the maintainers and contributors of these crates!
"Access Denied" error:
- Run client as Administrator
- Right-click PowerShell/CMD -> "Run as administrator"
Connection timeouts:
- Verify server is running
- Check firewall allows UDP on specified port
- Ensure salt matches exactly between client and server
Wintun adapter issues:
- Check Windows Device Manager for adapter status
- Review Windows Event Viewer for driver errors
- Try deleting existing "minguard" adapter
Contributions welcome! Feel free to open issues or submit pull requests.
See repository for license details.
MiniGuard is for educational purposes only. It demonstrates VPN concepts but lacks features needed for production use. For real-world VPN needs, use established solutions like WireGuard, OpenVPN, or IPsec.
Inspired by WireGuard's minimalist design philosophy and modern cryptographic choices.
Project Stats: ~300 lines of Rust demonstrating X25519 key exchange, HKDF key derivation, and ChaCha20-Poly1305 AEAD encryption in a VPN context.