About BoreasTUN
Performance, Resilience, Control
BoreasTUN is a modern VPN protocol designed for environments where throughput, resilience against traffic analysis, and operational control matter.
What BoreasTUN Is
A user-space focused implementation built for the modern internet.
- A userspace VPN protocol implemented in Rust, focused on high throughput and low latency
- A security-first tunnel with strong authentication and forward secrecy
- A DPI-resistant transport that reduces protocol fingerprinting signals
- A flexible system that supports server hub-and-spoke and optional peer-to-peer data paths
- A deployable stack for Linux, macOS, Windows, FreeBSD, pfSense, OpenWRT, iOS, Android, and more
Core Capabilities
Built-in performance, privacy, and control primitives for enterprise networks.
Performance Without Fragility
UDP-first transport with automatic TCP fallback, multi-core scaling, and optional Linux accelerators. Compliant with RFC 768 (UDP) and RFC 793 (TCP).
Privacy-Resilient by Design
Obfuscated on-wire envelope to reduce easy classification, configurable traffic shaping, and minimal cleartext metadata surface. Built on industry-standard cryptographic protocols.
Standards-Based Cryptography
Uses well-established protocols including the Noise Protocol Framework for handshakes, FIPS 203 compliant post-quantum algorithms, and hardware-accelerated AES for maximum compatibility and security.
Forward Error Correction (FEC)
Recovers lost packets without retransmission using Reed-Solomon erasure coding (RFC 6865 compliant), with adaptive modes to balance bandwidth vs. reliability.
P2P & NAT Traversal
Automatic peer-to-peer connectivity using STUN (RFC 5389), TURN (RFC 5766), and ICE (RFC 8445) for seamless NAT traversal with intelligent relay fallback.
Advanced Policy Routing
Source-based routing for complex topologies with flexible rules based on source IP, input interface, or firewall marks. Uses direct kernel integration for millisecond-level rule updates with automatic loop prevention.
Smart Path MTU Discovery
RFC 8899 compliant packetization layer PMTU discovery eliminates IP fragmentation. Dynamically adjusts packet sizes to fit the network path using efficient binary search with automatic re-calibration on path changes.
Built-In Control Plane (BICP)
Control channel inside the encrypted tunnel for safe management operations and capability-based authorization, keeping management traffic secure and isolated.
Ideal Use Cases
Solving real-world networking problems.
Low-Latency Gaming & VoIP
Problem: Packet loss on WiFi/LTE destroys real-time experiences (lag/jitter).
Solution: Forward Error Correction (FEC) recovers lost packets instantly without retransmission delays.
Stealth Remote Access
Problem: Corporate firewalls and ISPs block standard VPN protocols via DPI.
Solution: Scrambled headers and traffic shaping look like random noise, penetrating restrictive networks.
High-Throughput Gateways
Problem: Traditional user-space VPNs bottleneck at 1-2 Gbps.
Solution: Multi-worker architecture and io_uring/AF_XDP backends saturate 10 Gbps+ links on commodity hardware.
Peer-to-Peer Mesh
Problem: Routing local traffic through a central cloud server adds latency and cost.
Solution: BICE automatically negotiates direct P2P paths between clients (NAT traversal).
Comparison with Other Protocols
See how BoreasTUN stacks up against consumer and enterprise standards.
Consumer / Open Source Protocols
| Protocol | Structure / Header | DPI Detectability | Verdict |
|---|---|---|---|
| WireGuard | 4-byte type field | Easily identified by message type | |
| OpenVPN (UDP) | Fixed opcode + session ID | Identified by P_CONTROL headers | |
| OpenVPN (TCP/TLS) | TLS record layer | Identified by TLS patterns | |
| IPsec IKEv2 | 28-byte IKE header | Fixed header structure | |
| BoreasTUN | None | Indistinguishable from random noise | |
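The WireGuard row of the table above, written out as the header check a DPI sensor can apply. This is an added example, not code from the BoreasTUN page or project; it relies on WireGuard's published message layout (1-byte type, 3 reserved zero bytes, fixed handshake sizes), and the sample payloads are constructed.

```python
import struct

# WireGuard message types with fixed on-wire sizes (bytes).
HANDSHAKE = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
}
TRANSPORT_DATA = 4
TRANSPORT_MIN = 32  # 16-byte header + 16-byte auth tag (empty keepalive)


def classify_wireguard(payload: bytes):
    """Return a label if the UDP payload has a WireGuard-shaped header, else None."""
    if len(payload) < 4:
        return None
    # Type byte plus three reserved zero bytes reads as a little-endian
    # 32-bit integer in the range 1..4.
    (msg_type,) = struct.unpack_from("<I", payload, 0)
    if msg_type in HANDSHAKE:
        name, size = HANDSHAKE[msg_type]
        return name if len(payload) == size else None
    if msg_type == TRANSPORT_DATA:
        # Header (16) + padded ciphertext (multiple of 16) + tag (16).
        if len(payload) >= TRANSPORT_MIN and len(payload) % 16 == 0:
            return "transport_data"
    return None


# Constructed sample payloads: only the header bytes and lengths are meaningful.
SAMPLES = [
    b"\x01\x00\x00\x00" + bytes(144),         # shaped like a handshake initiation
    b"\x02\x00\x00\x00" + bytes(88),          # shaped like a handshake response
    b"\x04\x00\x00\x00" + bytes(28),          # shaped like a keepalive
    b"\x01\x00\x01\x00" + bytes(144),         # reserved bytes not zero
    b"\x9c\x41\xe7\x02" + bytes(range(144)),  # no fixed header in the first 4 bytes
]


def classify_all(samples):
    """Label every payload; None means no WireGuard header signal was found."""
    return [classify_wireguard(p) for p in samples]


if __name__ == "__main__":
    for payload, label in zip(SAMPLES, classify_all(SAMPLES)):
        print(payload[:4].hex(), len(payload), label)
```

A payload with no fixed leading field gives this kind of rule nothing to match, so a sensor has to fall back on length, timing and entropy statistics instead.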
Enterprise VPN Protocols
| Protocol | Header Structure | DPI Detectability | Verdict |
|---|---|---|---|
| FortiGate SSL-VPN | TLS with custom extensions | Medium - TLS fingerprint | |
| FortiGate IPsec | Standard IPsec headers | High - Standard ESP | |
| Check Point VPN | Custom tunnel headers | High - Vendor ID payloads | |
| GlobalProtect | SSL-VPN or IPsec | Medium - TLS/ESP patterns | |
| Cisco AnyConnect | DTLS record layer | Medium - DTLS fingerprint | |
| Juniper Pulse/Ivanti | Custom application data | Medium - TLS extensions | |
| F5 BIG-IP Edge | Proprietary over TLS | Medium - TLS patterns | |
| Zscaler Private Access | Cloud-based tunneling | Medium - Domain/IP fingerprint | |
| BoreasTUN | No fixed structure | Very Low - No fixed structure | |
Architecture at a Glance
Clear separation of the data, control, and peer layers.
- Data Plane: userspace packet processing with optional acceleration features
- Control Plane: secure in-tunnel management protocol with explicit scope limits
- P2P Layer: optional direct path selection with safe fallback
- Transport: UDP-first with TCP fallback and platform-specific tuning options
- Platform Integrations: TUN handling and routing for supported OS targets
Design Principles
The operating philosophy.
Performance is a feature
Throughput and latency are treated as first-class goals.
Security over novelty
Modern, well-studied primitives for both streaming and handshake; no custom crypto.
Operational clarity
Explicit boundaries between data, control, and P2P.
Configurable, not fragile
Safe defaults with opt-in advanced features.
