> I mean I suppose it requires elevated permissions but frankly it doesn't require any more permissions than most software, so this feels like a weird point to pick on. You need elevated permissions to bind 80 and 443, etc., right?
I think maybe you're misunderstanding what my goal is. If I have a local webserver running on my laptop on port 8080, I want to expose that via HTTPS on a public domain. The server that terminates the HTTPS connection needs root to run on port 443, but my laptop doesn't need root to start the upstream webserver on 8080, and it shouldn't need root to tunnel it to the public server either.
[Tailscale founder here] If you're using a Mac, you can just install Tailscale from the App Store, which does not require root (thanks to the "magic" of Apple's extension signing).
I haven't dug into the WireGuard spec yet, so this might be an ignorant question: Do you think it would be possible to create a client that can talk with WG servers normally, but on the local side it forwards to a specific port, rather than a network interface? That would avoid the root requirement. I'm guessing the answer is no since it sounds like you guys are working on integrating a custom non-WG solution.