Show HN: TunnlTo – Windows WireGuard split tunnel client built with Rust, Tauri (github.com/tunnlto)
136 points by brndnbuilds on Jan 31, 2023 | hide | past | favorite | 45 comments
Hi Everyone,

TunnlTo is a tool for controlling which Windows applications, processes, and IP addresses can use a WireGuard VPN tunnel. Here are some examples of how it could be used:

- Route only Firefox through a privacy VPN
- Route Slack and Microsoft Office through a work VPN
- Route a game through a gaming VPN
- Stop a game from routing through a privacy VPN
- Stop a browser from routing through a work VPN
- Route a specific IP address range through a privacy VPN
- Route all traffic through a privacy VPN except a specific IP address range

I have been collaborating on this project with the creator of WireSock - Vadim Smirnov.

"WireSock VPN Client is a lightweight command line WireGuard VPN client for Windows that has advanced features not available in the official WireGuard for Windows such as selective application tunneling and disallowed IP addresses.

WireSock VPN Client combines the power of Windows Packet Filter and BoringTun (user space WireGuard implementation in Rust) to provide exceptional performance, security and scalability."

The TunnlTo app is built with Tauri and I've used boring old HTML, CSS (Bootstrap) and JavaScript as I had major JS framework fatigue. I have previously built a production app with Electron and Vue. Tauri appealed to me for its use of Rust and its small installation sizes. I tried Tauri pre version 1.0 and had a bit of trouble but this time around it's been a positive experience. The docs and the Discord community have come a long way.

I would appreciate any feedback about the project so I can get an idea of what direction to take it in next. Vadim will be around a little later if anyone is curious about the WireGuard implementation and wants to know more.

Thanks for reading!




I'm not complaining about Tauri/Electron usage normally, I'm happy using VS Code and a few other apps using this tech, but... why? This app uses a few buttons and text fields. It can be done using literally any available toolkit. Or even with imgui-rust if you want a matching look.


> This app uses a few buttons and text fields

Well it's not finished yet :)

The reasons for choosing Tauri:

- With new projects I try to learn something new but not everything all at once. This helps to not get overwhelmed and ship something in a reasonable timeframe.

- I'm comfortable with HTML, CSS, JS and I wanted to learn Rust, which Tauri uses.

- I figured the UI is going to change a lot in the early days and I wanted to be able to iterate on it quickly, so choosing something I know already for the UI made sense to me.

- If the project gets bigger, I can move to a JS framework easily enough and will have access to all the ecosystem it provides.

- I thought it would be easier to attract contributors with a web framework UI and Rust.

- While I want it to be as lightweight as possible, it is not going to be run on low spec machines so I feel like the tech stack is fit for purpose.


I'm glad you used it, even if to some your application doesn't need it, it's good for the toolkit and I personally like how it looks.

Additionally, I think that your project might be useful to people and the only reason it exists is because you invested your own time on it so if using tauri was something that motivated you or gave you any type of satisfaction then I'm happy for you.

Thank you!


Appreciate your kind comment!


Actually, I think many apps don't even require Tauri, Electron etc. They can use localhost:unique port and open the UI in the browser when we click from the tray?


This is exactly what Tauri does: unlike Electron it relies on the system web engine.


Does it use extra memory? In the browser I can open the UI in multiple tabs. But I suspect Tauri creates another browser window in a different process, which consumes similar memory to what we see in Electron.


This app is just a wrapper starting an exe with args, it's not doing much ...

I would actually say it's pretty dangerous to have something installing .msi from git, touching registry etc ...

https://github.com/TunnlTo/desktop-app/blob/main/src-tauri/s...

https://github.com/TunnlTo/desktop-app/tree/main/src-tauri/w...


> This app is just a wrapper starting an exe with args, it's not doing much ...

You're free to run WireSock in the terminal. It's linked to in this post and in the GitHub repo. TunnlTo aims to make WireSock more accessible and to add some quality of life features. I'm collaborating with the WireSock creator and while it may seem simple at the moment it is early days... we had to start somewhere.

> I would actually say it's pretty dangerous to have something installing .msi from git, touching registry etc ...

Did you look at this code?: https://github.com/TunnlTo/desktop-app/blob/main/dist/setup....

It tells the user why it needs to install the msi, explains what it is, and gives them the option to proceed. The msi is signed by the same EV code signing certificate as the TunnlTo app. There is also information about WireSock and links in the GitHub readme.

> installing .msi from git

The .msi doesn't come from "git", it is included in the TunnlTo installer which is standard practice.

> touching registry etc ...

I'm not sure why there would be a concern if an msi interacts with the registry? That is pretty standard stuff.


This is cool, although tbh my biggest challenge with WireGuard is that I'd really like to be able to run Tailscale and another VPN at the same time.

Another trick: if you are using Firefox with Multi-Account Container tabs, you can use a WireGuard client that exposes a SOCKS5 interface (like Wireproxy) and set up your tabs to use different WireGuard connections. You could even use this in addition to split tunnelling.


I think things could get pretty messy running Tailscale and another VPN at the same time. I suppose you could do it with IP ranges but process level split tunneling... that needs some thought on what is happening there. Maybe Vadim will have some thoughts on that later.

That is a cool trick. Can you actually define which Firefox tabs use the proxy? Does it highlight the tab in some way to show you which connection you're on?


Yeah, with Firefox container tabs you can create new tabs on a given profile, and with the Multi-account extension those profiles can each be associated with a proxy. Profiles themselves have a color associated that shows up on the tab. So tabs in the same window can use different proxies.


TIL! Thanks for the explanation


I haven't used Tailscale, but I'm confused. I thought WireGuard had a simple config where you can just place a range of IPs and it basically just sends anything to those IPs over wg - effectively split tunneling.

So why couldn't you just have a different range for another subnet? Is it just because Tailscale made everything needlessly complex? Or is it a base WireGuard problem?


Tailscale isn't WireGuard, it uses WireGuard under the hood but it doesn't do what WireGuard does.


It would be helpful if you can also bundle a dnsmasq-like (dnsmasq is not available for Windows :( ) thing for split-tunnel DNS.

For example, I would like *.work.example.com to go through the DNS in the work VPN.


No need for additional software for that. In PowerShell, run:

    Add-DnsClientNrptRule -Namespace ".work.example.com" -NameServers "10.1.2.3","10.4.5.6"
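As an added example (not from this thread), the same NRPT approach written so it can be re-run without stacking duplicate rules, and with a check that the rule actually took effect; the namespace, resolver addresses and test hostname are placeholders:

```powershell
# Added example: pin one DNS namespace to the VPN's resolvers via an NRPT rule.
# Placeholder values; run from an elevated PowerShell session.
$Namespace   = ".work.example.com"
$NameServers = @("10.1.2.3", "10.4.5.6")

# Remove any existing rule for the same namespace so re-running is idempotent
# rather than leaving several rules competing for the same suffix.
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -eq $Namespace } |
    ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }

# Queries under $Namespace now go only to $NameServers; every other name keeps
# using the adapter's normal resolvers, which is the split-DNS behaviour wanted.
Add-DnsClientNrptRule -Namespace $Namespace -NameServers $NameServers `
    -Comment "work VPN split DNS"

# Verify: the rule is listed, and a lookup under the suffix resolves via
# the pinned servers (hostname is a placeholder).
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -eq $Namespace } |
    Format-Table Namespace, NameServers, Comment
Resolve-DnsName -Name "intranet.work.example.com" -DnsOnly
```

The NRPT rule is machine-wide and independent of the tunnel state, so if the resolvers are only reachable through the VPN, the VPN's allowed IP ranges must include them, and while the tunnel is down names under the suffix fail to resolve rather than falling back to the public resolvers.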


dnscrypt-proxy, it's also good for DNS encryption


I've been using it for the last two weeks and I've been pretty happy with it. One thing I wish it had is to display possibly some information regarding the connection. I usually use icanhazip to verify my IP is different from my local net. I think displaying what exclusions and such are active during an active connection would be good too.

Typing on phone, so please excuse the slightly abrupt tone.


Good to hear that it's working out for you. I'm actually having a bit of trouble keeping in contact with the active users. I put a post in the discussion area of the repo but didn't get much response. If anyone has any ideas on how to better keep in touch with the users I would appreciate it.

I agree, it needs better visibility of what is happening with the active connection. It's easy enough to use icanhazip etc. in a browser to see the active IP but that's not possible in apps like a torrent downloader or game. Someone suggested a feature to monitor data input/output in the repo discussion area so I'll tag onto that with your suggestions.


Reaching your users is even difficult for me, building internal tools. We use a multi-pronged strategy. The only way to be sure is to have a popup in the app, although tbf this annoys people so care should be taken to minimise the nuisance.


Awesome. Just yesterday I used WireGuard on my Windows laptop. The one acting as the gateway is using a dynamic public IP. So I used a Dynamic DNS service for the client to connect to. The problem is when the public IP is changed by the ISP, the WireGuard VPN tunnel fails because it keeps the old IP.

Do you have/plan this kind of feature? I mean the WireGuard client will check the public IP of the WireGuard server from time to time?


Another user brought up this feature request a little while ago and I discussed it with the WireSock creator (WireSock is the underlying network driver). Unfortunately we never decided on an implementation plan. I'll add it as a feature request in the repo discussions area.



thanks



I've been talking to the WireSock creator about this question and will get back to you. It's not a straightforward yes or no and I want to get the answer right.


Selective application tunneling is very interesting, I didn't know APIs were available for that (or do you have a custom network driver for it?).

Is it bullet-proof enough for a killswitch or would the apps go through the normal route if I forgot to open your application, or if the vpn server is down?


I think selective application tunneling for windows is an incredibly useful thing and I wondered for a long time why it wasn't more popular until I realized how difficult it is to implement.

TunnlTo uses WireSock https://www.wiresock.net/ which is a custom network driver built by Vadim Smirnov. He'll be on later to answer any technical questions. He is the expert in networking and kernel level drivers.

I wouldn't call it bullet-proof enough for a killswitch yet but it certainly is something we're working towards. The response so far from HN is encouraging so it looks like it will be worthwhile dedicating more time to the project to get it to that level.


I also would love to know how it was able to do it. I tried implementing something similar for an application, but I wasn't able to tunnel only selected applications; in the end I used a SOCKS proxy and manually configured the application that I wanted to use it, but I would love a less "hacky" way to do it (not all apps support a SOCKS proxy).


You keep saying driver, but WireSock says it's usermode. Can you clarify?

Not trying to be a jerk, just that I’d be more inclined to try out a purely usermode application than install a driver.


I assume since WireSock is using BoringTun (https://github.com/cloudflare/boringtun) under the hood, it works similarly to other userspace implementations of WireGuard (e.g. wireguard-go, wireguard-rs) in that it uses a TUN device to deliver packets to the userspace implementation, and back out to the network. So, no driver installation required, but CAP_NET_ADMIN is required to create the TUN device.


Why does this (and quite a few other articles here) always mention 'rust' in the headline? Are there other split-tunnel solutions that are not written in rust? Is this one better feature-wise or does rust somehow make it better, that people would choose this instead of <some other> software? If it's the only software that does this, why is rust important then, if there are no non-rust alternatives?

There have been literal "text editor written in rust" articles here, and instead of mentioning why I should use the text editor (why is it better than vi, emacs, notepad++,...), the only feature is "written in rust"... why?


Well, the same thing is true for other languages too. Some languages used to be popular to mention because they were new and shiny (like Ruby; there was a period of time when "X written in Ruby" was popular on HN), and others are seemingly always worth mentioning, like Common Lisp or Clojure.

Bunch of language nerds on here (both world and programming languages), so it kind of makes sense to share a bit about the language.


I suppose we're all here to discuss new things and ideas and Rust is "new". So with that in mind, people may be interested to know how others are experimenting and building with it.


Not only that, sometimes when I want to know more about a particular tech I search HN and Reddit and other places for it. Having it in the title makes it easier to know it's in the stack.


Awesome and a cool choice of tools. Reminds me of https://safing.io/spn/ . Is it possible to split tunnel two different chrome profiles?


Thanks! I hadn't thought of splitting Chrome profiles before. I don't believe it would be possible as the app stands now but something to consider in future.


Nice name! I created https://tunnelto.dev (https://github.com/agrinman/tunnelto) -- also an open source Rust tunneling program.


Hah, very cool! I settled on the name after I realized I could get this cool domain for it: https://tunnl.to/ :)


This is such a fantastic solution I have always wanted. Thank you. It would be nice if the UI could display how many bytes etc. are flowing from each app, including IP address etc.


Pleased to hear it will be useful for you! That feature will probably need to be done in WireSock (the network driver TunnlTo uses). Someone requested it in the repo's discussion area https://github.com/TunnlTo/desktop-app/discussions/39 so I'll keep track of it.


Thank you to everyone that has contributed to the discussion. I'm logging off for the night but will reply to any questions first thing tomorrow.


Can I chain VPNs like I can proxies in Proxifier?


Not at the moment, but the creator of WireSock (which TunnlTo wraps) has looked at implementing a chaining feature. He'll be logging on a little later (it's the middle of the night for him) so hopefully he can provide a bit more info on how that might work.



