TunSafe is a new application and thus might have bugs or incompatibilities with certain systems or configurations. If you are unable to solve a problem yourself, please take a moment to write an e-mail to and we look forward to assisting you.

You can also visit our IRC channel #tunsafe on the Freenode IRC network.

We also have a Community Forum where questions and discussions are welcome.

Questions and Answers

Q: What is WireGuard?
A: WireGuard is the next generation high-speed VPN protocol. With high throughput, low latency, low resource usage and increased security, it is the successor to the older protocols used today, such as OpenVPN and IPSec.

Q: What is TunSafe?
A: TunSafe is the first VPN software for Windows that has implemented the WireGuard protocol.

Q: Why should I use TunSafe/WireGuard instead of OpenVPN?
A: It has much higher performance and take less resources from the system. While TunSafe will have the ability to reach 10Gbit/s wire-speed with a modern cpu, OpenVPN have problems to reach 200Mbit/s, see benchmark.

Q: Does TunSafe use encryption?
A: Yes, TunSafe uses modern proven cryptography - Curve25519, ChaCha20, Poly1305, BLAKE2 and HKDF. These are the latest generation industry standard protocols for maximum security.

Q: What about DNS or data leaks?
A: There are situations that can cause Windows to bypass VPN clients and cause leaks. On Windows, TunSafe has implemented a feature that blocks the Internet both through zero routing and / or firewall rules (if enabled by user) so traffic can not bypass the VPN client.

Q: Does TunSafe support Windows XP, Windows Vista or earlier Windows versions?
A: No, TunSafe currently requires Windows 7 or later.

Q: Does TunSafe support OSX/Linux/FreeBSD?
A: TunSafe builds on Linux, FreeBSD, and OSX and is executed in userland. Get it here.

Q: Does TunSafe support Android/iOS?
A: Not yet. But it's in the pipeline. Meanwhile, check out the WireGuard homepage for Android/iOS support.

Q: I want to use TunSafe to host a VPN Service. Where should I start?
A: Currently your best alternative is to use a kernel implementation for maximal performance, check the WireGuard homepage.

Q: Why can't I use TunSafe to host a VPN Service?
A: If you plan to use Windows as a host, you can use our Windows version. However, we recommend using a kernel implementation in Linux if you plan to serve thousands of clients. We have developed one that serves our experimental VPN Service. This version will be released when we are comfortable with its stability.

Q: Does TunSafe support IPv6?
A: Yes, TunSafe supports IPv6, both for connecting to IPv6 hosts, and for tunneling IPv6 traffic across the VPN link. In order to let Windows successfully route IPv6 packets to the TAP-Windows driver, TunSafe will answer the IPv6 Neighbor Discovery packets targeted to the other side of the VPN link with a special hand-crafted IPv6 Neighbor Advertisement packet.

Q: Can I route all network traffic throgh TunSafe?
A: Yes, TunSafe configures the computer to route all traffic through the peer with AllowedIPs= If you don't want this, set Table=off in the [Interface] section. TunSafe does this by adding two new /1 routes both pointing at the VPN server.

Q: Can I route my DNS traffic throgh TunSafe?
A: Yes, TunSafe for Windows supports switching DNS servers while being connected to the server. This is configured with the DNS=<server> setting in the config file. When using this, TunSafe will let Windows know about the new server through the same DHCP request used to configure the IPv4 IP, while for IPv6 it configures the IP through netsh.

Q: How does TunSafe ensure outgoing packets won't be fragmented because of the overhead of protocol headers?
A: By default TunSafe will set the MTU of the network interface to 1420. This means the packet plus the overhead of the protocol headers will still fit inside the standard 1500 Ethernet MTU. The value can be configured through the MTU setting in the config file.