TunSafe is a new application and thus might have bugs or incompatibilities with certain systems or configurations. If you are unable to solve a problem yourself, please take a moment to write an e-mail to email@example.com and we look forward to assisting you.
You can also visit our IRC channel #tunsafe on the EFNet IRC network.
We also have a Community Forum where questions and discussions are welcome.
Q: The author of WireGuard warns about using TunSafe?
A: That is correct. Both WireGuard and especially TunSafe are relatively new software applications and may contain security vulnerabilities. The WireGuard homepage also warns that WireGuard could contain security flaws, so we are in the same boat until the software has undergone more critical testing. With that said, we try to help WireGuard to find vulnerabilities in their software and the WireGuard author and founder of Edge Security recently mentioned that he is checking the TunSafe application for vulnerabilities. We are still waiting the results of this research and will publish it on our website when available.
Q: How secure is TunSafe?
A: Because the official WireGuard protocol is not yet complete, you should not rely on this protocol for mission critical data. It has not undergone proper degrees of security auditing and the protocol is still subject to change. Since TunSafe implements the current WireGuard protocol it shares the same security issues that may be present in the WireGuard protocol.
Q: Does TunSafe support Windows XP, Windows Vista or earlier Windows versions?
A: No, TunSafe requires Windows 7 or later.
Q: Does TunSafe use encryption?
A: Yes, TunSafe uses the same modern proven cryptography as WireGuard - Curve25519, ChaCha20, Poly1305, BLAKE2 and HKDF. These are the latest generation industry standard protocols for maximum security.
Q: Does TunSafe support IPv6?
A: Yes, TunSafe supports IPv6, both for connecting to IPv6 hosts, and for tunneling IPv6 traffic across the VPN link. In order to let Windows successfully route IPv6 packets to the TAP-Windows driver, TunSafe will answer the IPv6 Neighbor Discovery packets targeted to the other side of the VPN link with a special hand-crafted IPv6 Neighbor Advertisement packet.
Q: Can I route all network traffic throgh TunSafe?
A: Yes, TunSafe configures the computer to route all traffic through the peer with
Address=0.0.0.0/0. If you don't want this, set
Table=off in the
[Interface] section. TunSafe does this by adding two new /1 routes both pointing at the VPN server.
Q: Can I route my DNS traffic throgh TunSafe?
A: Yes, TunSafe supports switching DNS servers while being connected to the server. This is configured with the
DNS=<server> setting in the config file. When using this, TunSafe will let Windows know about the new server through the same DHCP request used to configure the IPv4 IP, while for IPv6 it configures the IP through
Q: How does TunSafe ensure outgoing packets won't be fragmented because of the overhead of protocol headers?
A: By default TunSafe will set the MTU of the network interface to 1420. This means the packet plus the overhead of the protocol headers will still fit inside the standard 1500 Ethernet MTU. The value can be configured through the
MTU setting in the config file.