TunGo is a lightweight VPN designed for modern needs: fast, secure, and open-source.
- 🧩 Easy to deploy & configure.
- 🚀 High Performance — near-zero allocations on the hot path (benchmarked).
- 📦 Tiny Memory Footprint — ≈5–15 MB RSS under load, ≈5–8 MB idle.
- 🔒 End-to-End Encryption — Noise IK handshake for mutual authentication; X25519 (Curve25519 ECDH) for key agreement; ChaCha20-Poly1305 (AEAD) for traffic encryption.
- ⚡ Built from Scratch — no legacy, no bloat. Clean, readable Go code.
- 🌐 IoT & Embedded Ready — optimized for small devices and constrained environments.
- 🛡️ Open Source — AGPL-3.0-only; commercial licenses available.
TunGo includes in-memory full-cycle dataplane benchmarks for both UDP and TCP. These benchmarks measure userspace packet-processing throughput only: encryption, routing/lookup, validation, decryption, and handoff to an in-memory sink.
Example single-run results for 1400-byte packets on Apple M4 Pro:
| Path | ns/op | Throughput | Allocs/op |
|---|---|---|---|
| UDP client -> server | ~2.7 us | ~4.3 Gbit/s | 0 |
| UDP server -> client | ~2.6 us | ~4.3 Gbit/s | 0 |
| TCP client -> server | ~2.6 us | ~4.3 Gbit/s | 0 |
| TCP server -> client | ~2.6 us | ~4.3 Gbit/s | 0 |
These numbers do not include TUN device, socket, kernel, firewall/NAT, or real network overhead. Treat them as dataplane-core benchmarks, not end-to-end VPN throughput claims.
To reproduce:
cd src
go test ./infrastructure/tunnel/dataplane/server/udp_chacha20 ./infrastructure/tunnel/dataplane/client/udp_chacha20 ./infrastructure/tunnel/dataplane/server/tcp_chacha20 ./infrastructure/tunnel/dataplane/client/tcp_chacha20 -run ^$ -bench FullCycle -benchmemRefer to: QuickStart
See more use cases at https://tungo.ethacore.com, for example:
- How to run the server in a Docker container
- How to set up a server systemd unit (auto-start on boot)
- How to set up a client systemd unit (auto-start on boot)
TL;DR: You can use TunGo privately or commercially.
If users interact with your (modified or unmodified) TunGo over a network (SaaS/hosted), you must provide them the complete corresponding source code of TunGo, including your changes and the scripts used to control compilation and installation.
Independent services that only communicate with TunGo over standard protocols (HTTP/gRPC, queues, etc.) do not have to be open-sourced (unless they are part of a derivative work).
If you need to embed/link TunGo into a proprietary product without sharing source, contact mailto:6stringsohei@gmail.com for a commercial license.
- Run TunGo for personal or commercial use.
- Modify it and keep changes private as long as no users access it over a network.
- Host it as a paid service (SaaS).
- Combine it with separate services via clean network boundaries.
- For hosted/SaaS use: offer users a link to download the source of the TunGo version you run, incl. your patches and build/install scripts.
- For binary distribution: ship or offer the source for the distributed TunGo parts.
- Keep copyright notices and the AGPL-3.0 license text.
- Open-source unrelated services, databases, infra, or monitoring—unless they become a derivative work of TunGo.