A small, simple and secure VPN
Clone or download
angt Update mud and show status in path
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
Latest commit 6bcc46c Nov 9, 2018



Glorytun is a small, simple and secure VPN over mud.


Glorytun only depends on libsodium version >= 1.0.4. Which can be installed on a wide variety of systems. Linux is the platform of choice but the code is standard so it should be easily ported on other posix systems. It was successfully tested on OpenBSD, FreeBSD and MacOS.


Work still in progress, wait for version 1.0.0 for stability.


The key features of Glorytun come directly from mud:

  • Fast and highly secure

    The use of UDP and libsodium allows you to secure your communications without impacting performance. Glorytun uses AES only if AES-NI is available otherwise ChaCha20 is used. You can force the use of ChaCha20 for higher security. All messages are encrypted, authenticated and marked with a timestamp. Perfect forward secrecy is also implemented with ECDH over Curve25519.

  • Multipath and active failover

    This is the main feature of Glorytun that allows to build an SD-WAN like service. This allows a TCP connection to explore and exploit multiple links without being disconnected.

  • Path MTU discovery without ICMP

    Bad MTU configuration is a very common problem in the world of VPN. As it is critical, Glorytun will try to setup it correctly by guessing its value. It doesn't rely on ICMP Next-hop MTU to avoid black holes.

Build and Install

We recommend the use of meson for building instead of the more classical autotools suite (also available for old systems).

On Ubuntu, the following command should be sufficient to get all the necessary build dependencies:

$ sudo apt-get install meson libsodium-dev pkg-config

To build and install the latest release from github:

$ git clone https://github.com/angt/glorytun --recursive
$ meson glorytun glorytun/build
$ sudo ninja -C glorytun/build install

This will install all binaries in /usr/local/bin by default.

You can easily customize your setup with meson (see meson help).


Just run glorytun with no arguments to view the list of available commands:

$ glorytun
available commands:

  show     show all running tunnels
  bench    start a crypto bench
  bind     start a new tunnel
  set      change tunnel properties
  sync     re-sync tunnels
  keygen   generate a new secret key
  path     manage paths
  version  show version

Use the keyword help after a command to show its usage.

Mini HowTo

Glorytun does not touch the configuration of its network interface (except for the MTU), It is up to the user to do it according to the tools available on his system (systemd-networkd, netifd, ...). This also allows a wide variety of configurations.

To start a server:

# (umask 066; glorytun keygen > my_secret_key)
# glorytun bind keyfile my_secret_key &

You should now have an unconfigured network interface (let's say tun0). For exemple, the simplest setup with ifconfig:

# ifconfig tun0 pointopoint up

To check if the server is running, simply call glorytun show. It will show you all the running tunnels.

To start a new client, you need to get the secret key generated for the server. Then simply call:

# glorytun bind to SERVER_IP keyfile my_secret_key &
# ifconfig tun0 pointopoint up

Here the tricky part... You need to specify your paths or glorytun will not send anything, it's easy:

# glorytun path LOCAL_IPADDR up

Again, to check if your path is working, you can watch its status with glorytun path. You should now be able to ping your server with ping

If you use systemd-networkd, you can easily setup your tunnels with the helper program glorytun-setup.


  • @jedisct1 for all his help and the code for MacOS/BSD.
  • The team OTB (@bessa, @gregdel, @pouulet, @sduponch and @simon) for all tests and discussions.
  • OVH to support this soft :)

For feature requests and bug reports, please create an issue.