Show HN: MintFlow NetStack – a new WireGuard iOS client built on fd.io VPP
Hi HN,
I just got MintFlow NetStack 1.1.0 approved by Apple; this version introduces app-level routing. I thought this would be a good time to share the project and some of the technical background behind its development.
Over the past two years, I've built two iOS VPN apps based on Tailscale. I really appreciate their excellent documentation and high-quality code. However, I wanted more flexibility on the client side, particularly around local routing and split tunneling. While Tailscale now offers an App Connector feature, my use case required everything to run locally, without a central coordinator to distribute DNS routes.
Since I've been working with fd.io VPP for a while and really like its architecture, I decided to try building a WireGuard-based VPN app on top of it. VPP has a WireGuard plugin modeled after FreeBSD's implementation (though it is not actively maintained). My first challenge was porting the VPP core to Darwin (the underlying OS for iOS/macOS). Thanks to the recent FreeBSD support via epoll-shim, this turned out to be complex but feasible, and I eventually got VPP running on macOS.
From there, I bridged Apple's utun interface with VPP's host stack, handling BSD socket I/O, and eventually got a working app. Version 1.0.0 shipped with basic split tunneling based on CIDR prefixes, but that felt too limited.
So last month I added an internal stub DNS resolver using hickory-dns (Rust-based) and enabled VPP's host stack to reconstruct TCP/UDP connections from Apple's tunnel interface and forward them via local interfaces (Wi-Fi/cellular). This unlocks much more granular routing: for example, selectively sending specific traffic through WireGuard, keeping other traffic local, or blocking routes entirely using VPP's blackhole.
I'm happy to discuss the technical details. I never thought I'd still be writing C in 2025 for an iOS app core, though Rust is now part of the stack too. I initially tried c-ares for DNS resolution but opted for Rust to move faster and learn something new.
Building this has been a lot of fun. Right now, MintFlow is a paid app with a one-time purchase. I plan to keep expanding it; VPP's active development means I can add features like MITM-based HTTPS capture and more advanced routing in future releases.
Here are the links:
App Store: [https://apps.apple.com/us/app/mintflow-netstack/id6742394218](https://apps.apple.com/us/app/mintflow-netstack/id6742394218)
Website: [https://mintflow.643216.xyz](https://mintflow.643216.xyz)
Thanks!
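As an added illustration (not MintFlow's code and not the hickory-dns or VPP API), here is the DNS-driven split-tunnel policy the post describes, reduced to its core: a stub resolver classifies each answered name by suffix rule into tunnel, local or blackhole, records the answered IPs, and later connections are routed by destination IP. All type and function names in the block are assumptions.

```rust
// Added example: domain-policy split tunneling driven by a stub resolver.
// Not the project's code; names below are illustrative assumptions.
use std::collections::HashMap;
use std::net::Ipv4Addr;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Action {
    Tunnel,    // send through the WireGuard peer
    Local,     // forward via the local interface (Wi-Fi/cellular)
    Blackhole, // drop, like a VPP blackhole route
}

/// Suffix rules, checked longest-suffix-first; `fallback` applies otherwise.
pub struct Policy {
    rules: Vec<(String, Action)>,
    fallback: Action,
}

impl Policy {
    pub fn new(mut rules: Vec<(&str, Action)>, fallback: Action) -> Self {
        // Longer suffixes first so "cdn.corp.example" wins over "corp.example".
        rules.sort_by_key(|(s, _)| std::cmp::Reverse(s.len()));
        let rules = rules.into_iter().map(|(s, a)| (s.to_string(), a)).collect();
        Policy { rules, fallback }
    }
    pub fn action_for(&self, name: &str) -> Action {
        let name = name.trim_end_matches('.').to_ascii_lowercase();
        self.rules.iter()
            .find(|(suf, _)| name == *suf || name.ends_with(&format!(".{suf}")))
            .map(|(_, a)| *a).unwrap_or(self.fallback)
    }
}

/// Per-IP route table the stub resolver fills in as DNS answers pass through.
#[derive(Default)]
pub struct RouteTable { entries: HashMap<Ipv4Addr, Action> }

impl RouteTable {
    /// Called on each DNS answer: records which path the answered IPs take.
    pub fn learn(&mut self, policy: &Policy, name: &str, answers: &[Ipv4Addr]) -> Action {
        let act = policy.action_for(name);
        for ip in answers { self.entries.insert(*ip, act); }
        act
    }
    /// Called per outgoing connection: an IP never seen in DNS gets the fallback.
    pub fn lookup(&self, policy: &Policy, dst: Ipv4Addr) -> Action {
        *self.entries.get(&dst).unwrap_or(&policy.fallback)
    }
}
```

Because routing keys off the resolver's answers, any client that bypasses the stub resolver (hard-coded IPs, DoH to a third party) lands on the fallback path, which is the case a CIDR-based default route still has to cover.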