Custom VPN

Systems Programming

Layer 3 VPN tunnel built from scratch using C, raw sockets, and Linux TUN/TAP interfaces with a Docker-based client-server architecture for network isolation.

C, Raw Sockets, Linux/TUN/TAP, Docker

What it is

Custom VPN is a from-scratch Layer-3 tunnel implementation in C that uses raw UDP encapsulation with Linux TUN interfaces to demonstrate core VPN internals without relying on OpenVPN or WireGuard frameworks.

Problem it solves

Most production VPN stacks hide low-level packet lifecycle details. This project solves the learning gap by exposing tun interface setup, IP packet capture, UDP encapsulation, decapsulation, and route control in a minimal and inspectable codebase.

How it works

  • Run the server on the host namespace with a dedicated tun interface and UDP listener on port 5555.
  • Run the client inside a Docker container to simulate remote isolation and avoid local routing-loop artifacts.
  • Read Layer-3 packets from tun0/tun1, encapsulate payloads in UDP datagrams, and forward through the host-container path.
  • Decapsulate packets at the opposite endpoint and hand them back to the kernel networking stack via the tun device.
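  • Verify connectivity with ping tests against the tunnel IPs, and observe the tunnel's UDP transport using tcpdump on docker0. Encryption is not part of this baseline, so the encapsulated packets appear in cleartext in the capture.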
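
The decapsulation step writes whatever arrives on UDP port 5555 into the kernel via the tun device, so a receiver would normally sanity-check each payload first. The following is an added example, not code from this project; the function names and the 10.8.0.0/24 tunnel subnet are assumptions, since the page gives no addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reasons a decapsulated payload is refused before write() to the tun fd. */
enum inner_verdict { INNER_OK = 0, INNER_SHORT, INNER_NOT_IPV4, INNER_BAD_IHL,
                     INNER_LEN_MISMATCH, INNER_SRC_OUTSIDE_TUNNEL };

/* Assumed tunnel subnet 10.8.0.0/24 in host byte order (not from the page). */
#define TUN_NET  0x0A080000u
#define TUN_MASK 0xFFFFFF00u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Check one UDP payload (buf/len as returned by recvfrom) as an inner IPv4
 * packet. The header checksum is left to the kernel's IP input path. */
enum inner_verdict check_inner_packet(const uint8_t *buf, size_t len) {
    if (len < 20) return INNER_SHORT;                    /* minimum IPv4 header */
    if ((buf[0] >> 4) != 4) return INNER_NOT_IPV4;       /* version nibble */
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;            /* header length in bytes */
    if (ihl < 20 || ihl > len) return INNER_BAD_IHL;
    size_t total = ((size_t)buf[2] << 8) | buf[3];       /* IPv4 total length */
    if (total != len || total < ihl) return INNER_LEN_MISMATCH;
    if ((be32(buf + 12) & TUN_MASK) != TUN_NET) return INNER_SRC_OUTSIDE_TUNNEL;
    return INNER_OK;
}

/* Constructed sample: 20-byte IPv4 header + 8 payload bytes, 10.8.0.2 -> 10.8.0.1. */
static const uint8_t sample_ok[28] = {
    0x45, 0x00, 0x00, 0x1C, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 8, 0, 2,  10, 8, 0, 1,  8, 0, 0, 0, 0, 0, 0, 0 };

/* Copy the sample, overwrite one byte, and check it with a claimed length. */
enum inner_verdict check_variant(size_t off, uint8_t val, size_t len) {
    uint8_t pkt[sizeof sample_ok];
    memcpy(pkt, sample_ok, sizeof pkt);
    pkt[off] = val;
    return check_inner_packet(pkt, len);
}

int main(void) {
    printf("valid sample   -> %d\n", check_inner_packet(sample_ok, sizeof sample_ok));
    printf("foreign source -> %d\n", check_variant(12, 192, sizeof sample_ok));
    return 0;
}
```

This is a sanity filter, not authentication: until the encryption the page lists as a later step is added, the source address inside a datagram is only as trustworthy as the network path to the listener.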

Key capabilities

  • Raw C implementation of tun-device packet IO and UDP tunnel transport.
  • Containerized client topology that mirrors real remote endpoint behavior.
  • Manual IP and peer route setup for full control over path semantics.
  • Clear baseline architecture for later encryption, NAT, and multi-client expansion.
  • Hands-on debugging workflow using packet capture and namespace-aware testing.

Impact and outcomes

  • Validates an end-to-end software tunnel from packet capture to remote forwarding.
  • Demonstrates strong systems knowledge in networking, sockets, and Linux virtual interfaces.
  • Provides a practical educational baseline for evolving toward production-grade VPN capabilities.