Skip to content

wave-cl/squic-rust

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
examples
examples
 
 
src
src
 
 
tests
tests
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
README.md
README.md
 
 

Repository files navigation

sQUIC — Shielded QUIC (Rust)

Rust implementation of sQUIC, wrapping Quinn. Wire-compatible with squic-go.

Features

  1. Pre-handshake authentication — clients must prove knowledge of the server's public key before the QUIC handshake begins. Invalid packets are silently discarded.
  2. No CA/PKI — identity is a pinned Ed25519 public key (32 bytes). No certificate authorities.
  3. Client whitelisting — runtime-manageable set of allowed client keys. Non-whitelisted clients are silently dropped at the MAC layer.
  4. Persistent client identity — optional client_key config for stable client identity across reconnects, enabling server-side whitelisting.
  5. Replay protection — 120-second timestamp window + 8-byte cryptographic nonce per packet.
  6. DDoS resistance — WireGuard-style MAC2 + cookie mechanism. Under load, the server requires proof-of-address before performing expensive DH operations.
  7. Interoperable — same wire format as squic-go. Go server + Rust client (and vice versa) work together.

Connection Modes

Mode Server config Client config Behaviour
Open No allowed_keys No client_key Any client with the server's public key can connect. Default.
Whitelisted allowed_keys set client_key set Only clients whose keys are in the whitelist can connect. Silently dropped before any QUIC processing.

In all three modes, the server is silent to anyone who does not possess the server's public key.

Connection String

A server's address and public key can be shared as a single string, for example:

sqc://example.com:443/EFj2YJzH6MwVfPnbLdR4SjrUkA9QpXhgK7CcTx31Wm5

Install

[dependencies]
squic = { git = "https://github.com/wave-cl/squic-rust" }

Performance

Mode macOS M4 Pro Cheapest Linux VPS
Upload 2,023 Mbps 2,510 Mbps
Download 1,918 Mbps 2,287 Mbps
Bidirectional 2,571 Mbps total 4,797 Mbps total

Cross-implementation (Rust↔Go, same wire format):

Mode macOS M4 Pro Cheapest Linux VPS
Go client → Rust server 1,679 Mbps 1,849 Mbps
Rust server → Go client 1,662 Mbps 1,791 Mbps

Measured with the included sqperf tool over loopback, 30-second runs.

Examples

sqperf

Throughput benchmark:

# Server
cargo run --release --example sqperf -- -s -p 5000

# Upload
cargo run --release --example sqperf -- -c 127.0.0.1 -p 5000 --key <hex> -t 30

# Download
cargo run --release --example sqperf -- -c 127.0.0.1 -p 5000 --key <hex> -t 30 -R

# Bidirectional
cargo run --release --example sqperf -- -c 127.0.0.1 -p 5000 --key <hex> -t 30 -d

http3

HTTP/3 server and client:

# Server
cargo run --release --example http3 -- -s -p 443

# Client
cargo run --release --example http3 -- -c 127.0.0.1 -p 443 --key <hex>
cargo run --release --example http3 -- -c 127.0.0.1 -p 443 --key <hex> /health

License

MIT

About

Shielded QUIC: MAC shielding for better privacy. Wraps Quinn with near-zero overhead.

Topics

rust socket protocol quic sovereign-tech squic

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

3 tags

Packages

 
 
 

Contributors

Languages