I would like to share an experimental FreeBSD port of usque:
https://github.com/Diniboy1123/usque
The original project is an open-source reimplementation of the Cloudflare WARP client's MASQUE mode, using Connect-IP over QUIC/HTTP/3. It supports several operating modes, including proxy modes and a native TUN mode.
My fork adds initial FreeBSD native TUN support for the nativetun mode. The goal is to make it possible to run usque on FreeBSD/OPNsense and expose a normal tunnel interface, which can then be used manually with routes, firewall rules, gateways, etc.
At this stage this is not an OPNsense plugin yet, only a working FreeBSD-oriented code experiment. Routing, NAT, DNS and firewall integration are intentionally left to the administrator / OPNsense configuration. I am sharing it here in case others are interested in testing, improving, or eventually helping turn this into a proper OPNsense plugin.
Please note that this is not optimized yet, neither on the Go implementation side nor on the FreeBSD TUN handling side. It should be considered a proof of concept / possible implementation approach rather than a polished or production-ready solution. The current goal is mainly to demonstrate that native TUN mode can work on FreeBSD and to provide a starting point for further testing and optimization.
Current status / what works so far:
- Successful connection to Cloudflare WARP, including Zero Trust enrollment/configuration.
- Basic usque functions, such as registration and configuration handling, also work on FreeBSD.
- Native TUN mode successfully creates a FreeBSD tunnel interface.
- Communication through the tunnel works both towards the public Internet and towards another device/server connected through the same Cloudflare Zero Trust environment.
- Manual routing through the created TUN interface has been tested successfully.
In this issue, you will find my modified fork: https://github.com/Diniboy1123/usque/issues/106