Add --wireguard mode

Open HouQiming opened this issue 2 years ago • 4 comments

Added an option --wireguard triggering two small changes to address wireguard quirks:

  • Clear DF bit: wireguard MTU is quite small already and adding udp2raw on top breaks a lot of stuff. Allow fragmenting udp2raw's own raw packets in --wireguard. Can be enabled individually with --do-fragment.
  • Wireguard allows endpoint IP changes but rejects port-only endpoint changes. By default, udp2raw -s connects from a different port on 127.0.0.1 for each client, which will start getting rejected by wireguard from the 2nd attempt. As a workaround, when --wireguard is enabled and udp2raw tries to connect to a link-local address, the patch generates a different link-local source IP for each connection. Can be enabled individually with --rand-addr.

HouQiming avatar Feb 14 '23 09:02 HouQiming

I am fine to add an option to set the DF bit, but it is unlikely to solve the real problem (I think)

        if (g_should_fragment) {
            iph->frag_off = htons(0x0000);  //DF cleared,others are zero
        } else {
            iph->frag_off = htons(0x4000);  // DF set,others are zero
        }

We are sending/receiving packets with a raw socket (level 2 or 3 for sending (depends on setting), always level 2 for receiving); on your machine, the OS can't do IP fragmentation even if you clear the DF bit. Raw sockets bypass the OS's fragmentation and defragmentation.

wangyu- avatar Jul 22 '23 21:07 wangyu-
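To make the two sides of this exchange concrete, here is an added example (not udp2raw's code, and not posted by either participant) that encodes the `frag_off` field the way the snippet above does and then models what an intermediate router on a smaller-MTU hop does with the resulting datagram: with DF set it must drop the packet (the "fragmentation needed" case), with DF cleared it may split it into fragments itself. The sending host's own kernel is deliberately absent from the model, which is the point of the reply above: on a raw socket, clearing DF only permits fragmentation by hops downstream. The router model is a constructed simplification (IPv4 only, 20-byte header, no options); `IP_FLAG_DF`, `IP_FLAG_MF` and `IP_OFFSET_MASK` are the RFC 791 bit positions, named here for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* IPv4 "flags + fragment offset" field (RFC 791): 3 flag bits, then a
 * 13-bit offset in units of 8 octets. Names are this example's own. */
#define IP_FLAG_DF     0x4000u  /* Don't Fragment */
#define IP_FLAG_MF     0x2000u  /* More Fragments */
#define IP_OFFSET_MASK 0x1FFFu

/* Network-order value the snippet above stores in iph->frag_off. */
uint16_t make_frag_off(int should_fragment) {
    return htons(should_fragment ? 0x0000 : IP_FLAG_DF);
}

int df_set(uint16_t frag_off_be) { return (ntohs(frag_off_be) & IP_FLAG_DF) != 0; }
int mf_set(uint16_t frag_off_be) { return (ntohs(frag_off_be) & IP_FLAG_MF) != 0; }

/* Byte offset of this fragment's payload within the original datagram. */
unsigned frag_offset_bytes(uint16_t frag_off_be) {
    return (ntohs(frag_off_be) & IP_OFFSET_MASK) * 8u;
}

/* Model of a downstream router forwarding a datagram of total_len bytes onto a
 * link with the given MTU. Returns the number of fragments forwarded, or 0 if
 * the datagram is dropped (too large and DF set). The frag_off value of each
 * forwarded fragment (network order) is written to out[], up to max_out. */
int router_forward(uint16_t frag_off_be, unsigned total_len, unsigned mtu,
                   uint16_t *out, int max_out) {
    const unsigned hdr = 20;                    /* no IP options assumed */
    if (total_len <= mtu) {                     /* fits: forward unchanged */
        if (max_out > 0) out[0] = frag_off_be;
        return 1;
    }
    if (df_set(frag_off_be) || mtu <= hdr) return 0;   /* must drop */

    unsigned payload = total_len - hdr;
    unsigned per = (mtu - hdr) & ~7u;           /* payload per fragment, 8-byte multiple */
    if (per == 0) return 0;
    unsigned base = ntohs(frag_off_be) & IP_OFFSET_MASK;  /* nonzero if already a fragment */
    int orig_mf = mf_set(frag_off_be);
    int n = 0;
    for (unsigned done = 0; done < payload; done += per) {
        unsigned chunk = (payload - done < per) ? payload - done : per;
        int last = (done + chunk == payload);
        uint16_t f = (uint16_t)(base + done / 8);
        if (!last || orig_mf) f |= IP_FLAG_MF;  /* last piece of a fragment keeps MF */
        if (n < max_out) out[n] = htons(f);
        n++;
    }
    return n;
}

int main(void) {
    uint16_t frags[8];
    /* 1500-byte datagram hitting a 1400-byte hop, both DF settings. */
    printf("DF set:     forwarded %d fragment(s)\n",
           router_forward(make_frag_off(0), 1500, 1400, frags, 8));
    int n = router_forward(make_frag_off(1), 1500, 1400, frags, 8);
    printf("DF cleared: forwarded %d fragment(s)\n", n);
    for (int i = 0; i < n; i++)
        printf("  fragment %d: offset %u bytes, MF=%d\n",
               i, frag_offset_bytes(frags[i]), mf_set(frags[i]));
    return 0;
}
```

Running it shows the asymmetry the reply describes: the DF-set datagram is dropped at the narrow hop, while the DF-cleared one leaves as two fragments (offset 0 with MF set, offset 1376 without), reassembled only at the final destination, where a raw-socket receiver would see the fragments rather than the whole datagram.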

Wireguard allows endpoint IP changes but rejects port-only endpoint changes

I was not aware of this problem before. Could anyone help confirm?

wangyu- avatar Jul 22 '23 21:07 wangyu-

More context:

I'm trying to make my rig more robust with bad MTU settings. I have other hops on the link with uncontrolled / frequently changing MTUs and they may need to fragment udp2raw's output packet. I cleared the DF bit for that.

As for the port-only endpoint change thing, changing link-local IPs every time was a quick hack and it did fix my wireguard connection. But I didn't check wireguard code to confirm.

HouQiming avatar Jul 24 '23 06:07 HouQiming

Wireguard allows endpoint IP changes but rejects port-only endpoint changes. By default, udp2raw -s connects from a different port on 127.0.0.1 for each client, which will start getting rejected by wireguard from the 2nd attempt.

I personally think this might be some misunderstanding.

If this is true, the same applies for wireguard client behind a router. 2nd attempt behind a router will also be rejected.

But I might be wrong. Hope someone else can help confirm.

wangyu- avatar Jul 24 '23 07:07 wangyu-