Most of the fields in the WireGuard protocol are encrypted. This implementation parses & uses only the clear text part, which includes:

- `message_type`
- `reserved_zero`
- `sender_index`
- `receiver_index`
- `len(packet)`

The `sender_index` and `receiver_index` themselves are useless for the ruleset, but we can use them to track WireGuard states, which reduces false positives.

Notes for testers: When matching WireGuard traffic using `handshake_*` or `receiver_index_matched` in the expr, an existing WireGuard connection prior to OpenGFW startup might not be blocked until the next handshake (no more than 2 minutes). Restarting the WireGuard interface can trigger a handshake immediately.
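As an added illustration (not OpenGFW's own analyzer code), the following Go program parses only the clear-text WireGuard header described above, validating `message_type`, `reserved_zero` and `len(packet)` and extracting the little-endian index fields, and then tracks `sender_index` values announced in handshakes so that a later `receiver_index` can be checked against them. The message sizes are the fixed layouts from the WireGuard whitepaper; the `Tracker`, `Observe` and `RunSample` names and the sample flow are constructed for this example, and the first packet in the sample reproduces the tester note: transport data from a session whose handshake was never observed yields no match.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// WireGuard message types (from the WireGuard whitepaper).
const (
	MsgHandshakeInitiation = 1
	MsgHandshakeResponse   = 2
	MsgCookieReply         = 3
	MsgTransportData       = 4
)

// Clear-text layout: type (1) + reserved_zero (3) + index field(s); the rest
// is encrypted or MAC material. Sizes are fixed except for transport data.
const (
	sizeHandshakeInitiation = 148 // sender_index at [4:8]
	sizeHandshakeResponse   = 92  // sender_index at [4:8], receiver_index at [8:12]
	sizeCookieReply         = 64  // receiver_index at [4:8]
	minSizeTransportData    = 32  // receiver_index at [4:8], 8-byte counter, 16-byte tag
)

var ErrNotWireGuard = errors.New("not a WireGuard message")

// Header holds only the clear-text fields; nothing encrypted is touched.
type Header struct {
	MessageType   uint8
	SenderIndex   uint32 // present in types 1 and 2
	ReceiverIndex uint32 // present in types 2, 3 and 4
	Length        int
}

// Parse checks message_type, reserved_zero and len(packet), then reads the
// little-endian index fields that the message type carries.
func Parse(pkt []byte) (Header, error) {
	if len(pkt) < 8 || pkt[1] != 0 || pkt[2] != 0 || pkt[3] != 0 {
		return Header{}, ErrNotWireGuard
	}
	h := Header{MessageType: pkt[0], Length: len(pkt)}
	switch {
	case h.MessageType == MsgHandshakeInitiation && len(pkt) == sizeHandshakeInitiation:
		h.SenderIndex = binary.LittleEndian.Uint32(pkt[4:8])
	case h.MessageType == MsgHandshakeResponse && len(pkt) == sizeHandshakeResponse:
		h.SenderIndex = binary.LittleEndian.Uint32(pkt[4:8])
		h.ReceiverIndex = binary.LittleEndian.Uint32(pkt[8:12])
	case h.MessageType == MsgCookieReply && len(pkt) == sizeCookieReply:
		h.ReceiverIndex = binary.LittleEndian.Uint32(pkt[4:8])
	case h.MessageType == MsgTransportData && len(pkt) >= minSizeTransportData:
		h.ReceiverIndex = binary.LittleEndian.Uint32(pkt[4:8])
	default:
		return Header{}, ErrNotWireGuard
	}
	return h, nil
}

// Tracker (constructed for this example) remembers sender_index values seen in
// handshakes on one UDP flow, both directions. A later receiver_index matches
// when it refers to one of them, which is what makes the check stateful.
type Tracker struct{ announced map[uint32]bool }

func NewTracker() *Tracker { return &Tracker{announced: map[uint32]bool{}} }

// Observe feeds one parsed header and reports whether its receiver_index
// (for types that have one) matched a previously announced sender_index.
func (t *Tracker) Observe(h Header) bool {
	matched := false
	switch h.MessageType {
	case MsgHandshakeInitiation:
		t.announced[h.SenderIndex] = true
	case MsgHandshakeResponse:
		matched = t.announced[h.ReceiverIndex]
		t.announced[h.SenderIndex] = true
	case MsgCookieReply, MsgTransportData:
		matched = t.announced[h.ReceiverIndex]
	}
	return matched
}

// makePacket builds a constructed sample message: clear-text fields set,
// every encrypted byte left zero (the parser never looks at them).
func makePacket(msgType byte, size int, sender, receiver uint32) []byte {
	pkt := make([]byte, size)
	pkt[0] = msgType
	if msgType == MsgHandshakeInitiation || msgType == MsgHandshakeResponse {
		binary.LittleEndian.PutUint32(pkt[4:8], sender)
		if msgType == MsgHandshakeResponse {
			binary.LittleEndian.PutUint32(pkt[8:12], receiver)
		}
	} else {
		binary.LittleEndian.PutUint32(pkt[4:8], receiver)
	}
	return pkt
}

// RunSample replays a constructed flow and returns one match result per packet
// (an initiation has no receiver_index, so it is always false).
func RunSample() ([]bool, error) {
	flow := [][]byte{
		makePacket(MsgTransportData, 64, 0, 0xAAAAAAAA), // session from before startup: no handshake seen
		makePacket(MsgHandshakeInitiation, sizeHandshakeInitiation, 0x11223344, 0),
		makePacket(MsgHandshakeResponse, sizeHandshakeResponse, 0x55667788, 0x11223344),
		makePacket(MsgTransportData, 48, 0, 0x55667788), // initiator -> responder
		makePacket(MsgTransportData, 48, 0, 0x11223344), // responder -> initiator
	}
	tr := NewTracker()
	var out []bool
	for _, p := range flow {
		h, err := Parse(p)
		if err != nil {
			return nil, err
		}
		out = append(out, tr.Observe(h))
	}
	return out, nil
}

func main() {
	res, err := RunSample()
	fmt.Println(res, err) // [false false true true true] <nil>
}
```

The first transport packet is the case the tester note describes: its `receiver_index` was never announced in an observed handshake, so a rule built on `receiver_index_matched` stays quiet until the peers re-handshake.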