apernet / OpenGFW

OpenGFW is a flexible, easy-to-use, open source implementation of GFW (Great Firewall of China) on Linux
https://gfw.dev/
Mozilla Public License 2.0

Add WireGuard analyzer #41

Closed haruue closed 8 months ago

haruue commented 8 months ago

Most of the fields in the WireGuard protocol are encrypted. This implementation parses & uses only the clear text part, which includes:

The sender_index and receiver_index themselves are useless for the ruleset, but we can use them to track WireGuard states, which reduces false positives.

Notes for testers: When matching WireGuard traffic using handshake_* or receiver_index_matched in the expr, an existing WireGuard connection prior to OpenGFW startup might not be blocked until the next handshake (no more than 2 minutes). Restarting the WireGuard interface can trigger a handshake immediately.
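An added example, not code from this PR or from the OpenGFW code base, showing the kind of clear-text parsing and index tracking the description refers to: a Go parser for the unencrypted WireGuard header (message type byte, three reserved bytes, then little-endian sender_index and/or receiver_index, checked against the protocol's minimum message lengths) and a tracker that flags a receiver_index only when a handshake in the same flow previously announced it as a sender_index. The `Msg*` constants, the `Tracker` type and the sample bytes are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Message types occupy the clear-text first byte of every WireGuard UDP payload.
const MsgHandshakeInit, MsgHandshakeResponse, MsgCookieReply, MsgTransportData byte = 1, 2, 3, 4
// Minimum on-the-wire length of each message type, per the WireGuard protocol spec.
var minLen = map[byte]int{MsgHandshakeInit: 148, MsgHandshakeResponse: 92, MsgCookieReply: 64, MsgTransportData: 32}

// Header holds the only unencrypted fields; an index is 0 when the type lacks it.
type Header struct {
	Type                   byte
	SenderIdx, ReceiverIdx uint32
}

// ParseHeader decodes the clear-text prefix: type byte, three reserved zero bytes,
// then little-endian sender_index and/or receiver_index depending on the type.
func ParseHeader(p []byte) (Header, error) {
	if len(p) < 4 || p[1] != 0 || p[2] != 0 || p[3] != 0 {
		return Header{}, errors.New("not a WireGuard message")
	}
	h := Header{Type: p[0]}
	if n, ok := minLen[h.Type]; !ok || len(p) < n {
		return Header{}, errors.New("unknown type or truncated message")
	}
	switch h.Type {
	case MsgHandshakeInit:
		h.SenderIdx = binary.LittleEndian.Uint32(p[4:8])
	case MsgHandshakeResponse:
		h.SenderIdx = binary.LittleEndian.Uint32(p[4:8])
		h.ReceiverIdx = binary.LittleEndian.Uint32(p[8:12])
	default: // cookie reply and transport data carry only receiver_index
		h.ReceiverIdx = binary.LittleEndian.Uint32(p[4:8])
	}
	return h, nil
}

// Tracker keeps the sender indices announced by handshakes in one flow; checking a
// later receiver_index against them is what cuts false positives.
type Tracker struct{ known map[uint32]bool }
func NewTracker() *Tracker { return &Tracker{known: map[uint32]bool{}} }

// Observe reports whether h.ReceiverIdx matches an earlier handshake's sender_index,
// then records h.SenderIdx when the message carries one.
func (t *Tracker) Observe(h Header) bool {
	matched := h.ReceiverIdx != 0 && t.known[h.ReceiverIdx]
	if h.Type == MsgHandshakeInit || h.Type == MsgHandshakeResponse {
		t.known[h.SenderIdx] = true
	}
	return matched
}

func main() { // constructed sample: 148-byte initiation carrying sender_index 0x11223344
	h, err := ParseHeader(append([]byte{MsgHandshakeInit, 0, 0, 0, 0x44, 0x33, 0x22, 0x11}, make([]byte, 140)...))
	fmt.Printf("%+v %v\n", h, err)
}
```

A transport-data packet whose receiver_index was never announced by a handshake observed in the flow (for example a session that started before the analyzer) is reported as unmatched, which is exactly the testing caveat above.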