Tried to use WGOBFS on a tunnel going through another tun-device VPN, but it didn't work: packets were dropped between the mangle INPUT chain and the application (on Arch Linux, kernel 6.1 LTS).
After research, it turns out that in these packets `skb->ip_summed` is equal to `CHECKSUM_COMPLETE`.
Not sure why they were dropped; it looks like the kernel rechecks that `skb->csum` is still valid.
Setting `skb->ip_summed` to `CHECKSUM_NONE` helped (leaving the packet size unchanged also helps).
In xt_TCPMSS.c, checksum changes are handled using `inet_proto_csum_replace*` and `csum_replace*`. The function `inet_proto_csum_replace4` changes `skb->csum` if `skb->ip_summed == CHECKSUM_COMPLETE`. In practice, `skb->csum` is modified only on a length change (which explains why it helps to leave the packet size unchanged).
Maybe this is the right way to deal with checksums, without recalculating the whole checksum.
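For readers following the checksum discussion above, here is an added userspace example (not code from the post, from WGOBFS, or from the kernel) of the incremental one's-complement update from RFC 1624 that the `csum_replace*` helpers are built on, checked against a full recompute. The function names and the 12-byte sample buffer are constructed for illustration, and the rewritten field is assumed to sit at an even offset.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Add big-endian 16-bit words of p[0..len) into a 32-bit accumulator. */
static uint32_t sum_words(const uint8_t *p, size_t len, uint32_t acc)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        acc += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        acc += (uint32_t)p[len - 1] << 8;   /* odd trailing byte, zero padded */
    return acc;
}

/* Fold carries back into the low 16 bits (one's-complement addition). */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* Full recompute over the whole buffer. */
uint16_t full_checksum(const uint8_t *p, size_t len) { return (uint16_t)~fold(sum_words(p, len, 0)); }

/* RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), for a 4-byte field at an even offset. */
uint16_t incr_update4(uint16_t check, const uint8_t old4[4], const uint8_t new4[4])
{
    uint32_t acc = (uint16_t)~check;
    acc += (uint16_t)~((old4[0] << 8) | old4[1]);
    acc += (uint16_t)~((old4[2] << 8) | old4[3]);
    return (uint16_t)~fold(sum_words(new4, 4, acc));
}

/* Constructed 12-byte sample; bytes 4..7 are the field being rewritten. */
int demo(void)
{
    uint8_t pkt[12] = {0x45,0x00,0x00,0x54,0xc0,0xa8,0x01,0x0a,0xde,0xad,0xbe,0xef};
    uint8_t old4[4], new4[4] = {0x0a, 0x00, 0x00, 0x02};
    uint16_t before = full_checksum(pkt, sizeof pkt);
    memcpy(old4, pkt + 4, 4);
    memcpy(pkt + 4, new4, 4);               /* rewrite the bytes in place */
    uint16_t incr = incr_update4(before, old4, new4);
    uint16_t full = full_checksum(pkt, sizeof pkt);
    return incr == full && before != full;  /* the stale value no longer verifies */
}

int main(void) { printf("%s\n", demo() ? "incremental == recomputed" : "mismatch"); return 0; }
```

The same arithmetic applies to any stored sum over the packet bytes: once bytes are rewritten, the stored value has to be adjusted by the difference or recomputed, otherwise a later verification fails.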