wangyu- / udp2raw

A Tunnel which Turns UDP Traffic into Encrypted UDP/FakeTCP/ICMP Traffic by using Raw Socket, helps you Bypass UDP FireWalls (or Unstable UDP Environment)
MIT License
7.16k stars 1.16k forks

Add --wireguard mode #458

Open HouQiming opened 1 year ago

HouQiming commented 1 year ago

Added an option --wireguard triggering two small changes to address wireguard quirks:

wangyu- commented 1 year ago

I am fine to add an option to set the DF bit, but it is unlikely to solve a real problem (I think)

        if (g_should_fragment) {
            iph->frag_off = htons(0x0000);  //DF cleared,others are zero
        } else {
            iph->frag_off = htons(0x4000);  // DF set,others are zero
        }

We are sending/receiving packets with a raw socket (level 2 or 3 for sending (depends on setting), always level 2 for receiving); on your machine, the OS can't do IP fragmentation even if you clear the DF bit. A raw socket bypasses the OS's fragmentation and defragmentation.

wangyu- commented 1 year ago

Wireguard allows endpoint IP changes but rejects port-only endpoint changes

I was not aware of this problem before. Could anyone help confirm?

HouQiming commented 1 year ago

More context:

I'm trying to make my rig more robust with bad MTU settings. I have other hops on the link with uncontrolled / frequently changing MTUs and they may need to fragment udp2raw's output packet. I cleared the DF bit for that.

As for the port-only endpoint change thing, changing link-local IPs every time was a quick hack and it did fix my wireguard connection. But I didn't check wireguard code to confirm.
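
The downstream-hop case discussed above, as an added example that is not part of the thread or of udp2raw's code: a model of the RFC 791 forwarding decision at an intermediate IPv4 router for the two `frag_off` values in the quoted snippet. The function `hop_decision`, the enum, and the packet size and MTUs are constructed for illustration.

```c
#include <arpa/inet.h> /* htons, ntohs */
#include <stdint.h>
#include <stdio.h>

#define FRAG_DF 0x4000u /* Don't Fragment: the value the snippet passes to htons() */

enum hop_action { HOP_FORWARD, HOP_FRAGMENT, HOP_DROP };

/* Decision of an intermediate IPv4 router (hypothetical model, RFC 791 rules).
 * frag_off_net: iph->frag_off in network byte order
 * total_len:    IP total length in bytes; ihl_bytes: IP header length
 * mtu:          MTU of the outgoing link; *nfrags: packets leaving the hop */
enum hop_action hop_decision(uint16_t frag_off_net, unsigned total_len,
                             unsigned ihl_bytes, unsigned mtu, unsigned *nfrags)
{
    uint16_t fo = ntohs(frag_off_net);

    *nfrags = 1;
    if (total_len <= mtu)
        return HOP_FORWARD; /* fits on the link: DF is irrelevant */

    *nfrags = 0;
    if (fo & FRAG_DF)
        return HOP_DROP; /* router also sends ICMP type 3 code 4 to the sender */

    /* Every fragment except the last carries a multiple of 8 payload bytes. */
    unsigned per_frag = mtu > ihl_bytes ? ((mtu - ihl_bytes) / 8) * 8 : 0;
    if (per_frag == 0)
        return HOP_DROP; /* link cannot carry any payload at all */

    *nfrags = (total_len - ihl_bytes + per_frag - 1) / per_frag;
    return HOP_FRAGMENT;
}

int main(void)
{
    /* Constructed sample: a 1400-byte tunnel packet crossing a 1280-byte-MTU hop. */
    const uint16_t settings[] = { htons(0x4000), htons(0x0000) };
    static const char *names[] = { "forward", "fragment", "drop" };
    for (int i = 0; i < 2; i++) {
        unsigned n;
        enum hop_action a = hop_decision(settings[i], 1400, 20, 1280, &n);
        printf("frag_off=0x%04x -> %s (%u packets out)\n",
               ntohs(settings[i]), names[a], n);
    }
    return 0;
}
```
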

wangyu- commented 1 year ago

Wireguard allows endpoint IP changes but rejects port-only endpoint changes. By default, udp2raw -s connects from a different port on 127.0.0.1 for each client, which will start getting rejected by wireguard from the 2nd attempt.

I personally think this might be some misunderstanding.

If this is true, the same applies for a wireguard client behind a router. 2nd attempt behind a router will also be rejected.

But I might be wrong. Hope someone else can help confirm.