passtos patch

Kalin KOZHUHAROV me.kalin at
Thu Jan 18 12:56:55 CET 2018

On Thu, Jan 18, 2018 at 12:30 PM, Vadim Zotov <z at> wrote:
> in some circumstances it is important to set the TOS field in tunnel packet equivalent to payload packet TOS.
> for example, our provider supports three different SLAs, depending on packet TOS field, with different jitter,
> packet loss and service availability. In current release wireguard always set tos to 0.
Yep, I completely agree to "in some circumstances" :-D

I am not sure how copying the TOS field can be exploited, I guess it
is one of those things "potential hazard, use KISS, avoid till needed
AND assessment can be made"...
Copying the field straight (in plain-text in a way), will provide some
see-through-the-tunnel, which WG is designed NOT to allow, AFAIK.

There are no optional parameters/options in wireguard (well, except
fwmark), but I guess that one should be implemented as an option, at
least at first.
But again, that contradict KISS principle...

Since this is not a common scenario, IMHO, and there are only a
handful TOS worth doing something, a workaround would be to bunch a
few wg tunnels (even bridge them at both ends?), use fwmark and mangle
the TOS with iptables/ift...
Just a suggestion, not tried obviously.


More information about the WireGuard mailing list