Is udp data corruption over wireguard possible?

David Anderson dave at natulte.net
Wed Jan 2 20:46:31 CET 2019


It's not possible within the tunnel, but it's still possible anywhere else
in the path.

That said, you should never rely on the IP/TCP/UDP checksums at the
application layer. Most modern router ASICs unconditionally recalculate the
checksum right before transmission (to account for any packet mangling that
happened in the ASIC pipeline), so it's very common for routers with faulty
RAM or a faulty ASIC to corrupt a packet and then recalculate all the L3/L4
checksums to be "correct" before transmitting the broken packet.

If you need to verify traffic integrity, you need your own integrity check
at L7 - ideally bound to a cryptographic exchange so you can be certain
that it's an e2e integrity check that cannot be tampered with even by
"smart" proxies. Wireguard can provide you some "integrity by proxy" if
you're not routing traffic on either end of the tunnel, but that won't save
you in any other cases :)

- Dave

On Wed, Jan 2, 2019 at 11:37 AM Matt Avery <matthewaveryusa at gmail.com>
wrote:

> It dawned on me today that if I write an application that sends udp
> datagrams through the wireguard interface that corruption of the data
> within the datagram is not possible even if I decide to zero-out my
> datagram checksums (assuming the datagram doesn't get intentionally
> corrupted within the kernel.)
>
> Is that assumption correct?
>
> Thanks,
> -Matt
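The failure mode Dave describes (a router corrupts a packet, then recomputes the L3/L4 checksum so the damaged packet looks valid) and his recommended fix (an integrity check at L7 tied to a key from a cryptographic exchange) can both be shown in a few lines. The following is an added illustration, not code from the thread or from WireGuard: it models the UDP checksum over the datagram payload only (the real UDP checksum also covers the pseudo-header and UDP header), uses a constructed shared key in place of a real key exchange, and shows that the recomputed checksum passes while the application-layer HMAC tag still catches the corruption.

```python
import hashlib
import hmac
import struct

# Constructed example key. In practice this would come from an authenticated
# key exchange between the two endpoints so the tag is truly end-to-end.
APP_KEY = b"example-shared-key-not-for-production"
TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to each datagram


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as used by IP, TCP and UDP.
    Simplified: computed over the payload bytes only."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(data: bytes, stored: int) -> bool:
    """What a UDP receiver effectively does: recompute and compare."""
    return internet_checksum(data) == stored


def seal(payload: bytes, key: bytes = APP_KEY) -> bytes:
    """Application-layer integrity: append a keyed MAC over the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + tag


def open_sealed(msg: bytes, key: bytes = APP_KEY):
    """Return the payload if the tag verifies, otherwise None."""
    if len(msg) < TAG_LEN:
        return None
    payload, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def faulty_router(data: bytes, offset: int) -> tuple:
    """Model of the failure Dave describes: a bad ASIC or RAM flips a bit,
    and the egress pipeline then recomputes the checksum over the damaged
    bytes, so the packet leaves with a 'correct' checksum."""
    corrupted = bytearray(data)
    corrupted[offset] ^= 0x01
    corrupted = bytes(corrupted)
    return corrupted, internet_checksum(corrupted)


def demo(payload: bytes = b"sensor=42;temp=21.5", offset: int = 7) -> dict:
    """Run one datagram through the model and report what each check sees."""
    msg = seal(payload)
    original_cksum = internet_checksum(msg)
    corrupted, recomputed_cksum = faulty_router(msg, offset)
    return {
        # plain in-path bit flip with the original checksum: caught at L4
        "l4_catches_plain_flip": not checksum_ok(corrupted, original_cksum),
        # flip followed by checksum recompute: L4 check passes anyway
        "l4_catches_repaired_flip": not checksum_ok(corrupted, recomputed_cksum),
        # the keyed L7 tag fails regardless of what happened to the checksum
        "l7_catches_repaired_flip": open_sealed(corrupted) is None,
        "l7_accepts_intact": open_sealed(msg) == payload,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The receiver only trusts `open_sealed`; whether the UDP checksum was zeroed, intact, or helpfully recomputed by a middlebox makes no difference to the outcome, which is exactly the point of doing the integrity check at L7 with a key.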

