passing-through TOS/DSCP marking

Florent Daigniere nextgens at
Tue Jul 6 07:00:14 UTC 2021

On Wed, 2021-06-16 at 18:28 +0200, Jason A. Donenfeld wrote:
> WireGuard does not copy the inner DSCP mark to the outside, aside from
> the ECN bits, in order to avoid a data leak.
> Jason

Hi Jason,

Is there any room for revisiting this design decision? We are talking
about 6 bits of metadata per packet here...

Which realistic threats are we trying to protect against?

The solutions that don't involve code changes all have significant
- awesome BPF-based magic will be Linux only
- multiple tunnels are not always practical and arguably worse traffic

I still use a patched wireguard to protect traffic from a voip app on an
android handset using wifi here... and while I have a solution that's
good enough for my requirements, I do think that the community would
benefit from having something that works better out of the box (and on
all platforms).


More information about the WireGuard mailing list