passing-through TOS/DSCP marking

Toke Høiland-Jørgensen toke at
Wed Jun 16 23:33:12 UTC 2021

Daniel Golle <daniel at> writes:

> Hi Jason,
> On Wed, Jun 16, 2021 at 06:28:12PM +0200, Jason A. Donenfeld wrote:
>> WireGuard does not copy the inner DSCP mark to the outside, aside from
>> the ECN bits, in order to avoid a data leak.
> That's a very valid argument.
> However, from my experience now, WireGuard is not suitable for VoIP/RTP
> data (minimize-delay) being sent through the same tunnel as TCP bulk
> (maximize-throughput) traffic in bandwidth-constrained and/or high-latency
> environments, as that ruins the VoIP calls to the degree of not being
> understandable. ECN helps quite a bit when it comes to avoiding packet drops
> for TCP traffic, but that's not enough to avoid high jitter and drops for
> RTP/UDP traffic at the same time.
> I thought about ways to improve that and wonder what you would suggest.
> My ideas are:
>  * have different tunnels depending on inner DSCP bits and mark them
>    accordingly on the outside.
>    => we already got multiple tunnels and that would double the number.
>  * mark outer packets with DSCP bits based on their size.
>    VoIP RTP/UDP packets are typically "medium sized" while TCP packets
>    typically max out the MTU.
>    => we would not leak information, but that assumption may not always
>       be true
>  * patch wireguard kernel code to allow preserving inner DSCP bits.
>    => even only having 2 different classes of traffic (critical vs.
>       bulk) would already help a lot...
> What do you think? Any other ideas?

Can you share a few more details about the network setup? I.e., where is
the bottleneck link that requires this special treatment? If the
bottleneck router is the same one that does the wireguard encapsulation
(e.g., a home router with a slow uplink), you should be able to just use
flow queueing (fq_codel or sch_cake) in place of your diffserv-based
prioritisation and get most of the benefit: wireguard will save the
packet hash before encapsulation, so any qdisc running on the same box
can actually distinguish flows even on the encapsulated packets...
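
A toy model of the point made in the reply above, added here as an illustration; it is not part of the original message and is not WireGuard or qdisc code. It assumes a link that sends one packet per tick and a simplified round-robin flow queue (no CoDel, no byte quantum), and compares flow keys taken from the hash saved before encapsulation with keys taken from the outer tunnel header. The traffic pattern and all names are constructed.

```python
from collections import OrderedDict, deque

def make_traffic():
    # Constructed traffic: (arrival_tick, inner_flow). A bulk sender bursts
    # 100 packets at tick 0; a VoIP sender emits one packet every 20 ticks.
    pkts = [(0, "bulk-tcp")] * 100
    pkts += [(t, "voip-rtp") for t in range(0, 100, 20)]
    return sorted(pkts, key=lambda p: p[0])  # stable sort keeps bulk first at tick 0

def preserved_hash(inner_flow):
    # Qdisc sees the flow hash computed before encapsulation.
    return inner_flow

def outer_only(inner_flow):
    # Qdisc hashes the outer header: every packet is the same UDP tunnel flow.
    return "wg-tunnel"

def worst_voip_delay(flow_key):
    """Drain the link, one packet per tick, round-robin across the per-flow
    queues chosen by flow_key; return the worst VoIP queueing delay in ticks."""
    pending = deque(make_traffic())
    queues = OrderedDict()  # flow key -> deque of (arrival, inner_flow)
    tick, worst = 0, 0
    while pending or queues:
        while pending and pending[0][0] <= tick:
            pkt = pending.popleft()
            queues.setdefault(flow_key(pkt[1]), deque()).append(pkt)
        if queues:
            key, q = next(iter(queues.items()))
            arrival, flow = q.popleft()
            del queues[key]
            if q:
                queues[key] = q  # still backlogged: go to the back of the rotation
            if flow == "voip-rtp":
                worst = max(worst, tick - arrival)
        tick += 1
    return worst

if __name__ == "__main__":
    print("per-flow queues (hash preserved):", worst_voip_delay(preserved_hash))
    print("single queue (outer header only):", worst_voip_delay(outer_only))
```

With the preserved hash the sparse VoIP flow gets its own queue and never waits behind the bulk backlog, without any DSCP bits being copied to the outer header.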

