On Wed, 2021-06-16 at 18:28 +0200, Jason A. Donenfeld wrote:
> WireGuard does not copy the inner DSCP mark to the outside, aside from
> the ECN bits, in order to avoid a data leak.
>
> Jason
Hi Jason,

Is there any room for revisiting this design decision? We are talking about 6 bits of metadata per packet here... Which realistic threats are we trying to protect against?

The solutions that don't involve code changes all have significant drawbacks:
- awesome BPF-based magic will be Linux only
- multiple tunnels are not always practical and arguably worse traffic correlation-wise.

I still use a patched wireguard to protect traffic from a voip app on an android handset using wifi here... and while I have a solution that's good enough for my requirements, I do think that the community would benefit from having something that works better out of the box (and on all platforms).

Florent
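To make the trade-off in this thread concrete, here is an added example (not code from the thread or from WireGuard itself) that models the marking policy Jason describes: the inner packet's TOS byte is split into its 6 DSCP bits and 2 ECN bits, and only the ECN bits are carried into the outer header. The sample IPv4 header, the `outer_tos` helper and the `copy_dscp` switch are constructed for illustration; the 6/2 bit split of the TOS byte is the standard IPv4 layout.

```python
import struct

# Layout of the IPv4 TOS byte (and IPv6 Traffic Class byte):
# bits 7..2 = DSCP (6 bits), bits 1..0 = ECN (2 bits).
DSCP_MASK = 0xFC
ECN_MASK = 0x03


def split_tos(tos: int) -> tuple[int, int]:
    """Return (dscp, ecn) for a TOS byte."""
    return (tos & DSCP_MASK) >> 2, tos & ECN_MASK


def inner_tos_from_ipv4(pkt: bytes) -> int:
    """Read the TOS byte of an IPv4 header (byte offset 1), with minimal checks."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 header")
    return pkt[1]


def outer_tos(inner_tos: int, copy_dscp: bool = False, outer_dscp: int = 0) -> int:
    """Compute the TOS byte of the encapsulating packet.

    copy_dscp=False mirrors the behaviour described in the thread: the inner
    DSCP is dropped (replaced by a fixed outer_dscp, default 0) and only the
    ECN bits are propagated. copy_dscp=True is the alternative Florent asks
    about, where all 8 bits of the inner byte become visible on the wire.
    (Hypothetical helper written for this example.)
    """
    dscp, ecn = split_tos(inner_tos)
    if copy_dscp:
        return (dscp << 2) | ecn
    return ((outer_dscp & 0x3F) << 2) | ecn


def observable_inner_bits(copy_dscp: bool) -> int:
    """Bits of inner per-packet metadata an on-path observer can read."""
    return 8 if copy_dscp else 2


def sample_voip_packet() -> bytes:
    """Constructed IPv4 header: DSCP EF (46) as a VoIP app would set, ECN ECT(0)."""
    tos = (46 << 2) | 0x01  # 0xB9
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,        # version 4, IHL 5
        tos,
        20,          # total length (header only, no payload)
        0x1234,      # identification
        0,           # flags/fragment offset
        64,          # TTL
        17,          # protocol UDP
        0,           # checksum (not computed for this illustration)
        bytes([10, 0, 0, 2]),
        bytes([10, 0, 0, 1]),
    )


if __name__ == "__main__":
    inner = inner_tos_from_ipv4(sample_voip_packet())
    print(f"inner TOS=0x{inner:02x} dscp/ecn={split_tos(inner)}")
    for policy in (False, True):
        print(f"copy_dscp={policy}: outer TOS=0x{outer_tos(inner, policy):02x}, "
              f"observer sees {observable_inner_bits(policy)} inner bits per packet")
```

With the default policy an EF-marked VoIP packet leaves the tunnel with outer TOS 0x01 (ECN only), so an observer learns nothing about the inner class of service; with `copy_dscp=True` the same packet carries 0xB9 and the per-packet DSCP becomes a traffic-classification signal on the wire, which is the 6-bit channel the thread is weighing against the QoS benefit.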
