
Add WireGuard analyzer

Open haruue opened this issue 2 years ago • 0 comments

Most of the fields in the WireGuard protocol are encrypted. This implementation parses and uses only the clear-text part, which includes:

  • message_type
  • reserved_zero
  • sender_index
  • receiver_index
  • len(packet)

The sender_index and receiver_index themselves are useless for the ruleset, but we can use them to track WireGuard states, which reduces false positives.

Notes for testers: When matching WireGuard traffic using handshake_* or receiver_index_matched in the expr, an existing WireGuard connection prior to OpenGFW startup might not be blocked until the next handshake (no more than 2 minutes). Restarting the WireGuard interface can trigger a handshake immediately.

haruue · Jan 30 '24 11:01
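The clear-text header fields listed in the issue, and the index-tracking idea behind `receiver_index_matched`, can be illustrated with a small stand-alone analyzer. The following is an added example written for this page, not OpenGFW's own analyzer code. It assumes the layout of the four WireGuard message types from the protocol specification (first byte is the type, then three reserved zero bytes, then little-endian 32-bit indices; initiation, response and cookie reply are fixed at 148, 92 and 64 bytes, transport packets are a 16-byte header plus ciphertext padded to a multiple of 16 bytes including the tag, so at least 32 bytes). The `Session` type and its `Feed` method are this example's own names, and the packets it parses are constructed fixtures with zeroed ciphertext, not captured traffic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Message types: the first byte of every WireGuard packet is clear text.
const (
	MsgInitiation  uint8 = 1
	MsgResponse    uint8 = 2
	MsgCookieReply uint8 = 3
	MsgTransport   uint8 = 4
)

// Header holds only the unencrypted fields listed in the issue.
type Header struct {
	Type          uint8
	SenderIndex   uint32 // present in types 1 and 2
	ReceiverIndex uint32 // present in types 2, 3 and 4
	Len           int
}

var ErrNotWireGuard = errors.New("not a WireGuard packet")

// ParseHeader checks reserved_zero and the per-type length, then reads the
// little-endian indices from the clear-text header. Fixed lengths (148, 92,
// 64) are from the protocol spec; transport packets are 16 header bytes plus
// ciphertext padded to 16 bytes including the tag, so 32 bytes or more.
func ParseHeader(pkt []byte) (Header, error) {
	if len(pkt) < 4 || pkt[1] != 0 || pkt[2] != 0 || pkt[3] != 0 {
		return Header{}, ErrNotWireGuard
	}
	h := Header{Type: pkt[0], Len: len(pkt)}
	le := binary.LittleEndian
	switch h.Type {
	case MsgInitiation:
		if len(pkt) != 148 {
			return Header{}, ErrNotWireGuard
		}
		h.SenderIndex = le.Uint32(pkt[4:8])
	case MsgResponse:
		if len(pkt) != 92 {
			return Header{}, ErrNotWireGuard
		}
		h.SenderIndex = le.Uint32(pkt[4:8])
		h.ReceiverIndex = le.Uint32(pkt[8:12])
	case MsgCookieReply:
		if len(pkt) != 64 {
			return Header{}, ErrNotWireGuard
		}
		h.ReceiverIndex = le.Uint32(pkt[4:8])
	case MsgTransport:
		if len(pkt) < 32 || len(pkt)%16 != 0 {
			return Header{}, ErrNotWireGuard
		}
		h.ReceiverIndex = le.Uint32(pkt[4:8])
	default:
		return Header{}, ErrNotWireGuard
	}
	return h, nil
}

// Session remembers the index each side advertised during the handshake so
// later packets of the same flow can be checked against them (hypothetical
// type for this example).
type Session struct {
	initiatorIndex, responderIndex uint32
	haveInit, haveResp             bool
}

// Feed updates the state and reports whether the packet's receiver_index
// refers to an index already seen in this flow. Initiations carry no
// receiver_index; they (re)seed the state and report false, which is why a
// flow that handshook before the analyzer started cannot match until its
// next handshake.
func (s *Session) Feed(h Header) bool {
	switch h.Type {
	case MsgInitiation:
		s.initiatorIndex, s.haveInit, s.haveResp = h.SenderIndex, true, false
		return false
	case MsgResponse:
		if s.haveInit && h.ReceiverIndex == s.initiatorIndex {
			s.responderIndex, s.haveResp = h.SenderIndex, true
			return true
		}
		return false
	default: // cookie reply or transport data, sent by either side
		return (s.haveInit && h.ReceiverIndex == s.initiatorIndex) ||
			(s.haveResp && h.ReceiverIndex == s.responderIndex)
	}
}

// mkPacket builds a constructed fixture: correct type, reserved_zero, indices
// and length, with zero-filled ciphertext. Not captured traffic.
func mkPacket(typ uint8, size int, idx ...uint32) []byte {
	pkt := make([]byte, size)
	pkt[0] = typ
	for i, v := range idx {
		binary.LittleEndian.PutUint32(pkt[4+4*i:], v)
	}
	return pkt
}

func main() {
	var s Session
	flow := [][]byte{
		mkPacket(MsgInitiation, 148, 0x11111111),          // A -> B
		mkPacket(MsgResponse, 92, 0x22222222, 0x11111111), // B -> A
		mkPacket(MsgTransport, 48, 0x22222222),            // A -> B, 16-byte payload
		mkPacket(MsgTransport, 32, 0x11111111),            // B -> A keepalive
		mkPacket(MsgTransport, 32, 0xdeadbeef),            // index never seen
	}
	for _, pkt := range flow {
		h, err := ParseHeader(pkt)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		fmt.Printf("type=%d len=%d receiver_index_matched=%v\n", h.Type, h.Len, s.Feed(h))
	}
}
```

The length and reserved-byte checks are what keep random UDP payloads from being classified as WireGuard on the type byte alone; the index check then ties transport packets to a handshake the analyzer actually observed, which is the false-positive reduction the issue describes.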