zrm, I'm not a programmer (or a very good one) and I'm not really looking to write something, I'm more hoping I can just use iptables to apply FEC on any packet that goes out an interface and 'unFEC' anything coming in from that interface. Fine to assume the same on the other side. I want the FEC *inside* the tunnel, ie I want any flaws in the like to show up on the regular interface so I can monitor it. Packets going over wireguard would be 'FEC'd. Is this something that's doable without write code? On Mon, Feb 25, 2019 at 8:03 PM zrm <zrm@xxxxxxxxxxxxxxx> wrote: > > On 2/25/19 18:19, dan wrote: > > I'm wanting to apply FEC to packets on a specific interface. > > > > I'm using wireguard as a VPN and would like to FEC packets crossing > > that interface (specifically UDP SIP and RTP packets). > > > > I'm no guru on netfilter and I can't seem to google may way through this. > > > > Thanks. > > > > I assume your intent is to write some code to FEC the packets on one end > and then reconstruct them on the other, and what you're asking is how to > get the packets. There are multiple ways to do this. > > When you're using FEC the original packets can be sent as-is followed by > some separate erasure coded packets. That means you don't need to touch > the original packets, only observe them and then send the erasure coded > packets to the FEC process on the other end, which can use the same > method to observe which ones actually arrived and then use the erasure > coded ones to reinject any missing packets as necessary. This can be > done using libpcap, SOCK_RAW sockets, etc. > > But if you're using WireGuard you have another option, which is to tell > WireGuard on each device that the other endpoint is the FEC process on > the local machine. Then WireGuard sends the encrypted UDP packets to > you, you FEC them and send them to the FEC process on the other machine > which handles FEC before sending them to its local WireGuard. This may > actually be faster (you don't have to encrypt/decrypt the erasure > packets) and in some ways more secure (your process never sees plaintext > and requires no special privileges and if anything goes sideways > WireGuard should reject the packets), but note that it would make it > obvious to an observer that you're using FEC. You would also have to FEC > all the packets going to that peer with no way to distinguish between them.
