Adds a small server-side capability: when a DTLS payload starts with the 4-byte magic prefix 0xff 'P' 'N' 'G', the server echoes the entire packet back to the client through the same DTLS conn. Otherwise the packet is forwarded to WireGuard as before. Whether any client *uses* this echo is up to the client. The server just provides the capability.

Backward compatibility: the echo branch is gated on the magic-prefix check. Without that prefix nothing fires — every existing client sees identical behaviour. New clients sending probes to an unpatched server see no echo and degrade gracefully (the bytes flow through to WG which drops them as message type 0xff, outside WG's 1..4 range).

Use case that motivated this: detecting zombie TURN allocations — sessions where pion's Refresh and VK's NAT-keepalive Binding both succeed (control plane "healthy") but the actual data path through VK's relay is broken because the client's NAT mapping shifted after a network handover and VK's relay state is stale. Without an end-to-end signal the client can't tell. With ping/pong the client can periodically ping and tear down conns whose echoes have stopped arriving.

Reference client implementation: anton48/vk-turn-proxy-ios commit 8c430f3 (141 lines in pkg/proxy/proxy.go, a refactored extraction of client/main.go). Empirically tuned over a month of production: 30s ping interval, 120s stale threshold, latched "server is echoing" flag so clients never kill conns when talking to an unpatched server.

Cost: one byte-prefix comparison per inbound DTLS packet, no allocation, no parsing. When echoing, one DTLS write per ping. With 30 conns at 30s interval that's ~1 packet/sec total.

pull/168/head
1 changed files with 27 additions and 0 deletions
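The ping/echo mechanism described in the commit message, written out as an added example in Go. This is not the code from this commit nor from the anton48/vk-turn-proxy-ios reference client; the names `IsPing`, `Route`, `Monitor` and `Simulate`, the `writeDTLS`/`forwardWG` callbacks standing in for the real DTLS conn write and WireGuard forward path, and the 4-byte sequence trailer after the magic prefix are all assumptions of the example. It shows both halves: the server's one-compare branch, and a client-side monitor with the latched "server is echoing" flag so a conn is never torn down while talking to an unpatched server, plus a simulation of the zombie case where the relay's data path dies after a handover.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"time"
)

// pingMagic is the 4-byte prefix from the commit message: 0xff 'P' 'N' 'G'.
// 0xff is outside WireGuard's message types 1..4, so a server without the
// echo branch forwards the probe to WG, which silently drops it.
var pingMagic = []byte{0xff, 'P', 'N', 'G'}

// IsPing reports whether a decrypted DTLS payload starts with pingMagic.
// One length check and one 4-byte compare: no allocation, no parsing.
func IsPing(pkt []byte) bool {
	return len(pkt) >= len(pingMagic) && bytes.Equal(pkt[:len(pingMagic)], pingMagic)
}

// Route is the server-side branch. writeDTLS and forwardWG are assumed stand-ins
// for the real DTLS conn write and the WireGuard forward path.
func Route(pkt []byte, writeDTLS, forwardWG func([]byte)) {
	if IsPing(pkt) {
		writeDTLS(pkt) // echo the entire packet, prefix included
		return
	}
	forwardWG(pkt)
}

// Monitor tracks echo liveness for one client DTLS conn.
type Monitor struct {
	Interval time.Duration // how often to ping (30s in the commit message)
	Stale    time.Duration // no echo for this long => zombie (120s)
	echoing  bool          // latched once the first echo arrives
	lastEcho time.Time
	seq      uint32
}

func NewMonitor(interval, stale time.Duration) *Monitor {
	return &Monitor{Interval: interval, Stale: stale}
}

// NextPing builds a probe: magic + a 4-byte big-endian sequence number.
// The sequence trailer is an assumption of this example; the server echoes
// whatever follows the prefix, so any payload works.
func (m *Monitor) NextPing() []byte {
	m.seq++
	p := make([]byte, 8)
	copy(p, pingMagic)
	binary.BigEndian.PutUint32(p[4:], m.seq)
	return p
}

// OnPacket inspects an inbound packet from the server. If it is an echo of
// a probe it latches the "server is echoing" flag, records the time, and
// returns true so the caller does not hand the echo to WireGuard.
func (m *Monitor) OnPacket(pkt []byte, now time.Time) bool {
	if !IsPing(pkt) {
		return false
	}
	m.echoing = true
	m.lastEcho = now
	return true
}

// Dead reports whether the conn should be torn down. It is never true before
// the server has echoed at least once, so conns to an unpatched server survive.
func (m *Monitor) Dead(now time.Time) bool {
	return m.echoing && now.Sub(m.lastEcho) > m.Stale
}

// Simulate drives one conn for `total` of simulated wall time, pinging every
// Interval. The server echoes while relayUp(now) is true; a relayUp that turns
// false models a relay whose data path broke after a NAT handover while the
// control plane stayed healthy. It returns the instant Dead first fired, or the
// zero time if it never did.
func Simulate(m *Monitor, start time.Time, total time.Duration, relayUp func(time.Time) bool) time.Time {
	for now := start; now.Sub(start) <= total; now = now.Add(m.Interval) {
		if m.Dead(now) {
			return now
		}
		probe := m.NextPing()
		if relayUp(now) {
			m.OnPacket(probe, now) // echo arrives on the same conn
		}
	}
	return time.Time{}
}

func main() {
	start := time.Unix(1_700_000_000, 0)
	m := NewMonitor(30*time.Second, 120*time.Second)
	breakAt := start.Add(5 * time.Minute)
	dead := Simulate(m, start, 15*time.Minute, func(t time.Time) bool { return t.Before(breakAt) })
	fmt.Println("zombie detected", dead.Sub(breakAt), "after the relay path broke")
}
```

With a 30s interval and 120s threshold, the last good echo lands at 270s, the relay breaks at 300s, and `Dead` first fires at 420s: the stale check is `>` rather than `>=`, so the 390s probe (exactly 120s since the last echo) is still given the benefit of the doubt. Against a server that never echoes, `echoing` never latches and the conn is kept indefinitely, which is the backward-compatibility property the commit message relies on.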