Adds a small server-side capability: when a DTLS payload starts with
the 4-byte magic prefix 0xff 'P' 'N' 'G', the server echoes the entire
packet back to the client through the same DTLS conn. Otherwise the
packet is forwarded to WireGuard as before.
Whether any client *uses* this echo is up to the client. The server
just provides the capability.
Backward compatibility: the echo branch is gated on the magic-prefix
check. Without that prefix nothing fires — every existing client sees
identical behaviour. New clients sending probes to an unpatched server
see no echo and degrade gracefully (the bytes flow through to WG which
drops them as message type 0xff, outside WG's 1..4 range).
Use case that motivated this: detecting zombie TURN allocations —
sessions where pion's Refresh and VK's NAT-keepalive Binding both
succeed (control plane "healthy") but the actual data path through VK's
relay is broken because the client's NAT mapping shifted after a
network handover and VK's relay state is stale. Without an end-to-end
signal the client can't tell. With ping/pong the client can periodically
ping and tear down conns whose echoes have stopped arriving.
Reference client implementation: anton48/vk-turn-proxy-ios commit
8c430f3 (141 lines in pkg/proxy/proxy.go, a refactored extraction of
client/main.go). Empirically tuned over a month of production: 30s
ping interval, 120s stale threshold, latched "server is echoing" flag
so clients never kill conns when talking to an unpatched server.
Cost: one byte-prefix comparison per inbound DTLS packet, no allocation,
no parsing. When echoing, one DTLS write per ping. With 30 conns at
30s interval that's ~1 packet/sec total.
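The following is an added illustration of the dispatch rule and the client-side stale-detection logic described above; it is example code written here, not code from this change, from anton48/vk-turn-proxy-ios, or from pion. The 4-byte sequence number after the magic prefix, the `EchoTracker` type and all function names are assumptions made for the example; the only things taken from the description are the `0xff 'P' 'N' 'G'` prefix, the 30s/120s timings and the latched "server is echoing" flag.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"time"
)

// MagicPrefix is the 4-byte marker from the change description: 0xff 'P' 'N' 'G'.
// 0xff sits outside WireGuard's message-type range 1..4, so an unpatched
// server that forwards a probe has it dropped by WG rather than misparsed.
var MagicPrefix = []byte{0xff, 'P', 'N', 'G'}

// IsPing is the one prefix comparison the server does per inbound DTLS packet.
func IsPing(payload []byte) bool {
	return bytes.HasPrefix(payload, MagicPrefix)
}

// Dispatch models the server-side branch: a ping is returned in `echo` to be
// written back on the same DTLS conn; anything else is returned in `forward`
// for WireGuard. Exactly one of the two is non-nil.
func Dispatch(payload []byte) (echo, forward []byte) {
	if IsPing(payload) {
		return payload, nil
	}
	return nil, payload
}

// BuildPing makes a probe: magic prefix + 4-byte big-endian sequence number.
// The sequence number is an assumption of this example, not part of the change.
func BuildPing(seq uint32) []byte {
	p := make([]byte, 0, 8)
	p = append(p, MagicPrefix...)
	return binary.BigEndian.AppendUint32(p, seq)
}

// ParsePingSeq recovers the sequence number from an echoed probe, if it is one.
func ParsePingSeq(payload []byte) (uint32, bool) {
	if !IsPing(payload) || len(payload) < 8 {
		return 0, false
	}
	return binary.BigEndian.Uint32(payload[4:8]), true
}

// EchoTracker is a hypothetical client-side helper implementing the policy
// described above: tear down only once the server has been seen echoing and
// the last echo is older than Stale. Before the first echo the flag is unset,
// so an unpatched server never causes a teardown.
type EchoTracker struct {
	Stale        time.Duration
	serverEchoes bool      // latched on the first echo, never cleared
	lastEcho     time.Time // time of the most recent echo
}

// EchoReceived latches the flag and refreshes the liveness timestamp.
func (t *EchoTracker) EchoReceived(now time.Time) {
	t.serverEchoes = true
	t.lastEcho = now
}

// ShouldTearDown reports whether the data path should be considered dead.
func (t *EchoTracker) ShouldTearDown(now time.Time) bool {
	if !t.serverEchoes {
		return false
	}
	return now.Sub(t.lastEcho) > t.Stale
}

func main() {
	// Constructed walk-through: one probe, one echo, then silence past 120s.
	start := time.Unix(1_700_000_000, 0)
	tr := &EchoTracker{Stale: 120 * time.Second}

	probe := BuildPing(1)
	echo, fwd := Dispatch(probe)
	fmt.Printf("probe echoed=%v forwarded=%v\n", echo != nil, fwd != nil)

	if seq, ok := ParsePingSeq(echo); ok {
		fmt.Println("echo seq", seq)
		tr.EchoReceived(start)
	}
	for _, dt := range []time.Duration{30 * time.Second, 90 * time.Second, 150 * time.Second} {
		fmt.Printf("t+%v tear down=%v\n", dt, tr.ShouldTearDown(start.Add(dt)))
	}
}
```

With a 30s ping interval and a 120s threshold the client tolerates three consecutive lost echoes before declaring the path dead, which is why a single dropped probe during a handover does not by itself trigger a teardown.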