Hi, I have been testing the Wireguard implementation on OpenBSD and noticed that the ToS field is not being copied from the inner unencrypted header to the outer Wireguard header, resulting in ALL packets going into the same PF Prio / Queue.
For example, ACKs (for Wireguard encrypted packets) end up in the first queue (not the priority queue) despite PF rules:

    queue ext_iface on $extif bandwidth 1000M max 1000M
    queue pri on $extif parent ext_iface flows 1000 bandwidth 25M min 5M
    queue data on $extif parent ext_iface flows 1000 bandwidth 100M default
    match on $extif proto tcp set prio (3, 6) set queue (data, pri)

All unencrypted SYNs and ACKs etc. correctly go into the 'pri' queue, and payload packets go into the 'data' queue. However, for Wireguard encrypted packets, _all_ packets (including SYNs and ACKs) go into the 'data' queue.

I thought maybe you need to force the ToS/prio/queue values, so I also tried a sledgehammer approach:

    match proto tcp flags A/A set tos lowdelay set prio 7 set queue pri
    match proto tcp flags S/S set tos lowdelay set prio 7 set queue pri

But sadly all encrypted SYNs and ACKs etc. still only go into the data queue no matter what. This can be confirmed with wireshark: all ToS bits are lost.

This results in poor Wireguard performance on OpenBSD. OpenVPN has the --passtos directive to copy the ToS bits, which means OpenVPN is faster than Wireguard on OpenBSD.

Thanks, Andy.
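The check described in the message above (inspecting the ToS byte on the outer header of encrypted packets) can be scripted; this is an added example, not part of the original post or of any OpenBSD or WireGuard code. The packets, addresses and port are constructed sample input, and matching on the first four payload bytes (type 4, three reserved zeros) is a heuristic for WireGuard data messages.

```python
import struct
from collections import Counter

WG_TRANSPORT_DATA = 4  # WireGuard message type carrying encrypted tunnel traffic

def build_ipv4_udp(tos, payload, port=51820):
    """Build a constructed IPv4/UDP packet (checksums left at 0) as sample input."""
    udp = struct.pack("!HHHH", port, port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp

def outer_tos_if_wireguard(packet):
    """Return (dscp, ecn) from the outer header of a WireGuard data packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                                  # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or packet[9] != 17 or frag_offset:
        return None                                  # not UDP, or a later fragment
    payload = packet[ihl + 8:]
    # Heuristic: type byte 4 plus three reserved zero bytes, and at least
    # 32 bytes (16-byte header + 16-byte authentication tag).
    if len(payload) < 32 or payload[:4] != bytes([WG_TRANSPORT_DATA, 0, 0, 0]):
        return None
    return packet[1] >> 2, packet[1] & 0x03          # ToS byte = DSCP (6 bits) + ECN (2 bits)

def tally_outer_dscp(packets):
    """Count outer DSCP values across the WireGuard data packets in a capture."""
    seen = (outer_tos_if_wireguard(p) for p in packets)
    return Counter(t[0] for t in seen if t is not None)

# Constructed sample: two data packets with ToS 0, one marked lowdelay (0x10),
# one handshake initiation (type 1) and one unrelated UDP packet.
WG_DATA = bytes([4, 0, 0, 0]) + bytes(28)
SAMPLE = [
    build_ipv4_udp(0x00, WG_DATA),
    build_ipv4_udp(0x00, WG_DATA),
    build_ipv4_udp(0x10, WG_DATA),
    build_ipv4_udp(0x10, bytes([1, 0, 0, 0]) + bytes(144)),
    build_ipv4_udp(0x10, b"not wireguard" + bytes(32), port=5353),
]

if __name__ == "__main__":
    for dscp, count in sorted(tally_outer_dscp(SAMPLE).items()):
        print(f"outer DSCP {dscp}: {count} WireGuard data packet(s)")
```

A capture in which every WireGuard data packet lands in the DSCP 0 bucket, while the inner traffic was marked, matches the behaviour reported in the message.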