Add --wireguard mode

[HouQiming]

Added an option --wireguard triggering two small changes to address wireguard quirks:

• Clear DF bit: wireguard MTU is quite small already and adding udp2raw on top breaks a lot of stuff. Allow fragmenting udp2raw's own raw packets in --wireguard. Can be enabled individually with --do-fragment.
• Wireguard allows endpoint IP changes but rejects port-only endpoint changes. By default, udp2raw -s connects from a different port on 127.0.0.1 for each client, which will start getting rejected by wireguard from the 2nd attempt. As a workaround, when --wireguard is enabled and udp2raw tries to connect to a link-local address, the patch generates a different link-local source IP for each connection. Can be enabled individually with --rand-addr.

[wangyu-]

I am fine to add an option to set DF bit, but it's is unlikely solving real problem (i think)

        if (g_should_fragment) {
            iph->frag_off = htons(0x0000);  //DF cleared,others are zero
        } else {
            iph->frag_off = htons(0x4000);  // DF set,others are zero
        }

We are sending/receive packet with raw socket (level 2 or 3 for sending (depends on setting), always level2 for receiving), on your machine, the OS can't do IP fragment even if you clear the DF bit. Raw socket bypasses the OS's fragment and defragment.

[wangyu-]

Wireguard allows endpoint IP changes but rejects port-only endpoint changes

I am not aware of this problem before. Could anyone help confirm?

[HouQiming]

More context: I'm trying to make my rig more robust with bad MTU settings. I have other hops on the link with uncontrolled / frequently changing MTUs and they may need to fragment udp2raw's output packet. I cleared the DF bit for that. As for the port-only endpoint change thing, changing link-local IPs every time was a quick hack and it did fix my wireguard connection. But I didn't check wireguard code to confirm. Message ID: ***@***.***>

…

[wangyu-]

Wireguard allows endpoint IP changes but rejects port-only endpoint changes. By default, udp2raw -s connects from a different port on 127.0.0.1 for each client, which will start getting rejected by wireguard from the 2nd attempt.

I personally think this might be some mis-understanding.

If this is true, the same applies for wireguard client behind a router. 2nd attempt behind a router will also be rejected.

But i might be wrong. Hope someone else can help confirm.