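# ---------------------------------------------
# gutd -- TC/XDP tunnel configuration
# ---------------------------------------------
#
# Comment style: full-line "#" comments only. Trailing comments on
# "key = value" lines are avoided on purpose -- most INI parsers keep
# everything after the delimiter as part of the value, so a note such
# as "stats_interval = 5 # seconds" would be read as the string
# "5 # seconds" rather than "5".
#
# Architecture: TC egress (encap+mask) on veth -> XDP ingress (unmask+decap) on NIC
# Masking: ChaCha4 stream cipher (compile-time, 2 double-rounds)
#
# Overhead per packet:
# IPv4: IP(20) + UDP(8) + PMTU(20) = 48 bytes
# IPv6: IP(40) + UDP(8) + PMTU(20) = 68 bytes
#
# Recommended inner MTU: outer_mtu - overhead
# IPv4: 1500 - 48 = 1452 (conservative: 1420)
# IPv6: 1500 - 68 = 1432 (conservative: 1400)
# MTU base precedence at runtime:
# 1) route PMTU to peer (`ip route get <peer_ip>`)
# 2) ingress interface MTU
# 3) configured outer_mtu
#
# inner MTU here is full inner L3 packet size (complete IP packet).
#
# Key management:
# gutd genkey # random 256-bit key
# gutd genkey --passphrase "my secret" # HKDF-SHA256 derived

# -- Global settings ----------------------------------------------
[global]
# Outer (wire) MTU. Managed automatically at runtime using the
# precedence listed in the header; uncomment only to pin a value.
# outer_mtu = 1500
# Interval, in seconds, between counter dumps to stat_file (0 = off).
stats_interval = 5
# Path the periodic counters are written to.
stat_file = /run/gutd.stat

# -- Peer (one peer = one veth pair + TC egress + XDP ingress) ----
[peer]
# veth pair name (gut0 <-> gut0_xdp)
name = gut0
# Inner MTU. Managed automatically; uncomment only to pin a value.
# mtu = 1492
# Physical NIC for XDP ingress (auto-detected if omitted).
# nic = eth0
# QUIC server role; inferred from dynamic_peer if not set.
# responder = true
# Local bind address [default: 0.0.0.0]
# bind_ip = 0.0.0.0
# Remote peer IP, or "dynamic" for server-side NAT traversal.
peer_ip = 203.0.113.10
# Comma-separated UDP port list (1..16 entries). In current
# payload-only mode these must match the WG UDP endpoint ports on the wire.
ports = 41000,41001,41002,41003
# Drop probability, in percent, for WG keepalive packets (type=4, payload=0).
keepalive_drop_percent = 30
# Obfuscation mode: quic (default) or noise (random UDP).
# obfs = quic
# Key -- choose ONE method (uncomment exactly one line).
# Whichever you choose is stored here in plaintext, so restrict read
# access to this file accordingly.
# key = <replace with output of: gutd genkey>
# passphrase = <replace with your passphrase (key derived via HKDF-SHA256)>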