From 0905936c45b6380d65d347e3cb9037f64991b8f4 Mon Sep 17 00:00:00 2001
From: Jordan Whited <jordan@tailscale.com>
Date: Sat, 21 Jun 2025 21:14:42 -0700
Subject: [PATCH] wgengine/magicsock: set Geneve header protocol for WireGuard
 (#16350)

Otherwise receives interpret as naked WireGuard.

Updates tailscale/corp#27502

Signed-off-by: Jordan Whited <jordan@tailscale.com>
---
 wgengine/magicsock/batching_conn_linux.go | 2 ++
 wgengine/magicsock/rebinding_conn.go      | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/wgengine/magicsock/batching_conn_linux.go b/wgengine/magicsock/batching_conn_linux.go
index c9aaff168..a0607c624 100644
--- a/wgengine/magicsock/batching_conn_linux.go
+++ b/wgengine/magicsock/batching_conn_linux.go
@@ -114,6 +114,7 @@ func (c *linuxBatchingConn) coalesceMessages(addr *net.UDPAddr, vni virtualNetwo
 	vniIsSet := vni.isSet()
 	var gh packet.GeneveHeader
 	if vniIsSet {
+		gh.Protocol = packet.GeneveProtocolWireGuard
 		gh.VNI = vni.get()
 	}
 	for i, buff := range buffs {
@@ -202,6 +203,7 @@ retry:
 		vniIsSet := addr.vni.isSet()
 		var gh packet.GeneveHeader
 		if vniIsSet {
+			gh.Protocol = packet.GeneveProtocolWireGuard
 			gh.VNI = addr.vni.get()
 			offset -= packet.GeneveFixedHeaderLength
 		}
diff --git a/wgengine/magicsock/rebinding_conn.go b/wgengine/magicsock/rebinding_conn.go
index 51e97c8cc..8b9ad4bb0 100644
--- a/wgengine/magicsock/rebinding_conn.go
+++ b/wgengine/magicsock/rebinding_conn.go
@@ -85,7 +85,8 @@ func (c *RebindingUDPConn) WriteBatchTo(buffs [][]byte, addr epAddr, offset int)
 			var gh packet.GeneveHeader
 			if vniIsSet {
 				gh = packet.GeneveHeader{
-					VNI: addr.vni.get(),
+					Protocol: packet.GeneveProtocolWireGuard,
+					VNI:      addr.vni.get(),
 				}
 			}
 			for _, buf := range buffs {