Hacking WireGuard: Embedding 25KB of Metrics in Custom Message Type 5
How we abused the WireGuard protocol to transmit rich device telemetry without opening a sidecar TCP connection.
The Problem with Sidecars
Most remote management agents work like this:
- Control Channel: A persistent TCP/WebSocket connection for commands.
- Data Channel: A separate stream for logs and metrics.
- Tunnel: A VPN interface (WireGuard/OpenVPN) for actual traffic.
This is bloated. We wanted one connection to rule them all.
Enter WireGuard Message Types
WireGuard is elegant because it is simple. It exchanges a few message types:
- Type 1: Handshake Initiation
- Type 2: Handshake Response
- Type 3: Cookie Reply
- Type 4: Transport Data (The actual encrypted packets)
But what if we added Type 5?
The "Wantasticd" Custom Protocol
We modified the WireGuard implementation in wantasticd to support a custom message type: Type 5 (Telemetry).
Instead of opening a separate HTTP/gRPC stream to report CPU usage, RAM, and WiFi signal strength, the agent packs this data directly into the WireGuard UDP stream.
Compression Magic
Sending JSON over UDP is wasteful. We use a custom binary format and Zstandard (zstd) compression to squash huge datasets into tiny packets.
- Raw Metrics: ~25KB (Full interface list, WiFi scan results, LTE signal stats)
- Compressed Payload: ~1.2KB
This payload fits inside a standard MTU, or at worst spans a couple of fragments, so we can transmit rich, high-fidelity telemetry inline with the tunnel traffic.
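To make the framing concrete, here is an added example (not wantasticd's code) of a receiver that demultiplexes on the WireGuard type byte and handles a Type 5 telemetry frame. It assumes a constructed row layout for WiFi neighbors, a 4-byte body length after the header, zlib standing in for zstd, and a 64KB cap on the decompressed size; the post does not describe wantasticd's actual Type 5 layout, and the example leaves the payload unencrypted, whereas a real tunnel would carry it under the session keys.

```python
import struct
import zlib  # stand-in for Zstandard so the example runs on a stock interpreter

# Message types listed in the post; Type 5 is the custom telemetry type.
WG_TYPES = {1: "handshake_init", 2: "handshake_resp", 3: "cookie_reply", 4: "transport"}
WG_TELEMETRY = 5
MAX_RAW_METRICS = 64 * 1024  # assumed ceiling on decompressed telemetry (post gives ~25KB)
ROW = "<32s6sbB"             # constructed row layout: ssid, bssid, rssi, channel
ROW_LEN = struct.calcsize(ROW)

def pack_metrics(neighbors):
    """Constructed binary record: a row count followed by fixed-size WiFi neighbor rows."""
    rows = [struct.pack(ROW, ssid.encode(), bytes.fromhex(bssid), rssi, chan)
            for ssid, bssid, rssi, chan in neighbors]
    return struct.pack("<I", len(rows)) + b"".join(rows)

def unpack_metrics(raw):
    count, = struct.unpack_from("<I", raw, 0)
    out = []
    for i in range(count):
        ssid, bssid, rssi, chan = struct.unpack_from(ROW, raw, 4 + ROW_LEN * i)
        out.append((ssid.rstrip(b"\x00").decode(), bssid.hex(), rssi, chan))
    return out

def build_telemetry_frame(raw_record):
    """Compress the record behind a WireGuard-style header (1-byte type, 3 reserved zero bytes) and a 4-byte body length."""
    body = zlib.compress(raw_record, 9)
    return struct.pack("<B3xI", WG_TELEMETRY, len(body)) + body

def dispatch(frame):
    """Demultiplex on the type byte; non-zero reserved bytes and unknown types are dropped, as an unmodified peer does."""
    if len(frame) < 4 or frame[1:4] != b"\x00\x00\x00":
        return ("drop", None)
    mtype = frame[0]
    if mtype in WG_TYPES:
        return (WG_TYPES[mtype], None)
    if mtype != WG_TELEMETRY or len(frame) < 8:
        return ("drop", None)
    length, = struct.unpack_from("<I", frame, 4)
    body = frame[8:8 + length]
    if len(body) != length:
        return ("drop", None)
    d = zlib.decompressobj()
    raw = d.decompress(body, MAX_RAW_METRICS)
    if not d.eof or d.unconsumed_tail:  # truncated stream, or would inflate past the cap
        return ("drop", None)
    return ("telemetry", unpack_metrics(raw))

# Constructed sample: 40 WiFi neighbors as an agent might scan them.
SAMPLE_NEIGHBORS = [("wisp-ap-%02d" % i, "02aabbcc%04x" % i, -40 - (i % 30), 1 + (i % 11))
                    for i in range(40)]
```

The decompression cap is the check worth keeping whatever the real format looks like: inline telemetry means the tunnel's packet path now runs a decompressor on attacker-reachable input, so its output must be bounded before anything is parsed.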
Why This Matters for WISPs & IoT
- Zero Overhead: No keep-alive TCP packets waking up the radio on LTE devices.
- Atomic State: If the tunnel is up, the metrics are flowing. If the tunnel is down, we know the device is offline. No "zombie" states where the API is reachable but the VPN is dead.
- Scalability: Our collectors ingest millions of these Type 5 packets per second with almost zero CPU load, as they are handled by the same kernel threads processing the VPN traffic.
The Result
You get real-time graphs of your device's health (interface traffic, collected WiFi neighbors, LTE cell assertions) updated every second, with less bandwidth usage than a single ICMP ping.