// taken from https://git.zx2c4.com/wireguard-go/tree/tun/netstack/tun.go
// rev 2b73054b299aec80cbb064954001810d30ee2e3c
...
func CreateNetTUN(localAddresses, dnsServers []netip.Addr, mtu int) (tun.Device, *Net, error) {
    opts := stack.Options{
        NetworkProtocols:   []stack.NetworkProtocolFactory{ipv4.NewProtocol, ipv6.NewProtocol},
        TransportProtocols: []stack.TransportProtocolFactory{tcp.NewProtocol, udp.NewProtocol, icmp.NewProtocol6, icmp.NewProtocol4},
        HandleLocal:        true,
    }
    dev := &netTun{
        ep:             channel.New(1024, uint32(mtu), ""),
        stack:          stack.New(opts),
        ...
    }
    sackEnabledOpt := tcpip.TCPSACKEnabled(true) // TCP SACK is disabled by default
    tcpipErr := dev.stack.SetTransportProtocolOption(tcp.ProtocolNumber, &sackEnabledOpt)
    if tcpipErr != nil {
        return nil, nil, fmt.Errorf("could not enable TCP SACK: %v", tcpipErr)
    }
    ...
}