Checksum calculating

Hi all.
Who can say?
I have an NDIS filter driver installed between the network card driver and the protocol driver in the driver stack.
When I receive the next packet from the network card driver (incoming traffic) and after making some changes to it, do I need to calculate a new checksum of the IP header. Whether it is checked after me in the protocol driver or in user mode programs.
In other words, - where the checksum of the IP header in incoming network traffic is checked.

Second question.
Is it possible any changes in the transport layer header (TCP,UDP,ARP…) when a packet travels between two hosts through routers. (May be because of pseudo checksum)

More general question.
We have a private network with routers, switches and etc. between our computers.
I want to make some changes to the traffic, we can call it private encryption. Which headers I can’t involve in my encryption.
For example, the Ethernet and IP headers are used by routers, so I shouldn’t change them.
Are there any rules to know what I can encrypt and which headers I should not touch

You’re talking about a VPN. There are hundreds of such products available today.

Classic VPN encapsulates the entire IP packet with a new IP header, checksum etc. None of the parts of the ‘real’ packet are modified (besides being encrypted). It works this way precisely because then the code doing the encryption and encapsulation doesn’t have to know anything about the higher level protocols - which is entirely consistent with the OSI model

Thank you very much.