@diyism
Last active February 13, 2023 11:26
wireguard config
#on Ubuntu 20.04 and newer WireGuard is in the stock kernel and the wireguard package is in the main repositories: "sudo apt-get install wireguard" is enough and the headers/PPA/modprobe steps below can be skipped
$ sudo apt-get install linux-headers-$(uname -r)
$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard
$ sudo modprobe wireguard
$ sudo mkdir /etc/wireguard
$ (umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
#umask 077 makes wg0.conf (which holds the private key) root-only, mode 0600; the public key file needs no protection
$ wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
$ sudo nano /etc/wireguard/wg0.conf
=====server side /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <server privkey>
ListenPort = 24444
SaveConfig = false
Address = 10.0.0.1/32
#forwarding between peers and to the internet also needs net.ipv4.ip_forward=1 (sysctl -w, persist it in /etc/sysctl.conf); wg-quick does not set it
#tighten the NAT rule with "-s 10.0.0.0/24" so only tunnel clients are masqueraded (see terrywang's comment below);
#if the FORWARD chain policy is DROP, reply traffic also needs: iptables -A FORWARD -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <get client pubkey from sudo wg>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <get client pubkey from sudo wg>
AllowedIPs = 10.0.0.3/32
======clientA side /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <clientA privkey>
Address = 10.0.0.3/32
[Peer]
PublicKey = <get server pubkey from sudo wg>
Endpoint = <server ip>:24444
AllowedIPs = 0.0.0.0/0
======clientB side /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <clientB privkey>
Address = 10.0.0.2/32
[Peer]
PublicKey = <get server pubkey from server sudo wg>
Endpoint = <server ip>:24444
AllowedIPs = 0.0.0.0/0
======test:
====from cellphone a:
ping 10.0.0.1
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=163 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=172 ms
ping 10.0.0.2
64 bytes from 10.0.0.2: icmp_seq=3 ttl=63 time=351 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=63 time=349 ms
====from vps:
ping 10.0.0.2
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=187 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=185 ms
ping 10.0.0.3
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=172 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=179 ms
==========================split china traffic and non-china traffic with wireguard and ip route:
======client side /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <client privkey>
Address = 10.0.0.3/32
PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <get server pubkey from server sudo wg> allowed-ips 0.0.0.0/0
PostDown = ip route del 10.0.0.0/24 dev wg0
[Peer]
PublicKey = <get server pubkey from server sudo wg>
Endpoint = <server ip>:24444
#AllowedIPs = 0.0.0.0/0
#AllowedIPs is deliberately left out of the file and set with "wg set" in PostUp instead: wg-quick only installs routes
#for AllowedIPs it reads from the file, so the peer may carry any destination (cryptokey routing) while nothing is
#routed into wg0 except 10.0.0.0/24 and the per-/16 routes that dns2https.php adds
======dns2https.php script:
resolve the domain name and check whether the answer is inside the China IP range database;
if it is not in China and its first two octets differ from those of <server ip>, exec: "ip route add xxx.xxx.0.0/16 dev wg0"
(the server's own /16 must never be routed into wg0: the tunnel's outer UDP packets would then be sent through the tunnel itself)
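The route decision the dns2https.php script makes, as an added Python example (not the gist's PHP script). The China ranges and the server address are constructed placeholders; a real run loads a full China IP list. It also skips non-global addresses (private, loopback, link-local), a guard the description above does not mention, and emits the `ip route add` commands as strings so the logic can be checked offline.

```python
"""Decide which /16 routes to push into wg0 for resolved addresses."""
import ipaddress
import socket
import subprocess
from typing import Iterable, List, Optional, Set

# Constructed sample ranges standing in for a China IP range database.
CHINA_RANGES = [ipaddress.ip_network(c) for c in
                ("1.0.1.0/24", "14.0.0.0/21", "36.0.0.0/10", "223.64.0.0/11")]
SERVER_IP = "203.0.113.10"  # placeholder for <server ip> (TEST-NET-3)


def in_china(ip: ipaddress.IPv4Address,
             ranges: Iterable[ipaddress.IPv4Network] = CHINA_RANGES) -> bool:
    return any(ip in net for net in ranges)


def slash16(ip: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """The gist routes whole /16s ("xxx.xxx.0.0/16"): coarse, but few routes."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def route_for(ip, server_ip=SERVER_IP, ranges=CHINA_RANGES) -> Optional[str]:
    """Return the `ip route add` command for a resolved address, or None.

    None when the address is inside a China range (stays on the direct path),
    when it shares the server's /16 ("first two octets equal <server ip>":
    that route would pull the tunnel's own outer packets into wg0 and loop),
    or when it is not globally routable (added guard, not in the gist).
    """
    ip = ipaddress.ip_address(ip)
    server_ip = ipaddress.ip_address(server_ip)
    if ip.version != 4 or not ip.is_global:
        return None
    if in_china(ip, ranges):
        return None
    net = slash16(ip)
    if server_ip in net:
        return None
    return f"ip route add {net} dev wg0"


def routes_for_addresses(addrs: Iterable[str], seen: Optional[Set[str]] = None,
                         **kw) -> List[str]:
    """Commands for a batch of answers, each /16 at most once."""
    seen = set() if seen is None else seen
    out: List[str] = []
    for a in addrs:
        cmd = route_for(a, **kw)
        if cmd and cmd not in seen:
            seen.add(cmd)
            out.append(cmd)
    return out


def resolve(name: str) -> List[str]:
    """Live DNS lookup; not used by the offline check."""
    return socket.gethostbyname_ex(name)[2]


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        for cmd in routes_for_addresses(resolve(name)):
            print(cmd)
            subprocess.run(cmd.split(), check=False)  # needs root, like the PHP script
```

Resolution should happen over a path the censor cannot poison (the script's name suggests DNS over HTTPS); otherwise a forged answer decides which prefixes leave through the tunnel.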
============================nat traverse between office and home, and x11vnc connection:
=====office ubuntu:
$cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <office privkey>
Address = 10.0.0.3/32
PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <vps pubkey> allowed-ips 0.0.0.0/0
PostDown = ip route del 10.0.0.0/24
[Peer]
#10.0.0.1
PublicKey = <vps pubkey>
Endpoint = <vps ip>:24444
#AllowedIPs = 0.0.0.0/0
[Peer]
#10.0.0.5 home
PublicKey = <home pubkey>
Endpoint = <home wan ip>:<home wan port get from stun command below>
AllowedIPs = 10.0.0.5/32
$sudo wg-quick down wg0 ; sudo wg-quick up wg0
#apt install tigervnc-scraping-server
#sudo -u <current user> x0vncserver -display :0 -SecurityTypes none
#apt install x11vnc
$nohup sudo -u <desktop user> /usr/local/bin/x11vnc -repeat -multiptr -loop -display :0 >/dev/null 2>&1 &
#both servers above accept any client that reaches TCP 5900 without a password; keep them reachable only over the tunnel
#(x11vnc: "-listen 10.0.0.3", plus "-rfbauth <passwd file>" created with "x11vnc -storepasswd") rather than on the office LAN
#if use fullscreen mode on home ubuntu, should remove "-multiptr" param
#if exit session, start x11vnc with lightdm session once:
sudo service lightdm restart
sudo killall x11vnc
sudo x11vnc -display :0 -auth /var/run/lightdm/root/:0
xrandr -d :0 --fb 1920x1080 #after change, to stop and run xtightvncviewer again
xrandr --output HDMI-2 --scale 1x1
tightvnc doesn't support hardware acceleration (tigervnc does)
firefox with the default layers.acceleration.force-enabled=false is very fast over vnc
chrome and brave should disable hardware acceleration in chrome://settings/system
=====home ubuntu:
$stun stun.counterpath.net:3478
Primary: Independent Mapping, Address Dependendent Filter
...
(Independent Mapping, Independent Filter = Full Cone
Independent Mapping, Address Dependent Filter = Restricted Cone
Independent Mapping, Port Dependent Filter = Port Restricted Cone
Dependent Mapping = Symmetric; the hole punching below does not work through it, the mapped port differs per destination
)
$cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <home privkey>
Address = 10.0.0.5/32
ListenPort = 24447
PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <vps pubkey> allowed-ips 0.0.0.0/0
PostDown = ip route del 10.0.0.0/24 dev wg0
[Peer]
PublicKey = <vps pubkey>
Endpoint = <vps ip>:24444
#AllowedIPs = 0.0.0.0/0
[Peer]
PublicKey = <office pubkey>
Endpoint = <office wan ip>:10000
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 60 #keeps the home NAT mapping open and keeps sending to the office so its wireguard can enter my home network; or use: ping 10.0.0.3
$sudo wg-quick down wg0
$stun -v -p 24447 stun.counterpath.net:3478 2>&1 | grep MappedAddress | head -n 1
MappedAddress = <home wan ip>:<home wan port>
#the mapping is learned for the wireguard ListenPort (24447), so wg0 must be down while stun binds that port
$stun -p 24447 <office wan ip>:10000
#sends one packet from 24447 to the office endpoint, so the home NAT (address dependent filter) now accepts inbound packets from <office wan ip>: this is the "invite" for the office wireguard
$sudo wg-quick up wg0
$ping 10.0.0.3
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=7.51 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=7.73 ms
#before the traverse operation, the time is 351 ms
$xtightvncviewer 10.0.0.3:0
#now i can visit my office ubuntu desktop(x11vnc server)
#fastest:
#xtightvncviewer -fullscreen -nojpeg -bgr233 -compresslevel 9 10.0.0.3:0
#prepare:
#sudo bash -c 'echo "Vncviewer*grabKeyboard: true" > /etc/X11/Xresources/xtightvncviewer'
#xrdb -merge /etc/X11/Xresources/xtightvncviewer
#press F8 to quit fullscreen
#tigervncviewer for x0vncserver(tigervnc-scraping-server) or x11vnc
#tigervncviewer -fullscreen -nojpeg -lowcolorlevel 0 -compresslevel 6 10.1.0.3:0
#but it seems "lowcolorlevel 0" not work
#if you want to access the office LAN, for example 192.168.1.0/24:
#10.1.0.5(home) should set wg1.conf PostUp "wg set wg1 peer <10.1.0.3 pubkey> allowed-ips 0.0.0.0/0"
#10.1.0.5(home) should set "ip route add 192.168.1.0/24 via 10.1.0.3 dev wg1"
#10.1.0.3(office) should set "echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf ; sysctl -p"
#10.1.0.3(office) should set "iptables -t nat -A POSTROUTING -s 10.1.0.5 -j MASQUERADE"
#10.1.0.3(office) doesn't need "allowed-ips 0.0.0.0/0"
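What the "stun -p 24447 ..." step above actually exchanges, as an added example (not part of the gist): a STUN Binding Request (RFC 5389) sent from the WireGuard ListenPort makes the NAT create a mapping for that port, and the server echoes the public address:port back in XOR-MAPPED-ADDRESS, which is the value the other peer puts in its Endpoint line. The wire layout is the RFC's; the function names are mine, and the response used for the offline check is constructed with the encoder here.

```python
"""Minimal STUN Binding request/response handling (RFC 5389)."""
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001        # legacy, plain address
ATTR_XOR_MAPPED_ADDRESS = 0x0020    # address XORed with the magic cookie
FAMILY_IPV4 = 0x01


def build_binding_request(txid: bytes) -> bytes:
    """20-byte header: type, length 0, magic cookie, 12-byte transaction id."""
    assert len(txid) == 12
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Server-side encoding of XOR-MAPPED-ADDRESS (used to build test input)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_mapped_address(packet: bytes, txid: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a Binding Success response, or None.

    The magic cookie and transaction id must match the request we sent; a
    response for some other request is ignored rather than trusted.
    XOR-MAPPED-ADDRESS wins; MAPPED-ADDRESS is a fallback for old servers.
    """
    if len(packet) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", packet[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or packet[8:20] != txid:
        return None
    body = packet[20:20 + length]
    fallback = None
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if atype not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) or len(val) != 8:
            continue
        family, port, addr = struct.unpack("!xBHI", val)
        if family != FAMILY_IPV4:
            continue
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            addr ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        fallback = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    return fallback


def discover(local_port: int, server: Tuple[str, int], timeout: float = 3.0):
    """Live query (not run offline): bind the WireGuard port and ask the server."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", local_port))
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), server)
        data, _ = s.recvfrom(2048)
    return parse_mapped_address(data, txid)


if __name__ == "__main__":
    # run "sudo wg-quick down wg0" first, as in the gist, so port 24447 is free
    print(discover(24447, ("stun.counterpath.net", 3478)))
```

The same socket, bound to the same local port, is what keeps the mapping usable for WireGuard afterwards; with a symmetric NAT the mapping learned here is only valid towards the STUN server, which is why the table above rules that case out.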
===============================wireguard over udp2raw:
========client A:
$wget https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz
$tar xzvf udp2raw_binaries.tar.gz
$sudo cp udp2raw_amd64 /usr/bin/
$sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r<server ip>:24447 -a
#pass the same "-k <password>" on both sides; omitted as here, udp2raw falls back to its built-in default key
$cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <client privkey>
Address = 10.0.0.3/32
ListenPort = 24447
MTU = 1300
PostUp = ip route add 10.0.0.0/24 dev wg0 && ip route add <server_ip> via $(ip route | awk '$1=="default" {print $3}')
PostDown = ip route del 10.0.0.0/24
[Peer]
#10.0.0.1
PublicKey = <server pubkey>
Endpoint = 127.0.0.2:24448
AllowedIPs = 0.0.0.0/0 #proxy all traffic: wg-quick then routes everything into wg0, including udp2raw's own packets to <server ip>, so the host route in PostUp (via the LAN gateway) is required, or else the tunnel loops forever
$sudo wg-quick down wg0 ; sudo wg-quick up wg0
$ping 10.0.0.1
64 bytes from 10.0.0.1: icmp_seq=2113 ttl=64 time=183 ms
$sudo ip route add 104.24.0.0/16 dev wg0
$ping myip.ipip.net
PING myip.ipip.net (104.24.20.50) 56(84) bytes of data.
64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms
$curl http://myip.ipip.net
IP:<server ip>
#take care, "MTU = 1300" in wg0.conf is needed for wireguard over udp2raw: the default 1420 leaves no room for udp2raw's extra headers, the oversized packets are dropped and PMTU discovery never notices, so small requests work but most https handshakes (large certificate packets) stall.
#for "client B without wireguard"(LAN ip 192.168.1.3) to connect:
#in /etc/sysctl.conf:
net.ipv4.ip_forward=1
$sudo sysctl -p
$sudo iptables -t nat -A POSTROUTING -o wg0 -s 192.168.1.0/24 -j MASQUERADE
#-o wg0: the LAN packets leave through the tunnel and must be SNATed to 10.0.0.3, otherwise the server drops them (source 192.168.1.x is not in this peer's AllowedIPs); "-o eth0" would not match the tunnelled packets at all
========client B without wireguard:
#in /etc/network/interfaces:
auto eth0
iface eth0 inet static
address 192.168.1.4
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.3
mtu 1300
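A small lint for the pitfalls collected on this page, as an added Python example (not part of the gist): the unrestricted MASQUERADE rule of the server config at the top (terrywang's point in the comments below), overlapping AllowedIPs between peers, and the udp2raw case just above, where a loopback Endpoint plus AllowedIPs 0.0.0.0/0 needs the host route in PostUp and a lower MTU (the same shape as the client config in butterl's comment below). It parses the file the way wg-quick does ("#" starts a comment, [Peer] may repeat). The two sample configs at the bottom are constructed for the offline check.

```python
"""Lint a wg-quick config for the pitfalls discussed on this page."""
import ipaddress
import re
from typing import Dict, List, Tuple

Section = Tuple[str, Dict[str, List[str]]]


def parse_wg_conf(text: str) -> List[Section]:
    """Return [(section_name, {key: [values...]}), ...] in file order."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # wg-quick strips '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), {}))
            continue
        if "=" not in line or not sections:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (p.strip() for p in line.split("=", 1))
        sections[-1][1].setdefault(key, []).append(value)
    return sections


def _csv(values: List[str]) -> List[str]:
    return [v.strip() for value in values for v in value.split(",") if v.strip()]


def lint(text: str) -> List[str]:
    findings: List[str] = []
    secs = parse_wg_conf(text)
    iface = next((kv for name, kv in secs if name == "Interface"), {})
    peers = [kv for name, kv in secs if name == "Peer"]
    hooks = " ; ".join(iface.get("PostUp", []))

    # 1. NAT rule that masquerades everything leaving eth0, not just the tunnel.
    for rule in re.findall(r"iptables[^;]*MASQUERADE", hooks):
        if " -s " not in f" {rule} ":
            findings.append("MASQUERADE without -s <tunnel subnet>: every packet leaving "
                            "the uplink is NATed, not only WireGuard clients")
    if "MASQUERADE" in hooks and "ip_forward" not in hooks:
        findings.append("forwarding rules present: net.ipv4.ip_forward=1 must be set "
                        "separately (sysctl), wg-quick does not do it")

    # 2. Overlapping AllowedIPs: cryptokey routing is a map, a later peer
    #    silently takes the prefix away from an earlier one.
    seen = []
    for idx, p in enumerate(peers):
        for cidr in _csv(p.get("AllowedIPs", [])):
            net = ipaddress.ip_network(cidr, strict=False)
            for other, oidx in seen:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {idx} AllowedIPs {net} overlaps peer {oidx} {other}")
            seen.append((net, idx))

    # 3. Tunnel-in-tunnel over loopback with a default route through wg0.
    mtu = int(iface["MTU"][0]) if "MTU" in iface else None
    for idx, p in enumerate(peers):
        ep = p.get("Endpoint", [""])[0]
        host = ep.rsplit(":", 1)[0].strip("[]")
        try:
            loop = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loop = False
        full = any(ipaddress.ip_network(c, strict=False).prefixlen == 0
                   for c in _csv(p.get("AllowedIPs", [])))
        if loop and full:
            if not re.search(r"ip route add \S+ via", hooks):
                findings.append(f"peer {idx}: Endpoint {ep} is a local tunnel and AllowedIPs "
                                "covers everything; add 'ip route add <outer server ip> via "
                                "<lan gateway>' to PostUp or the outer tunnel loops into wg0")
            if mtu is None:
                findings.append("MTU not set: the default 1420 leaves no room for the outer "
                                "tunnel's headers (the gist uses MTU = 1300 over udp2raw)")
    return findings


# Constructed samples: the page's server config with one extra bad peer, and
# the udp2raw client config without its PostUp route and MTU.
SERVER_CONF = """\
[Interface]
PrivateKey = <server privkey>
ListenPort = 24444
Address = 10.0.0.1/32
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <client pubkey>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <client pubkey 2>
AllowedIPs = 10.0.0.0/24   # constructed mistake: overlaps the first peer
"""

UDP2RAW_CLIENT_CONF = """\
[Interface]
PrivateKey = <client privkey>
Address = 10.0.0.3/32
ListenPort = 24447
[Peer]
PublicKey = <server pubkey>
Endpoint = 127.0.0.2:24448
AllowedIPs = 0.0.0.0/0
"""

if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("udp2raw client", UDP2RAW_CLIENT_CONF)):
        print(name, lint(conf))
```

Running it on a real file is `lint(open("/etc/wireguard/wg0.conf").read())` as root; the check is static, so it cannot tell whether ip_forward is already enabled elsewhere, it only reminds you.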
===========wireguard over erebe wstunnel(udp over websocket):
on vps:
./wstunnel_linux_x64 -u --server wss://0.0.0.0:24447 -r 127.0.0.1:24448
on pc(home or office):
./wstunnel_linux_x64 -u -L 127.0.0.2:24448:127.0.0.1:24448 wss://[vps_ip]:24447
$ ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=143 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=141 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=132 ms
erebe wstunnel seems very efficient, but it has to listen on port 443 or the connection gets blocked by the GFW.
===========wireguard over tws-rust+nginx(udp over websocket):
#on vps:
./tws-rust server -l 127.0.0.1:8443 -p <password>
#/etc/nginx/nginx.conf on vps:
server {
listen 443 ssl;
server_name mydomain.com;
ssl_certificate /etc/ssl/certs/mydomain.com.crt;
ssl_certificate_key /etc/ssl/private/myserver.key;
ssl_protocols TLSv1.2 TLSv1.3; # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop TLSv1.3 only if the nginx/OpenSSL build is too old for it
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
root html;
index index.html index.htm;
}
location /tws {
if ($http_upgrade !~* ^WebSocket$) {
return 404;
}
proxy_pass http://127.0.0.1:8443/;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
#on pc(home or office):
./tws-rust client -l 127.0.0.2:24448 -r 127.0.0.1:24448 -s wss://[vps_ip]/tws -p <password>
#connect with the name the certificate was issued for (wss://mydomain.com/tws) rather than the bare IP, otherwise the certificate's name does not match what the client verifies
@terrywang commented Sep 3, 2018

Thanks for sharing. However, you may need to specify source CIDRs for the PostUp and PostDown hook iptables rules so that clients can access the Internet properly.

For example, if subnet 172.16.77.0/24 is dedicated to this WireGuard use case, specify it in the NAT rule ->
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.77.0/24 -j MASQUERADE.

@butterl commented Dec 24, 2018

tried with udp2raw config

Server side:
udp2raw -s -l0.0.0.0:8888 -r127.0.0.1:443 -k "passwd" --raw-mode faketcp -a

Client side:
udp2raw -c -rserverip:8888 -l0.0.0.0:8887 --raw-mode faketcp -a -k"passwd"

and could get server and client ready

[2018-12-24 09:53:45][INFO][45.249.212.49:2293]received syn,sent syn ack back
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]got packet from a new ip
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]created new conn,state: server_handshake1,my_id is d5339b09
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]changed state to server_handshake1,my_id is d5339b09
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]received handshake oppsite_id:5c78d937  my_id:d5339b09
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]oppsite const_id:e5b9e7db 
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]changed state to server_ready

but when I wg-quick up wg0 it just failed: ping 10.0.0.1 had 100% packet loss
wg0 config is as below

[Interface]
PrivateKey = <client privatekey>
Address = 10.0.0.3/24
DNS = 8.8.8.8
MTU = 1300
[Peer]
PublicKey = <server pubkey>
Endpoint = 127.0.0.1:8887
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25

server wg0 config

[Interface]
Address = 10.0.0.1/24
MTU = 1420
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 443
PrivateKey = <server private key>

[Peer]
PublicKey = <client pubkey>
AllowedIPs = 10.0.0.3/32
