@diyism
Last active February 13, 2023 11:26
wireguard config
$ sudo apt-get install linux-headers-$(uname -r)
$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install wireguard
$ sudo modprobe wireguard
$ sudo mkdir /etc/wireguard
$ (umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
$ wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
$ sudo nano /etc/wireguard/wg0.conf
=====server side /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <server privkey>
ListenPort = 24444
SaveConfig = false
Address = 10.0.0.1/32
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <get client pubkey from sudo wg>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <get client pubkey from sudo wg>
AllowedIPs = 10.0.0.3/32
======clientA side /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <clientA privkey>
Address = 10.0.0.3/32
[Peer]
PublicKey = <get server pubkey from sudo wg>
Endpoint = <server ip>:24444
AllowedIPs = 0.0.0.0/0
======clientB side /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <clientB privkey>
Address = 10.0.0.2/32
[Peer]
PublicKey = <get server pubkey from server sudo wg>
Endpoint = <server ip>:24444
AllowedIPs = 0.0.0.0/0
======test:
====from cellphone a:
ping 10.0.0.1
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=163 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=172 ms
ping 10.0.0.2
64 bytes from 10.0.0.2: icmp_seq=3 ttl=63 time=351 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=63 time=349 ms
====from vps:
ping 10.0.0.2
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=187 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=185 ms
ping 10.0.0.3
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=172 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=179 ms
==========================split china traffic and non-china traffic with wireguard and ip route:
======client side /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <client privkey>
Address = 10.0.0.3/32
PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <get server pubkey from server sudo wg> allowed-ips 0.0.0.0/0
PostDown = ip route del 10.0.0.0/24 dev wg0
[Peer]
PublicKey = <get server pubkey from server sudo wg>
Endpoint = <server ip>:24444
#AllowedIPs = 0.0.0.0/0
======dns2https.php script:
resolve the domain name and check whether the IP is in the china ip ranges database;
if it is not in china and its first two octets (the xxx.xxx part) do not match those of <server ip>, then exec: "ip route add xxx.xxx.0.0/16 dev wg0"
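The routing decision described above, as an added Python example (it is not the gist's dns2https.php). The China ranges and the server IP are constructed placeholders; the script assumes the PostUp line above has already set the server peer's allowed-ips to 0.0.0.0/0, so any /16 pointed at dev wg0 is accepted by the tunnel.

```python
import ipaddress
import socket
import subprocess

# Constructed sample of "China IP ranges"; a real deployment loads a full
# database of CIDRs. These three entries are illustrative only.
CHINA_RANGES = [ipaddress.ip_network(n) for n in ("36.0.0.0/8", "223.5.0.0/16", "1.2.0.0/16")]

# Placeholder for the WireGuard server's public IP (<server ip> in wg0.conf).
SERVER_IP = "203.0.113.10"

def is_china_ip(addr, ranges=CHINA_RANGES):
    """True if addr falls inside any range of the China IP database."""
    return any(addr in net for net in ranges)

def route_for_ip(ip, server_ip=SERVER_IP, ranges=CHINA_RANGES):
    """Return the /16 to send through wg0 for this IP, or None to leave it direct."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return None  # the scheme on this page only covers IPv4 /16 routes
    if is_china_ip(addr, ranges):
        return None  # china traffic stays on the default route
    # Never route the /16 containing the WireGuard endpoint into wg0:
    # the encrypted packets would then be sent back into the tunnel (loop).
    if addr.packed[:2] == ipaddress.ip_address(server_ip).packed[:2]:
        return None
    return ipaddress.ip_network(f"{addr}/16", strict=False)

def route_command(net):
    """The exact command the page describes, as an argv list."""
    return ["ip", "route", "add", str(net), "dev", "wg0"]

def plan_routes(ips, server_ip=SERVER_IP, added=None):
    """Decide routes for a batch of resolved IPs, skipping /16s already added."""
    added = set() if added is None else added
    cmds = []
    for ip in ips:
        net = route_for_ip(ip, server_ip)
        if net is not None and net not in added:
            added.add(net)
            cmds.append(route_command(net))
    return cmds

def resolve_and_route(hostname, server_ip=SERVER_IP, added=None, dry_run=True):
    """Resolve hostname and add the needed route(s); needs root unless dry_run."""
    ips = {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}
    for cmd in plan_routes(sorted(ips), server_ip, added):
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
```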
============================nat traverse between office and home, and x11vnc connection:
=====office ubuntu:
$cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <office privkey>
Address = 10.0.0.3/32
PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <vps pubkey> allowed-ips 0.0.0.0/0
PostDown = ip route del 10.0.0.0/24
[Peer]
#10.0.0.1
PublicKey = <vps pubkey>
Endpoint = <vps ip>:24444
#AllowedIPs = 0.0.0.0/0
[Peer]
#10.0.0.5 home
PublicKey = <home pubkey>
Endpoint = <home wan ip>:<home wan port get from stun command below>
AllowedIPs = 10.0.0.5/32
$sudo wg-quick down wg0 ; sudo wg-quick up wg0
#apt install tigervnc-scraping-server
#sudo -u <current user> x0vncserver -display :0 -SecurityTypes none
#apt install x11vnc
$nohup sudo -u <desktop user> /usr/local/bin/x11vnc -repeat -multiptr -loop -display :0 >/dev/null 2>&1 &
#if using fullscreen mode on the home ubuntu, remove the "-multiptr" param
#if the desktop session has exited, start x11vnc against the lightdm session once:
sudo service lightdm restart
sudo killall x11vnc
sudo x11vnc -display :0 -auth /var/run/lightdm/root/:0
xrandr -d :0 --fb 1920x1080 #after changing this, stop and run xtightvncviewer again
xrandr --output HDMI-2 --scale 1x1
tightvnc doesn't support hardware acceleration (tigervnc does)
firefox with the default layers.acceleration.force-enabled=false is very fast
chrome and brave should disable hardware acceleration in chrome://settings/system
=====home ubuntu:
$stun stun.counterpath.net:3478
Primary: Independent Mapping, Address Dependendent Filter
...
(Independent Mapping, Independent Filter = Full Cone
Independent Mapping, Address Dependent Filter = Restricted Cone
Independent Mapping, Port Dependent Filter = Port Restricted Cone
Dependent Mapping = Symmetric
)
$cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <home privkey>
Address = 10.0.0.5/32
ListenPort = 24447
PostUp = ip route add 10.0.0.0/24 dev wg0 && wg set wg0 peer <vps pubkey> allowed-ips 0.0.0.0/0
PostDown = ip route del 10.0.0.0/24 dev wg0
[Peer]
PublicKey = <vps pubkey>
Endpoint = <vps ip>:24444
#AllowedIPs = 0.0.0.0/0
[Peer]
PublicKey = <office pubkey>
Endpoint = <office wan ip>:10000
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 60 #send packets to invite office wireguard to enter my home network, or use: ping 10.0.0.3
$sudo wg-quick down wg0
$stun -v -p 24447 stun.counterpath.net:3478 2>&1 | grep MappedAddress | head -n 1
MappedAddress = <home wan ip>:<home wan port>
$stun -p 24447 <office wan ip>:10000
#send the init packet to invite office wireguard to enter my home network
$sudo wg-quick up wg0
$ping 10.0.0.3
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=7.51 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=7.73 ms
#before the NAT traversal, the round-trip time was 351 ms
$xtightvncviewer 10.0.0.3:0
#now I can reach my office ubuntu desktop (x11vnc server)
#fastest:
#xtightvncviewer -fullscreen -nojpeg -bgr233 -compresslevel 9 10.0.0.3:0
#prepare:
#sudo bash -c 'echo "Vncviewer*grabKeyboard: true" > /etc/X11/Xresources/xtightvncviewer'
#xrdb -merge /etc/X11/Xresources/xtightvncviewer
#press F8 to quit fullscreen
#tigervncviewer for x0vncserver(tigervnc-scraping-server) or x11vnc
#tigervncviewer -fullscreen -nojpeg -lowcolorlevel 0 -compresslevel 6 10.1.0.3:0
#but it seems "lowcolorlevel 0" doesn't work
#if you want to access the office LAN, for example 192.168.1.0/24:
#10.1.0.5(home) should set wg1.conf PostUp "wg set wg1 peer <10.1.0.3 pubkey> allowed-ips 0.0.0.0/0"
#10.1.0.5(home) should set "ip route add 192.168.1.0/24 via 10.1.0.3 dev wg1"
#10.1.0.3(office) should set "echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf ; sysctl -p"
#10.1.0.3(office) should set "iptables -t nat -A POSTROUTING -s 10.1.0.5 -j MASQUERADE"
#10.1.0.3(office) doesn't need "allowed-ips 0.0.0.0/0"
===============================wireguard over udp2raw:
========client A:
$wget https://github.com/wangyu-/udp2raw-tunnel/releases/download/20180830.2/udp2raw_binaries.tar.gz
$tar xzvf udp2raw_binaries.tar.gz
$sudo cp udp2raw_amd64 /usr/bin/
$sudo udp2raw_amd64 -c -l127.0.0.2:24448 -r<server ip>:24447 -a
$cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <client privkey>
Address = 10.0.0.3/32
ListenPort = 24447
MTU = 1300
PostUp = ip route add 10.0.0.0/24 dev wg0 && ip route add <server_ip> via $(ip route | awk '$1=="default" {print $3}')
PostDown = ip route del 10.0.0.0/24
[Peer]
#10.0.0.1
PublicKey = <server pubkey>
Endpoint = 127.0.0.2:24448
AllowedIPs = 0.0.0.0/0 #proxy all traffic, so "ip route add <server_ip> ..." must be added into PostUp, or else infinite loop
$sudo wg-quick down wg0 ; sudo wg-quick up wg0
$ping 10.0.0.1
64 bytes from 10.0.0.1: icmp_seq=2113 ttl=64 time=183 ms
$sudo ip route add 104.24.0.0/16 dev wg0
$ping myip.ipip.net
PING myip.ipip.net (104.24.20.50) 56(84) bytes of data.
64 bytes from 104.24.20.50 (104.24.20.50): icmp_seq=1 ttl=60 time=185 ms
$curl http://myip.ipip.net
IP:<server ip>
#take care: "MTU = 1300" in wg0.conf is needed when running wireguard over udp2raw, or else most https requests will be blocked because of the MTU problem.
#to let "client B without wireguard" connect through this client A (LAN ip 192.168.1.3):
#in /etc/sysctl.conf:
net.ipv4.ip_forward=1
$sudo sysctl -p
$sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
========client B without wireguard:
#in /etc/network/interfaces:
auto eth0
iface eth0 inet static
address 192.168.1.4
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.3
mtu 1300
===========wireguard over erebe wstunnel(udp over websocket):
on vps:
./wstunnel_linux_x64 -u --server wss://0.0.0.0:24447 -r 127.0.0.1:24448
on pc(home or office):
./wstunnel_linux_x64 -u -L 127.0.0.2:24448:127.0.0.1:24448 wss://[vps_ip]:24447
$ ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=143 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=141 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=132 ms
It seems that erebe wstunnel is very efficient, but it must listen on port 443 or else it will be blocked by the GFW.
===========wireguard over tws-rust+nginx(udp over websocket):
#on vps:
./tws-rust server -l 127.0.0.1:8443 -p <password>
#/etc/nginx/nginx.conf on vps:
server {
    listen 443 ssl;
    server_name mydomain.com;
    ssl_certificate /etc/ssl/certs/mydomain.com.crt;
    ssl_certificate_key /etc/ssl/private/myserver.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        root html;
        index index.html index.htm;
    }
    location /tws {
        if ($http_upgrade !~* ^WebSocket$) {
            return 404;
        }
        proxy_pass http://127.0.0.1:8443/;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
#on pc(home or office):
./tws-rust client -l 127.0.0.2:24448 -r 127.0.0.1:24448 -s wss://[vps_ip]/tws -p <password>
@butterl

butterl commented Dec 24, 2018

Tried with the udp2raw config.

Server side:
udp2raw -s -l0.0.0.0:8888 -r127.0.0.1:443 -k "passwd" --raw-mode faketcp -a

Client side:
udp2raw -c -rserverip:8888 -l0.0.0.0:8887 --raw-mode faketcp -a -k"passwd"

and could get server and client ready:

[2018-12-24 09:53:45][INFO][45.249.212.49:2293]received syn,sent syn ack back
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]got packet from a new ip
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]created new conn,state: server_handshake1,my_id is d5339b09
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]changed state to server_handshake1,my_id is d5339b09
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]received handshake oppsite_id:5c78d937  my_id:d5339b09
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]oppsite const_id:e5b9e7db 
[2018-12-24 09:53:45][INFO][45.249.212.49:2293]changed state to server_ready

but when I wg-quick up wg0 it just failed: ping 10.0.0.1 loses 100% of packets.
The wg0 config is as below:

[Interface]
PrivateKey = <client privatekey>
Address = 10.0.0.3/24
DNS = 8.8.8.8
MTU = 1300
[Peer]
PublicKey = <server pubkey>
Endpoint = 127.0.0.1:8887
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25

server wg0 config

[Interface]
Address = 10.0.0.1/24
MTU = 1420
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 443
PrivateKey = <server private key>

[Peer]
PublicKey = <client pubkey>
AllowedIPs = 10.0.0.3/32
