author    Oxore <oxore@protonmail.com>  2024-01-22 00:47:36 +0300
committer Oxore <oxore@protonmail.com>  2024-01-22 00:47:36 +0300
commit    3db908b1b253227ef4980ffd654616865968add5
tree      7d73ce5f1d97f5e1a2d8717a68cb489a6b923fd1
parent    ed5823ed66ff6c47b5e7daf083c8e289032e1385
Add wg_shadowsocks.rst
-rw-r--r--  source/index.rst           1
-rw-r--r--  source/wg_shadowsocks.rst  89
2 files changed, 90 insertions, 0 deletions
diff --git a/source/index.rst b/source/index.rst
index d9c9dd8..ad8221e 100644
--- a/source/index.rst
+++ b/source/index.rst
@@ -14,3 +14,4 @@ that's why this site exist.
c-calling-conventions
radare2-tips
qemu
+ wg_shadowsocks
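Review bot: the new toctree entry `wg_shadowsocks` is the only one in this list that uses an underscore; the neighbouring entries `c-calling-conventions`, `radare2-tips` and `qemu` use hyphens. Since the toctree entry has to match the file name exactly, consider renaming both the entry and `source/wg_shadowsocks.rst` to `wg-shadowsocks` so the URLs stay consistent. Unrelated pre-existing nit visible in the context line: "that's why this site exist." should read "exists".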
diff --git a/source/wg_shadowsocks.rst b/source/wg_shadowsocks.rst
new file mode 100644
index 0000000..00b981f
--- /dev/null
+++ b/source/wg_shadowsocks.rst
@@ -0,0 +1,89 @@
+##########################
+Wireguard over Shadowsocks
+##########################
+
+.. admonition:: WIP
+
+ This article is a draft. I hope some day I will get the mental energy needed
+ to finish this article.
+
+Useful article to understand what is going on: https://web.archive.org/web/20220522072432/https://www.oilandfish.com/posts/wireguard-shadowsocks.html
+
+``sslocal`` configuration
+=========================
+
+Run::
+
+ sslocal -c config.json
+
+``config.json``:
+
+.. code:: JSON
+
+ {
+ "server": "11.11.11.11",
+ "server_port": 51823,
+ "password": "SecretPassword1234",
+ "method": "chacha20-ietf-poly1305",
+ "timeout": 300,
+ "mode": "tcp_and_udp",
+ "locals": [
+ {
+ "mode": "tcp_and_udp",
+ "protocol": "tunnel",
+ "local_address": "127.0.0.1",
+ "local_port": 1080,
+ "forward_address": "127.0.0.1",
+ "forward_port": 51822
+ }
+ ]
+ }
+
+Where
+
+- ``seiver`` and ``server_port`` - address on the remote machine where
+ ``ssserver`` the Shadowsocks sever is listening.
+
+- ``local_address`` and ``local_port`` - address on the machine where you run
+ Wireguard client and ``sslocal`` binary. ``sslocal`` will bind to
+ ``local_port`` on ``local_address``, so the Wireguard client must use it as
+ the endpoint - see Wireguard client configuration below.
+
+- ``forward_address`` and ``forward_port`` - address on the remote machine. It
+ is supposed that remote Wireguard peer and remote Shadowsocks server are
+ located on the same remote machine. Basically ``forward_port`` is the port
+ that the remote Wireguard peer (essentially a Wireguard server) is bound to.
+
+Wireguard client configuration
+==============================
+
+``/etc/wireguard/wg0.conf``::
+
+ [Interface]
+ PrivateKey = kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
+ # The "Address" and "MTU" are only relevant for wg-quick
+ # Address = 10.200.200.2
+ # MTU = 1376
+
+ [Peer]
+ PublicKey = KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
+ AllowedIPs = 0.0.0.0/0 # Routing irrelevant here
+ # Yeah, seriously, don't put 10.200.200.0/24 in AllowedIPs, because otherwise
+ # you will fuck up ipset based routing of some IP addresses that should go
+ # through wg0 too
+ Endpoint = 127.0.0.1:1080 # shadowsocks forwarded port
+ PersistentKeepalive = 60
+
+``/etc/conf.d/net``::
+
+ wireguard_wg0="/etc/wireguard/wg0.conf"
+ config_wg0="10.200.200.2/24"
+ rules_wg0="fwmark 51822 table wg0"
+ routes_wg0="table wg0 0.0.0.0/0 dev wg0 proto kernel scope link"
+ mtu_wg0="1376"
+
+I found that SSH does not work when MTU is larger then 1376.
+
+On Gentoo the line ``mtu_wg0="1376"`` does not work out of the box. The possible
+fix can be found here:
+https://forums.gentoo.org/viewtopic-t-1152029-start-0.html.
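Review bot: the "Where" list contains typos that corrupt the key names it explains: ``seiver`` should be ``server`` (the key in the JSON above is `"server"`), "the Shadowsocks sever" should read "server", and in the MTU paragraph "larger then 1376" should be "larger than 1376". Two gaps a reader copying these files will hit: `rules_wg0="fwmark 51822 table wg0"` only sends packets that already carry mark 51822 into table `wg0`, and the netfilter/ipset rule that sets that mark (the "ipset based routing" the AllowedIPs comment refers to) is not shown, so as written nothing is routed into `wg0`; either include that rule or say explicitly that marking is out of scope for this page. The mark value 51822 also coincides with `forward_port` 51822, which reads like a copy-paste; one sentence stating whether that is deliberate would help. Minor: `Endpoint = 127.0.0.1:1080` correctly matches `local_address`/`local_port`, but WireGuard only speaks UDP, so the TCP half of the `"protocol": "tunnel"` local on port 1080 is never used; consider `udp_only` for the `mode` keys, or note why TCP is kept. Finally, the MTU of 1376 is presented as an empirical finding; a short sentence that the reduction accounts for the WireGuard header plus the Shadowsocks UDP encapsulation would make the number less mysterious, and the draft admonition at the top could list these open items so readers know what is unverified.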