##########################
Wireguard over Shadowsocks
##########################

.. admonition:: WIP

   This article is a draft. I hope some day I will get the mental energy needed to finish this article.

Useful article to understand what is going on:
https://web.archive.org/web/20220522072432/https://www.oilandfish.com/posts/wireguard-shadowsocks.html

For the Shadowsocks proxy ``shadowsocks-rust`` is used.

``sslocal`` configuration
=========================

Run::

   sslocal -c config.json

``config.json``:

.. code:: JSON

   {
     "server": "11.11.11.11",
     "server_port": 51823,
     "password": "SecretPassword1234",
     "method": "chacha20-ietf-poly1305",
     "timeout": 300,
     "mode": "tcp_and_udp",
     "locals": [
       {
         "mode": "tcp_and_udp",
         "protocol": "tunnel",
         "local_address": "127.0.0.1",
         "local_port": 1080,
         "forward_address": "127.0.0.1",
         "forward_port": 51822
       }
     ]
   }

Where

- ``server`` and ``server_port`` - address on the remote machine where ``ssserver``, the Shadowsocks server, is listening.
- ``local_address`` and ``local_port`` - address on the machine where you run the Wireguard client and the ``sslocal`` binary. ``sslocal`` will bind to ``local_port`` on ``local_address``, so the Wireguard client must use it as the endpoint - see the Wireguard client configuration below.
- ``forward_address`` and ``forward_port`` - address on the remote machine. It is assumed that the remote Wireguard peer and the remote Shadowsocks server are located on the same remote machine. Basically ``forward_port`` is the port that the remote Wireguard peer (essentially a Wireguard server) is bound to.
Wireguard client configuration
==============================

``/etc/wireguard/wg0.conf``::

   [Interface]
   PrivateKey = kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
   # The "Address" and "MTU" are only relevant for wg-quick
   # Address = 10.200.200.2
   # MTU = 1376

   [Peer]
   PublicKey = KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
   AllowedIPs = 0.0.0.0/0 # Routing irrelevant here
   # Yeah, seriously, don't put 10.200.200.0/24 in AllowedIPs, because otherwise
   # you will fuck up ipset based routing of some IP addresses that should go
   # through wg0 too
   Endpoint = 127.0.0.1:1080 # shadowsocks forwarded port
   PersistentKeepalive = 60

``/etc/conf.d/net``::

   wireguard_wg0="/etc/wireguard/wg0.conf"
   config_wg0="10.200.200.2/24"
   rules_wg0="fwmark 51822 table wg0"
   routes_wg0="table wg0 0.0.0.0/0 dev wg0 proto kernel scope link"
   mtu_wg0="1376"

I found that SSH does not work with Wireguard over Shadowsocks when the MTU is larger than 1376.

On Gentoo the line ``mtu_wg0="1376"`` does not work out of the box. A possible fix can be found here:
https://forums.gentoo.org/viewtopic-t-1152029-start-0.html.

On a ``systemd`` system like Arch you can install the ``extra/shadowsocks-rust`` package, place the ``config.json`` file as ``/etc/shadowsocks/mysocks.json`` and run it like this::

   systemctl enable shadowsocks-rust@mysocks.service
   systemctl start shadowsocks-rust@mysocks.service
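The two files above must agree with each other for the tunnel to come up: the Wireguard ``Endpoint`` has to be the ``sslocal`` listener, the tunnel must carry UDP (Wireguard is UDP only), the tunnel subnet must stay out of ``AllowedIPs``, and the MTU must not exceed 1376. The following Python check is an added example, not part of the original article; ``check_configs`` and the embedded sample configs are constructed here from the values shown on this page.

```python
import configparser
import json

# Constructed sample inputs mirroring the page's config.json and wg0.conf.
SSLOCAL_JSON = """{
  "server": "11.11.11.11", "server_port": 51823,
  "method": "chacha20-ietf-poly1305", "timeout": 300, "mode": "tcp_and_udp",
  "locals": [{"mode": "tcp_and_udp", "protocol": "tunnel",
              "local_address": "127.0.0.1", "local_port": 1080,
              "forward_address": "127.0.0.1", "forward_port": 51822}]
}"""

WG0_CONF = """[Interface]
PrivateKey = kkkk
# MTU = 1376

[Peer]
PublicKey = KKKK
AllowedIPs = 0.0.0.0/0 # Routing irrelevant here
Endpoint = 127.0.0.1:1080 # shadowsocks forwarded port
PersistentKeepalive = 60
"""


def parse_wg(text):
    """wg(8) config is INI-like; wg strips trailing '#' comments, so do we."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.read_string(text)
    return cp


def check_configs(ss_json, wg_text, mtu, tunnel_net="10.200.200.0/24"):
    """Return a list of mismatches between sslocal and Wireguard; [] means consistent."""
    ss, wg, problems = json.loads(ss_json), parse_wg(wg_text), []
    tunnels = [l for l in ss.get("locals", []) if l.get("protocol") == "tunnel"]
    if not tunnels:
        return ["no 'tunnel' entry in sslocal locals"]
    t = tunnels[0]
    # Wireguard speaks UDP only, so both the global and the local mode must carry UDP.
    for scope, mode in (("global", ss.get("mode")), ("local", t.get("mode"))):
        if "udp" not in (mode or ""):
            problems.append(f"{scope} mode {mode!r} does not carry UDP")
    endpoint = wg["Peer"]["Endpoint"].strip()
    expected = f"{t['local_address']}:{t['local_port']}"
    if endpoint != expected:
        problems.append(f"Endpoint {endpoint} != sslocal listener {expected}")
    if tunnel_net in [a.strip() for a in wg["Peer"]["AllowedIPs"].split(",")]:
        problems.append(f"AllowedIPs lists tunnel subnet {tunnel_net}")
    if mtu > 1376:
        problems.append(f"MTU {mtu} exceeds 1376; SSH was observed to break above it")
    return problems


if __name__ == "__main__":
    print(check_configs(SSLOCAL_JSON, WG0_CONF, 1376) or "configs are consistent")
```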