1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
##########################
Wireguard over Shadowsocks
##########################
.. admonition:: WIP
This article is a draft. I hope some day I will get the mental energy needed
to finish this article.
Useful article to understand what is going on: https://web.archive.org/web/20220522072432/https://www.oilandfish.com/posts/wireguard-shadowsocks.html
For Shadowsocks proxy `shadowsocks-rust <https://github.com/shadowsocks/shadowsocks-rust>`_ is used.
``sslocal`` configuration
=========================
Run::
sslocal -c config.json
``config.json``:
.. code:: JSON
{
"server": "11.11.11.11",
"server_port": 51823,
"password": "SecretPassword1234",
"method": "chacha20-ietf-poly1305",
"timeout": 300,
"mode": "tcp_and_udp",
"locals": [
{
"mode": "tcp_and_udp",
"protocol": "tunnel",
"local_address": "127.0.0.1",
"local_port": 1080,
"forward_address": "127.0.0.1",
"forward_port": 51822
}
]
}
Where
- ``server`` and ``server_port`` - address on the remote machine where
``ssserver`` the Shadowsocks sever is listening.
- ``local_address`` and ``local_port`` - address on the machine where you run
Wireguard client and ``sslocal`` binary. ``sslocal`` will bind to
``local_port`` on ``local_address``, so the Wireguard client must use it as
the endpoint - see Wireguard client configuration below.
- ``forward_address`` and ``forward_port`` - address on the remote machine. It
is supposed that remote Wireguard peer and remote Shadowsocks server are
located on the same remote machine. Basically ``forward_port`` is the port
that the remote Wireguard peer (essentially a Wireguard server) is bound to.
Wireguard client configuration
==============================
``/etc/wireguard/wg0.conf``::
[Interface]
PrivateKey = kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
# The "Address" and "MTU" are only relevant for wg-quick
# Address = 10.200.200.2
# MTU = 1376
[Peer]
PublicKey = KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
AllowedIPs = 0.0.0.0/0 # Routing irrelevant here
# Yeah, seriously, don't put 10.200.200.0/24 in AllowedIPs, because otherwise
# you will fuck up ipset based routing of some IP addresses that should go
# through wg0 too
Endpoint = 127.0.0.1:1080 # shadowsocks forwarded port
PersistentKeepalive = 60
``/etc/conf.d/net``::
wireguard_wg0="/etc/wireguard/wg0.conf"
config_wg0="10.200.200.2/24"
rules_wg0="fwmark 51822 table wg0"
routes_wg0="table wg0 0.0.0.0/0 dev wg0 proto kernel scope link"
mtu_wg0="1376"
I found that SSH does not work when MTU is larger then 1376.
On Gentoo the line ``mtu_wg0="1376"`` does not work out of the box. The possible
fix can be found here:
https://forums.gentoo.org/viewtopic-t-1152029-start-0.html.
|
