
WireGuard Inbound (User-space WireGuard server) #2477

Merged
merged 18 commits into from
Nov 18, 2023

Conversation

hax0r31337
Contributor

WireGuard is one of the most commonly used VPN protocols. I believe it's essential to implement a server for Xray in order to introduce advanced routing features to WireGuard.

Example Xray server config

{
    "port": 31337,
    "protocol": "wireguard",
    "settings": {
        "secretKey": "EGs4lTSJPmgELx6YiJAmPR2meWi6bY+e9rTdCipSj10=",
        "peers": [
            {
                "publicKey": "osAMIyil18HeZXGGBDC9KpZoM+L2iGyXWVSYivuM9B0=",
                "allowedIPs": [
                    "192.168.0.0/16",
                    "fe81:0000:0000:0000:0000:0000:0000:0000/16"
                ]
            }
        ],
        "mtu": 1300
    },
    "tag": "server"
}

Corresponding WireGuard client config

[Interface]
Address = 192.168.6.2/24
DNS = 9.9.9.9
MTU = 1300
PrivateKey = CPQSpgxgdQRZa5SUbT3HLv+mmDVHLW5YR/rQlzum/2I=

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.13.37:31337
PublicKey = MmLJ5iHFVVBp7VsB0hxfpQ0wEzAbT2KQnpQpj0+RtBw=

@yuhan6665
Member

what do you think @RPRX

@master88wi

+1

@RPRX
Member

RPRX commented Aug 26, 2023

I think this can be included; let's deal with the WireGuard-related PRs after v1.8.5.

@yuhan6665
Member

The wg part has been reimplemented. @hax0r31337, could you please update to the latest main?

@hax0r31337 hax0r31337 marked this pull request as draft November 13, 2023 02:50
@hax0r31337
Contributor Author

hax0r31337 commented Nov 13, 2023

I need assistance using Linux Tun device with WireGuard server, as I have limited knowledge of the Linux netstack.

@hax0r31337 hax0r31337 marked this pull request as ready for review November 13, 2023 07:04
@yuhan6665
Member

Thanks for the fast update, I'll test it when I get a chance..

@yuhan6665
Member

Hmm.. it looks like 5ae3791 broke wg, at least on Android..

11:28:43.990  W  type=1400 audit(0.0:181984): avc:  denied  { getattr } for  path="/proc/sys/net/ipv4/conf/all/rp_filter" dev="proc" ino=2617254 scontext=u:r:untrusted_app_32:s0:c247,c256,c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 app=com.v2ray.ang
11:28:43.998  I  [Info] [2266353430] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to create virtual tun interface > failed to disable ipv4 rp_filter for all: stat /proc/sys/net/ipv4/conf/all/rp_filter: permission denied

CC @kunsonx

@hax0r31337
Contributor Author

Hmm.. it looks like 5ae3791 broke wg, at least on Android..

11:28:43.990  W  type=1400 audit(0.0:181984): avc:  denied  { getattr } for  path="/proc/sys/net/ipv4/conf/all/rp_filter" dev="proc" ino=2617254 scontext=u:r:untrusted_app_32:s0:c247,c256,c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 app=com.v2ray.ang
11:28:43.998  I  [Info] [2266353430] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to create virtual tun interface > failed to disable ipv4 rp_filter for all: stat /proc/sys/net/ipv4/conf/all/rp_filter: permission denied

CC @kunsonx

I added a user-space mode in ea22f73; you can set kernelMode to false (which is the default) to use the gVisor virtual TUN in cases that don't have sufficient permission to use the system netstack.

@kunsonx
Contributor

kunsonx commented Nov 15, 2023

I recommend using the gVisor virtual netstack in the Android environment. A standard Android environment may lack the permissions needed to enable a TUN device and configure it.

@kunsonx
Contributor

kunsonx commented Nov 15, 2023

The kernelMode option is confusing for users. Could you make the change to disable tun devices in the Android environment?

@hax0r31337

@hax0r31337
Contributor Author

The kernelMode option is confusing for users. Could you make the change to disable tun devices in the Android environment?

@hax0r31337

In my opinion, it's necessary to keep a user-space feature in case of insufficient permissions, or just to grant superuser permission as little as possible.
Perhaps it needs a better name; I'm bad at naming things.

@kunsonx
Contributor

kunsonx commented Nov 15, 2023

Let's treat this as two things.

The first is that we can't use a tun device or set up iptables params on Android, so the option for the system tun should always be disabled there.

The second is that we can provide an option to enable or disable the system tun device, and in my opinion it should be enabled by default (it provides better netstack performance).

@hax0r31337
Contributor Author

On the other hand, my opinion is to maintain an out-of-the-box experience, since all of the default outbound/inbound configurations can work in user space, except this one.

@kunsonx
Contributor

kunsonx commented Nov 15, 2023

So could we check which permissions we have when it starts and then choose which mode to run by default? Is it possible?

@hax0r31337
Contributor Author

So could we check which permissions we have when it starts and then choose which mode to run by default? Is it possible?

Nice proposal, I'll give it a try

@hax0r31337
Contributor Author

The kernelMode config can be ignored for most of the users from now on.

@kunsonx
Contributor

kunsonx commented Nov 15, 2023

Thanks for your work. It looks better now.

@yuhan6665
Member

Tested the update.
tun works now, but it seems UDP traffic can't get out through the wg outbound.
TCP seems fine in testing; I'll try inbound in a bit.

10:53:22.291  I  [Info] app/dns: failed to lookup ip for domain imasdk.googleapis.com at server UDP:1.1.1.1:53 > context deadline exceeded
10:53:22.291  I  [Info] [3036575879] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to lookup DNS > app/dns: returning nil for domain imasdk.googleapis.com > multierr: context deadline exceeded | 
10:53:22.291  I  [Info] [3036575879] app/proxyman/inbound: connection ends > proxy/socks: connection ends > proxy/socks: failed to transport all TCP response > io: read/write on closed pipe

@yuhan6665
Member

Inbound is fine; I tried an old client against the new server and it works perfectly.

@hax0r31337
Contributor Author

hax0r31337 commented Nov 16, 2023

Tested the update. tun works now, but it seems UDP traffic can't get out through the wg outbound. TCP seems fine in testing; I'll try inbound in a bit.

10:53:22.291  I  [Info] app/dns: failed to lookup ip for domain imasdk.googleapis.com at server UDP:1.1.1.1:53 > context deadline exceeded
10:53:22.291  I  [Info] [3036575879] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to lookup DNS > app/dns: returning nil for domain imasdk.googleapis.com > multierr: context deadline exceeded | 
10:53:22.291  I  [Info] [3036575879] app/proxyman/inbound: connection ends > proxy/socks: connection ends > proxy/socks: failed to transport all TCP response > io: read/write on closed pipe

Unfortunately, I was unable to reproduce this issue, it's working on my PC.

2023/11/16 12:21:34 [Debug] [1674829396] proxy/dokodemo: processing connection from: 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] proxy/dokodemo: received request for 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] app/dispatcher: default route for udp:9.9.9.9:53
2023/11/16 12:21:34 127.0.0.1:51306 accepted udp:9.9.9.9:53 [proxy1 >> client]

Config: https://pastebin.mozilla.org/pwtDSNZf
I have tested with kernelMode set both on and off; both work.

@yuhan6665
Member

OK, thanks. I'll dig into it some more; if I can't sort it out I'll merge and cut a release first.
@kunsonx, please test it too when you have time.

@yuhan6665 yuhan6665 merged commit 0ac7da2 into XTLS:main Nov 18, 2023
34 checks passed
@yuhan6665
Member

Merged for now. Thanks to both of you!

@Phoenix-999

@hax0r31337
I know you are very busy, but do you have a step-by-step guide on how to set up WireGuard inbound and outbound correctly?
I appreciate your assistance in advance.

@hkbase

hkbase commented Nov 26, 2023

{
    "tag": "wgserver",
    "port": 8888,
    "protocol": "wireguard",
    "settings": {
        "secretKey": "yIw6sjOIp94Ni4mdlPm3GMJ4PvowqGVDZ1Ouw+f7Ukc=",
        "peers": [
            {
                "publicKey": "VvME/dCl8xvuWXljnNqRJFBeekk32SfjGqf/vKbXB2M=",
                "allowedIPs": [
                    "192.168.1.0/24"
                ]
            }
        ],
        "mtu": 1412
    }
}

Using the config above, creating the WireGuard inbound server fails with the following error:
Failed to start: main: failed to create server > proxy/wireguard: TODO: support promiscuous mode

@hax0r31337
Contributor Author

{ "tag": "wgserver", "port": 8888, "protocol": "wireguard", "settings": { "secretKey": "yIw6sjOIp94Ni4mdlPm3GMJ4PvowqGVDZ1Ouw+f7Ukc=", "peers": [ { "publicKey": "VvME/dCl8xvuWXljnNqRJFBeekk32SfjGqf/vKbXB2M=", "allowedIPs": [ "192.168.1.0/24" ] } ], "mtu": 1412 } } Using the config above, creating the WireGuard inbound server fails with the following error: Failed to start: main: failed to create server > proxy/wireguard: TODO: support promiscuous mode

You are running as a privileged user, which activates kernel mode automatically, but the WireGuard server doesn't support kernel mode currently; you have to disable kernel mode manually by adding "kernelMode": false in the settings.
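
The permission-based auto-detection @kunsonx proposed earlier in the thread, the explicit kernelMode override hax0r31337 kept, and the inbound limitation described in the reply just above all fit into one small decision routine. What follows is an added sketch of that routine in Go; it is the editor's illustration, not the code merged in this PR, and ProbeKernelTun, ResolveMode and the Mode names are hypothetical. The probe only stats the rp_filter sysctl that the Android log shows SELinux denying and opens /dev/net/tun without configuring it, so it changes no host state. The decision never silently downgrades an explicit kernelMode: true: a user who asked for the host netstack should learn at startup that they did not get it, not discover it later from a routing failure.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"runtime"
)

// Mode names the packet path the WireGuard proxy drives.
type Mode string

const (
	ModeKernel    Mode = "kernel"    // a system TUN device on the host netstack
	ModeUserSpace Mode = "userspace" // the gVisor virtual TUN inside the process
)

// ErrKernelUnavailable is wrapped by every reason the kernel path cannot be used.
var ErrKernelUnavailable = errors.New("kernel mode unavailable")

// ProbeKernelTun (hypothetical) tests, without changing anything, whether this
// process could plausibly drive a system TUN: it must be on Linux, be allowed to
// look at the rp_filter sysctl the proxy needs to adjust, and be able to open
// /dev/net/tun. The Android log in this thread shows SELinux denying the stat.
func ProbeKernelTun() error {
	if runtime.GOOS != "linux" {
		return fmt.Errorf("%w: system TUN path is Linux-only", ErrKernelUnavailable)
	}
	if _, err := os.Stat("/proc/sys/net/ipv4/conf/all/rp_filter"); err != nil {
		return fmt.Errorf("%w: %v", ErrKernelUnavailable, err)
	}
	f, err := os.OpenFile("/dev/net/tun", os.O_RDWR, 0)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrKernelUnavailable, err)
	}
	f.Close()
	return nil
}

// ResolveMode picks the mode from the optional "kernelMode" setting (nil when the
// key is absent from the config), whether this is the inbound (server) side, and
// a probe such as ProbeKernelTun, injected so the decision logic can be tested.
//
//   - kernelMode=false           -> user space, no probe.
//   - inbound                    -> user space; an explicit true is an error,
//                                   since the server side has no kernel path yet.
//   - kernelMode absent          -> kernel if the probe passes, else user space.
//   - kernelMode=true (outbound) -> kernel if the probe passes, else a hard error,
//                                   never a silent downgrade of what the user asked for.
func ResolveMode(kernelMode *bool, inbound bool, probe func() error) (Mode, error) {
	explicitTrue := kernelMode != nil && *kernelMode
	if kernelMode != nil && !*kernelMode {
		return ModeUserSpace, nil
	}
	if inbound {
		if explicitTrue {
			return "", fmt.Errorf("%w: the inbound does not support kernelMode", ErrKernelUnavailable)
		}
		return ModeUserSpace, nil
	}
	if err := probe(); err != nil {
		if explicitTrue {
			return "", err
		}
		return ModeUserSpace, nil
	}
	return ModeKernel, nil
}

func main() {
	for _, inbound := range []bool{false, true} {
		mode, err := ResolveMode(nil, inbound, ProbeKernelTun)
		fmt.Printf("inbound=%v auto-detected mode=%q err=%v\n", inbound, mode, err)
	}
}
```

Run as an unprivileged user on Linux the outbound side reports userspace, because /dev/net/tun cannot be opened; run as root it reports kernel. The inbound side reports userspace in both cases, which is the fallback hax0r31337 asks the user to configure by hand above, applied automatically.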

@hkbase

hkbase commented Nov 27, 2023

@hax0r31337 thank you very much~ After adding "kernelMode": false in the settings, it's OK~

{
  "inbounds": [
    {
      "tag": "wgserver",
      "port": 8888,
      "protocol": "wireguard",
      "settings": {
        "secretKey": "yIw6sjOIp94Ni4mdlPm3GMJ4PvowqGVDZ1Ouw+f7Ukc=",
        "peers": [
          {
            "publicKey": "VvME/dCl8xvuWXljnNqRJFBeekk32SfjGqf/vKbXB2M=",
            "allowedIPs": [
              "192.168.1.0/24"
            ]
          }
        ],
        "kernelMode": false,
        "mtu": 1412
      }
    }
  ]
}

@masbur

masbur commented Dec 12, 2023

Does the WireGuard inbound not support statsquery for each peer?

{
    "stat": [
        {
            "name": "inbound>>>api>>>traffic>>>uplink",
            "value": "3144"
        },
        {
            "name": "inbound>>>api>>>traffic>>>downlink",
            "value": "5016"
        },
        {
            "name": "inbound>>>Wireguard>>>traffic>>>uplink",
            "value": "331012"
        },
        {
            "name": "inbound>>>Wireguard>>>traffic>>>downlink",
            "value": "7663508"
        },
        {
            "name": "outbound>>>blocked>>>traffic>>>uplink",
            "value": "0"
        },
        {
            "name": "outbound>>>blocked>>>traffic>>>downlink",
            "value": "0"
        }
    ]
}

@MJamshidnejad

@hax0r31337 thank you very much~ After adding "kernelMode": false in the settings, it's OK~

{
  "inbounds": [
    {
      "tag": "wgserver",
      "port": 8888,
      "protocol": "wireguard",
      "settings": {
        "secretKey": "yIw6sjOIp94Ni4mdlPm3GMJ4PvowqGVDZ1Ouw+f7Ukc=",
        "peers": [
          {
            "publicKey": "VvME/dCl8xvuWXljnNqRJFBeekk32SfjGqf/vKbXB2M=",
            "allowedIPs": [
              "192.168.1.0/24"
            ]
          }
        ],
        "kernelMode": false,
        "mtu": 1412
      }
    }
  ]
}

A configuration guide page for the WireGuard outbound is needed.

@MrSaeid007

I tested it and updated tun. It works, but it seems that UDP traffic cannot go out. wg outbound TCP. I tested it and it seems there is no problem. I will try inbound later.

10:53:22.291  I  [Info] app/dns: failed to lookup ip for domain imasdk.googleapis.com at server UDP:1.1.1.1:53 > context deadline exceeded
10:53:22.291  I  [Info] [3036575879] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to lookup DNS > app/dns: returning nil for domain imasdk.googleapis.com > multierr: context deadline exceeded | 
10:53:22.291  I  [Info] [3036575879] app/proxyman/inbound: connection ends > proxy/socks: connection ends > proxy/socks: failed to transport all TCP response > io: read/write on closed pipe

Unfortunately, I was unable to reproduce this issue, it's working on my PC.

2023/11/16 12:21:34 [Debug] [1674829396] proxy/dokodemo: processing connection from: 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] proxy/dokodemo: received request for 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] app/dispatcher: default route for udp:9.9.9.9:53
2023/11/16 12:21:34 127.0.0.1:51306 accepted udp:9.9.9.9:53 [proxy1 >> client]

Config: https://pastebin.mozilla.org/pwtDSNZf I have tested whether kernelMode set to on or off, it's both working

Hi, @hax0r31337
Is it possible to add L2tp or pptp into Xray-core?

@hax0r31337
Contributor Author

I tested it and updated tun. It works, but it seems that UDP traffic cannot go out. wg outbound TCP. I tested it and it seems there is no problem. I will try inbound later.

10:53:22.291  I  [Info] app/dns: failed to lookup ip for domain imasdk.googleapis.com at server UDP:1.1.1.1:53 > context deadline exceeded
10:53:22.291  I  [Info] [3036575879] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to lookup DNS > app/dns: returning nil for domain imasdk.googleapis.com > multierr: context deadline exceeded | 
10:53:22.291  I  [Info] [3036575879] app/proxyman/inbound: connection ends > proxy/socks: connection ends > proxy/socks: failed to transport all TCP response > io: read/write on closed pipe

Unfortunately, I was unable to reproduce this issue, it's working on my PC.

2023/11/16 12:21:34 [Debug] [1674829396] proxy/dokodemo: processing connection from: 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] proxy/dokodemo: received request for 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] app/dispatcher: default route for udp:9.9.9.9:53
2023/11/16 12:21:34 127.0.0.1:51306 accepted udp:9.9.9.9:53 [proxy1 >> client]

Config: https://pastebin.mozilla.org/pwtDSNZf I have tested whether kernelMode set to on or off, it's both working

Hi, @hax0r31337 Is it possible to add L2tp or pptp into Xray-core?

It's possible, but these protocols have a shrinking audience and are not future-proof.
It's not worth adding these protocols to xray-core, in my opinion.

@MrSaeid007

MrSaeid007 commented Mar 28, 2024

I tested it and updated tun. It works, but it seems that UDP traffic cannot go out. wg outbound TCP. I tested it and it seems there is no problem. I will try inbound later.

10:53:22.291  I  [Info] app/dns: failed to lookup ip for domain imasdk.googleapis.com at server UDP:1.1.1.1:53 > context deadline exceeded
10:53:22.291  I  [Info] [3036575879] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to lookup DNS > app/dns: returning nil for domain imasdk.googleapis.com > multierr: context deadline exceeded | 
10:53:22.291  I  [Info] [3036575879] app/proxyman/inbound: connection ends > proxy/socks: connection ends > proxy/socks: failed to transport all TCP response > io: read/write on closed pipe

Unfortunately, I was unable to reproduce this issue, it's working on my PC.

2023/11/16 12:21:34 [Debug] [1674829396] proxy/dokodemo: processing connection from: 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] proxy/dokodemo: received request for 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] app/dispatcher: default route for udp:9.9.9.9:53
2023/11/16 12:21:34 127.0.0.1:51306 accepted udp:9.9.9.9:53 [proxy1 >> client]

Config: https://pastebin.mozilla.org/pwtDSNZf I have tested whether kernelMode set to on or off, it's both working

Hi, @hax0r31337 Is it possible to add L2tp or pptp into Xray-core?

It's possible, but these protocols have a shrinking audience and are not future-proof. It's not worth adding these protocols to xray-core, in my opinion.

I understand what you mean, but I only suggested it because many modems on the market (LTE, fiber, etc.) support only L2TP or PPTP and don't support WireGuard or...

Even many clients, like Windows and mobile (IPsec), etc., support built-in L2TP or PPTP as well, so I just suggested it in case @RPRX accepts.

But I don't have the knowledge to send a PR to do so. I don't know what @RPRX thinks about adding this protocol just as an Xray-core inbound, so that in the x-ui panel we can create an L2TP or PPTP inbound and connect to a local server (VPS) in our country via this protocol.
cc @RPRX & @yuhan6665 & @hax0r31337

10 participants