WireGuard Inbound (User-space WireGuard server)

[hax0r31337]

WireGuard is one of the most commonly used VPN protocols. I believe it's essential to implement a server for Xray in order to introduce advanced routing features to WireGuard.

Example Xray server config

{
    "port": 31337,
    "protocol": "wireguard",
    "settings": {
        "secretKey": "EGs4lTSJPmgELx6YiJAmPR2meWi6bY+e9rTdCipSj10=",
        "peers": [
            {
                "publicKey": "osAMIyil18HeZXGGBDC9KpZoM+L2iGyXWVSYivuM9B0=",
                "allowedIPs": [
                    "192.168.0.0/16",
                    "fe81:0000:0000:0000:0000:0000:0000:0000/16"
                ]
            }
        ],
        "mtu": 1300
    },
    "tag": "server"
}

Corresponding WireGuard client config

[Interface]
Address = 192.168.6.2/24
DNS = 9.9.9.9
MTU = 1300
PrivateKey = CPQSpgxgdQRZa5SUbT3HLv+mmDVHLW5YR/rQlzum/2I=

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.13.37:31337
PublicKey = MmLJ5iHFVVBp7VsB0hxfpQ0wEzAbT2KQnpQpj0+RtBw=

[yuhan6665]

what do you think @RPRX

[master88wi]

+1

[RPRX]

我觉得可以有，让我们把 WireGuard 相关的 PR 放到 v1.8.5 后处理

[yuhan6665]

wg 这块重新实现了 @hax0r31337 能麻烦佬更新到最新的 main 吗？

[hax0r31337]

I need assistance using Linux Tun device with WireGuard server, as I have limited knowledge of the Linux netstack.

[yuhan6665]

感谢高速更新 我抽空测一下。。

[yuhan6665]

嗯。。看起来 5ae3791 至少在安卓上 wg 坏掉了。。

11:28:43.990  W  type=1400 audit(0.0:181984): avc:  denied  { getattr } for  path="/proc/sys/net/ipv4/conf/all/rp_filter" dev="proc" ino=2617254 scontext=u:r:untrusted_app_32:s0:c247,c256,c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 app=com.v2ray.ang
11:28:43.998  I  [Info] [2266353430] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to create virtual tun interface > failed to disable ipv4 rp_filter for all: stat /proc/sys/net/ipv4/conf/all/rp_filter: permission denied

CC @kunsonx

[hax0r31337]

嗯。。看起来 5ae3791 至少在安卓上 wg 坏掉了。。

11:28:43.990  W  type=1400 audit(0.0:181984): avc:  denied  { getattr } for  path="/proc/sys/net/ipv4/conf/all/rp_filter" dev="proc" ino=2617254 scontext=u:r:untrusted_app_32:s0:c247,c256,c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 app=com.v2ray.ang
11:28:43.998  I  [Info] [2266353430] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to create virtual tun interface > failed to disable ipv4 rp_filter for all: stat /proc/sys/net/ipv4/conf/all/rp_filter: permission denied

CC @kunsonx

I added user-space mode in ea22f73, you can set kernelMode to false (which is false by default) to use gVisor virtual TUN for cases don't have sufficient permission to use system netstack

[kunsonx]

建议在 Android 环境使用 gVisor virtual netstack. 在标准 Android 环境下可能没有相关权限去启用 Tun 与配置权限.

[kunsonx]

The kernelMode is confusing for users. Could you make the changes disabled tun devices when Android environment?

@hax0r31337

[hax0r31337]

The kernelMode is confusing for users. Could you make the changes disabled tun devices when Android environment?

@hax0r31337

In my opinion, it's necessary to keep a user-space feature in case of insufficient permission, or just for granting superuser permission as less as possible.
Perhaps it need a better name, I'm bad at naming things

[kunsonx]

Let's make the things as two.

The first one we can't use tun device and setup iptables params on Android. so the option for system tun should be disabled for anytime.

The second thing it is we can provide option for enable or disable system tun device and in my opinion it should be enable by default (It provide better netstack performance).

[hax0r31337]

On the other hand, my opinion is to maintain an out-of-box experience. Since all of the default outbound/inbound configuration can work in the user-space, expect this thing.

[kunsonx]

So could we check which permissions we have when it started then choose which mode we can run by default? it's possible ?

[hax0r31337]

So could we check which permissions we have when it started then choose which mode we can run by default? it's possible ?

Nice proposal, I'll give it a try

[hax0r31337]

The kernelMode config can be ignored for most of the users from now on.

[kunsonx]

Thanks for your work. It looks better now.

[yuhan6665]

测了一下更新
tun 可以了 但是似乎是 UDP 流量出不去 wg outbound
TCP 测了好像没有问题 等会儿我试下 inbound

10:53:22.291  I  [Info] app/dns: failed to lookup ip for domain imasdk.googleapis.com at server UDP:1.1.1.1:53 > context deadline exceeded
10:53:22.291  I  [Info] [3036575879] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to lookup DNS > app/dns: returning nil for domain imasdk.googleapis.com > multierr: context deadline exceeded | 
10:53:22.291  I  [Info] [3036575879] app/proxyman/inbound: connection ends > proxy/socks: connection ends > proxy/socks: failed to transport all TCP response > io: read/write on closed pipe

[yuhan6665]

inbound 没有问题 我试了老版的 client 对新版的 server 完全正常

[hax0r31337]

测了一下更新 tun 可以了 但是似乎是 UDP 流量出不去 wg outbound TCP 测了好像没有问题 等会儿我试下 inbound

10:53:22.291  I  [Info] app/dns: failed to lookup ip for domain imasdk.googleapis.com at server UDP:1.1.1.1:53 > context deadline exceeded
10:53:22.291  I  [Info] [3036575879] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to lookup DNS > app/dns: returning nil for domain imasdk.googleapis.com > multierr: context deadline exceeded | 
10:53:22.291  I  [Info] [3036575879] app/proxyman/inbound: connection ends > proxy/socks: connection ends > proxy/socks: failed to transport all TCP response > io: read/write on closed pipe

Unfortunately, I was unable to reproduce this issue, it's working on my PC.

2023/11/16 12:21:34 [Debug] [1674829396] proxy/dokodemo: processing connection from: 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] proxy/dokodemo: received request for 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] app/dispatcher: default route for udp:9.9.9.9:53
2023/11/16 12:21:34 127.0.0.1:51306 accepted udp:9.9.9.9:53 [proxy1 >> client]

Config: https://pastebin.mozilla.org/pwtDSNZf
I have tested whether kernelMode set to on or off, it's both working

[yuhan6665]

好的 感谢 我再研究一下 不行就先合发版
@kunsonx 麻烦你有空也测一下

[yuhan6665]

先合了 感谢两位大佬！

[Phoenix-999]

@hax0r31337
I know you are very busy, but do you have a step-by-step guide on how to set up WireGuard inbound and outbound correctly?
I appreciate your assistance in advance.

[hkbase]

{
    "tag": "wgserver",
    "port": 8888,
    "protocol": "wireguard",
    "settings": {
        "secretKey": "yIw6sjOIp94Ni4mdlPm3GMJ4PvowqGVDZ1Ouw+f7Ukc=",
        "peers": [
            {
                "publicKey": "VvME/dCl8xvuWXljnNqRJFBeekk32SfjGqf/vKbXB2M=",
                "allowedIPs": [
                    "192.168.1.0/24"
                ]
            }
        ],
        "mtu": 1412
    }
}

使用上面的配置，创建wireguard入站server配置失败，报错如下：

Failed to start: main: failed to create server > proxy/wireguard: TODO: support promiscuous mode

[hax0r31337]

{ "tag": "wgserver", "port": 8888, "protocol": "wireguard", "settings": { "secretKey": "yIw6sjOIp94Ni4mdlPm3GMJ4PvowqGVDZ1Ouw+f7Ukc=", "peers": [ { "publicKey": "VvME/dCl8xvuWXljnNqRJFBeekk32SfjGqf/vKbXB2M=", "allowedIPs": [ "192.168.1.0/24" ] } ], "mtu": 1412 } } 使用上面的配置，创建wireguard入站server配置失败，报错如下： Failed to start: main: failed to create server > proxy/wireguard: TODO: support promiscuous mode

You are running on a previliged user, which activates kernel mode automatically, but the wireguard server doesn't support kernel mode currently, you have to disable kernel mode manually by adding "kernelMode": false in the settings

[hkbase]

@hax0r31337 thank you very much～，adding "kernelMode": false in the settings，then it‘s OK～

{
  "inbounds": [
    {
      "tag": "wgserver",
      "port": 8888,
      "protocol": "wireguard",
      "settings": {
        "secretKey": "yIw6sjOIp94Ni4mdlPm3GMJ4PvowqGVDZ1Ouw+f7Ukc=",
        "peers": [
          {
            "publicKey": "VvME/dCl8xvuWXljnNqRJFBeekk32SfjGqf/vKbXB2M=",
            "allowedIPs": [
              "192.168.1.0/24"
            ]
          }
        ],
        "kernelMode": false,
        "mtu": 1412
      }
    }
  ]
}

[masbur]

Is Wireguard inbound not support statsquery for each peer ?

{
    "stat": [
        {
            "name": "inbound>>>api>>>traffic>>>uplink",
            "value": "3144"
        },
        {
            "name": "inbound>>>api>>>traffic>>>downlink",
            "value": "5016"
        },
        {
            "name": "inbound>>>Wireguard>>>traffic>>>uplink",
            "value": "331012"
        },
        {
            "name": "inbound>>>Wireguard>>>traffic>>>downlink",
            "value": "7663508"
        },
        {
            "name": "outbound>>>blocked>>>traffic>>>uplink",
            "value": "0"
        },
        {
            "name": "outbound>>>blocked>>>traffic>>>downlink",
            "value": "0"
        }
    ]
}

[MJamshidnejad]

@hax0r31337 thank you very much～，adding "kernelMode": false in the settings，then it‘s OK～

{
  "inbounds": [
    {
      "tag": "wgserver",
      "port": 8888,
      "protocol": "wireguard",
      "settings": {
        "secretKey": "yIw6sjOIp94Ni4mdlPm3GMJ4PvowqGVDZ1Ouw+f7Ukc=",
        "peers": [
          {
            "publicKey": "VvME/dCl8xvuWXljnNqRJFBeekk32SfjGqf/vKbXB2M=",
            "allowedIPs": [
              "192.168.1.0/24"
            ]
          }
        ],
        "kernelMode": false,
        "mtu": 1412
      }
    }
  ]
}

It is needed to configuration guide page of Wireguard outbound.

[MrSaeid007]

I tested it and updated tun. It works, but it seems that UDP traffic cannot go out. wg outbound TCP. I tested it and it seems there is no problem. I will try inbound later.

10:53:22.291  I  [Info] app/dns: failed to lookup ip for domain imasdk.googleapis.com at server UDP:1.1.1.1:53 > context deadline exceeded
10:53:22.291  I  [Info] [3036575879] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to lookup DNS > app/dns: returning nil for domain imasdk.googleapis.com > multierr: context deadline exceeded | 
10:53:22.291  I  [Info] [3036575879] app/proxyman/inbound: connection ends > proxy/socks: connection ends > proxy/socks: failed to transport all TCP response > io: read/write on closed pipe

Unfortunately, I was unable to reproduce this issue, it's working on my PC.

2023/11/16 12:21:34 [Debug] [1674829396] proxy/dokodemo: processing connection from: 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] proxy/dokodemo: received request for 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] app/dispatcher: default route for udp:9.9.9.9:53
2023/11/16 12:21:34 127.0.0.1:51306 accepted udp:9.9.9.9:53 [proxy1 >> client]

Config: https://pastebin.mozilla.org/pwtDSNZf I have tested whether kernelMode set to on or off, it's both working

Hi, @hax0r31337
Is it possible to add L2tp or pptp into Xray-core?

[hax0r31337]

I tested it and updated tun. It works, but it seems that UDP traffic cannot go out. wg outbound TCP. I tested it and it seems there is no problem. I will try inbound later.

10:53:22.291  I  [Info] app/dns: failed to lookup ip for domain imasdk.googleapis.com at server UDP:1.1.1.1:53 > context deadline exceeded
10:53:22.291  I  [Info] [3036575879] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to lookup DNS > app/dns: returning nil for domain imasdk.googleapis.com > multierr: context deadline exceeded | 
10:53:22.291  I  [Info] [3036575879] app/proxyman/inbound: connection ends > proxy/socks: connection ends > proxy/socks: failed to transport all TCP response > io: read/write on closed pipe

Unfortunately, I was unable to reproduce this issue, it's working on my PC.

2023/11/16 12:21:34 [Debug] [1674829396] proxy/dokodemo: processing connection from: 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] proxy/dokodemo: received request for 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] app/dispatcher: default route for udp:9.9.9.9:53
2023/11/16 12:21:34 127.0.0.1:51306 accepted udp:9.9.9.9:53 [proxy1 >> client]

Config: https://pastebin.mozilla.org/pwtDSNZf I have tested whether kernelMode set to on or off, it's both working

Hi, @hax0r31337 Is it possible to add L2tp or pptp into Xray-core?

It's possible, but these protocols have a decreasing audience and not future-proof.
It's not worth it to add these protocols to xray-core in my opinion

[MrSaeid007]

I tested it and updated tun. It works, but it seems that UDP traffic cannot go out. wg outbound TCP. I tested it and it seems there is no problem. I will try inbound later.

10:53:22.291  I  [Info] app/dns: failed to lookup ip for domain imasdk.googleapis.com at server UDP:1.1.1.1:53 > context deadline exceeded
10:53:22.291  I  [Info] [3036575879] app/proxyman/outbound: failed to process outbound traffic > proxy/wireguard: failed to lookup DNS > app/dns: returning nil for domain imasdk.googleapis.com > multierr: context deadline exceeded | 
10:53:22.291  I  [Info] [3036575879] app/proxyman/inbound: connection ends > proxy/socks: connection ends > proxy/socks: failed to transport all TCP response > io: read/write on closed pipe

Unfortunately, I was unable to reproduce this issue, it's working on my PC.

2023/11/16 12:21:34 [Debug] [1674829396] proxy/dokodemo: processing connection from: 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] proxy/dokodemo: received request for 127.0.0.1:51306
2023/11/16 12:21:34 [Info] [1674829396] app/dispatcher: default route for udp:9.9.9.9:53
2023/11/16 12:21:34 127.0.0.1:51306 accepted udp:9.9.9.9:53 [proxy1 >> client]

Config: https://pastebin.mozilla.org/pwtDSNZf I have tested whether kernelMode set to on or off, it's both working

Hi, @hax0r31337 Is it possible to add L2tp or pptp into Xray-core?

It's possible, but these protocols have a decreasing audience and not future-proof. It's not worth it to add these protocols to xray-core in my opinion

I understand what you mean but I just offered because many of modems(LTE,Fiber,etc) in market only support l2tp or pptp protocol and they not support wireguard or...

Even many clients like windows, mobile(Ipsec)...etc support built-in l2tp or pptp as well so I just offer maybe @RPRX accept.

But I don't have a knowledge to send PR request to do so. I don't know what's the idea of @RPRX to adding this protocol just to inbound Xray-core. so in x-ui panel we can create L2tp or pptp for inbound and connect or local server(VPS) in our country via this protocol.
cc @RPRX & @yuhan6665 & @hax0r31337