Warning

This translation was modified on 20 August 2024 and an updated version (1 November 2024) is available on the source page. View the original page

Wireguard

User-space implementation of the Wireguard protocol.

Danger

The Wireguard protocol is not specifically designed for circumvention purposes. If used as the outer layer for circumvention, its characteristics may lead to server blocking.

InboundConfigurationObject

{
  "secretKey": "PRIVATE_KEY",
  "peers": [
    {
      "publicKey": "PUBLIC_KEY",
      "allowedIPs":[""]
    }
  ],
  "kernelMode": true, // optional, default true if it's supported and permission is sufficient
  "mtu": 1420, // optional, default 1420
}

secretKey: string

Private key. Required.

mtu: int

Fragmentation size of the underlying Wireguard tun.

MTU Calculation Method

The structure of a Wireguard packet is as follows:

- 20-byte IPv4 header or 40 byte IPv6 header
- 8-byte UDP header
- 4-byte type
- 4-byte key index
- 8-byte nonce
- N-byte encrypted data
- 16-byte authentication tag

N-byte encrypted data is the MTU value we need. Depending on whether the endpoint is IPv4 or IPv6, the specific values can be 1440 (IPv4) or 1420 (IPv6). If in a special environment, subtract additional bytes accordingly (e.g., subtract 8 more bytes for PPPoE over home broadband).

peers: [ Peers ]

List of peer servers, where each entry is a server configuration.

Peers

{
  "publicKey": "PUBLIC_KEY",
  "allowedIPs": ["0.0.0.0/0"] // optional, default ["0.0.0.0/0", "::/0"]
}

publicKey: string

Public key, used for verification.

allowedIPs: string array

Allowed source IPs.