Warning
This translation was modified on 26 December 2023 and an updated version (21 November 2024) is available on the source page. View the original page
Wireguard
Wireguard is a standard implementation of the Wireguard protocol.
Danger
The Wireguard protocol is not specifically designed for circumvention purposes. If used as the outer layer for circumvention, its characteristics may lead to server blocking.
OutboundConfigurationObject
{
"secretKey": "PRIVATE_KEY",
"address": [
// optional, default ["10.0.0.1", "fd59:7153:2388:b5fd:0000:0000:0000:0001"]
"IPv4_CIDR",
"IPv6_CIDR",
"and more..."
],
"peers": [
{
"endpoint": "ENDPOINT_ADDR",
"publicKey": "PUBLIC_KEY"
}
],
"mtu": 1420, // optional, default 1420
"reserved": [1, 2, 3],
"workers": 2 // optional, default runtime.NumCPU()
"domainStrategy": "ForceIP"
}
Tip
Currently, the Wireguard protocol outbound does not support setting streamSettings
.
secretKey
: string
The user's private key. Required.
address
: string array
Wireguard will create a virtual network interface tun
locally. Use one or more IP addresses, including IPv6.
mtu
: int
The fragment size of the underlying tun
device in Wireguard.
reserved
[ number ]
Wireguard Reserved Bytes.
Xray-core v1.8.0 New parameter.
When connecting to warp via wireguard, due to cloudflare limitations, some IPs in Hong Kong and Los Angeles need to have a reserved
value in order to connect successfully.
The value of reserved
can be obtained using third-party tools such as warp-reg, warp-reg.sh.。
workers
: int
The number of threads used by Wireguard.
peers
: [ Peers ]
A list of Wireguard servers, where each item is a server configuration.
domainStrategy
: "ForceIPv6v4" | "ForceIPv6" | "ForceIPv4v6" | "ForceIPv4" | "ForceIP"
Xray-core v1.8.6 New parameter.
If you do not write this parameter, or leave it blank, the default value is "ForceIP"
.
When the destination address is a domain name, use the Xray-core built-in DNS server to get an IP (if no "dns"
configuration is written, system DNS is used), and send a connection to this IP via wireguard.
domainStrategy | test-ipv6.com | bgp.he.net | chat.openai.com |
---|---|---|---|
ForceIPv6v4 | IPv6v4 | IPv6 | IPv6 |
ForceIPv6 | The website won't open. | IPv6 | IPv6 |
ForceIPv4v6 | IPv6v4 1 | IPv4 | IPv4 |
ForceIPv4 | IPv4 | IPv4 | IPv4 |
ForceIP | IPv6v4 2 | IPv6 | IPv6 |
1: Tip You already have an IPv6 address, but your browser is less inclined to use it, which is more worrying.
2: The chances of prompting You already have an IPv6 address, but your browser is less inclined to use it, which is more worrisome.
Note 1:
- Conflicts with
"queryStrategy"
may cause the site to fail to open. - For example when
domainStrategy: "ForceIPv4"
is used, geosite:openai's site with"queryStrategy": "UseIPv6"
will fail to open.
"dns": {
"servers": [
"https://1.1.1.1/dns-query",
{
"address": "https://1.1.1.1/dns-query",
"domains": [
"geosite:openai"
],
"skipFallback": true,
"queryStrategy": "UseIPv6" // Query only AAAA records.
}
],
"queryStrategy": "UseIP" // If this parameter is not written, the default value is UseIP, i.e. both A and AAAA records are queried, optional values are UseIPv4 and UseIPv6, other record types are queried by the system DNS.
},
Note 2:
- Xray-core v1.8.0 - v1.8.4 without
"domainStrategy"
. - When the destination address is a domain name, use the Xray-core built-in DNS server query to obtain the IP, using the value of
"queryStrategy"
in the"dns"
configuration to control the IPv4 or IPv6 priority. - If the
"dns"
configuration is not written, the system DNS query is used to obtain IP, and the IPv4 or IPv6 priority is controlled by the system.
Peers
{
"endpoint": "ENDPOINT_ADDR",
"publicKey": "PUBLIC_KEY",
"preSharedKey": "PRE_SHARED_KEY", // optional, default "0000000000000000000000000000000000000000000000000000000000000000"
"keepAlive": 0, // optional, default 0
"allowedIPs": ["0.0.0.0/0"] // optional, default ["0.0.0.0/0", "::/0"]
}
endpoint
: address
The server address. Required.
URL:port format, e.g. engage.cloudflareclient.com:2408
.
IP:port format, e.g. 162.159.192.1:2408
or [2606:4700:d0::a29f:c001]:2408
.
publicKey
: string
The server's public key used for verification. Required.
preSharedKey
: string
An additional symmetric encryption key.
keepAlive
: int
The interval of keep-alive packets in seconds. The default is 0, which means no keep-alive.
allowedIPs
: string array
Only allow traffic from specific source IP addresses in Wireguard.