shadowsocks / go-shadowsocks2

Modern Shadowsocks in Go

How to use Wireguard over Shadowsocks-Go?

thematrixdev opened this issue · comments

Shadowsocks-Go is deployed with Docker. This is the Docker-Compose command:
```yaml
command: ["go-shadowsocks2", "-c", "ss://AEAD_CHACHA20_POLY1305:123456@ShadowSocksGoServerIP:8488", "-verbose", "-socks", "0.0.0.0:1080", "-u", "-udptun", "0.0.0.0:51820=WireGuardServerIP:51820"]
```

Setting the system proxy to 127.0.0.1:1080 works.

This is the WireGuard configuration file:
```ini
[Interface]
Address = 10.0.0.2/24
PrivateKey = KEYKEYKEYKEYKEY
DNS = 1.1.1.1

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 127.0.0.1:51820
PublicKey = KEYKEYKEYKEYKEY
```

After starting WireGuard, there is no Internet connection. May I know what is wrong with these?

Thanks.

commented

Are you sure you are running shadowsocks-go on the server side? AFAIK shadowsocks-go does not have UDP support and it is deprecated.

And just to be curious, why are you doing this?

Sure, shadowsocks-go is running, since I can browse the Internet and see that "my IP" is the server IP.

I see shadowsocks-go supports these

- SOCKS5 proxy with UDP Associate
- UDP tunneling (e.g. relay DNS packets)

That means UDP works via shadowsocks-go?

By the way, I see in the example, 8.8.8.8 is tunneled on port 8053. May I know how to use this tunnel? Ubuntu 20.04 does not allow me to set a port number. With OpenVPN, even when 1.1.1.1 is set, it does not work.

I am now not inside the GFW. But my company firewall blocks quite a lot of websites and services. I have tried Trojan but my company blocks the domain name. So I am using Shadowsocks now. It seems running a VPN over Shadowsocks is a more secure solution.

commented

shadowsocks-go (deprecated) is a different software than go-shadowsocks2 (this repo). Make sure which one you're using on the server side.

Yes, SSG2. No firewall is turned on on Ubuntu. Ports are opened on Vultr.

docker-compose.yml

```yaml
version: '3.5'
services:
  shadowsocks-server:
    container_name: shadowsocks-server
    image: shadowsocks-server
    build:
      context: ./
      dockerfile: dockerfile
    ports:
      - "8488:8488/tcp"
      - "8488:8488/udp"
    command: ["go-shadowsocks2", "-s", "ss://AEAD_CHACHA20_POLY1305:123456@0.0.0.0:8488", "-verbose"]
    restart: always
```

dockerfile

```dockerfile
FROM golang:alpine
RUN apk add git
RUN go get -u -v github.com/shadowsocks/go-shadowsocks2
```

commented

You need to use -udp option to enable UDP on the server side. I disabled it by default a while ago. Not sure if that's the reason.

May I know what is the use of a TCP / UDP tunnel? For example, I can set the system proxy to 127.0.0.1:1080, and all connections will go through Shadowsocks. Setting up a tunnel, I point an application at it (e.g. 127.0.0.1:1194 to tunnel 0.0.0.0:1194), and the connection will still go through Shadowsocks to the destination. I don't understand the difference.

Without -udp on server start-up command, I can see WireGuard connection is routed through ShadowSocks server to my WireGuard server. I suspect UDP works without this parameter.

commented

A tunnel in go-ss2 connects to a fixed destination.

commented

> Without -udp on server start-up command, I can see WireGuard connection is routed through ShadowSocks server to my WireGuard server. I suspect UDP works without this parameter.

This is probably because your go-ss2 is older. The UDP is disabled by default recently due to security concerns.

I have tried using OpenVPN over Shadowsocks successfully.
The route is the key part.

```
socks-proxy 127.0.0.1 1080
route [SHADOWSOCKS_SERVER_IP] 255.255.255.255 net_gateway
verb 3
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
```

I will keep trying WireGuard.

Thank you very much for your work!

WireGuard works the same way. Since WireGuard does not officially support SOCKS5 proxy, we need to create a UDP-Tunnel on Shadowsocks-Go-2, and set the WireGuard client to connect to the UDP-Tunnel. After connection, we need to add a route to make the traffic going to the Shadowsocks-Go-2 server go through the default gateway (your router).

```shell
sudo ip route add [SHADOWSOCKS_SERVER_IP] via [DEFAULT_GATEWAY_IP] dev [PHYSICAL_NETWORK_ADAPTER]
```
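
The route exception described in the post above, as an added example that is not part of the original thread: it derives the gateway and adapter from `ip -4 route show default` output and prints the matching `ip route add` command, skipping tunnel interfaces so the exception never points back into the VPN. The function names, the sample routes and the address 203.0.113.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build the host-route exception that
# keeps go-shadowsocks2 traffic to the server off the WireGuard tunnel.

# Read `ip -4 route show default` output on stdin; print "<gateway> <device>"
# for the lowest-metric default route that is not a tunnel interface.
pick_default_route() {
    awk '
        $1 == "default" {
            gw = ""; dev = ""; metric = 0
            for (i = 2; i < NF; i++) {
                if ($i == "via")    gw = $(i + 1)
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1)
            }
            # Skip routes without a gateway and routes through wg*/tun*.
            if (gw == "" || dev ~ /^(wg|tun)/) next
            if (best == "" || metric + 0 < bestmetric) {
                best = gw " " dev; bestmetric = metric + 0
            }
        }
        END { if (best == "") exit 1; print best }
    '
}

# Print the `ip route add` command for SERVER_IP (routes are read on stdin).
bypass_route_cmd() {
    server_ip=$1
    # Require an IPv4 literal, which is what `ip route add` expects.
    case $server_ip in
        ""|*[!0-9.]*) echo "server must be an IPv4 literal" >&2; return 1 ;;
    esac
    route=$(pick_default_route) || {
        echo "no usable default route found" >&2
        return 1
    }
    set -- $route
    echo "ip route add $server_ip/32 via $1 dev $2"
}

# Constructed sample of `ip -4 route show default` output.
SAMPLE_ROUTES='default dev wg0 scope link metric 50
default via 192.168.1.1 dev eth0 proto dhcp metric 100
default via 10.20.0.1 dev wlan0 proto dhcp metric 600'

# 203.0.113.10 is a placeholder for [SHADOWSOCKS_SERVER_IP].
printf '%s\n' "$SAMPLE_ROUTES" | bypass_route_cmd 203.0.113.10
```

On a live system, feed it `ip -4 route show default | bypass_route_cmd <server IP>` and run the printed command with `sudo`.
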
commented

So it works now?

Yes it works now. I will write a tutorial on it later. Thank you very much.

commented

Great!

> Yes it works now. I will write a tutorial on it later. Thank you very much.

Hi! Have you prepared a tutorial?

> Yes it works now. I will write a tutorial on it later. Thank you very much.

Hi! The tutorial would be very much appreciated indeed

@thematrixdev @riobard
I was also trying to run WireGuard with Shadowsocks-Go.

Here is my docker compose.yaml for the server:

```yaml
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    restart: unless-stopped
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=auto
      - SERVERPORT=51820
      - PERSISTENTKEEPALIVE_PEERS=
      - LOG_CONFS=false
      - PEERS=0
      - PEERDNS=172.20.0.100
      - INTERNAL_SUBNET=10.80.0.0
    volumes:
      - ./wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - "51820:51820/udp"
      - "8888:8888"
      - "53:53/tcp"
      - "53:53/udp"
    dns:
      - 172.20.0.100
      - 172.20.0.200
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      private_network:
        ipv4_address: 172.20.0.100

  shadowsocks-server:
    container_name: shadowsocks-server
    image: shadowsocks-server
    build:
      context: ./shadowsocks-docker
      dockerfile: Dockerfile
    ports:
      - "8488:8488/tcp"
      - "8488:8488/udp"
      - "51821:51821/udp"
    command: ["go-shadowsocks2", "-c", "ss://AEAD_CHACHA20_POLY1305:123456@serverip:8488", "-verbose", "-socks", "0.0.0.0:1080", "-u", "-udptun", "0.0.0.0:51820=serverip:51821"]
    restart: always
    networks:
      private_network:
        ipv4_address: 172.20.0.201
```

Dockerfile

```dockerfile
FROM golang:alpine
RUN apk add git
RUN go install github.com/shadowsocks/go-shadowsocks2@latest
```

logs of shadowsocks-server

```
2024/05/25 18:25:44 tcp.go:18: SOCKS proxy 0.0.0.0:1080 <-> serverip:8488
2024/05/25 18:25:44 udp.go:48: UDP tunnel 0.0.0.0:51820 <-> serverip:8488 <-> serverip:51821
```

I deployed this on an Ubuntu server, but it didn't work. Could you please help me figure out what's wrong?