WireGuard + V2Ray
This is an English-language expansion of the instructions on the Chinese-language blog https://cupkappu.github.io/2020/09/27/Wireguard-over-V2ray. In the examples that follow:
- The Debian 11 server is assumed to be at IP address
168.168.168.168
- To keep the article simple, the V2Ray server on port
16823
does not use any obfuscation - WireGuard uses port
51820
- The client runs Windows 11
1. Server
1.1. Open Firewall on Debian 11 Server
SSH into your server as root. Open the firewall:
- Open firewall for input
UDP
on destination port16823
- Open firewall for input
T*****
on destination port16823
- Persist firewall rules across reboots
1.2. Install V2Ray on Debian 11 Server
Install V2Ray using the standard script:
curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh | bash
Edit the configuration file /usr/local/etc/v2ray/config.json
. Make it look like as below. Change the universally unique id (UUID) and the port number as you prefer. If you need to, you can get a generated UUID from https://www.uuidgenerator.net.
{ "inbounds": [ { "port": 16823, "protocol": "vmess", "settings": { "clients": [ { "id": "fc4e5bb2-cbbc-44af-8edb-77360d068c1c", "alterId": 64 } ] } } ], "outbounds": [ { "protocol": "freedom", "settings": {} } ] }
Enable and start V2Ray:
systemctl enable v2ray
systemctl start v2ray
1.3. Install WireGuard on Debian 11 Server
Install WireGuard using the angristan
script:
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh
Answer the questions that the script prompts you for. You can accept the defaults or enter your own values. In the example that follows, all the values were defaults except for the port number of 51820
.
IPv4 or IPv6 public address: 168.168.168.168
Public interface: eth0
WireGuard interface name: wg0
Server's WireGuard IPv4: 10.66.66.1
Server's WireGuard IPv6: fd42:42:42::1
Server's WireGuard port [1-65535]: 51820
First DNS resolver to use for the clients: 94.140.14.14
Second DNS resolver to use for the clients (optional): 94.140.15.15
At the end of the script, enter your choices for the first WireGuard client:
Client name: pc
Client's WireGuard IPv4: 10.66.66.2
Client's WireGuard IPv6: fd42:42:42::2
The script creates a server configuration file /etc/wireguard/wg0.conf
that looks like this:
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 51820
PrivateKey = wGZ+rBUlp1lh54E9+xfMyBNtQGgRff0YIxv43JGfN2A=
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = 61D/sa8ZDysnWcEaUrXcv5e5yB+wln0bQh6ULky9gA8=
PresharedKey = eefSFlG2d/M2ajG9ooStEuPME+eFBpsZDAoUQ6UcU8U=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
The script also creates a first client configuration file /root/wg0-client-pc.conf
that looks like this:
[Interface]
PrivateKey = ULB+BKBTV39MVHfMApK59d+ip+FMQsPr8K9As5B0x0k=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 94.140.14.14,94.140.15.15
[Peer]
PublicKey = tWaWaa1NjhsYPIX+GeI2U+x8CiNy+v3vQMgrK936LhQ=
PresharedKey = eefSFlG2d/M2ajG9ooStEuPME+eFBpsZDAoUQ6UcU8U=
Endpoint = 168.168.168.168:51820
AllowedIPs = 0.0.0.0/0,::/0
You can check that the script has set the systemd service running with the command:
systemctl status wg-quick@wg0
2. Client
2.1. Install V2Ray on Windows 11 Client
Download the latest V2Ray client for Windows. For example, if the latest relese is version 5.0.6
, it will be at https://github.com/v2fly/v2ray-core/releases/download/v5.0.6/v2ray-windows-64.zip.
Unzip v2ray-windows-64.zip
.
Open Windows Notepad and edit Downloads\v2ray-windows-64\config.json
.
Substitute into what follows your actual server address, port, and UUID. They should match the values on the server. Note that alterId
needs to be 0
on the client for some reason.
{ "inbounds": [ { "tag":"wireguard", "port":51820, "protocol":"dokodemo-door", "settings":{ "address":"127.0.0.1", "port":51820, "network":"udp" } } ], "outbounds": [ { "tag":"proxy", "protocol": "vmess", "settings": { "vnext": [ { "address": "168.168.168.168", "port": 16823, "users": [ { "id": "fc4e5bb2-cbbc-44af-8edb-77360d068c1c", "alterId": 0 } ] } ] } } ], "routing":{ "rules":[ { "type":"field", "inboundTag":[ "wireguard" ], "outboundTag":"proxy" } ] } }
Save the edited config.json
file.
2.2. Install WireGuard on Windows 11 Client
Download the WireGuard for Windows installer from https://www.wireguard.com/install.
Run Downloads\wireguard-installer.exe
.
Click Yes to allow changes.
Click Add Tunnel > Add empty tunnel.
Set the tunnel name equal to Debian-11
or whatever you choose to name this server. No spaces are allowed.
Paste in the configuration below. Note that the endpoint has been changed to be localhost (127.0.0.1
), not the remote server!
[Interface]
PrivateKey = ULB+BKBTV39MVHfMApK59d+ip+FMQsPr8K9As5B0x0k=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 94.140.14.14,94.140.15.15
[Peer]
PublicKey = tWaWaa1NjhsYPIX+GeI2U+x8CiNy+v3vQMgrK936LhQ=
PresharedKey = eefSFlG2d/M2ajG9ooStEuPME+eFBpsZDAoUQ6UcU8U=
Endpoint = 127.0.0.1:51820
AllowedIPs = 0.0.0.0/0,::/0
Uncheck the box for a kill switch.
Click Save.
2.3. Add Route to Server
Open a Windows command prompt with Run as administrator. Click Yes to allow. Add a route to your server via your main interface’s gateway. For example, if your server is at 168.168.168.168
and your primary gateway is at 192.168.122.1
:
route ADD 168.168.168.168 MASK 255.255.255.255 192.168.122.1
2.4. Run V2Ray and WireGuard Windows 11 Clients
Open a new Windows command prompt. You do not need to run this one as administrator.
Change into the unzipped directory for V2Ray for Windows:
cd Downloads\v2ray-windows-64
Set the client running:
v2ray run
Leave the command prompt window open with V2Ray running in it. Expect to see messages Using default config
and V2Ray 5.0.6 started
.
In the WireGuard graphical user interface, select your tunnel and click Activate.
You can test your connection by visiting https://whatismyipaddress.com.
2.5. Disconnect
Deactivate the WireGuard tunnel in the GUI.
Stop V2Ray in the Windows command prompt window by pressing Ctrl+c on your computer keyboard. Close the command prompt window.
Delete the route you added to your server.
Updated 2022-06-06