mirror of
https://github.com/house-of-vanity/house-of-vanity.github.io.git
synced 2025-10-24 09:59:08 +00:00
Update wg-xray.md
committed by
GitHub
parent
2a493f1d54
commit
8b2ccccbb6
@@ -1,5 +1,5 @@
|
|||||||
+++
|
+++
|
||||||
title = "WireGuard over xRay Vless protocol"
|
title = "WireGuard over Xray VLESS Protocol"
|
||||||
date = "2024-10-04"
|
date = "2024-10-04"
|
||||||
description = "How to Maintain the WireGuard Network in Censored Countries"
|
description = "How to Maintain the WireGuard Network in Censored Countries"
|
||||||
|
|
||||||
@@ -69,7 +69,7 @@ cat > server.json <<EOF
|
|||||||
"decryption": "none"
|
"decryption": "none"
|
||||||
},
|
},
|
||||||
"streamSettings": {
|
"streamSettings": {
|
||||||
"network": "h2",
|
"network": "tcp",
|
||||||
"security": "reality",
|
"security": "reality",
|
||||||
"realitySettings": {
|
"realitySettings": {
|
||||||
"show": false,
|
"show": false,
|
||||||
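Review bot: The switch of `"network"` from `"h2"` to `"tcp"` in the server's `streamSettings` is not explained anywhere; the commit message is only "Update wg-xray.md" and the prose change further down just restates the new value. Add one sentence to the article saying why TCP is used with `"security": "reality"` here, so readers who followed the earlier HTTP/2 version know whether they need to regenerate both configs.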
@@ -96,7 +96,7 @@ cat > server.json <<EOF
|
|||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
This configuration sets up an inbound VLESS listener over HTTP/2 with Reality security, using the generated private key and short IDs.
|
This configuration sets up an inbound VLESS listener over TCP with Reality security, using the generated private key and short IDs.
|
||||||
|
|
||||||
### Client Configuration
|
### Client Configuration
|
||||||
|
|
||||||
@@ -140,7 +140,7 @@ cat > client.json <<EOF
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"streamSettings": {
|
"streamSettings": {
|
||||||
"network": "h2",
|
"network": "tcp",
|
||||||
"security": "reality",
|
"security": "reality",
|
||||||
"realitySettings": {
|
"realitySettings": {
|
||||||
"show": false,
|
"show": false,
|
||||||
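Review bot: The client's `"network": "tcp"` now has to be kept in step with the same literal in the `server.json` heredoc, and nothing in the text around `client.json` says so. Add a short remark next to the client configuration that `network` and `security` must be identical on both sides, since the sentence that follows this block only describes the UDP capture and gives no hint where to look when the two drift apart.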
@@ -167,7 +167,7 @@ This client configuration captures local UDP traffic (from WireGuard) and forwar
|
|||||||
Set up WireGuard on the server:
|
Set up WireGuard on the server:
|
||||||
|
|
||||||
```ini
|
```ini
|
||||||
# Server configuration: /etc/wireguard/wg0.conf
|
# Server configuration: /etc/wireguard/homenet.conf
|
||||||
[Interface]
|
[Interface]
|
||||||
Address = 10.0.0.1/24
|
Address = 10.0.0.1/24
|
||||||
ListenPort = 6666
|
ListenPort = 6666
|
||||||
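Review bot: Only the path comment changes here, from `/etc/wireguard/wg0.conf` to `/etc/wireguard/homenet.conf`, which also changes the interface name a reader ends up with. No other hunk in this commit touches the name, so check the rest of the file for remaining `wg0` references (bring-up commands, the client-side path) and update them in the same commit so the walkthrough stays consistent with the `gateway=homenet` used in the new Mikrotik section.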
@@ -175,6 +175,13 @@ PrivateKey = <server_private_key>
|
|||||||
PostUp = iptables -A FORWARD -i %i -o %i -j ACCEPT
|
PostUp = iptables -A FORWARD -i %i -o %i -j ACCEPT
|
||||||
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT
|
PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT
|
||||||
SaveConfig = false
|
SaveConfig = false
|
||||||
|
MTU = 1300
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
PublicKey = <peer_public_key>
|
||||||
|
AllowedIPs = 10.0.0.2/32
|
||||||
|
Endpoint = 127.0.0.1:6666 # Local UDP port proxied by Xray
|
||||||
|
PersistentKeepalive = 10
|
||||||
```
|
```
|
||||||
|
|
||||||
### Client Configuration
|
### Client Configuration
|
||||||
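Review bot: The added `[Peer]` block in the server config sets `Endpoint = 127.0.0.1:6666`, which is the same port as this interface's own `ListenPort = 6666` shown in the previous hunk, so the server would address its peer at its own listener. These lines look copied from the client section (the next hunk header shows `PersistentKeepalive = 10` as client-side context); on the server, drop `Endpoint` and `PersistentKeepalive` and let the peer address be learned from incoming packets, or explain why they are needed. `MTU = 1300` is also added without a word in the prose; add a sentence on how the value was chosen.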
@@ -197,6 +204,34 @@ PersistentKeepalive = 10
|
|||||||
|
|
||||||
In this setup, WireGuard traffic is sent to a local port (`6666`), which is proxied by Xray over the Reality protocol to the server.
|
In this setup, WireGuard traffic is sent to a local port (`6666`), which is proxied by Xray over the Reality protocol to the server.
|
||||||
|
|
||||||
|
## Routing a Single Client's Traffic through the VPN on Mikrotik
|
||||||
|
|
||||||
|
To route a specific client's traffic through the VPN using a Mikrotik router, follow these steps:
|
||||||
|
|
||||||
|
1. **Create a New Routing Table:**
|
||||||
|
|
||||||
|
```shell
|
||||||
|
/routing table add fib name=vpn
|
||||||
|
```
|
||||||
|
|
||||||
|
This command creates a new routing table named `vpn`, which will be used to direct traffic through the VPN interface.
|
||||||
|
|
||||||
|
2. **Mark Routing for the Specific Client:**
|
||||||
|
|
||||||
|
```shell
|
||||||
|
/ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes src-address=192.168.90.234
|
||||||
|
```
|
||||||
|
|
||||||
|
This firewall mangle rule marks all traffic originating from the client with IP address `192.168.90.234`. The `new-routing-mark=vpn` ensures that packets from this client use the `vpn` routing table.
|
||||||
|
|
||||||
|
3. **Add a Route in the VPN Routing Table:**
|
||||||
|
|
||||||
|
```shell
|
||||||
|
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=homenet routing-table=vpn
|
||||||
|
```
|
||||||
|
|
||||||
|
This adds a default route (`0.0.0.0/0`) to the `vpn` routing table, directing marked traffic to the `homenet` gateway (which should be the VPN interface).
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
By combining Xray with WireGuard and the Reality protocol, you create a secure and obfuscated tunnel that can help bypass network restrictions. Remember to replace placeholder values like `<server_private_key>`, `<client_private_key>`, and `<server_public_key>` with your actual keys.
|
By combining Xray with WireGuard and configuring your Mikrotik router, you create a secure and selective VPN setup that can help bypass network restrictions for specific clients. Remember to replace placeholder values like `<server_private_key>`, `<client_private_key>`, and `<server_public_key>` with your actual keys.
|
||||||
|
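Review bot: In step 2 the mangle rule matches on `src-address=192.168.90.234` alone, so packets from that client to the router itself and to other local subnets are marked as well and then follow the `0.0.0.0/0` route from step 3 into the tunnel. Narrow the match, for example with `dst-address-type=!local` for the router's own addresses and a destination address list for the LAN ranges. The section also does not say what happens when `homenet` is down: if the route goes inactive, the client's traffic can fall back to the main table and leave outside the tunnel, which matters for the use case in the description, so document that or add a routing rule that confines the mark to the `vpn` table. Finally, `gateway=homenet` assumes a WireGuard interface of that name already exists on the router, and no step here creates it.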