XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0

Full-cone NAT doesn't work with wireguard outbound. #2993

Closed: rifting closed 7 months ago

rifting commented 7 months ago

Hello, I currently have an XRAY server with a wireguard outbound as follows.

{
    "log": {
        "loglevel": "warning"
    },
    "routing": {
        "domainStrategy": "IPIfNonMatch",
        "rules": [
            {
                "type": "field",
                "domain": [
                    "geosite:category-ads-all"
                ],
                "outboundTag": "block"
            },
            {
                "type": "field",
                "ip": [
                    "geoip:cn"
                ],
                "outboundTag": "block"
            }
        ]
    },
    "inbounds": [
        {
            "listen": "0.0.0.0",
            "port": 443,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "",
                        "flow": "xtls-rprx-vision"
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "tcp",
                "security": "reality",
                "realitySettings": {
                    "show": false,
                    "dest": "www.google.com:443",
                    "xver": 0,
                    "serverNames": [
                        "google.com"
                    ],
                    "privateKey": "",
                    "minClientVer": "",
                    "maxClientVer": "",
                    "maxTimeDiff": 0,
                    "shortIds": [
                    ]
                }
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls"
                ]
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "wireguard",
            "settings": {
              "secretKey": "",
              "address": ["172.16.0.2/32", ""],
              "peers": [
                {
                 "publicKey": "",
                 "endpoint": "engage.cloudflareclient.com:2408"
                }
              ]
            },
            "tag": "wireguard-1"
        },
        {
            "protocol": "blackhole",
            "tag": "block"
        }
    ],
    "policy": {
        "levels": {
            "0": {
                "handshake": 3,
                "connIdle": 180
            }
        }
    }
}

When I turn the outbound to freedom/direct and XUDP packet encoding in nekoray, games (Halo Infinite) that require NAT work fine. However, when I add the wireguard outbound, NAT fails and I cannot play the game. This may be an issue with xray or there may be something I'm doing wrong. I doubt it is an issue with nekoray, but if it is and there is a suitable replacement that would work with these types of games please let me know.

ZqinKing commented 7 months ago

I'm guessing it's the wireguard peer's firewall that doesn't open all UDP ports, and maybe even NAT.

Fangliding commented 7 months ago

Cloudflare warp does not support full cone NAT