chika0801 / sing-box-examples

sing-box configuration examples
https://github.com/SagerNet/sing-box

Config request #80

Closed sevvian closed 7 months ago

sevvian commented 7 months ago

Thanks for sharing your configurations. If possible, can you create some configs for chaining proxies?

I have used your shadowtls config for client and server. But I have made a change to have a WireGuard outbound from my VPS.

So it looks like: client (shadowtls) -----> server (inbound shadowtls, outbound warp wireguard) --> cloudflare.

Could you please share a config for this setup? I tried, but it did not work.

chika0801 commented 7 months ago

https://github.com/chika0801/sing-box-examples/blob/main/wireguard.md

It's described in this link. Take a look for yourself and if you have questions, ask them specifically.

sevvian commented 7 months ago

Thanks chika for the reply. Sorry, I was not clear without the config. Let me share my config here and explain the issue I have as clearly as possible.

Server config:

{
  "inbounds": [
    {
      "type": "shadowtls",
      "listen": "::",
      "listen_port": 443,
      "version": 3,
      "users": [
        { "name": "some user", "password": "masked password" }
      ],
      "handshake": { "server": "nvidia.com", "server_port": 443 },
      "detour": "vmess-in"
    },
    {
      "type": "shadowsocks",
      "tag": "shadowsocks-in",
      "listen": "127.0.0.1",
      "network": "tcp",
      "method": "2022-blake3-aes-128-gcm",
      "password": "masked password"
    },
    {
      "type": "vmess",
      "tag": "vmess-in",
      "listen": "127.0.0.1",
      "users": [
        { "name": "some user", "uuid": "masked uuid", "alterId": 0 }
      ]
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "warp-IPv4-out",
      "detour": "wireguard-out",
      "domain_strategy": "ipv4_only"
    },
    {
      "type": "direct",
      "tag": "warp-IPv6-out",
      "detour": "wireguard-out",
      "domain_strategy": "ipv6_only"
    },
    {
      "type": "wireguard",
      "tag": "wireguard-out",
      "server": "162.159.192.1",
      "server_port": 2408,
      "local_address": [
        "172.16.0.2/32",
        "2606:1234:110:1234:ea2b:9523:1234:32d3/128"
      ],
      "private_key": "masked the private key",
      "peer_public_key": "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=",
      "reserved": [1, 2, 3],
      "mtu": 1280,
      "network": "tcp"
    }
  ]
}

(The "reserved" values 1, 2, 3 are some random values for the purpose of sharing.)

Client config:

{
  "dns": {
    "rules": [],
    "servers": [
      {
        "address": "tls://94.140.14.15",
        "tag": "dns-remote",
        "detour": "vmess-out",
        "strategy": "ipv4_only"
      }
    ]
  },
  "inbounds": [
    {
      "type": "tun",
      "interface_name": "ipv4-tun",
      "inet4_address": "172.19.0.1/28",
      "mtu": 1370,
      "stack": "gvisor",
      "endpoint_independent_nat": true,
      "auto_route": true,
      "strict_route": true,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "vmess",
      "tag": "vmess-out",
      "uuid": "masked it",
      "security": "auto",
      "alter_id": 0,
      "global_padding": false,
      "authenticated_length": true,
      "multiplex": {
        "enabled": false,
        "protocol": "smux",
        "max_connections": 5,
        "min_streams": 4,
        "max_streams": 0
      },
      "connect_timeout": "5s",
      "detour": "shadowtls-out"
    },
    {
      "type": "shadowtls",
      "tag": "shadowtls-out",
      "server": "masked the server",
      "server_port": 443,
      "version": 3,
      "password": "masked password",
      "tls": {
        "enabled": true,
        "server_name": "nvidia.com",
        "utls": { "enabled": true, "fingerprint": "ios" }
      }
    },
    { "tag": "dns-out", "type": "dns" }
  ],
  "route": {
    "auto_detect_interface": true,
    "final": "vmess-out",
    "rules": [
      { "protocol": "dns", "outbound": "dns-out" }
    ]
  }
}

The server and client config work perfectly when I don't have wireguard.

But what I wanted to achieve is: client PC --> vmess --> shadowtls outbound ----> remote server (shadowtls inbound --> vmess inbound --> wireguard outbound) ----> internet

Basically, I want to run wireguard on my remote server as a client and connect to warp/cloudflare, so I can mask my server IP from websites, like having another level of proxy, and present the warp IP to the websites I visit.

But I encounter an error while the connection returns from wireguard to vmess on the remote server, saying dial tcp failed and vmess inject failed.

Please let me know if I am doing it wrong or the config needs some change.

chika0801 commented 7 months ago

pc --> vmess --> shadowtls outbound ----> remote server (shadowtls inbound --> vmess inbound --> wireguard outbound) ----> internet

I looked at your configuration and what you described.

I think the problem you are having is that the client is not successfully connecting to the server when using the VMESS+shadowtls combination.

Have you tested using the configuration file here, https://github.com/chika0801/sing-box-examples/tree/main/ShadowTLS (shadowsocks+shadowtls combo), to see if the client can connect with the server successfully?

https://github.com/chika0801/sing-box-examples/blob/main/ShadowTLS/config_server.json#L15

Tip: in this configuration, the use of shadowtls requires that the target site has TLS 1.3; you can read the sing-box documentation for details.

Use this comparison test method to check whether you are not using VMESS+shadowtls correctly.

chika0801 commented 7 months ago

In addition, in the server-side configuration you can first not use the wireguard outbound, just use the default direct outbound, to confirm that both ends of your VMESS + shadowtls configuration combination can connect successfully. If successful, then change the outbound part of the server-side configuration to the wireguard configuration.

Test step by step like this to troubleshoot which part has the problem. I recommend starting simple, step by step. This is my approach to troubleshooting.
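The two checks this thread keeps circling back to, whether every detour/tag reference in the JSON actually resolves and the "direct outbound first, wireguard second" staging, can be scripted. The following is an added example written for this page; it is not code from the sing-box-examples repository or from sing-box itself. The sample config is constructed to mirror the server config pasted above (secrets replaced by placeholders), and the functions `check_references`, `outbound_chain` and `direct_only_variant` are this example's own names. The checker only validates the shape of the wireguard "reserved" field (three bytes); whether the bytes are the right ones for your WARP account is something no offline check can tell you.

```python
"""Sanity-check a sing-box config's inbound/outbound chain and build the
"direct outbound only" variant used for step-by-step testing.
Added example; not part of the sing-box-examples repository."""
import copy
import json

# Constructed sample modelled on the server config in this thread:
# shadowtls -> vmess inbound chain, outbound through a wireguard (WARP) leg.
# Keys and secrets are placeholders.
SAMPLE_SERVER_CONFIG = json.loads("""
{
  "inbounds": [
    {"type": "shadowtls", "tag": "shadowtls-in", "listen": "::", "listen_port": 443,
     "version": 3, "users": [{"name": "u", "password": "PLACEHOLDER"}],
     "handshake": {"server": "nvidia.com", "server_port": 443}, "detour": "vmess-in"},
    {"type": "vmess", "tag": "vmess-in", "listen": "127.0.0.1",
     "users": [{"name": "u", "uuid": "PLACEHOLDER-UUID", "alterId": 0}]}
  ],
  "outbounds": [
    {"type": "direct", "tag": "warp-IPv4-out", "detour": "wireguard-out",
     "domain_strategy": "ipv4_only"},
    {"type": "wireguard", "tag": "wireguard-out", "server": "162.159.192.1",
     "server_port": 2408, "local_address": ["172.16.0.2/32"],
     "private_key": "PLACEHOLDER", "peer_public_key": "PLACEHOLDER-PEER-KEY",
     "reserved": [1, 2, 3], "mtu": 1280}
  ],
  "route": {"final": "warp-IPv4-out"}
}
""")

# Same config with a typo in the inbound detour, to show what the checker reports.
BROKEN_SERVER_CONFIG = copy.deepcopy(SAMPLE_SERVER_CONFIG)
BROKEN_SERVER_CONFIG["inbounds"][0]["detour"] = "vmess_in"


def outbound_chain(config, tag):
    """Follow outbound detours starting at `tag` and return the tag sequence.
    Raises KeyError for an unknown tag and ValueError for a detour loop."""
    by_tag = {o.get("tag"): o for o in config.get("outbounds", [])}
    chain = []
    while tag is not None:
        if tag in chain:
            raise ValueError(f"detour loop: {' -> '.join(chain + [tag])}")
        if tag not in by_tag:
            raise KeyError(tag)
        chain.append(tag)
        tag = by_tag[tag].get("detour")
    return chain


def check_references(config):
    """Return a list of problems; empty means every inbound detour, outbound
    detour and route target names an existing tag, there are no duplicate
    tags or detour loops, and wireguard 'reserved' fields are three bytes."""
    problems = []
    in_tags = [i.get("tag") for i in config.get("inbounds", [])]
    out_tags = [o.get("tag") for o in config.get("outbounds", [])]
    for section, tags in (("inbounds", in_tags), ("outbounds", out_tags)):
        dupes = {t for t in tags if t is not None and tags.count(t) > 1}
        problems += [f"{section}: duplicate tag {t!r}" for t in sorted(dupes)]
    # An inbound detour (shadowtls handing off to vmess) must name an inbound.
    for ib in config.get("inbounds", []):
        d = ib.get("detour")
        if d is not None and d not in in_tags:
            problems.append(f"inbound {ib.get('tag') or ib['type']!r}: detour to unknown inbound {d!r}")
    # An outbound detour must name an outbound, and chains must not loop.
    for ob in config.get("outbounds", []):
        try:
            outbound_chain(config, ob.get("tag"))
        except KeyError as e:
            problems.append(f"outbound {ob.get('tag')!r}: detour to unknown outbound {e.args[0]!r}")
        except ValueError as e:
            problems.append(f"outbound {ob.get('tag')!r}: {e}")
        if ob.get("type") == "wireguard":
            r = ob.get("reserved")
            if not (isinstance(r, list) and len(r) == 3
                    and all(isinstance(b, int) and 0 <= b <= 255 for b in r)):
                problems.append(f"outbound {ob.get('tag')!r}: 'reserved' should be three bytes, got {r!r}")
    # Route targets (final and rule outbounds) must be outbound tags.
    route = config.get("route", {})
    targets = [route.get("final")] + [r.get("outbound") for r in route.get("rules", [])]
    for t in targets:
        if t is not None and t not in out_tags:
            problems.append(f"route: target {t!r} is not an outbound tag")
    return problems


def direct_only_variant(config):
    """Step one of the troubleshooting sequence: keep the inbound chain, replace
    every outbound with a plain direct outbound and point the route at it. If
    this variant works and the wireguard one does not, the fault is in the
    wireguard/WARP leg rather than in shadowtls+vmess."""
    staged = copy.deepcopy(config)
    staged["outbounds"] = [{"type": "direct", "tag": "direct-out"}]
    route = staged.setdefault("route", {})
    route["final"] = "direct-out"
    route["rules"] = [dict(r, outbound="direct-out") if "outbound" in r else r
                      for r in route.get("rules", [])]
    return staged


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SERVER_CONFIG), ("broken", BROKEN_SERVER_CONFIG)):
        print(name, check_references(cfg) or "ok")
    print(json.dumps(direct_only_variant(SAMPLE_SERVER_CONFIG)["outbounds"]))
```

Run it against your own file with `json.load(open("config.json"))` in place of the constructed sample; a non-empty list from `check_references` is worth fixing before touching the wireguard leg at all, and the staged variant is the config to test first.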

sevvian commented 7 months ago

Thanks chika, I did take a step back and checked one by one. I took your config from GitHub and tested shadowtls+vmess -> direct outbound to the internet on the server; it does work. My PC/mobile is able to connect to the server through shadowtls and it works perfectly fine.

(attachment: shadowtls_work)

But when I added the wireguard outbound on the server side (everything else stays the same), I get an "operation not permitted" error, as in the attachment wireguard_not_working.

Configuration as attached in my previous reply. Do you see any issue, or am I misconfiguring it? I appreciate your expertise here to find out what is possibly going wrong.

sevvian commented 7 months ago

Hi chika,

I just set up a plain wireguard outbound from my local PC via a tun inbound. The config works and I can see the cloudflare IP, with the same wireguard outbound config.

It looks like my server routing or iptables rules need checking when wireguard is set up, so the issue seems to be my server in this case. I will troubleshoot it. Thanks for your input; I will close this issue.

Thanks, and continue your good work. I appreciate your configs and detailed tutorials for everyone's use.

chika0801 commented 7 months ago

Thanks chika, I did take a step back and checked one by one. I took your config from GitHub and tested shadowtls+vmess -> direct outbound to the internet on the server; it does work. My PC/mobile is able to connect to the server through shadowtls and it works perfectly fine.

This proves that your shadowtls+vmess combo configuration is correct on both ends and the client can connect to the server.

But when I added the wireguard outbound on the server side (everything else stays the same), I get an "operation not permitted" error, as in the attachment.

You need to paste the wireguard configuration from your server side outbound and I'll take a look at it.

A possible reason is that some VPSes in the LA area and Hong Kong area need to use the value you obtain for the "reserved": [0, 0, 0] field; otherwise it won't connect to warp.

Generally speaking, on the server side any combination of inbound protocols (for example, what you have now, shadowtls + vmess) will not conflict with a wireguard outbound. That's why I asked you to check the reserved field in your wireguard configuration.

chika0801 commented 7 months ago

"reserved": [1,2,3], // some random values for the purpose sharing

I don't know if the 1, 2, and 3 you've put in here are gibberish.

chika0801 commented 7 months ago

https://github.com/fscarmen/warp-sh

If you want to test whether the server-side wireguard into warp will work:

You can use this one-click script, which works by globally taking over the outbound traffic of the VPS.

That's another way of thinking about getting into Warp. In that case the sing-box server-side configuration only needs a DIRECT outbound.