WireGuard
User-space WireGuard protocol implementation.
DANGER
The WireGuard protocol is not designed specifically for bypassing firewalls. If used as the outer layer to cross the firewall, its distinct characteristics may lead to the server being blocked.
InboundConfigurationObject
```json
{
  "secretKey": "PRIVATE_KEY",
  "address": [
    // optional, default ["10.0.0.1", "fd59:7153:2388:b5fd:0000:0000:0000:0001"]
    "10.0.0.1/32",
    "fd59:7153:2388:b5fd::1/128"
  ],
  "peers": [
    {
      "publicKey": "PUBLIC_KEY",
      "preSharedKey": "PRE_SHARED_KEY",
      "endpoint": "ENDPOINT_ADDR",
      "keepAlive": 0,
      "allowedIPs": ["10.0.0.2/32", "fd59:7153:2388:b5fd::2/128"]
    }
  ],
  "mtu": 1420 // optional, default 1420
}
```
secretKey: string
Private key. Required.
mtu: int
The MTU size of the underlying WireGuard TUN.
address: string array
Interface addresses for the WireGuard virtual TUN. Two formats are supported:
- IP: e.g. "10.0.0.1" / "fd59:...::1"
- CIDR: only /32 (IPv4) or /128 (IPv6) are allowed, e.g. "10.0.0.1/32" / "fd59:...::1/128"
If omitted, defaults to ["10.0.0.1", "fd59:7153:2388:b5fd:0000:0000:0000:0001"].
Method to Calculate MTU
The structure of a WireGuard packet is as follows:
- 20-byte IPv4 header or 40-byte IPv6 header
- 8-byte UDP header
- 4-byte type
- 4-byte key index
- 8-byte nonce
- N-byte encrypted data
- 16-byte authentication tag
The N bytes of encrypted data are the inner packet, so N is the MTU value to configure. Starting from the usual 1500-byte link MTU and subtracting the headers listed above gives 1440 for an IPv4 endpoint or 1420 for an IPv6 endpoint. In special network environments you may need to subtract more (for example, home broadband over PPPoE requires an extra 8 bytes).
peers: [ Peers ]
List of peers, where each item is a peer configuration.
Peers
```json
{
  "publicKey": "PUBLIC_KEY",
  "preSharedKey": "PRE_SHARED_KEY",
  "endpoint": "ENDPOINT_ADDR",
  "keepAlive": 0,
  "allowedIPs": ["10.0.0.2/32"] // optional, default ["0.0.0.0/0", "::0/0"]
}
```
publicKey: string
Public key, used for verification.
allowedIPs: string array
WireGuard AllowedIPs. If omitted, defaults to ["0.0.0.0/0", "::0/0"].
WARNING
When using WireGuard inbound (server-side), it is strongly recommended to explicitly set the allowed address ranges for each peer (usually /32 or /128) to avoid mis-routing.
preSharedKey: string
Pre-shared key (optional).
endpoint: string
Peer endpoint (optional). Usually in host:port format, e.g. example.com:51820 or 162.159.192.1:2408.
keepAlive: int
Keepalive interval in seconds. Default is 0 (disabled).
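As an added example (not the project's own code), a small Python checker that applies the MTU method and the allowedIPs warning above: it computes the inner MTU from the packet layout, enforces the /32 and /128 rule for address, and flags peers whose allowedIPs is omitted or wider than a single host. The config keys are the ones documented on this page; the sample values are constructed placeholders.

```python
import ipaddress
# Per-packet WireGuard framing after the UDP header: type, key index, nonce, auth tag.
WG_OVERHEAD = 4 + 4 + 8 + 16

def recommended_mtu(ipv6_endpoint: bool, link_mtu: int = 1500, extra: int = 0) -> int:
    """Inner MTU = link MTU minus outer IP header, UDP header, WireGuard framing and extras."""
    ip_header = 40 if ipv6_endpoint else 20
    return link_mtu - ip_header - 8 - WG_OVERHEAD - extra

def valid_address(addr: str) -> bool:
    """'address' entry rule: a bare IP, or a CIDR that is exactly /32 (IPv4) or /128 (IPv6)."""
    try:
        if "/" not in addr:
            ipaddress.ip_address(addr)
            return True
        net = ipaddress.ip_network(addr, strict=False)
        return net.prefixlen == net.max_prefixlen
    except ValueError:
        return False

def lint_inbound(cfg: dict) -> list:
    """Raise on hard errors; return warnings for peers whose allowedIPs could mis-route."""
    if not cfg.get("secretKey"):
        raise ValueError("secretKey is required")
    for addr in cfg.get("address", []):
        if not valid_address(addr):
            raise ValueError(f"address {addr!r}: only bare IPs, /32 or /128 CIDRs are allowed")
    warnings = []
    for i, peer in enumerate(cfg.get("peers", [])):
        if not peer.get("publicKey"):
            raise ValueError(f"peer {i}: publicKey is required")
        allowed = peer.get("allowedIPs")
        if not allowed:
            warnings.append(f"peer {i}: allowedIPs omitted, defaults to 0.0.0.0/0 and ::0/0")
            continue
        for cidr in allowed:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen != net.max_prefixlen:
                warnings.append(f"peer {i}: allowedIPs {cidr} covers more than one host")
    return warnings

SAMPLE = {  # constructed sample with placeholder keys, shaped like the inbound object above
    "secretKey": "PRIVATE_KEY",
    "address": ["10.0.0.1/32", "fd59:7153:2388:b5fd::1/128"],
    "peers": [
        {"publicKey": "PUBLIC_KEY", "allowedIPs": ["10.0.0.2/32", "fd59:7153:2388:b5fd::2/128"]},
        {"publicKey": "PUBLIC_KEY_2"},  # allowedIPs omitted: inherits the catch-all default
    ],
    "mtu": recommended_mtu(ipv6_endpoint=False),
}
```

Running `lint_inbound(SAMPLE)` reports the second peer, which would otherwise accept traffic for any destination.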
Notes
WireGuard inbound currently doesn't support kernel TUN (always uses gVisor TUN), so noKernelTun has no effect in inbound mode.
These fields are currently outbound-only (ignored by WireGuard inbound):
- workers
- reserved (must be empty or 3 bytes)
- domainStrategy