WireGuard + V2Ray

This is an English-language expansion of the instructions on the Chinese-language blog https://cupkappu.github.io/2020/09/27/Wireguard-over-V2ray. In the examples that follow:

1. Server

1.1. Open Firewall on Debian 11 Server

SSH into your server as root. Open the firewall:

  1. Open firewall for input UDP on destination port 16823
  2. Open firewall for input TCP on destination port 16823
  3. Persist firewall rules across reboots

1.2. Install V2Ray on Debian 11 Server

Install V2Ray using the standard script:

curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh | bash

Edit the configuration file /usr/local/etc/v2ray/config.json so that it looks like the example below. Change the universally unique ID (UUID) and the port number as you prefer. If you need to, you can get a generated UUID from https://www.uuidgenerator.net.

{
  "inbounds": [
    {
      "port": 16823,
      "protocol": "vmess", 
      "settings": {
        "clients": [
          {
            "id": "fc4e5bb2-cbbc-44af-8edb-77360d068c1c", 
            "alterId": 64
          }
        ]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}

Enable and start V2Ray:

systemctl enable v2ray
systemctl start v2ray

1.3. Install WireGuard on Debian 11 Server

Install WireGuard using the angristan script:

curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh

Answer the questions that the script prompts you for. You can accept the defaults or enter your own values. In the example that follows, all the values were defaults except for the port number of 51820.

At the end of the script, enter your choices for the first WireGuard client:

The script creates a server configuration file /etc/wireguard/wg0.conf that looks like this:

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 51820
PrivateKey = wGZ+rBUlp1lh54E9+xfMyBNtQGgRff0YIxv43JGfN2A=
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = 61D/sa8ZDysnWcEaUrXcv5e5yB+wln0bQh6ULky9gA8=
PresharedKey = eefSFlG2d/M2ajG9ooStEuPME+eFBpsZDAoUQ6UcU8U=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

The script also creates a first client configuration file /root/wg0-client-pc.conf that looks like this:

[Interface]
PrivateKey = ULB+BKBTV39MVHfMApK59d+ip+FMQsPr8K9As5B0x0k=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 94.140.14.14,94.140.15.15

[Peer]
PublicKey = tWaWaa1NjhsYPIX+GeI2U+x8CiNy+v3vQMgrK936LhQ=
PresharedKey = eefSFlG2d/M2ajG9ooStEuPME+eFBpsZDAoUQ6UcU8U=
Endpoint = 168.168.168.168:51820
AllowedIPs = 0.0.0.0/0,::/0

You can check that the script has set the systemd service running with the command:

systemctl status wg-quick@wg0

2. Client

2.1. Install V2Ray on Windows 11 Client

Download the latest V2Ray client for Windows. For example, if the latest release is version 5.0.6, it will be at https://github.com/v2fly/v2ray-core/releases/download/v5.0.6/v2ray-windows-64.zip.

Unzip v2ray-windows-64.zip.

Open Windows Notepad and edit Downloads\v2ray-windows-64\config.json.

In the configuration that follows, substitute your actual server address, port, and UUID. They should match the values on the server. Note that alterId needs to be 0 on the client for some reason.

{
  "inbounds": [
    {
      "tag":"wireguard",
      "port":51820,
      "protocol":"dokodemo-door",
      "settings":{
        "address":"127.0.0.1",
        "port":51820,
        "network":"udp"
      }
    }
  ],
  "outbounds": [
    {
      "tag":"proxy",
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "168.168.168.168", 
            "port": 16823,
            "users": [
              {
                "id": "fc4e5bb2-cbbc-44af-8edb-77360d068c1c",
                "alterId": 0
              }
            ]
          }
        ]
      }
    }
  ],
  "routing":{  
    "rules":[  
      {  
        "type":"field",
        "inboundTag":[  
          "wireguard"
        ],
        "outboundTag":"proxy"
      }
    ]
  }
}

Save the edited config.json file.

2.2. Install WireGuard on Windows 11 Client

Download the WireGuard for Windows installer from https://www.wireguard.com/install.

Run Downloads\wireguard-installer.exe.

Click Yes to allow changes.

Click Add Tunnel > Add empty tunnel.

Set the tunnel name equal to Debian-11 or whatever you choose to name this server. No spaces are allowed.

Paste in the configuration below. Note that the endpoint has been changed to be localhost (127.0.0.1), not the remote server!

[Interface]
PrivateKey = ULB+BKBTV39MVHfMApK59d+ip+FMQsPr8K9As5B0x0k=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 94.140.14.14,94.140.15.15

[Peer]
PublicKey = tWaWaa1NjhsYPIX+GeI2U+x8CiNy+v3vQMgrK936LhQ=
PresharedKey = eefSFlG2d/M2ajG9ooStEuPME+eFBpsZDAoUQ6UcU8U=
Endpoint = 127.0.0.1:51820
AllowedIPs = 0.0.0.0/0,::/0

Uncheck the box for a kill switch.

Click Save.
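
The tunnel only works if the WireGuard Endpoint, the dokodemo-door inbound, the routing rule, and the VMess port and UUID all line up across the three configurations above. The following Python check is an added example, not part of the original instructions or of either project; the names is_loopback and check_chain are hypothetical, and the sample inputs are constructed from the page's configs, reduced to the fields being checked.

```python
import configparser
import ipaddress
import json

def is_loopback(host):
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:                      # a hostname, not an IP literal
        return host == "localhost"

def check_chain(server_json, client_json, wg_conf):
    """Return mismatches between the three configs (empty list = consistent)."""
    server, client = json.loads(server_json), json.loads(client_json)
    wg = configparser.ConfigParser(interpolation=None)
    wg.read_string(wg_conf)
    # 1. WireGuard must send to a loopback UDP port that dokodemo-door listens on.
    host, _, port = wg["Peer"]["Endpoint"].rpartition(":")
    problems = [] if is_loopback(host) else [
        f"WireGuard Endpoint {host} is not loopback, so it bypasses V2Ray"]
    door = next((i for i in client["inbounds"]
                 if i["protocol"] == "dokodemo-door" and i["port"] == int(port)
                 and "udp" in i["settings"].get("network", "tcp")), None)
    if door is None:
        return problems + [f"no dokodemo-door UDP inbound on port {port}"]
    # 2. A routing rule must send that inbound's tag to a vmess outbound.
    tags = {r["outboundTag"] for r in client.get("routing", {}).get("rules", [])
            if door.get("tag") in r.get("inboundTag", [])}
    out = next((o for o in client["outbounds"]
                if o["protocol"] == "vmess" and o.get("tag") in tags), None)
    if out is None:
        return problems + ["dokodemo-door inbound is not routed to a vmess outbound"]
    # 3. The vmess outbound must match a server inbound's port and client UUID.
    hop = out["settings"]["vnext"][0]
    inbound = next((i for i in server["inbounds"]
                    if i["protocol"] == "vmess" and i["port"] == hop["port"]), None)
    if inbound is None:
        return problems + [f"server has no vmess inbound on port {hop['port']}"]
    allowed = {c["id"] for c in inbound["settings"]["clients"]}
    return problems + [f"UUID {u['id']} not accepted by server"
                       for u in hop["users"] if u["id"] not in allowed]

# Constructed samples: the page's configs reduced to the fields being checked.
SERVER = ('{"inbounds":[{"port":16823,"protocol":"vmess","settings":{"clients":'
          '[{"id":"fc4e5bb2-cbbc-44af-8edb-77360d068c1c"}]}}]}')
CLIENT = ('{"inbounds":[{"tag":"wireguard","port":51820,"protocol":"dokodemo-door","settings":{"network":"udp"}}],'
          '"outbounds":[{"tag":"proxy","protocol":"vmess","settings":{"vnext":[{"address":"168.168.168.168",'
          '"port":16823,"users":[{"id":"fc4e5bb2-cbbc-44af-8edb-77360d068c1c"}]}]}}],'
          '"routing":{"rules":[{"inboundTag":["wireguard"],"outboundTag":"proxy"}]}}')
WG = "[Peer]\nEndpoint = 127.0.0.1:51820\nAllowedIPs = 0.0.0.0/0,::/0\n"
```

Calling check_chain(SERVER, CLIENT, WG) returns an empty list for the values used on this page; pass the text of your own three files to check an edited setup.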

2.3. Add Route to Server

Open a Windows command prompt with Run as administrator. Click Yes to allow. Add a route to your server via your main interface’s gateway. For example, if your server is at 168.168.168.168 and your primary gateway is at 192.168.122.1:

route ADD 168.168.168.168 MASK 255.255.255.255 192.168.122.1

2.4. Run V2Ray and WireGuard Windows 11 Clients

Open a new Windows command prompt. You do not need to run this one as administrator.

Change into the unzipped directory for V2Ray for Windows:

cd Downloads\v2ray-windows-64

Set the client running:

v2ray run

Leave the command prompt window open with V2Ray running in it. Expect to see the messages "Using default config" and "V2Ray 5.0.6 started".

In the WireGuard graphical user interface, select your tunnel and click Activate.

You can test your connection by visiting https://whatismyipaddress.com.

2.5. Disconnect

Deactivate the WireGuard tunnel in the GUI.

Stop V2Ray in the Windows command prompt window by pressing Ctrl+c on your computer keyboard. Close the command prompt window.

Delete the route you added to your server.

Updated 2022-06-06