
Share my wireguard+udp2raw+docker practice

Open jearton opened this issue 1 year ago • 3 comments

Network Topology

image

Software Environment

  • Docker Compose
  • udp2raw
  • ngoduykhanh/wireguard-ui (used for centralized management of the wireguard configuration)

Step1: Run udp2raw server On My HK Debian VPS

  • Assume Public IP: 30.30.30.30
  • Run udp2raw_server, remote port points to the ListenPort in wireguard configuration, let's assume 32884
services:
  udp2raw_server:
    image: jearton1024/udp2raw:latest
    container_name: udp2raw_server
    restart: unless-stopped
    network_mode: host   # faketcp works on the host's own interface, so no bridge NAT in the way
    cap_add:
      - NET_ADMIN        # required for the iptables rule that -a adds
    environment:
      - LISTEN_PORT=4096  # just for health check
    # -s: server mode; -l: faketcp listen address; -r: the UDP target, i.e. the
    # ListenPort of the wireguard peer on this VPS; -k: shared key, must match the client
    command: >
      -s
      -l0.0.0.0:4096
      -r127.0.0.1:32884
      -k "your_password"
      --raw-mode faketcp
      --fix-gro
      -a

Step2: Run udp2raw client and wireguard On My Home Ubuntu Device

  • Lan IP: 192.168.10.151
  • Prepare a ddns to access your home router, assume that is myddns.xxx.team
services:
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    restart: unless-stopped
    depends_on:
      udp2raw_client_hk:
        condition: service_healthy   # the image's health check uses LISTEN_PORT
    networks:
      - backend
    cap_add:
      - NET_ADMIN
    ports:
      - "5000:5000"       # Management UI Port (keep it LAN-only; do not forward it on the router)
      - "51886:51820/udp" # Wireguard Endpoint Port
    environment:
      - SESSION_SECRET=*******
      - SMTP_HOSTNAME=smtphz.qiye.163.com
      - SMTP_PORT=465
      - [email protected]
      - SMTP_PASSWORD=*******
      - SMTP_AUTH_TYPE=LOGIN
      - SMTP_ENCRYPTION=SSL
      - SMTP_HELO=vpn.xxx.team
      - [email protected]
      - WGUI_USERNAME=admin
      - WGUI_PASSWORD=admin   # placeholder; change it before first start
      - WGUI_ENDPOINT_ADDRESS=myddns.xxx.team:51886
      - WGUI_DNS=  # leave it blank
      - WGUI_MTU=1420
      - WGUI_PERSISTENT_KEEPALIVE=25
      - WGUI_LOG_LEVEL=INFO
      - WGUI_SERVER_INTERFACE_ADDRESSES=10.10.8.0/24
      - WGUI_SERVER_POST_UP_SCRIPT=iptables -t nat -A POSTROUTING -s 10.10.8.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
      - WGUI_SERVER_POST_DOWN_SCRIPT=iptables -t nat -D POSTROUTING -s 10.10.8.0/24 -o eth0 -j MASQUERADE; iptables -D INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT;
      - WGUI_DEFAULT_CLIENT_ALLOWED_IPS=10.10.8.0/24,192.168.10.0/24
      - WGUI_DEFAULT_CLIENT_USE_SERVER_DNS=false
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    volumes:
      - /home/ubuntu/apps/wireguard/db:/app/db
      - /home/ubuntu/apps/wireguard/config:/etc/wireguard
    logging:
      driver: json-file
      options:
        max-size: 5m

  udp2raw_client_hk:
    image: jearton1024/udp2raw:latest
    container_name: udp2raw_client_hk
    restart: unless-stopped
    networks:
      - backend            # wireguard-ui reaches it by container name on this network
    cap_add:
      - NET_ADMIN          # required for the iptables rule that -a adds
    environment:
      - LISTEN_PORT=51820 # just for health check
    # -c: client mode; -l: UDP listen address that wireguard-ui uses as the peer
    # endpoint; -r: the udp2raw server on the VPS; -k must match the server
    command: >
      -c
      -l0.0.0.0:51820
      -r30.30.30.30:4096
      -k "your_password"
      --raw-mode faketcp
      --fix-gro
      -a

networks:
  backend:
    external: true

Port mapping: forward 51886 on the home router to 51886 on this device.

image

Open the Wireguard UI in browser, add a new client, leave peer endpoint blank, that will be set later.

image

Then Apply Config

image

Download the client configuration and open it, add ListenPort, and reduce MTU to 1300

[Interface]
Address = 10.10.8.3/32
PrivateKey = *****
ListenPort = 32884   # the port udp2raw_server forwards to (-r127.0.0.1:32884)
MTU = 1300           # reduced to leave room for the faketcp encapsulation

[Peer]
PublicKey = XSOxHjIDcTCRe4SbO18eD4mjiqD/9upUaq4s7kej9ig=
PresharedKey = *****
AllowedIPs = 10.10.8.0/24
Endpoint = myddns.xxx.team:51886
PersistentKeepalive = 25

Step3: Run wireguard On My HK Debian VPS

  • Assume Public IP: 30.30.30.30
  • Write wireguard client configuration to /etc/wireguard/myteam.conf and run wireguard client
modprobe wireguard \
  && apt install -y wireguard-tools \
  && cd /etc/wireguard \
  && vi myteam.conf

# write wireguard client configuration

wg-quick up myteam

Step4: Set wireguard peer endpoint On My Home Ubuntu Device

On my home Ubuntu device, edit the client, set the peer endpoint to point at udp2raw_client, then Save and Apply Config

image

image

Note: WireGuard on the udp2raw client side must start after WireGuard on the udp2raw server side.

Step5: Verification

SSH into my HK Debian VPS, then ping the WireGuard network gateway 10.10.8.0

ssh [email protected]

ping 10.10.8.0

Find the allowed MTU upper limit

ssh [email protected]

ping -M do -s 1270 10.10.8.0

Check Status Page on WIREGUARD UI

image

jearton avatar Jun 07 '24 04:06 jearton
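Step 5 probes one payload size by hand. The script below, added here and not part of jearton's post or the udp2raw project, turns that into a binary search: it finds the largest ICMP payload that crosses the tunnel with DF set and reports the implied path MTU (payload plus the 20-byte IPv4 header and 8-byte ICMP header). It assumes iputils `ping` on Linux (`-M do` is not available in BusyBox ping); the target 10.10.8.0 and the 500..1500 search bounds are assumed defaults.

```shell
#!/bin/sh
# probe_mtu.sh: binary-search the largest ICMP payload that crosses the tunnel
# with DF set, then report the path MTU it implies.
# Added example, not from the original post. Assumes iputils ping (Linux),
# which exits non-zero when a DF-marked packet cannot be delivered unfragmented.

# Bytes wrapped around the ICMP payload: 20 (IPv4 header) + 8 (ICMP header).
IP_ICMP_OVERHEAD=28

# probe_mtu HOST SIZE -> exit 0 if a DF packet carrying SIZE payload bytes is answered.
# Redefine this function to exercise the search without a network.
probe_mtu() {
    ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload HOST LO HI -> prints the largest SIZE in [LO, HI] that probe_mtu
# accepts; returns 1 and prints nothing if even LO fails. Relies on the MTU limit
# being monotonic: every size below a passing size also passes.
find_max_payload() {
    host=$1; lo=$2; hi=$3
    probe_mtu "$host" "$lo" || return 1
    best=$lo
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe_mtu "$host" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# path_mtu_from_payload SIZE -> the IP MTU implied by the largest passing payload.
path_mtu_from_payload() {
    echo $(( $1 + IP_ICMP_OVERHEAD ))
}

main() {
    host=$1
    lo=${2:-500}     # assumed lower bound
    hi=${3:-1500}    # assumed upper bound (Ethernet MTU)
    payload=$(find_max_payload "$host" "$lo" "$hi") || {
        echo "even a $lo-byte payload did not pass; check that $host answers ping" >&2
        return 1
    }
    echo "largest DF payload: $payload bytes"
    echo "implied path MTU:   $(path_mtu_from_payload "$payload") bytes"
}

# Only run when a target is given, e.g.:  sh probe_mtu.sh 10.10.8.0
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it from the VPS as `sh probe_mtu.sh 10.10.8.0`. With the MTU of 1300 set in the client config above, the expected result is a 1272-byte payload and a 1300-byte path MTU; a smaller result means packets are being lost inside the udp2raw path before the interface's own limit is reached, so the WireGuard MTU still needs to come down.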

Cross-Region Remote Networking

image

jearton avatar Jun 07 '24 17:06 jearton
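The status page above checks handshakes visually. The same check from a shell on either end, as an added example that is not from the post or the project: it parses the output of `wg show <iface> dump` and lists peers whose latest handshake is older than a threshold or never completed, which is the quickest way to confirm Step 4 and Step 5 without the UI. The interface name wg0, the 180-second threshold and the sample dump text are assumptions; the dump text is constructed for the example.

```shell
#!/bin/sh
# wg_handshake_check.sh: list WireGuard peers whose last handshake is stale.
# Added example, not part of the original post. Assumes the `wg show <iface> dump`
# format: first line is the interface (private-key public-key listen-port fwmark),
# then one tab-separated line per peer:
#   public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
# latest-handshake is a Unix timestamp, 0 when no handshake has ever completed.

# stale_peers DUMP NOW MAX_AGE -> prints "pubkey endpoint age" for every peer whose
# handshake is older than MAX_AGE seconds, or "never" if it has not handshaken.
stale_peers() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v max="$3" '
        NR == 1 { next }                 # skip the interface line
        NF < 8  { next }                 # ignore anything that is not a peer line
        {
            hs = $5 + 0
            if (hs == 0) {
                printf "%s %s never\n", $1, $3
            } else if (now - hs > max) {
                printf "%s %s %d\n", $1, $3, now - hs
            }
        }'
}

# sample_dump -> a constructed dump with three peers: one stale, one that never
# handshook, one healthy. Keys and endpoints are placeholders.
sample_dump() {
    printf 'privA\tpubA\t51820\toff\n'
    printf 'peer1\t(none)\tudp2raw_client:51820\t10.10.8.3/32\t1000\t10\t20\t25\n'
    printf 'peer2\t(none)\t(none)\t10.10.8.4/32\t0\t0\t0\t25\n'
    printf 'peer3\t(none)\t1.2.3.4:1\t10.10.8.5/32\t1100\t1\t1\t25\n'
}

main() {
    iface=${1:-wg0}          # assumed interface name
    max_age=${2:-180}        # assumed threshold: keepalive 25s, rekey about every 2 min
    dump=$(wg show "$iface" dump) || return 1
    out=$(stale_peers "$dump" "$(date +%s)" "$max_age")
    if [ -n "$out" ]; then
        echo "stale peers on $iface (age in seconds):"
        echo "$out"
        return 1
    fi
    echo "all peers on $iface handshook within ${max_age}s"
}

# Run as:  sh wg_handshake_check.sh wg0 180   (needs wg and root).
# With no arguments the script only defines functions; run with the constructed
# sample via:  sh -c '. ./wg_handshake_check.sh; stale_peers "$(sample_dump)" 1200 150'
if [ $# -gt 0 ]; then
    main "$@"
fi
```

A non-zero exit from `main` makes the script usable as a cron or health-check probe; the age column tells you whether the peer is merely quiet or has never got a handshake through the udp2raw path at all.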

Thank you for leaving these notes. Really neat starting place

tdonovic avatar Feb 25 '25 02:02 tdonovic

Thanks for the idea. I'm trying to think whether, with wg on OpenWrt and udp2raw set up on Docker Swarm, it would be connectable, since the udp2raw binaries are not valid for my router; so I'm trying to think whether I can use Docker to bypass that.

Image

xxcbzxx avatar May 10 '25 02:05 xxcbzxx