
WireGuard

[!NOTE] This document is partially generated by AI.

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. In yuhaiin, it is implemented as an outbound-only protocol.

  • TCP: Supported (Tunneled through WireGuard).
  • UDP: Supported (Tunneled through WireGuard).
    • NAT Type: Full-Cone NAT.

[!NOTE] WireGuard itself operates over UDP. The traffic inside the tunnel can be both TCP and UDP.

The wireguard configuration block has two levels: interface settings that apply to the client as a whole, and a peers array with one entry per remote server.

Interface settings:

  • secret_key (string): The client's Curve25519 private key, base64-encoded as produced by wg genkey. Keep it secret; only the derived public key is registered on the server.
  • mtu (int): Maximum Transmission Unit of the tunnel interface. The usual default is 1420, which leaves room for the WireGuard, UDP and outer IPv6 headers on a 1500-byte path; lower it if the path to the server has a smaller MTU. Values below 1280 break IPv6 inside the tunnel.
  • reserved (bytes): (Advanced/Optional) Three bytes written into the reserved field of every WireGuard message header (the three bytes that follow the one-byte message type). The protocol leaves them zero; some providers, such as Cloudflare Warp, use them to identify the client. Leave it unset unless your provider requires it.
  • endpoint (string array): (Advanced) Local addresses assigned to the client's side of the tunnel, the equivalent of the interface Address in a wg-quick configuration.
  • peers (object array): One entry per remote peer, with the fields below.

Peer settings:

    • public_key (string): The remote server's Curve25519 public key, base64-encoded.
    • pre_shared_key (string): (Optional) A 32-byte symmetric key, base64-encoded, shared with the server and mixed into the handshake. Because it is symmetric, it keeps the tunnel protected even if Curve25519 is later broken by a quantum computer. It must be identical on both sides.
    • endpoint (string): The server's public address and port as host:port (e.g., 1.2.3.4:51820).
    • keep_alive (int): Seconds between persistent keepalive packets sent to the server; 0 disables them. A value such as 25 is the usual choice when the client sits behind NAT, since it keeps the NAT mapping open for the server's replies.
    • allowed_ips (string array): Destination IP ranges routed through this peer. For a global proxy, use ["0.0.0.0/0", "::/0"]; a narrower list sends only the listed ranges through the tunnel.
```json
{
  "name": "My-WireGuard-Client",
  "protocols": [
    {
      "wireguard": {
        "secret_key": "CLIENT_PRIVATE_KEY",
        "mtu": 1420,
        "peers": [
          {
            "public_key": "SERVER_PUBLIC_KEY",
            "endpoint": "remote-server.com:51820",
            "allowed_ips": ["0.0.0.0/0", "::/0"]
          }
        ]
      }
    }
  ]
}
```

yuhaiin uses the wireguard-go userspace library. The implementation is located in pkg/net/proxy/wireguard.

WireGuard packets are encapsulated in UDP. When used as an outbound, yuhaiin runs the WireGuard interface entirely in userspace, with no kernel device or TUN interface, and terminates the proxied TCP and UDP connections on that virtual interface. The encryption, UDP encapsulation and decapsulation of tunnel packets happen inside yuhaiin, so the rest of the proxy pipeline sees an ordinary outbound.