[FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?

Roman Mamedov rm at romanrm.net
Fri Oct 9 16:05:05 CEST 2020

On Fri, 9 Oct 2020 17:16:18 +0330
Rudi C <rudiwillalwaysloveyou at gmail.com> wrote:

> > On Fri, Oct 9, 2020 at 5:04 PM Roman Mamedov <rm at romanrm.net> wrote:
> > Seems like you misunderstand what I mean. If you use the in-VPN (internal) IP
> > of your VPS, all communication with the SOCKS proxy installed on the VPS will
> > happen via the WireGuard tunnel. No DPI can look into that.
> You're right! Some questions:
> 1. What should I do client-side so that wireguard only covers my VPS's
> IP (and does not otherwise route traffic)? Will `AllowedIPs =
> SERVER_IP/32` do it?

SERVER_IP should be the in-VPN IP here, otherwise yes, and remove .0.0.0/0
and ::/0 from AllowedIPs.

> 2. How do I get the in-VPN IP of the server? Is it `Address` in `[Interface]`?

Yes. You can confirm via "ip addr list dev wgX" on the server.

> 3. I use ufw for the firewall on the server. Will ufw block my local
> machine? If not, with what IP should I set ufw rules? (My local
> machine doesn't have a static IP.) Of course, I could alternatively
> expose the socks proxy to the world with a password; How secure will
> that be?

Sorry, not familiar with ufw; generally you need to allow only connections
from the WG interface, or from the internal IP range (or just the "Address ="
of the client), and block all others.

With respect,

More information about the WireGuard mailing list