[FR] How can I expose the wireguard tunnel as a socks5 proxy on the client?

Chris wireguard at spam-free.eu
Fri Oct 9 16:19:22 CEST 2020

Maybe I oversimplify your problem, but from what I read, your standard route 
will be using the Iranian net.
And - I guess - it is only a limited number of IP addresses, that you would like 
to reach through the tunnel.

I don't know your OS, but simply adding ip routes pointing to the tunnel for the 
desired destinations would do the job.


On 09/10/2020 15:22, Roman Mamedov wrote:
> On Sun, 4 Oct 2020 15:41:52 +0330
> Rudi C <rudiwillalwaysloveyou at gmail.com> wrote:
>> I use Wireguard to circumvent Iran's censorship. A major problem with
>> it is that it's very hard to selectively proxy specific domains/apps
>> through Wireguard, while leaving others alone. This is an essential
>> feature for Iran's internet, as:
>> 1. The connection is terrible, so avoiding using the proxy for
>> uncensored sites helps a lot.
>> 2. International traffic is 2x more expensive, so avoiding the proxy
>> for internal traffic is very beneficial.
>> 3. Some internal sites ban international IPs and need Iranian IPs.
>> The easiest way to solve this problem, as far as I understand, is to
>> add the ability to expose the tunnel as a socks5 proxy on the client
>> side. This is the approach that shadowsocks, v2ray, etc have adopted.
>> There are mature solutions to selectively routing traffic through a
>> socks proxy.
>> I searched around, and there are docker containers that already do
>> this wireguard-to-socks thing; But running docker is expensive on a
>> non-Linux machine, so it'd be much appreciated if you could support
>> exposing socks and HTTP proxy servers natively.
> If you tunnel to a VPS abroad, just install a SOCKS proxy on the remote end.
> A good one is [1]. Then set the remote end's in-VPN IP and proxy port in your
> apps to use.
> [1] https://socks-relay.sourceforge.io/
> To separate which sites use which proxy (or no proxy) SwitchSharp for Chrome
> and FoxyProxy for Firefox, but you probably already know about those.
> In case you meant connecting to commercial "VPN" services, then yes it
> becomes a bit more complex, but you can try srelay on the local machine and
> use the "-J" option, "outbound interface name". But I'm not sure if that would
> just work on its own, or also needs some help from ip(6)tables or ip-rule.
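
The per-destination routing suggested in the reply above, as an added example that is not part of the original thread. It assumes a Linux client with the `ip` and `wg` tools; the interface name `wg0`, the peer-key placeholder and the sample prefixes are constructed for illustration.

```python
import ipaddress

# Constructed sample destinations (documentation address ranges).
SAMPLE = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.7", "2001:db8::/48"]

def split_tunnel_plan(destinations, ifname="wg0", peer_pubkey="<PEER_PUBLIC_KEY>"):
    """Return shell commands that send only `destinations` through the tunnel.

    WireGuard drops outbound packets whose destination is not covered by a
    peer's AllowedIPs, so the routes and AllowedIPs must list the same prefixes.
    """
    nets = {4: [], 6: []}
    for item in destinations:
        # Raises ValueError on anything that is not an address or prefix.
        net = ipaddress.ip_network(item.strip(), strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{item}: a default route would tunnel everything")
        nets[net.version].append(net)
    # Merge overlapping or adjacent prefixes so both lists stay short.
    merged = [n for v in (4, 6) for n in ipaddress.collapse_addresses(nets[v])]
    if not merged:
        raise ValueError("no destinations given")
    allowed = ",".join(str(n) for n in merged)
    # `wg set ... allowed-ips` replaces the peer's whole AllowedIPs list.
    cmds = [f"wg set {ifname} peer {peer_pubkey} allowed-ips {allowed}"]
    # One route per prefix; everything else keeps using the default route.
    cmds += [f"ip -{n.version} route replace {n} dev {ifname}" for n in merged]
    return cmds

if __name__ == "__main__":
    print("\n".join(split_tunnel_plan(SAMPLE)))
```

With wg-quick, listing the same prefixes in the peer's AllowedIPs line has the same effect, because wg-quick installs a route for each AllowedIPs entry.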
