You can use Surge as a WireGuard client, exposing the L3 VPN as an outbound proxy policy.
```
[Proxy]
wireguard-home = wireguard, section-name = HomeServer

[WireGuard HomeServer]
private-key = sDEZLACT3zgNCS0CyClgcBC2eYROqYrwLT4wdtAJj3s=
self-ip = 10.0.2.2
dns-server = 18.104.22.168
mtu = 1280
peer = (public-key = fWO8XS9/nwUQcqnkfBpKeqIqbzclQ6EKP20Pgvzwclg=, allowed-ips = 0.0.0.0/0, endpoint = 192.168.20.6:51820)
```
Notes for configuration:
- All keys can be in base64 or HEX form.
- The `self-ip` field must be provided. Please note that `self-ip` must be different for each device, otherwise it may cause IP preemption.
- The `peer` field can be configured with multiple nodes, separated by commas, with each node enclosed in (). `keepalive` is an optional parameter for peers.
- The endpoint of a peer can be a domain name. Please note that the endpoint is resolved by the DNS resolver configured in the [General] section and is unrelated to the `dns-server` parameter in this section.
- An `allowed-ips` of 0.0.0.0/0 means that the policy can be used to access any address; it can also be restricted to specific intranet addresses.
- If you need to access a host by domain name through this policy, you must configure `dns-server`; Surge will then perform DNS resolution against that server through the WireGuard tunnel. Multiple DNS addresses can be configured, separated by commas.
- The [WireGuard NAME] section can be split out into a Detached Profile Section file.
- Multiple WireGuard instances can be configured and used simultaneously.
- WireGuard is an L3 VPN, so its processing overhead is significantly higher than that of ordinary proxy protocols. It is suitable for scenarios with low bandwidth requirements.
- Surge supports peers with IPv6 endpoints, but IPv6 inside the tunnel is not supported.
- The tunnel only supports the TCP and UDP protocols. In addition, a very simple ICMP response mechanism is provided: once the WireGuard handshake succeeds, you can ping the client's tunnel IP from the server side to test connectivity.
- Since the WireGuard protocol itself has no error reporting mechanism, WireGuard policy errors in most cases show up as timeouts (e.g., wrong key, firewall blocking, missing server-side NAT, etc.), so please capture packets yourself to analyze the cause.
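As an added example (not part of Surge or its documentation), here is a small Python parser for the `[WireGuard NAME]` section described above: it accepts keys in base64 or HEX form, requires `self-ip`, splits the parenthesised `peer` list, keeps a comma-separated `allowed-ips` list whole, and does the longest-prefix lookup that decides which peer's `allowed-ips` covers a destination. The sample section is constructed: the second peer, its hex placeholder key and `vpn.example.com` are not from the page.

```python
import base64
import re
from ipaddress import ip_address, ip_network

# Constructed sample in Surge's [WireGuard NAME] layout (not the project's own code);
# the second peer's key is a 64-hex-char placeholder to exercise the HEX form.
HEX_KEY = "1f" * 32
SAMPLE = f"""[WireGuard HomeServer]
private-key = sDEZLACT3zgNCS0CyClgcBC2eYROqYrwLT4wdtAJj3s=
self-ip = 10.0.2.2
dns-server = 18.104.22.168, 10.0.2.1
peer = (public-key = fWO8XS9/nwUQcqnkfBpKeqIqbzclQ6EKP20Pgvzwclg=, allowed-ips = 0.0.0.0/0, endpoint = 192.168.20.6:51820, keepalive = 25), (public-key = {HEX_KEY}, allowed-ips = 10.0.3.0/24, 10.0.4.0/24, endpoint = vpn.example.com:51820)
"""
# "key = value" pairs inside one (...) node; a value runs until the next "key =" so that a
# comma-separated allowed-ips list (and the "=" padding of a base64 key) stay intact.
FIELD = re.compile(r"([\w-]+)\s*=\s*(.*?)(?=,\s*[\w-]+\s*=|$)")

def decode_key(text):
    # Keys may be base64 or HEX; either way they must decode to exactly 32 bytes.
    s = text.strip()
    raw = bytes.fromhex(s) if re.fullmatch(r"[0-9a-fA-F]{64}", s) else base64.b64decode(s, validate=True)
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return raw

def parse_section(text):
    fields = dict(tuple(map(str.strip, line.split("=", 1))) for line in text.splitlines()
                  if "=" in line and not line.startswith("["))
    if "self-ip" not in fields:  # required, and must differ for every device
        raise ValueError("self-ip is required")
    cfg = {"private_key": decode_key(fields["private-key"]), "self_ip": ip_address(fields["self-ip"]),
           "dns_servers": [ip_address(s) for s in fields.get("dns-server", "").replace(" ", "").split(",") if s],
           "peers": []}
    for body in re.findall(r"\(([^)]*)\)", fields.get("peer", "")):
        p = dict(FIELD.findall(body))
        cfg["peers"].append({"public_key": decode_key(p["public-key"]),
                             "allowed_ips": [ip_network(s.strip()) for s in p["allowed-ips"].split(",")],
                             "endpoint": p.get("endpoint"),  # host:port; resolved by [General] DNS, not dns-server
                             "keepalive": int(p["keepalive"]) if "keepalive" in p else None})
    return cfg

def peer_for(cfg, dest):
    # Cryptokey routing: the peer whose allowed-ips most specifically covers dest handles it.
    dest, best, best_len = ip_address(dest), None, -1
    for p in cfg["peers"]:
        for net in p["allowed_ips"]:
            if dest in net and net.prefixlen > best_len:
                best, best_len = p, net.prefixlen
    return best
```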