You can use Surge as a WireGuard client, converting L3 VPN as an outbound proxy policy.
[Proxy] wireguard-home = wireguard, section-name = HomeServer [WireGuard HomeServer] private-key = sDEZLACT3zgNCS0CyClgcBC2eYROqYrwLT4wdtAJj3s= self-ip = 10.0.2.2 self-ip-v6 = fd00:1111::11 dns-server = 22.214.171.124, 2606:4700:4700::1001 prefer-ipv6 = false mtu = 1280 peer = (public-key = fWO8XS9/nwUQcqnkfBpKeqIqbzclQ6EKP20Pgvzwclg=, allowed-ips = 0.0.0.0/0, endpoint = 192.168.20.6:51820)
Notes for configuration:
- All keys can be in base64 or HEX form.
- You may configure
self-ip-v6simultaneously to utilize the IPv4 & IPv6 dual stack, or just one of them to use the single stack.
- Please note that the
self-ip-v6must be different for each device, otherwise it may cause IP preemption.
prefer-ipv6is true, prefer the IPv6 if a domain has both A & AAAA records configured when the IPv4 & IPv6 dual stack is enabled.
- The peer field can be configured with multiple nodes, separated by commas and indicated by () for one node.
keepaliveare optional parameters for peers.
- The endpoint of the peer can use a domain. Please note that the resolution of the endpoint is done by the DNS resolver configured by the [General] section and has nothing to do with the
dns-serverparameter in this paragraph.
allowed-ipsof 0.0.0.0/0 means that the policy can be used to access any address, or it can be configured for a specific intranet address.
- If you need to access a host using a domain name through this policy, you must configure the
dns-server, and Surge will perform DNS resolution to that server through WireGuard's VPN tunnel. Multiple DNS addresses can be configured, separated by commas.
[WireGuard NAME]segment can be split into a Detached Profile Section file.
- Multiple Wireguard instances can be configured and used simultaneously.
- WireGuard is an L3 VPN, so the overhead during processing is significantly higher than other general proxy protocols. It is suitable for scenarios with low bandwidth requirements.
- The tunnel only supports TCP and UDP protocols. In addition, a very simple ICMP/ICMPv6 response mechanism is provided. When the WireGuard handshake is successful, you can ping the client tunnel IP from the server side to test the connectivity.
- Since WireGuard protocol has no error reporting mechanism, in most cases, WireGuard policy errors are timeouts (e.g., wrong key, firewall blocking, not configuring server-side NAT, etc.), so please analyze the cause by grabbing packets yourself.
Customize Reserved Bits
Starting from Surge iOS 5.3.1 and Surge Mac 4.10.3, Surge now supports customizing the reserved bits of WireGuard. It might be used as the client ID or routing ID for some implementations, such as Cloudflare WARP.
peer = (public-key = <key>, allowed-ips = "0.0.0.0/0, ::/0", endpoint = example.com:51820, client-id = 83/12/235)