Instead of the native WireGuard client, you can use any V2Ray-compatible core that supports a WireGuard outbound. Two well-maintained options are:
  • xray-core — used by clients such as v2rayN (desktop) and v2rayNG (Android)
  • sing-box — used by clients such as NekoBox and Hiddify
This approach lets you configure additional inbound protocols (SOCKS5, HTTP proxy) alongside WireGuard and apply fine-grained routing rules — for example, routing only specific domains or IP ranges through the tunnel.
The WireGuard outbound endpoint must be 127.0.0.1:9000 (the proxy client’s listen address), and mtu must be 1280. These values are required regardless of which core you use.

Configuration

{
  "inbounds": [
    {
      "protocol": "socks",
      "listen": "127.0.0.1",
      "port": 1080,
      "settings": {
        "udp": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      }
    },
    {
      "protocol": "http",
      "listen": "127.0.0.1",
      "port": 8080,
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "wireguard",
      "settings": {
        "secretKey": "<client secret key>",
        "peers": [
          {
            "endpoint": "127.0.0.1:9000",
            "publicKey": "<server public key>"
          }
        ],
        "domainStrategy": "ForceIPv4",
        "mtu": 1280
      }
    }
  ]
}

How it works

  • The client config exposes a SOCKS5 proxy on 127.0.0.1:1080 (with UDP support) and an HTTP proxy on 127.0.0.1:8080. Any application that can use a SOCKS5 or HTTP proxy can route traffic through the tunnel without system-wide routing changes.
  • The WireGuard outbound connects to 127.0.0.1:9000, which is where the VK TURN Proxy client is listening. The core never contacts the VPS directly — the proxy handles that.
  • On the server side, xray/sing-box receives the WireGuard traffic on port 51820 and forwards it to the internet using the freedom outbound. This replaces the standalone WireGuard server daemon.
  • domainStrategy: ForceIPv4 on the client and domainStrategy: UseIPv4 on the server prevent IPv6 resolution issues in environments where IPv6 is not fully supported end-to-end.
You can extend the client config with routing rules to send only specific traffic through the WireGuard outbound and keep everything else on the direct connection. Refer to the xray-core or sing-box routing documentation for details.
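
A pre-flight check for the client config above, as an added example that is not part of the original page or of xray-core or sing-box. It verifies the required WireGuard endpoint and mtu values and flags any inbound not bound to a loopback address, since an unauthenticated SOCKS5 or HTTP inbound on another interface would let other hosts use the tunnel. The function names and the sample config with its two deliberate mistakes are constructed for illustration.

```python
import ipaddress

# Values the page states are required for the WireGuard outbound.
REQUIRED_ENDPOINT = "127.0.0.1:9000"
REQUIRED_MTU = 1280


def is_loopback(addr):
    """True only for literal loopback IPs; hostnames and blanks fail closed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def check_client_config(cfg):
    """Return a list of findings for an xray-style client config dict."""
    findings = []
    wg = [o for o in cfg.get("outbounds", []) if o.get("protocol") == "wireguard"]
    if not wg:
        findings.append("no wireguard outbound defined")
    for ob in wg:
        settings = ob.get("settings", {})
        if settings.get("mtu") != REQUIRED_MTU:
            findings.append(f"mtu is {settings.get('mtu')!r}, expected {REQUIRED_MTU}")
        for peer in settings.get("peers", []):
            if peer.get("endpoint") != REQUIRED_ENDPOINT:
                findings.append(f"peer endpoint is {peer.get('endpoint')!r}, expected {REQUIRED_ENDPOINT}")
    for ib in cfg.get("inbounds", []):
        # An inbound with no explicit "listen" is flagged too: it is not pinned to loopback.
        listen = ib.get("listen", "")
        if not is_loopback(listen):
            findings.append(f"{ib.get('protocol')} inbound on port {ib.get('port')} listens on {listen!r}, not loopback")
    return findings


# Constructed sample: the page's client config with two deliberate mistakes.
SAMPLE = {
    "inbounds": [{"protocol": "socks", "listen": "0.0.0.0", "port": 1080},
                 {"protocol": "http", "listen": "127.0.0.1", "port": 8080}],
    "outbounds": [{"protocol": "wireguard", "settings": {
        "peers": [{"endpoint": "127.0.0.1:9000", "publicKey": "<server public key>"}],
        "mtu": 1420}}],
}


if __name__ == "__main__":
    for finding in check_client_config(SAMPLE):
        print("FINDING:", finding)
```

To check a real file, load it with `json.load` and pass the resulting dict to `check_client_config`; an empty list means the three conditions hold.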
