Posted by admin on 2024-7-31 09:18:28

Remote access to home over WireGuard with Surge or Mihomo

1. Background
I have a soft router equipped with a public IPv4 address. Previously, when running OpenWRT, I would set up an SS server for remote access. However, I'm no longer interested in using OpenWRT. This led me to explore alternative solutions.
Given that I use iOS and have purchased Surge, which supports the WireGuard protocol, and considering Mihomo also supports WireGuard, I decided to set up a WireGuard connection for remote access. Here's a rundown of my setup:
Soft Router: 5105 (ikuai as the main router, Debian, Windows 10)
Debian - Service End
iOS device with Surge - Client End

2. Installation
Since Debian is stable, I chose to install WireGuard on it. As the root user:
apt install wireguard

3. Generating Public and Private Keys
It's crucial to generate all keys on the service end (the Debian host).

3.1 Generating Server Keys
First, create the server's public and private keys:
cd /etc/wireguard
wg genkey | tee server_private.key | wg pubkey > server_public.key

3.2 Generating Client Keys
For each client, generate its own pair of public and private keys. For example, if you have an iOS device with Surge and a Windows PC with Mihomo, you'd generate two pairs; the iOS pair looks like this:
wg genkey | tee ios_private.key | wg pubkey > ios_public.key
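As an added example (not part of the original post), the following Python reproduces what the two wg commands above compute: wg genkey is 32 random bytes with the X25519 clamping applied, and wg pubkey is X25519(private, 9) on Curve25519 as specified in RFC 7748. It lets you verify that a *_public.key file really belongs to the *_private.key you think it does before pasting it into a peer section, and it shows why both ends derive the same secret although only public keys are ever exchanged. The X25519 here is a pure-Python transcription of the RFC ladder for reading and checking; it is not constant-time and is not a replacement for wg.

```python
# Added example: what `wg genkey` / `wg pubkey` compute, in pure Python (RFC 7748 X25519),
# so a key pair can be verified before its public half goes into a peer section.
import base64
import os

P = 2**255 - 19      # Curve25519 field prime
A24 = 121665         # (486662 - 2) / 4, the curve constant used by the Montgomery ladder
BASE_POINT_U = 9     # u-coordinate of the X25519 generator


def clamp_scalar(k):
    """Clamp a 32-byte scalar as X25519 requires; wg genkey emits private keys already clamped."""
    k = bytearray(k)
    k[0] &= 248          # clear the low three bits (cofactor 8)
    k[31] &= 127         # clear bit 255
    k[31] |= 64          # set bit 254 so every scalar has the same length
    return int.from_bytes(k, "little")


def decode_u(u):
    """Decode a little-endian u-coordinate, ignoring the unused top bit as RFC 7748 requires."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def x25519(k, u):
    """RFC 7748 section 5 Montgomery ladder: the u-coordinate of k*P for the point with u-coordinate u."""
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:                       # conditional swap (not constant-time here)
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        A, B = (x_2 + z_2) % P, (x_2 - z_2) % P
        AA, BB = A * A % P, B * B % P
        E = (AA - BB) % P
        C, D = (x_3 + z_3) % P, (x_3 - z_3) % P
        DA, CB = D * A % P, C * B % P
        x_3 = (DA + CB) * (DA + CB) % P
        z_3 = x_1 * ((DA - CB) * (DA - CB) % P) % P
        x_2 = AA * BB % P
        z_2 = E * ((AA + A24 * E) % P) % P
    if swap:
        x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
    return x_2 * pow(z_2, P - 2, P) % P


def x25519_bytes(k, u):
    """Byte-level X25519: 32-byte scalar and 32-byte u-coordinate in, 32-byte result out."""
    return x25519(clamp_scalar(k), decode_u(u)).to_bytes(32, "little")


def public_key_from_private(private_b64):
    """What `wg pubkey` does: base64 private key in, base64 public key out."""
    priv = base64.b64decode(private_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("a WireGuard key is exactly 32 bytes")
    pub = x25519_bytes(priv, BASE_POINT_U.to_bytes(32, "little"))
    return base64.b64encode(pub).decode()


def generate_keypair():
    """What `wg genkey | tee priv | wg pubkey` does: 32 CSPRNG bytes, clamped, then the public key."""
    priv = bytearray(os.urandom(32))
    priv[0] &= 248
    priv[31] &= 127
    priv[31] |= 64
    priv_b64 = base64.b64encode(bytes(priv)).decode()
    return priv_b64, public_key_from_private(priv_b64)


def keypair_matches(private_b64, public_b64):
    """True if public_b64 really derives from private_b64; catches swapped or stale key files."""
    return public_key_from_private(private_b64) == public_b64


def shared_secret(my_private_b64, peer_public_b64):
    """The static Diffie-Hellman both ends compute in the handshake from the exchanged public keys."""
    priv = base64.b64decode(my_private_b64, validate=True)
    pub = base64.b64decode(peer_public_b64, validate=True)
    return x25519_bytes(priv, pub)


if __name__ == "__main__":
    server_priv, server_pub = generate_keypair()
    ios_priv, ios_pub = generate_keypair()
    print("server_public.key:", server_pub)
    print("ios_public.key:   ", ios_pub)
    # Both ends derive the same secret from the other's public key, which is why only public keys travel.
    assert shared_secret(server_priv, ios_pub) == shared_secret(ios_priv, server_pub)
```

Run it to print a fresh pair, or pass the contents of an existing server_private.key and server_public.key to keypair_matches() to confirm they belong together. One practical caveat for the shell pipeline above: tee creates the private key file with the shell's current umask, so running umask 077 before wg genkey keeps the file readable by root only.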

4. Configuring wg*.conf
wg-quick reads its configuration files from /etc/wireguard; they must be named wg*.conf, and the interface takes its name from the file. Here's an example for wg0.conf:

[Interface]
Address = 192.168.63.1/24
ListenPort = 22334
# contents of server_private.key
PrivateKey =
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE

[Peer]
# contents of ios_public.key
PublicKey =
AllowedIPs = 192.168.63.2/32

[Peer]
# public key of the second client (the Mihomo PC)
PublicKey =
AllowedIPs = 192.168.63.3/32

4.1 Pitfalls
- Make sure UDP port 22334 (the ListenPort used here) is reachable from the internet; WireGuard uses UDP only.
- wg0.conf holds only the server's private key and the clients' public keys; a client's private key never goes into it.
- Replace ens18 with the name of your server's outgoing (internet-facing) interface, since the MASQUERADE rule refers to it.
- The server's Address carries the whole tunnel subnet (/24), while each client's AllowedIPs is that client's single tunnel address (/32).

5. Starting the Server
cd /etc/wireguard
wg-quick up wg0

6. Configuring Surge
Here's the configuration for Surge:

[Proxy]
Home = wireguard, section-name = Home

[Rule]
# send traffic for the home LAN (192.168.88.0/24 here) through the tunnel
IP-CIDR,192.168.88.0/24,Home,no-resolve

[WireGuard Home]
# contents of ios_private.key
private-key =
self-ip = 192.168.63.2
mtu = 1280
# public-key is the contents of server_public.key
peer = (public-key = , allowed-ips = "0.0.0.0/0, ::0/0", endpoint = ddns.cn:22334, keepalive = 25)

6.1 Considerations
- self-ip must be the tunnel address the server assigned to this client in its AllowedIPs (192.168.63.2), inside the server's Address subnet.
- endpoint is the public IP or DDNS hostname of your home followed by the server's ListenPort (ddns.cn:22334).

7. Configuring Mihomo
The configuration for Mihomo is similar to Surge:

proxies:
  - name: "wg"
    type: wireguard
    ip: 192.168.63.3
    private-key:   # contents of this client's private key file (the pair generated for the Mihomo PC)
    peers:
      - server: ddns.cn
        port: 22334
        public-key:   # contents of server_public.key
        allowed-ips: ['0.0.0.0/0']
    udp: true
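As an added example (not the post's own tooling), here is a small Python checker for the pitfalls of 4.1 and the considerations of 6.1, applied to the Mihomo client of section 7 as well. It parses a wg0.conf, confirms that the server side carries a subnet while each peer gets a single /32 inside it, that no private key has strayed into a peer section, and that every iptables rule PostUp adds has a matching PostDown removal; it then cross-checks each client's tunnel address (Surge's self-ip, Mihomo's ip) and public key against the server's peer list. The sample config and the *_PLACEHOLDER key strings are constructed for the example.

```python
# Added example: lint a wg0.conf for the pitfalls above and cross-check client settings
# against it. The sample config and the *_PLACEHOLDER keys are constructed, not real keys.
import ipaddress
import shlex

SAMPLE_WG0_CONF = """
[Interface]
Address = 192.168.63.1/24
ListenPort = 22334
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE

[Peer]
PublicKey = IOS_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.63.2/32

[Peer]
PublicKey = MIHOMO_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.63.3/32
"""

SAMPLE_CLIENTS = {  # constructed: Surge's self-ip / Mihomo's ip, plus the public key each client uses
    "surge-ios": {"ip": "192.168.63.2", "public_key": "IOS_PUBLIC_KEY_PLACEHOLDER"},
    "mihomo-pc": {"ip": "192.168.63.3", "public_key": "MIHOMO_PUBLIC_KEY_PLACEHOLDER"},
}


def parse_wg_conf(text):
    """Parse the wg-quick INI format into (interface, peers); values are lists because PostUp/AllowedIPs may repeat."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment, as in wg(8)
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value)
        elif line:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def _iptables_rules(commands, action):
    """Normalize 'iptables -A ...' / 'iptables -D ...' so PostUp and PostDown compare equal."""
    rules = set()
    for tokens in (shlex.split(p) for c in commands for p in c.split(";")):
        if tokens[:1] == ["iptables"] and action in tokens:
            tokens.remove(action)
            rules.add(" ".join(tokens))
    return rules


def _allowed_networks(peer):
    return [ipaddress.ip_network(cidr.strip(), strict=False)
            for entry in peer.get("AllowedIPs", []) for cidr in entry.split(",")]


def lint_wg_conf(text):
    """Return a list of findings for the server config; an empty list means it passes."""
    findings = []
    interface, peers = parse_wg_conf(text)
    subnet = ipaddress.ip_interface(interface["Address"][0]).network
    if subnet.prefixlen == subnet.max_prefixlen:
        findings.append("[Interface] Address is a single host; the server side should carry the whole tunnel subnet")
    up = _iptables_rules(interface.get("PostUp", []), "-A")
    down = _iptables_rules(interface.get("PostDown", []), "-D")
    findings += [f"PostUp adds rule {r!r} that PostDown never removes" for r in sorted(up - down)]
    findings += [f"PostDown removes rule {r!r} that PostUp never added" for r in sorted(down - up)]
    for n, peer in enumerate(peers, 1):
        if "PrivateKey" in peer:
            findings.append(f"[Peer] #{n} contains a PrivateKey; only the clients' public keys belong here")
        for net in _allowed_networks(peer):
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"[Peer] #{n} AllowedIPs {net} is not a single host (/32)")
            if net.version == subnet.version and not net.subnet_of(subnet):
                findings.append(f"[Peer] #{n} AllowedIPs {net} lies outside the interface subnet {subnet}")
    return findings


def check_clients(text, clients):
    """Cross-check each client's tunnel IP and public key against the server's peer list."""
    findings = []
    interface, peers = parse_wg_conf(text)
    subnet = ipaddress.ip_interface(interface["Address"][0]).network
    by_key = {peer["PublicKey"][0]: peer for peer in peers if "PublicKey" in peer}
    for name, client in clients.items():
        ip = ipaddress.ip_address(client["ip"])
        if ip not in subnet:
            findings.append(f"{name}: tunnel IP {ip} is not inside the server subnet {subnet}")
        peer = by_key.get(client["public_key"])
        if peer is None:
            findings.append(f"{name}: public key has no matching [Peer] on the server")
        elif not any(ip in net for net in _allowed_networks(peer)):
            findings.append(f"{name}: tunnel IP {ip} is not in its peer's AllowedIPs")
    return findings


if __name__ == "__main__":
    print(lint_wg_conf(SAMPLE_WG0_CONF) + check_clients(SAMPLE_WG0_CONF, SAMPLE_CLIENTS) or "consistent")
```

Point lint_wg_conf() at the text of your real wg0.conf and fill SAMPLE_CLIENTS from the self-ip / ip and public keys in your Surge and Mihomo configs; an empty result from both functions means the four pitfalls and the self-ip consideration are satisfied.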
This concludes the setup guide.