Xray-docs-next/docs/ru/config/inbounds/wireguard.md

# Wireguard

User-space implementation of the Wireguard protocol.

::: danger
**The Wireguard protocol is not specifically designed for circumvention purposes. If used as the outer layer for circumvention, its characteristics may lead to server blocking.**
:::

## InboundConfigurationObject

```json
{
  "secretKey": "PRIVATE_KEY",
  "peers": [
    {
      "publicKey": "PUBLIC_KEY",
      "allowedIPs":[""]
    }
  ],
  "kernelMode": true, // optional, default true if it's supported and permission is sufficient
  "mtu": 1420, // optional, default 1420
}
```

> `secretKey`: string

Private key. Required.

> `mtu`: int

Fragmentation size of the underlying Wireguard tun.

<details>
<summary>MTU Calculation Method</summary>

The structure of a Wireguard packet is as follows:

```
- 20-byte IPv4 header or 40 byte IPv6 header
- 8-byte UDP header
- 4-byte type
- 4-byte key index
- 8-byte nonce
- N-byte encrypted data
- 16-byte authentication tag
```

`N-byte encrypted data` is the MTU value we need. Depending on whether the endpoint is IPv4 or IPv6, the specific values can be 1440 (IPv4) or 1420 (IPv6). If in a special environment, subtract additional bytes accordingly (e.g., subtract 8 more bytes for PPPoE over home broadband).

</details>

> `peers`: \[ [Peers](#peers) \]

List of peer servers, where each entry is a server configuration.

### Peers

```json
{
  "publicKey": "PUBLIC_KEY",
  "allowedIPs": ["0.0.0.0/0"] // optional, default ["0.0.0.0/0", "::/0"]
}
```

> `publicKey`: string

Public key, used for verification.

> `allowedIPs`: string array

Allowed source IPs.
Remove legacy `timeout` config (#577) * Remove `timeout` field in dokodemo-door * Remove `timeout` field in HTTP inbound * Minor fixes to The Great Chronicles * Force update wireguard inbound to russian docs 2024-09-15 18:22:25 +08:00			`# Wireguard`

			`User-space implementation of the Wireguard protocol.`

			`::: danger`
			`The Wireguard protocol is not specifically designed for circumvention purposes. If used as the outer layer for circumvention, its characteristics may lead to server blocking.`
			`:::`

			`## InboundConfigurationObject`

			```json
			`{`
			`"secretKey": "PRIVATE_KEY",`
			`"peers": [`
			`{`
			`"publicKey": "PUBLIC_KEY",`
			`"allowedIPs":[""]`
			`}`
			`],`
			`"kernelMode": true, // optional, default true if it's supported and permission is sufficient`
			`"mtu": 1420, // optional, default 1420`
			`}`
			```

			> `secretKey`: string

			`Private key. Required.`

			> `mtu`: int

			`Fragmentation size of the underlying Wireguard tun.`

			`<details>`
			`<summary>MTU Calculation Method</summary>`

			`The structure of a Wireguard packet is as follows:`

			```
			`- 20-byte IPv4 header or 40 byte IPv6 header`
			`- 8-byte UDP header`
			`- 4-byte type`
			`- 4-byte key index`
			`- 8-byte nonce`
			`- N-byte encrypted data`
			`- 16-byte authentication tag`
			```

			`N-byte encrypted data` is the MTU value we need. Depending on whether the endpoint is IPv4 or IPv6, the specific values can be 1440 (IPv4) or 1420 (IPv6). If in a special environment, subtract additional bytes accordingly (e.g., subtract 8 more bytes for PPPoE over home broadband).

			`</details>`

			> `peers`: \[ [Peers](#peers) \]

			`List of peer servers, where each entry is a server configuration.`

			`### Peers`

			```json
			`{`
			`"publicKey": "PUBLIC_KEY",`
			`"allowedIPs": ["0.0.0.0/0"] // optional, default ["0.0.0.0/0", "::/0"]`
			`}`
			```

			> `publicKey`: string

			`Public key, used for verification.`

			> `allowedIPs`: string array

			`Allowed source IPs.`