[solved]need help with "wireguard server + shadowsocks-rust local-tun" setup

[ew12]

I set up a wireguard vpn server ( interface wg0 ) on my debian 12 laptop , the wireguard server conf is something like this:

Address = 10.6.1.1/24,fd1c:9339:e931::1/64 
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o enp4s0f2 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT
PostUp = ip6tables -A FORWARD -o %i -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o enp4s0f2 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o enp4s0f2 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT
PostDown = ip6tables -D FORWARD -o %i -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o enp4s0f2 -j MASQUERADE
ListenPort = 10000
FwMark = 0x55

and it worked . I can connect to this vpn server from another machine and get to the internet through the server's default internet interface enp4s0f2 .

but now I want the wireguard client get to the internet through server's shadowsocks-rust local-tun ( 10.255.0.1 tun0 ), I googled a bit , modified the wireguard server conf like this:

Address = 10.6.1.1/24,fd1c:9339:e931::1/64
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s 10.6.1.0/24 -o tun0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT
PostUp = ip6tables -A FORWARD -o %i -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -s fd1c:9339:e931::/64 -o tun0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.6.1.0/24 -o tun0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT
PostDown = ip6tables -D FORWARD -o %i -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -s fd1c:9339:e931::/64 -o tun0 -j MASQUERADE
ListenPort = 10000
FwMark = 0x55

and did some policy routing like this:

ip route add default via 10.255.0.1 dev tun0 table 7
ip rule add fwmark 0x55 table 7
ip rule add from 10.6.1.0/24 table 7
ip route flush cache

then the wireguard client failed to reach the internet . 'tcpdump -i wg0' shows nothing , 'tcpdump -i tun0' only shows this:

IP 10.255.0.1.10000 > 192.168.1.25.54717: UDP, length 92

'192.168.1.25' is the client's lan ip . what went wrong here , anybody has any suggestion ?

[ew12]

After one and a half year, I come back with a working setup.

wg0.conf:

Address = 10.6.1.1/24
PostUp = iptables -A FORWARD -i tun0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -A FORWARD -i %i -o tun0 -j ACCEPT
PostUp = iptables -A PREROUTING -t mangle -s 10.6.1.0/24 -j MARK --set-mark 555
PostUp = iptables -t nat -A POSTROUTING -s 10.6.1.0/24 -j SNAT --to-source 10.255.0.1
PostDown = iptables -D FORWARD -i tun0 -o %i -m state --state RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o tun0 -j ACCEPT
PostDown = iptables -D PREROUTING -t mangle -s 10.6.1.0/24 -j MARK --set-mark 555
PostDown = iptables -t nat -D POSTROUTING -s 10.6.1.0/24 -j SNAT --to-source 10.255.0.1
ListenPort = 10000
FwMark = 555

Add a line "200 wg" to /etc/iproute2/rt_tables.

Some ip routes and rules ( you can make it a script, auto-run when you boot into the system ) :

ip route add default dev tun0 table wg
ip rule add fwmark 555 table wg

Note:
If your wireguard clients can ping/nslookup but can't browse the internet,
then you may want to tinker your clients' mtu setting a little bit.