Stunnel + Shadowsocks + Wireguard not working #2784

Open
herr1n opened this issue Dec 29, 2020 · 3 comments

@herr1n

herr1n commented Dec 29, 2020

What version of shadowsocks-libev are you using?

3.3.4

What operating system are you using?

Ubuntu Focal

What did you do?

I'm trying to run wireguard over shadowsocks + stunnel as the outer layer, so the traffic looks like TLS.
stunnel + shadowsocks alone works.
wireguard + shadowsocks should work too.
However, all together it does not work so far.
I'm unsure about the syntax and when/how to use the "-L"/tunnel option of shadowsocks.

What is your config in detail (with all sensitive info masked)?

ss-client.json

```json
{
    "server": "127.0.0.1",
    "server_port": 1080,
    "mode": "tcp_and_udp",
    "local_address": "127.0.0.1",
    "local_port": 1081,
    "password": "password123",
    "timeout": 60,
    "method": "chacha20-ietf-poly1305"
}
```

ss-server.json

```json
{
    "server": "127.0.0.1",
    "mode": "tcp_and_udp",
    "server_port": 1080,
    "password": "password123",
    "timeout": 60,
    "method": "chacha20-ietf-poly1305"
}
```

stunnel-client.conf

```ini
foreground=yes
debug=7
pid = /tmp/stunnel.pid
client=yes
[ssh]
accept=127.0.0.1:1080
connect=myip:443
CAPath=cert.pem
```

stunnel-server.conf:

```ini
foreground=yes
debug=7
pid = /tmp/stunnel.pid
client=no
[ssh]
accept=443
connect=127.0.0.1:1080
cert=cert.pem
key=key.pem
```

client setup:

```shell
stunnel stunnel-client.conf &
ss-local -c ss-client.json &
sudo ip link del wg0
sudo ip link add dev wg0 type wireguard
sudo ip address add dev wg0 172.16.0.1/24
sudo wg set wg0 private-key key1 peer key2 endpoint 127.0.0.1:1081 allowed-ips 0.0.0.0/0
sudo ip link set up dev wg0
```

server setup:

```shell
sudo stunnel stunnel-server.conf &
sudo ss-server -c ss-server.json &
sudo ip link del wg0
sudo ip link add dev wg0 type wireguard
sudo ip address add dev wg0 172.16.0.2/24
sudo wg set wg0 listen-port 1081 private-key key3 peer key4 allowed-ips 172.16.0.1/24
sudo ip link set up dev wg0
```

What did you expect to see?

Successful wireguard connection

What did you see instead?

With this setup

```shell
curl --socks5 127.0.0.1:1081 https://checkip.amazonaws.com
```

gives my correct server ip. So stunnel + shadowsocks works.

But pinging the server from the client:

```shell
ping -I tun0 172.16.0.2
```

gives

```
[udp] Invalid header with addr type 0
```

The packets don't even make it to the remote end. So there is some problem between wireguard and the shadowsocks layer.
I'm not sure if the error is a bug or if there is some problem with the shadowsocks config file syntax.
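The `[udp] Invalid header with addr type 0` line is explained by framing rather than by the config syntax. ss-local's UDP listener speaks the SOCKS5 UDP ASSOCIATE format (RFC 1928 section 7): every datagram must start with `RSV(2) FRAG(1) ATYP(1) DST.ADDR DST.PORT` before the payload, because that header is the only way the relay learns where to send the data. A SOCKS-aware client prepends it; WireGuard does not, it sends raw UDP. A WireGuard handshake initiation begins with the message type byte `0x01` followed by three reserved zero bytes, so byte 3, which the relay reads as ATYP, is `0x00`, an address type that does not exist. The following Python is an added example written for this issue, not code from shadowsocks-libev or from the reporter: it parses a datagram the way a SOCKS5 UDP relay does, shows the raw WireGuard packet being rejected with exactly that address type, and shows the same packet being accepted once the header is supplied. The destination `203.0.113.10:1081` and the packet bytes are constructed sample values.

```python
"""Added example (not from the issue): SOCKS5 UDP framing as expected on
ss-local's UDP port, and why a raw WireGuard datagram is rejected.

Assumptions: the relay expects RFC 1928 section 7 framing, and a WireGuard
handshake initiation starts with type 0x01 plus three reserved zero bytes.
"""
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_socks5_udp(datagram: bytes) -> dict:
    """Parse RSV(2) FRAG(1) ATYP(1) DST.ADDR DST.PORT DATA; raise ValueError on bad framing."""
    if len(datagram) < 4:
        raise ValueError("datagram too short for a SOCKS5 UDP header")
    _rsv, frag, atyp = struct.unpack("!HBB", datagram[:4])
    if frag != 0:
        raise ValueError("fragmented SOCKS5 UDP datagrams are not supported")
    pos = 4
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(datagram[pos:pos + 4]))
        pos += 4
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(datagram[pos:pos + 16]))
        pos += 16
    elif atyp == ATYP_DOMAIN:
        n = datagram[pos]
        host = datagram[pos + 1:pos + 1 + n].decode("ascii")
        pos += 1 + n
    else:
        # Same condition the relay logs in the issue: byte 3 is not a known address type.
        raise ValueError(f"Invalid header with addr type {atyp}")
    if len(datagram) < pos + 2:
        raise ValueError("datagram truncated before DST.PORT")
    port = struct.unpack("!H", datagram[pos:pos + 2])[0]
    return {"host": host, "port": port, "payload": datagram[pos + 2:]}


def encapsulate_socks5_udp(host: str, port: int, payload: bytes) -> bytes:
    """Prepend the header a SOCKS-aware client supplies (what a fixed-destination tunnel
    such as ss-tunnel's -L does on the application's behalf)."""
    ip = ipaddress.ip_address(host)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return struct.pack("!HBB", 0, 0, atyp) + ip.packed + struct.pack("!H", port) + payload


# Constructed sample: start of a WireGuard handshake initiation (type 1, three
# reserved zero bytes, a sender index), zero-filled to the 148-byte length
# because only the first four bytes matter for the framing check.
WG_HANDSHAKE_INIT = b"\x01\x00\x00\x00" + b"\x00\x00\x00\x2a" + bytes(140)


def classify(datagram: bytes) -> str:
    """Describe what the relay would do with this datagram."""
    try:
        hdr = parse_socks5_udp(datagram)
    except ValueError as err:
        return f"drop: {err}"
    return f"relay {len(hdr['payload'])} bytes to {hdr['host']}:{hdr['port']}"


if __name__ == "__main__":
    # Raw WireGuard packet, as wg0 sends it to 127.0.0.1:1081: rejected.
    print(classify(WG_HANDSHAKE_INIT))
    # Same packet with the SOCKS5 UDP header for a constructed destination: relayed.
    print(classify(encapsulate_socks5_udp("203.0.113.10", 1081, WG_HANDSHAKE_INIT)))
```

Running it prints `drop: Invalid header with addr type 0` for the raw packet and `relay 148 bytes to 203.0.113.10:1081` for the wrapped one. The framing is only the first obstacle in this setup: shadowsocks relays the UDP side to `server_port` as UDP, so a TCP-only stunnel listener on that port will not carry it, which is the layering conflict raised in the follow-up comment below.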

@herr1n

herr1n commented Dec 29, 2020

Could it be that while shadowsocks can tunnel udp, the outer layer must be udp too?
So this works: wireguard (udp) --> shadowsocks (udp) --> shadowsocks (udp) ...
Also this: shadowsocks (tcp) --> stunnel (tcp) --> stunnel (tcp) ...
But this does not: wireguard (udp) --> shadowsocks (udp or tcp) --> stunnel (tcp) --> stunnel (tcp) ...
Because you either have a conflict with wireguard or with stunnel.
So either stunnel would be udp or wireguard needs to be TCP?

@honwen

honwen commented Dec 30, 2020

Try gost if you want to tunnel UDP over TCP:

https://github.com/ginuerzh/gost#%E7%89%B9%E6%80%A7

@0neday

0neday commented Feb 14, 2021

> Could it be that while shadowsocks can tunnel udp, the outer layer must be udp too?
> So this works: wireguard (udp) --> shadowsocks (udp) --> shadowsocks (udp) ...
> Also this: shadowsocks (tcp) --> stunnel (tcp) --> stunnel (tcp) ...
> But this does not: wireguard (udp) --> shadowsocks (udp or tcp) --> stunnel (tcp) --> stunnel (tcp) ...
> Because you either have a conflict with wireguard or with stunnel.
> So either stunnel would be udp or wireguard needs to be TCP?

But what do you want to get?
If you just want to query DNS over the VPN, you could use trojan forward mode to forward DNS. Check here: trojan-gfw/trojan#514 (comment)
If you want to use wireguard for DNS queries, you need to set the right iptables policy. Check here: https://github.com/0neday/vps-auto-installer
