ZGoCloud + Wstunnel + Clash Verge Rev under Ubuntu 26.04

I have been using ZgoCloud + Wstunnel + Clash Verge Rev on Windows before, and it is quite stable. Recently, I want to reproduce a set on Ubuntu 26.04, and I hope that it can be automatically connected when it is turned on, without manually typing commands every time. After tossing for an afternoon, I finally got it done. Write down the process and leave a note for yourself, in case you can reinstall the system in the future.

First, let’s talk about the components I use

• VPS service provider: zgocloud (wstunnel + wireguard has been configured on the server side)
• Local penetration tool: wstunnel v10.5.5 (version must be the same as the server)
• Proxy client: Clash Verge Rev (with its Wireguard node and shunt)
• System: Ubuntu 26.04, notebook is x86_64 architecture

2. Install Clash Verge Rev

At first, I searched for ‘clash’ in the ‘software’ application of ubuntu, and the results were not what I wanted (Figure 1). Later, I went to github to see, it turns out that Clash Verge Rev only provides .deb And .appimage, not on the shelves.

I downloaded Clash.verge_2.5.1_amd64.deb(Because my computer is x86_64). After downloading, right-click this in the file manager .deb file, select ‘Open Method’ → ‘Software Installation’ (Figure 2). The system will pop up an installation window, click ‘Install’ and enter the password (Figure 3).

After installing, there is a Clash Verge Rev icon in the application menu.

3. Deploy the WSTUnnel client

The version I use on the wstunnel server is v10.5.5, so the client must also download this version, otherwise it will not be able to connect. Go erebe/wstunnel downloaded wstunnel_10.5.5_linux_amd64.tar.gz.

After downloading, right-click the compressed package → ‘Extract to…’, I extract it to the current directory (Figure 4). Unzip a folder, there is only one in it wstnnel executable file.

I need to put this wstnnel Put it in the system PATH, such as /usr/local/bin. Open File Manager, press Ctrl+L Enter /usr/local/bin, and found that this directory is empty (Figure 5).

The direct right-click paste is gray, because the permissions are not enough. I find it troublesome to graph, so I directly use the command:

sudo cp /home/wangqiang/下载/wstunnel_10.5.5_linux_amd64/wstunnel /usr/local/bin/
sudo chmod +x /usr/local/bin/wstunnel

Then check the version:

$ /usr/local/bin/wstunnel --version
wstunnel-cli 10.5.5

No problem (upper half of Figure 6).

Then I created a startup script in my home directory ~/start-vpn.sh, the content is as follows (remember to replace the server IP and domain name with your own):

#!/bin/bash
/usr/local/bin/wstunnel client -L udp://127.0.0.1:51820:127.0.0.1:51820?timeout_sec=0 --tls-sni-override wg.shuijingwanwq.com wss://154.21.196.249:443

Give execution permission:

chmod +x ~/start-vpn.sh

Use cat Confirm the contents (the middle part of Figure 6).

4. Realize wstunnel self-start at boot (systemd user service)

I don’t want to do it manually every time I turn it on nohup ~/start-vpn.sh ..., too troublesome. So use systemd’s user service to manage.

Create a service file first:

mkdir -p ~/.config/systemd/user
nano ~/.config/systemd/user/wstunnel.service

The content is as follows:

[Unit]
Description=Wstunnel Client for VPN
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/home/wangqiang/start-vpn.sh
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=default.target

After saving, reload systemd, enable the service and start immediately:

systemctl --user daemon-reload
systemctl --user enable wstunnel.service
systemctl --user start wstunnel.service

View status:

$ systemctl --user status wstunnel.service
● wstunnel.service - Wstunnel Client for VPN
     Active: active (running) since ...

You can see the service is running (Figure 7). In addition, check the port listening:

$ ss -lun | grep 51820
UNCONN 0      0          127.0.0.1:51820      0.0.0.0:*

It means that the UDP port is already up.

5. Prepare the Clash configuration file

I have debugged a copy on windows zgocloud-vpn.yaml, which defines WireGuard nodes (public key, private key, pre-shared key) and shunt rules. Copy directly to Ubuntu and put it in the home directory:

vi ~/ZgoCloud-VPN.yaml

Paste the content and save it. The core is that Type: WireGuard proxy configuration. For specific configurations, please refer to:Troubleshooting Transcript: Solve the DNS deadlock problem of ‘some websites cannot be accessed’ under Clash Verge + Wstunnel + Wireguard

6. Import configuration in Clash Verge Rev

Open the Clash Verge Rev graphical interface, click ‘Subscribe’ on the left, and then click ‘New’ → select the ‘Local’ type (Figure 6). I filled in the name zgocloud-vpn, then click ‘Select File’, select ~/zgocloud-vpn.yaml, save.

After importing, right-click this configuration in the subscription list and select ‘Use’. Then switch to the ‘Agent’ page, you can see zgocloud-wg This WireGuard node (Figure 7).

Go back to the ‘Home’ and turn on the ‘System Agent’ switch (Figure 8).

At this time, the browser can already access the external network (Figure 9), and the website test has passed.

7. Let Clash Verge Rev also boot from boot

In Clash Verge Rev’s ‘Settings’ → ‘System Settings’, there is a ‘Start Up’ switch, which I turned on (Figure 10). In this way, every time you log in to the desktop, the software will automatically start.

8. Restart the test

After setting all the above steps, I restarted the computer. After logging back into the desktop:

• Check the WSTUnnel service:systemctl --user status wstunnel.service Display active (running)and the log has New UDP Connection Handshake information with TLS (Figure 11).
• Test Google, youtube, github, apple four websites in Clash Verge Rev, all of them are normal (Figure 12).

9. The pit I stepped on

1. Do not install the system’s WireGuard package manually.Sudo apt install wireguard It is redundant, because the built-in Mihomo kernel of Clash Verge Rev has implemented WireGuard with user space.
2. The wstunnel version must match. Server v10.5.5, the client should also download v10.5.5, otherwise the protocol may not be compatible.
3. systemd service failed to start, report address in use. It’s because I used it manually nohup Running through a WSTUnnel takes up port 51820. I executed pkill wstunnel Kill the manual process, and then start the systemd service.

10. Today’s daily experience

Boot → Log in to the desktop → Open the browser directly to access the external network. Both wstunnel and clash verge rev run automatically in the background, and I don’t need manual intervention at all. Domestic websites are directly connected, foreign websites go to VPN, and the diversion rules are automatically judged. The speed is enough to see YouTube 4K, port 443 + TLS has never been walled.

This solution was ported from Windows to Ubuntu, and although I stepped on a few small pits in the middle, I was very satisfied with the final result. Record this process, in case you need to reinstall the system or change the computer in the future, you can follow this article again.

If you have similar needs, I hope my record can give you some reference. However, everyone’s network environment and configuration are different. What I wrote is just my own approach, and there is no guarantee that it is completely universal. Good luck to you~