Wireguard domestic direct connection + foreign tunnel configuration

As someone who regularly needs overseas sites (ChatGPT, YouTube, Google Translate and so on), I have long wanted WireGuard to do "domestic direct, foreign through the tunnel": keep native speed for domestic pages, get stable access to overseas services, and avoid the needless traffic a global proxy burns. Along the way I hit a very typical routing-configuration pitfall; after some fiddling I got it working and wrote it up here so others with the same need can skip the detour.

1. Background
The WireGuard client had been set up, but behaved strangely:

  • Google Translate (https://translate.google.com/) opened normally
  • ChatGPT (https://chatgpt.com/), YouTube (https://www.youtube.com/) and V2EX (https://v2ex.com/) never opened; the browser reported the site as unreachable, as shown in Figure 1
  • Insufficient server bandwidth was suspected, but a bandwidth test showed plenty of headroom, which ruled that out
    Core requirement: keep the split logic (domestic direct, foreign through the tunnel), fix the overseas sites that cannot be reached, and do so without upgrading the server.

2. Initial configuration (the version that bit me)
The original WireGuard client configuration is below; the problem is in the AllowedIPs line. It came from the earlier post "WireGuard VPN configuration optimization: domestic website direct connection, foreign traffic to go to VPN (actual measurement is effective)", which had not fully solved the problem. See Figure 2.

[Interface]
PrivateKey = MNcoOjHNvao4gH1...
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 223.5.5.5, 223.6.6.6

[Peer]
PublicKey = XZ2LNJxO7RqjGKHyubFw35eR7AkRa1iHqltQJYdsY3g=
PresharedKey = Fz04FNeapuPYQ+QAH+...
AllowedIPs = 0.0.0.0/1, 128.0.0.0/2, ::/1, 8000::/1
Endpoint = 139.180.154.26:2096
PersistentKeepalive = 25

3. Troubleshooting: the AllowedIPs ranges are incomplete
At first I blamed bandwidth. The real root cause turned out to be that the IPv4 part of AllowedIPs did not cover the whole address space, so a large set of overseas IPs never got a route into the tunnel and were unreachable.

  1. First, what 0.0.0.0/1 and 128.0.0.0/2 actually cover
  • 0.0.0.0/1: the lower half of IPv4, 0.0.0.0 ~ 127.255.255.255
  • 128.0.0.0/2: one quarter of IPv4, namely the lower half of the upper half, 128.0.0.0 ~ 191.255.255.255
    The gap: together the two prefixes miss 192.0.0.0 ~ 255.255.255.255 (that is, 192.0.0.0/2). Many servers of large overseas providers such as ChatGPT and YouTube sit in that missing quarter (192.x, 203.x, 204.x and so on), so their traffic never entered the tunnel and the sites could not open.
  2. Supplementary note: the IPv6 part was correct
    The IPv6 prefixes in the initial configuration, ::/1 and 8000::/1, are right:
  • ::/1: the lower half of IPv6
  • 8000::/1: the upper half of IPv6
    Together they cover the entire IPv6 space, so all overseas IPv6 traffic already went through the tunnel, which is why no IPv6-related access problem appeared.

4. The fix: the complete AllowedIPs configuration
The fix is to replace the IPv4 part of AllowedIPs with a set of prefixes that leaves no routable IPv4 range uncovered, and to keep the IPv6 part as it was.
The final working configuration (copy as-is) is shown in Figure 3:

[Interface]
PrivateKey = MNcoOjHNvao4gH1...
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 223.5.5.5, 223.6.6.6

[Peer]
PublicKey = XZ2LNJxO7RqjGKHyubFw35eR7AkRa1iHqltQJYdsY3g=
PresharedKey = Fz04FNeapuPYQ+QAH+...
# Core change: the IPv4 prefixes below span 1.0.0.0 ~ 255.255.255.255 (everything but 0.0.0.0/8), plus full IPv6 coverage
AllowedIPs = 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/5, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1, ::/1, 8000::/1
Endpoint = 139.180.154.26:2096
PersistentKeepalive = 25

Configuration notes

  1. IPv4 part: 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/5, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2 and 128.0.0.0/1 together span 1.0.0.0 ~ 255.255.255.255, so no overseas range can be missed; the only block left out is 0.0.0.0/8, which is reserved and never carries real traffic. Be aware of what this means: the list does not exclude any domestic range either, so domestic IPv4 destinations (and the 223.5.5.5 / 223.6.6.6 resolvers themselves) are routed into the tunnel as well. It is effectively a full IPv4 tunnel written without a /0 route. If you genuinely want domestic traffic to bypass the tunnel, the domestic prefixes have to be subtracted from 0.0.0.0/0 and only the remainder listed in AllowedIPs.
  2. IPv6 part: keep ::/1, 8000::/1, which cover all of IPv6 and keep overseas IPv6 traffic in the tunnel.
  3. Other parameters: PrivateKey, Endpoint and so on stay unchanged; only AllowedIPs is replaced.
    Steps (three in total)
  1. Open the WireGuard client and edit the current configuration;
  2. Delete the original AllowedIPs line and paste the complete AllowedIPs above in its place;
  3. Save, deactivate and reactivate the WireGuard tunnel, then test access.
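The coverage argument in section 3 and the replacement list in section 4 can be checked mechanically, and the same subtraction produces a genuine domestic-direct list. The Python script below is an added example written for this edit, not code from the original post. It assumes nothing beyond the standard library; the three "domestic" prefixes in DIRECT_EXAMPLE are constructed placeholders (documentation and private ranges), not real Chinese allocations, standing in for a published domestic prefix list.

```python
import ipaddress

# Constructed from the page: the two AllowedIPs variants under discussion (IPv4 part only).
INITIAL_IPV4 = ["0.0.0.0/1", "128.0.0.0/2"]
FIXED_IPV4 = ["1.0.0.0/8", "2.0.0.0/7", "4.0.0.0/6", "8.0.0.0/5",
              "16.0.0.0/4", "32.0.0.0/3", "64.0.0.0/2", "128.0.0.0/1"]

# Constructed placeholders for "domestic" prefixes to keep direct (not real allocations).
DIRECT_EXAMPLE = ["203.0.113.0/24", "198.51.100.0/24", "10.0.0.0/8"]


def tunneled(allowed_ips, ip):
    """True if WireGuard would route `ip` into the tunnel under this AllowedIPs list.

    WireGuard installs one route per AllowedIPs prefix, so a destination is
    tunneled exactly when some prefix of the same address family contains it.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net
               for net in map(ipaddress.ip_network, allowed_ips)
               if net.version == addr.version)


def uncovered(allowed_ips, universe="0.0.0.0/0"):
    """Return the part of `universe` that no AllowedIPs prefix covers.

    CIDR blocks either nest or are disjoint, so each prefix is either a no-op,
    removes a block entirely, or splits a block via address_exclude.
    Prefixes of the other address family are ignored.
    """
    universe = ipaddress.ip_network(universe)
    remaining = [universe]
    for prefix in allowed_ips:
        net = ipaddress.ip_network(prefix)
        if net.version != universe.version:
            continue
        next_remaining = []
        for block in remaining:
            if net.subnet_of(block):            # carve net out of block (yields nothing if equal)
                next_remaining.extend(block.address_exclude(net))
            elif not block.subnet_of(net):      # disjoint: keep block untouched
                next_remaining.append(block)
            # else: block lies entirely inside net and is dropped
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def split_tunnel_allowed_ips(direct_prefixes, include_ipv6=True):
    """AllowedIPs for 'direct_prefixes go direct, everything else tunnels':
    0.0.0.0/0 minus the direct prefixes. This is how a real domestic-direct
    list is built from a published list of domestic IPv4 prefixes."""
    v4 = [str(n) for n in uncovered(direct_prefixes, "0.0.0.0/0")]
    # Keep the page's ::/1, 8000::/1 pair (all of IPv6) rather than ::/0.
    v6 = ["::/1", "8000::/1"] if include_ipv6 else []
    return v4 + v6


def allowed_ips_line(direct_prefixes):
    """Render the AllowedIPs = ... line for a client [Peer] section."""
    return "AllowedIPs = " + ", ".join(split_tunnel_allowed_ips(direct_prefixes))


if __name__ == "__main__":
    print("initial list misses:", [str(n) for n in uncovered(INITIAL_IPV4)])
    print("fixed list misses:  ", [str(n) for n in uncovered(FIXED_IPV4)])
    print(allowed_ips_line(DIRECT_EXAMPLE))
```

Running it prints the gap in the original list (192.0.0.0/2), shows that the replacement list leaves only 0.0.0.0/8 uncovered, and emits an AllowedIPs line that can be pasted into [Peer]. On a Linux client, `ip route get <destination>` shows whether a given address currently leaves via the wg interface, and `wg show` reports the latest handshake. The IPv6 halves ::/1 and 8000::/1 are kept instead of ::/0 because wg-quick treats a /0 AllowedIP specially (it switches to fwmark-based policy routing), whereas explicit /1 routes simply sit beside the normal default route.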

5. Test results
After changing the configuration and reconnecting WireGuard:

  • Domestic websites: Baidu, Taobao, Bilibili, WeChat and so on all opened, and the speed was the same as with the proxy off (note that with the AllowedIPs above these destinations are in fact routed through the tunnel too; what this test shows is that the round trip through the VPS did not make them noticeably slower);
  • Overseas websites: ChatGPT, YouTube, Google Translate, V2EX (which I had taken for a domestic site, but its server is abroad) and others all opened normally with no stalling, as shown in Figure 4;
  • No bandwidth upgrade was needed: a basic 1C1G server is enough for daily use (YouTube and ChatGPT included).

6. Summary of pitfalls (key notes)

  1. Do not use 0.0.0.0/1, 128.0.0.0/2 as the IPv4 split rule: it leaves out 192.0.0.0/2, where a large number of overseas IPs live, so some overseas websites become unreachable;
  2. The IPv6 prefixes ::/1, 8000::/1 already cover everything and need no change;
  3. When overseas websites will not open, check AllowedIPs coverage first rather than server bandwidth (in most cases bandwidth has nothing to do with it);
  4. The complete AllowedIPs in this post makes every overseas site reachable because it tunnels every routable IPv4 address; it does not, however, keep domestic traffic out of the tunnel. For real domestic-direct routing, subtract the domestic prefixes from 0.0.0.0/0 and list only the remainder in AllowedIPs.
    If some overseas website still cannot be reached after the change, AllowedIPs coverage is no longer the reason (only 0.0.0.0/8 lies outside the list); look at DNS resolution and at the handshake (`wg show` should report a recent latest handshake) instead, and feel free to leave a comment with the details. I hope this post saves others wrestling with WireGuard split routing a few pitfalls and detours!

Comments

2 responses to “Wireguard domestic direct connection + foreign tunnel configuration”

  1. […] Note: the AllowedIPs configuration is incomplete; it is recommended to refer to: Wireguard domestic direct connection + foreign tunnel configuration […]
