Routing traffic to a remote VPN via chains xrays

[ruz]

Hi,

I have the following working setup. Laptop with local xray with inbound wireguard and outgoings vless + freedom. Laptop has WG client that connects to this local xray and routes all traffic through it. Remote xray has vless inbound and freedom outbound. So far so good. The most common path is laptop -> WG -> xray local -> xray remote -> freedom.

My goal and struggle is a new requirement to setup WG outbound on remove xray to connect to VPN network of a company.

Here is what I did:

• Checked DNS. DNS works just fine, the company decided to use public DNS records and domains are resolved to 172.16.0.0/16.
• Made sure that on the laptop wg client is configured to allow 172.16.0.0/16. Config is correct and check via route says that gateway is a tunel when WG is active and en0 when it's not
• Configured WG outbound on the remote xray. IP based routing (not sure if it's needed or not).

setup doesn't work and I'm not sure where the problem. I tried to change logging to debug/trace, but don't see anything in the logs to help me.

My configuration, xray on laptop:

{
  "log": {
    "loglevel": "trace"
  },
  "reverse": {
    "bridges": [
      {
        "tag": "bridge",
        "domain": "reverse.proxy"
      }
    ]
  },
  "inbounds": [
    {
      "protocol": "wireguard",
      "listen": "127.0.0.1",
      "port": {% $wg_local_port %},
      "settings": {
        "secretKey": "{% $wg_server_private_key %}",
        "peers": [
          {
            "publicKey": "{% $wg_client_public_key %}"
          }
        ]
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ],
  "outbounds": [
    {
      "tag": "vless_tls",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "{% $xray_server_address %}",
            "port": 443,
            "users": [
              {
                "id": "{% ... %}",
                "flow": "xtls-rprx-vision",
                "encryption": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "serverName": "www.amd.com",
          "fingerprint": "chrome",
          "publicKey": "{% $xray_server_public_key %}",
          "shortId": "...",
          "spiderX": "/"
        },
        "sockopt": {
          "interface": "en0"
        }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {},
      "streamSettings": {
        "sockopt": {
          "interface": "en0"
        }
      }
    },
    {
      "tag": "torrent_local",
      "protocol": "freedom",
      "settings": {
        "redirect": "127.0.0.1:60000"
      }
    }
  ],
  "dns": {
    "hosts": {
      "dns.google": ["8.8.8.8", "8.8.4.4"]
    },
    "servers": [
      "8.8.8.8",
      "8.8.4.4",
      "9.9.9.9"
    ],
    "queryStrategy": "UseIPv4",
    "disableCache": false,
    "disableFallback": false,
    "disableFallbackIfMatch": false,
    "tag": "dns_inbound"
  },
  "routing": {
    "rules": [
      {
        "type": "field",
        "outboundTag": "direct",
        "domain": [
          ...
        ]
      },
      {
        "type": "field",
        "inboundTag": ["bridge"],
        "domain": [
          "full:reverse.proxy"
        ],
        "outboundTag": "vless_tls"
      },
      {
        "type": "field",
        "inboundTag": ["bridge"],
        "outboundTag": "torrent_local"
      },
      {
        "type": "field",
        "ip": [
          "192.168.40.0/24",
          "172.16.0.0/16"
        ],
        "outboundTag": "vless_tls"
      }
    ]
  }
}

xray on remote server:

{
  "log": {
    "loglevel": "error"
  },
  "routing": {
    "rules": [
      {
        "type": "field",
        "inboundTag": ["forward-60000"],
        "outboundTag": "portal",
        "network": "tcp,udp"
      },
      {
        "type": "field",
        "inboundTag": ["vless_tls"],
        "domain": [
          "full:reverse.proxy"
        ],
        "outboundTag": "portal"
      },
      {
        "type": "field",
        "inboundTag": ["vless_tls"],
        "ip": [
          "192.168.40.0/24",
          "172.16.0.0/16"
        ],
        "outboundTag": "xxx_vpn"
      }
    ],
    "domainStrategy": "AsIs"
  },
  "inbounds": [
    {
      "tag": "vless_tls",
      "protocol": "vless",
      "port": 443,
      "settings": {
        "clients": [
          {
            "id": "....",
            "email": "user1@myserver",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "www.amd.com:443",
          "xver": 0,
          "serverNames": [
            "www.amd.com"
          ],
          "privateKey": "{% $xray_server_private_key %}",
          "minClientVer": "",
          "maxClientVer": "",
          "maxTimeDiff": 0,
          "shortIds": [
            "..."
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    },
    {
      "tag": "forward-60000",
      "protocol": "dokodemo-door",
      "port": 60000,
      "settings": {
        "address": "127.0.0.1",
        "port": 60000,
        "network": "tcp,udp"
      },
      "streamSettings": {},
      "sniffing": {
        "enabled": true
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "wireguard",
      "tag": "xxx_vpn",
      "settings": {
        "secretKey": "....",
        "address": ["192.168.40.8"],
        "peers": [
          {
            "publicKey": "...",
            "endpoint": "3.122. ...",
            "keepAlive": 300,
            "allowedIPs": [
              "192.168.40.0/24",
              "172.16.0.0/16"
            ]
          }
        ]
      }
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ],
  "reverse": {
    "portals": [
      {
        "tag": "portal",
        "domain": "reverse.proxy"
      }
    ]
  }
}

[ruz]

In case somebody stumbles upon this thread. The problem was in "domainStrategy": "AsIs". My traffic that should go into xxx_vpn is HTTP, so sniffing added domain and routing is domain based by default. Changing to IPIfNoMatch or IPOnDemand solved the issue. I find it surprising. At the end, even if you sniffed domain from tls hello, xray still has tcp/ip connection and it has dst IP. Not sure why matching is not based on that IP and why documentation talks about resolving domain.