WireGuard over Xray

[mike-668]

Hello everyone,
Today, I tested the combination shown in the title in the intranet, referring to "https://cscot.pages.dev/2023/04/13/wireguard-xray/", and the wireguard connection failed. Any suggestions from you will be greatly appreciated.
The computer is installed with wireguard and xray clients, the server router MikroTik has built-in wireguard function, the server container is installed with Xray-1.8.23 and Nginx-1.24.0, and the routing setting dstnat maps the 443 interface of the public network IP to the container interface IP of Xray. The gateway of Xray and Nginx containers is the intranet IP of the router. (Wireguard connection is successful without Xray). The specific configuration is as follows:

Xray client config.json
{
"log": {
"loglevel": "warning"
},
"routing":{
"rules": [
{
"type": "field",
"inboundTag": [
"wireguard"
],
"outboundTag": "proxy"
}
]
},
"inbounds": [
{
"tag": "wireguard",
"listen": "127.0.0.1",
"port": 12345,
"protocol": "dokodemo-door",
"settings": {
"address": "Router intranet ip",
"port": 12345,
"network": "udp"
}
}
],
"outbounds": [
{
"tag":"proxy",
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "ip of Server",
"port": 443,
"users": [
{
"id": "UUID",
"encryption": "none",
"flow": "xtls-rprx-vision"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"serverName": "Server domain",
"allowInsecure": false,
"fingerprint": "chrome"
}
},
"tag": "proxy"
},
{
"protocol": "freedom",
"tag": "direct"
},
{
"protocol": "blackhole",
"tag": "block"
}
]
}

Xray Server config.json
{
"log":{
"loglevel":"warning",
"access": "/var/log/xray/access.log",
"error": "/var/log/xray/error.log"
},
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"ip": [
"geoip:cn"
],
"outboundTag": "block"
}
]
},
"inbounds": [
{
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "UUID",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none",
"fallbacks": [
{
"dest": "NginxIP:8001",
"xver": 1
},
{
"alpn": "h2",
"dest": "NginxIP:8002",
"xver": 1
}
]
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"rejectUnknownSni": true,
"minVersion": "1.2",
"certificates": [
{
"ocspStapling": 3600,
"certificateFile": "/etc/ssl/private/server.crt",
"keyFile": "/etc/ssl/private/private.pem"
}
]
}
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct"
},
{
"protocol": "blackhole",
"tag": "block"
}
],
"policy": {
"levels": {
"0": {
"handshake": 2,
"connIdle": 120
}
}
}
}

Nginx.conf
user nginx;
worker_processes auto;
pid /var/run/nginx.pid;

error_log /var/log/nginx/error.log notice;

events {
worker_connections 1024;
}

http {
log_format main '[$time_local] $proxy_protocol_addr "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;

map $http_upgrade $connection_upgrade {
    default upgrade;
    ""      close;
}

map $proxy_protocol_addr $proxy_forwarded_elem {
    ~^[0-9.]+$        "for=$proxy_protocol_addr";
    ~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\"";
    default           "for=unknown";
}

map $http_forwarded $proxy_add_forwarded {
    "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
    default "$proxy_forwarded_elem";
}

# When ACME uses standalone mode to request or renew a certificate, 
# it will listen on port 80. If port 80 is occupied, ACME will fail.
# Therefore comment out the block that makes Nginx listen on port 80.
 #server {
    #listen 80;
     #return 301 https://$host$request_uri;
 #}

server {
    listen 127.0.0.1:8001 proxy_protocol;
    listen 127.0.0.1:8002 http2 proxy_protocol;
    set_real_ip_from XrayIP;

    location / {
        sub_filter                         $proxy_host $host;
        sub_filter_once                    off;

        proxy_pass                         www.lovelive-anime.jp;
        proxy_set_header Host              $proxy_host;

        proxy_http_version                 1.1;
        proxy_cache_bypass                 $http_upgrade;

        proxy_ssl_server_name              on;

        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header X-Real-IP         $proxy_protocol_addr;
        proxy_set_header Forwarded         $proxy_add_forwarded;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;

        proxy_connect_timeout              60s;
        proxy_send_timeout                 60s;
        proxy_read_timeout                 60s;

        resolver 1.1.1.1;
    }
}

}

log of Xray (Server)
【MikroTik] > /container/shell 1
/ # cat /var/log/xray/access.log
2024/08/24 15:55:08 tcp:192.168.1.6:50353 accepted udp:10.10.1.1:33168 [direct]

[bogorad]

Check here, maybe a loop

https://computerscot.github.io/wireguard-over-xray.html