WireGuard — mihomo
mihomo's WireGuard outbound runs in userspace (gVisor-backed). The schema offers both a simplified single-peer shape (where peer fields sit at the proxy root) and a verbose multi-peer shape via peers:. The optional amnezia-wg-option block enables interoperation with AmneziaWG-flavored servers.
Outbound
Entry under proxies: with type: wireguard. Embeds BasicOption plus the simplified-peer fields from WireGuardPeerOption.
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
name | string | (required) | <string> | Unique proxy name. |
ip | string | (unset) | <IPv4 CIDR> | Local tunnel IPv4 address (e.g. `10.0.0.2/32`). |
ipv6 | string | (unset) | <IPv6 CIDR> | Local tunnel IPv6 address. |
private-key | string | (required) | <base64 key> | Local private key. |
workers | int | (CPU-based) | <int> | Encryption-pipeline worker count. |
mtu | int | 1408 | <bytes> | Tunnel MTU. |
udp | bool | false | true | false | Enable UDP relay. |
persistent-keepalive | int | 0 | <seconds> | Persistent-keepalive interval. 0 disables keepalives. |
amnezia-wg-option | *AmneziaWGOption | (unset) | AmneziaWGOption | AmneziaWG obfuscation parameters (junk packets, header masking). |
peers | []WireGuardPeerOption | (use simplified shape) | [WireGuardPeerOption] | Verbose multi-peer list. When set, the embedded simplified fields are ignored. |
remote-dns-resolve | bool | false | true | false | Resolve DNS queries through the WireGuard tunnel using the peer's resolvers. |
dns | []string | [] | [<DNS server>] | Resolvers to use inside the tunnel when `remote-dns-resolve` is true. |
refresh-server-ip-interval | int | 0 | <seconds> | Re-resolve peer hostnames every N seconds. 0 disables periodic re-resolution. |
Source: adapter/outbound/wireguard.go:57-77 · pinned at v1.19.27 (5184081)
peers[] — multi-peer shape
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
server | string | (required) | <host> | Peer hostname or IP. |
port | int | (required) | <port> | Peer UDP port. |
public-key | string | (required) | <base64 key> | Peer public key. |
pre-shared-key | string | (unset) | <base64 key> | Optional PSK. |
reserved | []uint8 | (empty) | <3 bytes> | 3-byte reserved-field override. |
allowed-ips | []string | [] | [<CIDR>] | Allowed-IPs for this peer. |
Source: adapter/outbound/wireguard.go:79-86 · pinned at v1.19.27 (5184081)
amnezia-wg-option
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
jc | int | 0 | <int> | Junk-packet count per handshake. |
jmin | int | 0 | <bytes> | Minimum junk-packet size. |
jmax | int | 0 | <bytes> | Maximum junk-packet size. |
s1 | int | 0 | <bytes> | Pre-init-packet padding length. |
s2 | int | 0 | <bytes> | Pre-response-packet padding length. |
s3 | int | 0 | <bytes> | AmneziaWG v1.5/v2 — pre-cookie-packet padding length. |
s4 | int | 0 | <bytes> | AmneziaWG v1.5/v2 — pre-data-packet padding length. |
h1 | string | (unset) | <int or hex> | Header magic for the init packet. Numeric or hex. |
h2 | string | (unset) | <int or hex> | Header magic for the response packet. |
h3 | string | (unset) | <int or hex> | Header magic for the cookie packet. |
h4 | string | (unset) | <int or hex> | Header magic for the data packet. |
i1 | string | (unset) | <hex> | AmneziaWG v1.5/v2 — special-packet 1 payload. |
i2 | string | (unset) | <hex> | Special-packet 2 payload. |
i3 | string | (unset) | <hex> | Special-packet 3 payload. |
i4 | string | (unset) | <hex> | Special-packet 4 payload. |
i5 | string | (unset) | <hex> | Special-packet 5 payload. |
j1 | string | (unset) | <hex> | AmneziaWG v1.5 only — junk packet 1 payload. |
j2 | string | (unset) | <hex> | AmneziaWG v1.5 only — junk packet 2 payload. |
j3 | string | (unset) | <hex> | AmneziaWG v1.5 only — junk packet 3 payload. |
itime | int64 | 0 | <seconds> | AmneziaWG v1.5 only — junk-packet emission cadence. |
Source: adapter/outbound/wireguard.go:88-109 · pinned at v1.19.27 (5184081)
Examples
Simplified single-peer outbound:
yaml
proxies:
- name: wg-simple
type: wireguard
server: wg.example.com
port: 51820
private-key: <base64>
public-key: <base64 peer key>
ip: 10.0.0.2/32
ipv6: fd00::2/128
allowed-ips: ['0.0.0.0/0', '::/0']
udp: true
persistent-keepalive: 25Multi-peer outbound (e.g., a hub-and-spoke setup):
yaml
proxies:
- name: wg-multi
type: wireguard
private-key: <base64>
ip: 10.0.0.2/32
udp: true
peers:
- server: spoke1.example.com
port: 51820
public-key: <base64-spoke1>
allowed-ips: ['10.0.1.0/24']
- server: spoke2.example.com
port: 51820
public-key: <base64-spoke2>
allowed-ips: ['10.0.2.0/24']AmneziaWG-compatible outbound:
yaml
proxies:
- name: awg
type: wireguard
server: awg.example.com
port: 12345
private-key: <base64>
public-key: <base64>
ip: 10.13.13.2/32
allowed-ips: ['0.0.0.0/0']
udp: true
amnezia-wg-option:
jc: 4
jmin: 40
jmax: 80
s1: 0
s2: 0
h1: '0x12345678'
h2: '0x87654321'
h3: '0xabcdef01'
h4: '0x10fedcba'Notes
- mihomo accepts both the simplified shape (top-level
server/port/public-key/allowed-ips) and the verbosepeers:list. Whenpeersis set, the embedded simplified fields are ignored. remote-dns-resolve: truemakes WireGuard tunnel DNS queries to the resolvers listed indns:(instead of using the local resolver). Useful when the local DNS cannot reach the destination.refresh-server-ip-intervalonly matters when a peer'sserveris a hostname; the field re-resolves it on a fixed interval, useful for dynamic-DNS endpoints.amnezia-wg-optionfields are versioned:s3/s4/i1-i5are AmneziaWG v1.5+;j1/j2/j3/itimeare v1.5-only (removed in v2.0). See source comments atadapter/outbound/wireguard.go:94-108.
Cross-core notes
- Xray-core uses
peers:always (no simplified shape), exposes anoKernelTunflag for the Linux fast path, and uses field names likesecretKey,address,publicKey(camelCase). See WireGuard — Xray-core. - sing-box moved WireGuard to the endpoints model — it is no longer under
outbounds[]. Field names use snake_case (private_key,allowed_ips). See WireGuard — sing-box.
Source: adapter/outbound/wireguard.go:57-109 · v1.19.27 (5184081)