Wireguard over ShadowSocks

I have a GL-iNet Beryl AX that I am trying to use as a Wireguard client with the traffic being proxied through ShadowSocks to obfuscate my traffic. I have it working for the most part (huge thank you to @maurer for this thread). But I am hitting an issue where it connects just fine to my wireguard server, but when I try to ping 8.8.8.8 or curl icanhazip.com, I end up getting 100% packet loss and the wireguard service restarting. I discovered that if I manually run the ip route add command on the travel router (adjusted from the original blog post), the VPN tunnel becomes 100% functional.

I can't seem to set a postup/postdown bit of my wireguard config via the GL-iNet GUI (it doesn't save). I am assuming I could just modify the script I think gets called when the interface comes up by modifying /etc/wireguard/wgclient-route.update.sh, but I feel that this is a short-term solution. I am assuming these scripts would get wiped on updates. Through troubleshooting, I discovered I could completely remove the config route 'route_to_wg_server' and config wireguard_vpn 'wgserver' (from Maurer's comment) and it doesn't seem to affect anything with my setup. Any ideas on why those 2 config blocks aren't going into effect, and if getting those blocks to go into effect would fix my problem?

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.


Please redo your setup with official OpenWrt firmware https://openwrt.org/toh/gl.inet/gl-mt3000 as my tutorial was specifically written for it.


Thank you. I performed the flash to stock OpenWrt firmware. It looks like it is connecting to wireguard through the shadowsocks proxy. However, it appears that any clients on my LAN only have access to the router + my wireguard host. Even after enabling masquerading, I can't seem to get all traffic to route through the tunnel. Do you by chance have an example firewall config? I had been attempting to follow this guide, slightly modified, but that didn't seem to do the trick.

Please post (and redact any private info like public IPs and MAC addresses) your cat /etc/config/firewall and cat /etc/config/network
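For reference, here is an added example of the two UCI fragments this kind of setup normally needs on official OpenWrt. It is not maurer's tutorial config or anything posted in this thread; the interface name wg0, the zone name wg, and the endpoint address 203.0.113.10 are placeholders I chose for illustration and must be replaced with your own values. The route entry matters when 0.0.0.0/0 is pushed into the tunnel: without a more specific route for the endpoint via wan, the encrypted packets themselves get routed back into the tunnel and the peer never answers (the restart/packet-loss symptom described in the first post).

```uci
# /etc/config/network (fragment, hypothetical names and addresses)

# Keep the WireGuard endpoint (or the Shadowsocks server in front of it)
# reachable over the physical WAN even when wg0 carries the default route.
config route 'route_to_wg_server'
	option interface 'wan'
	option target '203.0.113.10/32'

# /etc/config/firewall (fragment)

# Separate zone for the tunnel. masq=1 hides LAN addresses behind the
# tunnel address; mtu_fix=1 clamps TCP MSS so large packets survive the
# extra WireGuard (and proxy) encapsulation overhead.
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Let LAN clients send traffic into the tunnel.
config forwarding
	option src 'lan'
	option dest 'wg'
```

After editing, apply with `/etc/init.d/network reload` and `/etc/init.d/firewall reload`, then confirm with `ip route get 203.0.113.10` (should show dev wan, not wg0) and `ip route get 8.8.8.8` (should show wg0). If the endpoint address is dynamic, a static host route will go stale, which is the situation policy-based routing (pbr) is better suited to.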

After tinkering with it all day, I got it working, just with really slow throughput... (I switched to using pbr, which removed my need to set the static route to my WG server's public IP address, which isn't actually a static address.)

However, I am experiencing nowhere near the same throughput you were getting... I am averaging 0.27 Mb/s down and 18.8 Mb/s up on clients with their traffic routing through the shadowsocks + wireguard VPN tunnel. Was there anything you did to tune your connection to get your ~200 Mb/s throughput? My OpenWrt client has a 300 Mb symmetrical connection to a WG server that has a 1 Gb symmetrical connection. So bandwidth shouldn't be the issue here.

For diagnosing this do you want me to upload any specific config files?

Do you have a guide to implement WG over SS? I could pay gold for it! Thanks. Even better, you could try to run wireguard over v2ray.