Posts

Introduction This post explains how to use sing-box on macOS to replace the combination of wireguard-tools + Xray + Proxifier, achieving global proxy, multiple VPN network coexistence, and auto-start on boot. The old approach had several pain points: Scattered tooling: Required three tools working together – Xray (proxy) + Proxifier (global proxy) + wireguard-tools (multiple VPNs) Manual startup: Each boot required launching Proxifier separately and manually running sudo wg-quick up to join each VPN network VM incompatibility: Proxifier is based on NetworkExtension, which cannot share the proxy with NAT-based macOS VMs (e.g., Tart-based VMs) Official WireGuard limitations: The Mac App Store WireGuard client does not support connecting to multiple VPN networks simultaneously, making userspace WireGuard the only viable option for now sing-box intercepts traffic at L3 via TUN mode, essentially configuring the system routing table. This means: ...

Introduction This post explains how to set up automated code review powered by Claude Code in a self-hosted GitLab instance, without relying on GitLab’s enterprise AI features (GitLab Duo). All you need is: A Claude Code Max subscription A GitLab Runner with proxy access configured This gives your team AI-powered code review, generating reports in both Markdown and PDF formats. Prerequisites Personal Advice Do not use a personal subscription in CI. Use Anthropic’s API service instead of a personal subscription – a personal subscription will be banned for violating the multi-user sharing rule in the terms of service. This is based on my experience of having 2 Max accounts banned. ...

TLDR Bare metal server link aggregation configuration Bare metal server link aggregation + VLAN configuration Bare metal server link aggregation + VLAN + Bridge configuration Bare metal server derived practices Introduction It has been a while since I last wrote a blog post. Two reasons kept me from writing. First, OpenAI’s ChatGPT already provides excellent answers to many technical questions, making my repetition seem redundant. Second, exhaustion left me unable to think clearly – I did not know what to share, and therefore could not find the motivation to write. ...

Kernel Module Logic Specify the module initialization entry function wg_device_init Register the virtual network device rtnl_link_register(&link_ops) Initialize the net_device struct via wg_setup Specify the initialization operation for the ip link add command (where the main functional logic resides) wg_newlink Specify the operation when the virtual network device is brought up wg_open Specify the operation when the virtual network device is stopped wg_stop Specify the operation when the virtual network device starts transmitting the first packet wg_xmit The WireGuard initialization steps are: Add a virtual network device via ip link add dev wg0 type wireguard Configure the virtual network device address via ip addr add 10.0.0.4/24 dev wg0 Apply WireGuard configuration via wg set wg0 Bring up the virtual network device via ip link set wg0 up Therefore, we should first look at the logic of wg_newlink, then the logic of wg_open

Introduction This article is based on the WireGuard Golang implementation, on the Linux platform, at Git revision: 12269c2 Content Packet Sending and Receiving WireGuard interacts with the system’s network stack by creating a TUN device. Data Abstraction Overview Rate Limiter Before performing data encryption and decryption, WireGuard needs to negotiate a symmetric encryption key (ephemeral) through the Noise Protocol based on cryptographic algorithms. This negotiation process (handshake) involves encryption/decryption and hashing operations. To prevent DoS attacks targeting the responder’s CPU load, the responder rate-limits handshake requests based on real-time load. It instantiates a token bucket for each source IP (one token bucket per source IP) and applies frequency limits to handshake packets based on the token bucket. The default policy allows 20 handshake packets per second, with a burst capacity of up to 5 handshake packets at any given moment (i.e., per nanosecond). ...

Introduction This article is a supplement to the previous post: WireGuard: Cross-City LAN Communication. It focuses on how remote developers – those outside the office network – can access services within the office LAN across cities using WireGuard(R). Scenario The team embraces remote work, with developers located across the country. The company has an office in a certain city, where virtualization is self-hosted on the office LAN, running a series of development services (GitLab, CI, K8s). ...

Introduction Physical leased lines can interconnect devices across multiple LANs (as if they were on the same LAN), but the complex process (ISP approval and deployment) makes them unfriendly for individual developers and small teams. This article introduces how to build a WireGuard-based “cloud leased line” using WireGuard(R), achieving cross-LAN device interconnection at a low cost (no approval needed, only 60 CNY per year1). Challenges LAN-level traffic forwarding. Any device in LAN A can access any device in LAN B (as if they were on the same LAN). The WireGuard node in each LAN is behind an ISP NAT device, with no NAT traversal support and no public IP. Only one WireGuard node runs in each LAN. Scenario A company has multiple offices (distributed across different cities), each with its own LAN hosting self-built private services (K8s, GitLab, CI). ...

Introduction WireGuard® is a Linux kernel module (built into all major distributions). Recently, I have been studying WireGuard’s source code through debugging. This article documents the process of debugging the WireGuard kernel module source code. Challenges How to build a kernel with debug symbols How to set up a debugging environment with QEMU How to perform remote debugging with GDB How to integrate graphical debugging in VSCode Content Approach Build a Linux kernel with DEBUG symbols based on the latest WireGuard kernel module source code Boot a virtual machine using QEMU with the kernel built in the previous step Perform remote debugging via GDB Prerequisites The local development environment must meet the following requirements: ...

Introduction While reading the WireGuard(R) source code and whitepaper, I used Wireshark for packet analysis. This article documents the process of capturing WireGuard encrypted packets with Wireshark and decrypting them in real time1. Content Approach Set up two virtual machines to build a WireGuard VPN test network, where VM A acts as the initiator and VM B acts as the responder. Install Wireshark (with sshdump support) on a local Windows laptop and connect to VM A via SSH for remote real-time packet capture. Challenges Forward secrecy2 complicates traffic analysis. To ensure forward secrecy, WireGuard rotates ephemeral keys (one-time use) every 120 seconds to encrypt data packets. Therefore, to obtain real-time plaintext data, Wireshark needs to dynamically retrieve ephemeral keys and decrypt packets on the fly. Kernel replacement is required. WireGuard is a Linux kernel module. In my test environment, I needed to recompile and replace the kernel to dynamically retrieve ephemeral keys via Kprobe. Step-by-Step Operations Compiling and Replacing the Kernel Since I capture packets on VM A, I need to compile and replace VM A’s kernel. See: Arch Linux Wiki ...

Introduction My local machine is a Windows 11 ThinkPad T480, while my development environment runs on a Linux server accessed and controlled via SSH. I wanted to use y in Vim on the Linux server to copy code to my local Windows 11 clipboard, and use p to paste the latest content from my local Windows 11 clipboard into Vim on the server. This article provides a low-cost solution. Approach Windows’ WSL supports running Linux X11 GUI programs directly, and within a Linux X11 GUI, you can directly access the Windows local clipboard. This means that inside WSL, we can use SSH X11 Forwarding to forward the remote X11 session into WSL, allowing X11 GUI programs on the Linux server to access the Windows 11 local clipboard through WSL as a relay. ...