gluetun-shadowsocks-wg-easy.yml

services:
  client:
    image: qmcgaw/gluetun:v3.39.0
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.disable_ipv6=0
    environment:
      VPN_SERVICE_PROVIDER: ${WIREGUARD_CLIENT_SERVICE_PROVIDER}
      VPN_TYPE: wireguard
      WIREGUARD_MTU: 1296
      WIREGUARD_PRIVATE_KEY: ${WIREGUARD_CLIENT_PRIVATE_KEY}
      WIREGUARD_ADDRESSES: ${WIREGUARD_CLIENT_ADDRESSES}
      SERVER_COUNTRIES: ${WIREGUARD_CLIENT_COUNTRIES}
      SHADOWSOCKS: on
      SHADOWSOCKS_PASSWORD: "${SHADOWSOCKS_PASSWORD:-secret}"
      SHADOWSOCKS_CIPHER: aes-128-gcm
    restart: unless-stopped

  proxy:
    image: ghcr.io/shadowsocks/sslocal-rust:v1.20.4
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    entrypoint:
      - /bin/sh
      - -ec
      - >
        wget -qO- "https://gist.githubusercontent.com/nedix/27f291577b03ced31076b3e093b604d2/raw/e2ea27707ede65c7df044d7596c09609523cf741/local.conf" > /etc/sysctl.d/local.conf;
        setsid sslocal \
          -U \
          --protocol tun \
          --server-addr "client:8388" \
          --encrypt-method "aes-128-gcm" \
          --password "${SHADOWSOCKS_PASSWORD:-secret}" \
          --tun-interface-address "${NETWORK_PREFIX:-10.8.0}.0/32"
    ports:
      - 51821:51821/tcp
      - 51820:51820/udp
    depends_on:
      client:
        condition: service_healthy
    restart: unless-stopped

  server:
    image: ghcr.io/wg-easy/wg-easy:14
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.disable_ipv6=0
    environment:
      WG_HOST: "${HOSTNAME:-host.docker.internal}"
      WG_DEFAULT_ADDRESS: "${NETWORK_PREFIX:-10.8.0}.x"
      WG_MTU: 1296
      WG_POST_UP: >
        ip route add default dev tun0 table 123;
        ip rule add from "${NETWORK_PREFIX:-10.8.0}.0/24" table 123;
    network_mode: service:proxy
    volumes:
      - /config
    restart: unless-stopped

local.conf

# Source: https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks

# max open files
fs.file-max = 51200
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096

# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling
net.ipv4.tcp_tw_recycle = 0
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# turn on TCP Fast Open on both client and server side
net.ipv4.tcp_fastopen = 3
# TCP receive buffer
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1

# for high-latency network
# net.ipv4.tcp_congestion_control = hybla

# for low-latency network, use cubic instead
net.ipv4.tcp_congestion_control = cubic