Overview

Userspace WireGuard lets Clash handle WireGuard-style proxy connections without relying entirely on a kernel module. It is useful on systems where kernel-level WireGuard is unavailable or inconvenient.

Configuration notes

WireGuard-style outbound settings are sensitive to keys, endpoints, allowed IP ranges, MTU and DNS. A small typo can look like a general network connection symptom.

Testing

Test endpoint reachability first, then confirm that the proxy group selecting the WireGuard outbound is actually used by the matching rule.

Support Checks

Common causes include wrong private keys, unreachable endpoints, prompted UDP, unsuitable MTU and DNS rules that resolve through the wrong path.

Reference examples

These examples mirror the corresponding Chinese documentation page so the English page carries the same configuration material.

proxies:
  - name: "wg"
    type: wireguard
    server: 127.0.0.1
    port: 443
    ip: 172.16.0.2
    # ipv6: your_ipv6
    private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
    public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    # preshared-key: base64
    # reference note
    # dns: [1.1.1.1, 8.8.8.8]
    # mtu: 1420
    udp: true

Userspace WireGuard

Overview

Configuration notes

Testing

Support Checks

Related pages

Reference examples