
Wireguard outbound ignores sockopt:domainStrategy setting #5363

@paratroop3r


Integrity requirements

  • I have read all the comments in the issue template and ensured that this issue meets the requirements.
  • I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
  • I provided the complete config and logs, rather than just providing the truncated parts based on my own judgment.
  • I searched issues and did not find any similar issues.
  • The problem can be successfully reproduced in the latest Release

Description

I want to prioritize IPv6 connections to my WireGuard server, which has both IPv6 and IPv4 addresses. The client ignores every setting that specifies this priority in the server connection properties: both the domainStrategy and the happyEyeballs settings are ignored.

Reproduction Method

Create a new WireGuard connection and try setting the IPv6 address priority using the settings I provided below. In the log you will see that DNS returns an A record in any case, even if it is disabled.
With the happyEyeballs options you will see random IPv4 connections to the server.

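Client config (the `secretKey` in each variant is the WireGuard private key exactly as posted; substitute a placeholder before sharing or reusing these configs)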

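Variant 1: priority with domainStrategy setting (as pasted, the wireguard outbound's `streamSettings` is missing the `"sockopt": {` line that the `freedom` outbound has, and a trailing comma follows `"ForceIPv6"`, so this block does not parse as-is)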

{
  "log": {
    "loglevel": "debug",
    "dnsLog": true
  },
  "dns": {
    "hosts": {
      "common.dot.dns.yandex.net": [
        "77.88.8.8",
        "77.88.8.1",
        "2a02:6b8::feed:0ff",
        "2a02:6b8:0:1::feed:0ff"
      ]
    },
    "servers": [
      "https://one.one.one.one/dns-query",
      {
        "address": "https+local://common.dot.dns.yandex.net/dns-query",
        "domains": [
          "domain:engage.cloudflareclient.com"
        ],
        "tag": "domestic-dns"
      }
    ],
    "disableFallback": true,
    "tag": "dns-module"
  },
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "domestic-dns"
        ],
        "outboundTag": "direct"
      }
    ]
  },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 10808,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "userLevel": 8
      },
      "sniffing": {
        "destOverride": [
          "http",
          "tls",
          "quic"
        ],
        "enabled": true,
        "routeOnly": false
      },
      "tag": "socks"
    }
  ],
  "outbounds": [
    {
      "mux": {
        "concurrency": -1,
        "enabled": false
      },
      "protocol": "wireguard",
      "settings": {
        "address": [
          "172.16.0.2/32",
          "2606:4700:110:86c3:3476:1d78:57b7:638/128"
        ],
        "mtu": 1280,
        "peers": [
          {
            "endpoint": "engage.cloudflareclient.com:2408",
            "publicKey": "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
          }
        ],
        "reserved": [
          210,
          107,
          225
        ],
        "secretKey": "J7H+ZOphnt1S2eQUBfnuoXSk/ycI7BMQmw+BEyOvCQw="
      },
      "streamSettings": {
        "network": "tcp",
          "domainStrategy": "ForceIPv6",
        }
      },
      "tag": "proxy"
    },
    {
      "protocol": "freedom",
      "streamSettings": {
        "sockopt": {
          "domainStrategy": "UseIP",
          "happyEyeballs": {
            "interleave": 2,
            "maxConcurrentTry": 4,
            "prioritizeIPv6": true,
            "tryDelayMs": 250
          }
        }
      },
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      },
      "tag": "block"
    }
  ]
}
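Variant 2: priority with happyEyeballs (as pasted, the wireguard outbound's `streamSettings` is missing the `"sockopt": {` line that the `freedom` outbound has, so this block does not parse as-is)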

{
  "log": {
    "loglevel": "debug",
    "dnsLog": true
  },
  "dns": {
    "hosts": {
      "common.dot.dns.yandex.net": [
        "77.88.8.8",
        "77.88.8.1",
        "2a02:6b8::feed:0ff",
        "2a02:6b8:0:1::feed:0ff"
      ]
    },
    "servers": [
      "https://one.one.one.one/dns-query",
      {
        "address": "https+local://common.dot.dns.yandex.net/dns-query",
        "domains": [
          "domain:engage.cloudflareclient.com"
        ],
        "tag": "domestic-dns"
      }
    ],
    "disableFallback": true,
    "tag": "dns-module"
  },
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "domestic-dns"
        ],
        "outboundTag": "direct"
      }
    ]
  },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 10808,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "userLevel": 8
      },
      "sniffing": {
        "destOverride": [
          "http",
          "tls",
          "quic"
        ],
        "enabled": true,
        "routeOnly": false
      },
      "tag": "socks"
    }
  ],
  "outbounds": [
    {
      "mux": {
        "concurrency": -1,
        "enabled": false
      },
      "protocol": "wireguard",
      "settings": {
        "address": [
          "172.16.0.2/32",
          "2606:4700:110:86c3:3476:1d78:57b7:638/128"
        ],
        "mtu": 1280,
        "peers": [
          {
            "endpoint": "engage.cloudflareclient.com:2408",
            "publicKey": "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
          }
        ],
        "reserved": [
          210,
          107,
          225
        ],
        "secretKey": "J7H+ZOphnt1S2eQUBfnuoXSk/ycI7BMQmw+BEyOvCQw="
      },
      "streamSettings": {
        "network": "tcp",
          "domainStrategy": "UseIP",
          "happyEyeballs": {
            "interleave": 2,
            "maxConcurrentTry": 4,
            "prioritizeIPv6": true,
            "tryDelayMs": 250
          }
        }
      },
      "tag": "proxy"
    },
    {
      "protocol": "freedom",
      "streamSettings": {
        "sockopt": {
          "domainStrategy": "UseIP",
          "happyEyeballs": {
            "interleave": 2,
            "maxConcurrentTry": 4,
            "prioritizeIPv6": true,
            "tryDelayMs": 250
          }
        }
      },
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      },
      "tag": "block"
    }
  ]
}

Server config

.

Client log

Priority with domainStrategy setting

Xray 25.12.2 (Xray, Penetrates Everything.) e403abe (go1.25.4 android/arm64)
A unified platform for anti-censorship.
2025/12/03 05:09:55.543600 Using config from STDIN
2025/12/03 05:09:55.543745 [Info] infra/conf/serial: Reading config: &{Name:stdin: Format:json}
2025/12/03 05:09:55.546254 [Debug] app/log: Logger started
2025/12/03 05:09:55.546277 [Info] app/dns: DNS: created DOH client for https://one.one.one.one/dns-query, with h2c false
2025/12/03 05:09:55.546286 [Info] app/dns: DNS: created DOHL client for https://common.dot.dns.yandex.net/dns-query, with h2c false
2025/12/03 05:09:55.546426 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:10808
2025/12/03 05:09:55.546432 [Debug] app/stats: create new counter outbound>>>proxy>>>traffic>>>uplink
2025/12/03 05:09:55.546434 [Debug] app/stats: create new counter outbound>>>proxy>>>traffic>>>downlink
2025/12/03 05:09:55.546435 [Debug] app/stats: create new counter outbound>>>direct>>>traffic>>>uplink
2025/12/03 05:09:55.546437 [Debug] app/stats: create new counter outbound>>>direct>>>traffic>>>downlink
2025/12/03 05:09:55.546439 [Debug] app/stats: create new counter outbound>>>block>>>traffic>>>uplink
2025/12/03 05:09:55.546440 [Debug] app/stats: create new counter outbound>>>block>>>traffic>>>downlink
2025/12/03 05:09:55.546634 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:10808
2025/12/03 05:09:55.546804 [Info] transport/internet/udp: listening UDP on 127.0.0.1:10808
2025/12/03 05:09:55.546855 [Info] app/commander: API server listening on 127.0.0.1:15861
2025/12/03 05:09:55.546859 [Warning] core: Xray 25.12.2 started
2025/12/03 05:10:04.720187 [Debug] [1869883453] proxy/socks: Not Socks request, try to parse as HTTP request
2025/12/03 05:10:04.720424 [Info] [1869883453] proxy/http: request to Method [CONNECT] Host [ads.mozilla.org:443] with URL [//ads.mozilla.org:443]
2025/12/03 05:10:04.721542 [Info] [1869883453] app/dispatcher: sniffed domain: ads.mozilla.org
2025/12/03 05:10:04.721556 [Info] [1869883453] app/dispatcher: default route for tcp:ads.mozilla.org:443
2025/12/03 05:10:04.721558 [Info] switching dialer
2025/12/03 05:10:04.721560 [Warning] proxy/wireguard: Using gVisor TUN. Kernel TUN is not supported on your OS, or your permission is insufficient.
2025/12/03 05:10:04.721659 from 127.0.0.1:52420 accepted //ads.mozilla.org:443 [socks >> proxy]
2025/12/03 05:10:04.721828 [Debug] app/dns: domain engage.cloudflareclient.com matches following rules: [domain:engage.cloudflareclient.com(DNS idx:1)]
2025/12/03 05:10:04.721831 [Debug] app/dns: domain engage.cloudflareclient.com will use DNS in order: [DOHL//common.dot.dns.yandex.net]
2025/12/03 05:10:04.721833 [Info] app/dns: DOHL//common.dot.dns.yandex.net querying: engage.cloudflareclient.com.
2025/12/03 05:10:04.722638 from DNS accepted https://common.dot.dns.yandex.net/dns-query [local]
2025/12/03 05:10:04.722661 [Debug] transport/internet: dialing to tcp:common.dot.dns.yandex.net:443
2025/12/03 05:10:04.727078 from 127.0.0.1:52422 accepted http://detectportal.firefox.com/success.txt?ipv4 [socks >> proxy]
2025/12/03 05:10:04.727349 [Debug] [1409662596] proxy/socks: Not Socks request, try to parse as HTTP request
2025/12/03 05:10:04.727363 [Info] [1409662596] proxy/http: request to Method [GET] Host [detectportal.firefox.com] with URL [http://detectportal.firefox.com/success.txt?ipv4]
2025/12/03 05:10:04.727370 [Info] [1409662596] app/dispatcher: default route for tcp:detectportal.firefox.com:80
2025/12/03 05:10:04.728865 [Debug] [3694486531] proxy/socks: Not Socks request, try to parse as HTTP request
2025/12/03 05:10:04.728887 [Info] [3694486531] proxy/http: request to Method [GET] Host [detectportal.firefox.com] with URL [http://detectportal.firefox.com/success.txt?ipv6]
2025/12/03 05:10:04.728923 from 127.0.0.1:52430 accepted http://detectportal.firefox.com/success.txt?ipv6 [socks >> proxy]
2025/12/03 05:10:04.728949 [Info] [3694486531] app/dispatcher: default route for tcp:detectportal.firefox.com:80
2025/12/03 05:10:04.730735 [Debug] [1259029611] proxy/socks: Not Socks request, try to parse as HTTP request
2025/12/03 05:10:04.730763 [Info] [1259029611] proxy/http: request to Method [CONNECT] Host [ads.mozilla.org:443] with URL [//ads.mozilla.org:443]
2025/12/03 05:10:04.730765 [Debug] [4291056118] proxy/socks: Not Socks request, try to parse as HTTP request
2025/12/03 05:10:04.730770 [Info] [4291056118] proxy/http: request to Method [CONNECT] Host [incoming.telemetry.mozilla.org:443] with URL [//incoming.telemetry.mozilla.org:443]
2025/12/03 05:10:04.732900 from 127.0.0.1:52440 accepted //incoming.telemetry.mozilla.org:443 [socks >> proxy]
2025/12/03 05:10:04.732935 [Info] [4291056118] app/dispatcher: sniffed domain: incoming.telemetry.mozilla.org
2025/12/03 05:10:04.732943 [Info] [4291056118] app/dispatcher: default route for tcp:incoming.telemetry.mozilla.org:443
2025/12/03 05:10:04.733241 from 127.0.0.1:52438 accepted //ads.mozilla.org:443 [socks >> proxy]
2025/12/03 05:10:04.733251 [Info] [1259029611] app/dispatcher: sniffed domain: ads.mozilla.org
2025/12/03 05:10:04.733254 [Info] [1259029611] app/dispatcher: default route for tcp:ads.mozilla.org:443
2025/12/03 05:10:04.957151 [Info] app/dns: DOHL//common.dot.dns.yandex.net got answer: engage.cloudflareclient.com. TypeAAAA -> [2606:4700:d0::a29f:c001], rtt: 235.303646ms, lock: 3.698µs
2025/12/03 05:10:04.957188 [Info] app/dns: DOHL//common.dot.dns.yandex.net got answer: engage.cloudflareclient.com. TypeA -> [162.159.192.1], rtt: 235.317396ms, lock: 3.125µs
2025/12/03 05:10:04.957202 DOHL//common.dot.dns.yandex.net got answer: engage.cloudflareclient.com. -> [162.159.192.1, 2606:4700:d0::a29f:c001] 235.355ms
2025/12/03 05:10:04.957215 [Debug] Routine: encryption worker 1 - started
2025/12/03 05:10:04.957227 [Debug] Routine: encryption worker 2 - started
2025/12/03 05:10:04.957230 [Debug] Routine: decryption worker 1 - started
2025/12/03 05:10:04.957236 [Debug] Routine: decryption worker 3 - started
2025/12/03 05:10:04.957239 [Debug] Routine: handshake worker 1 - started
2025/12/03 05:10:04.957242 [Debug] Routine: handshake worker 2 - started
2025/12/03 05:10:04.957244 [Debug] Routine: encryption worker 3 - started
2025/12/03 05:10:04.957246 [Debug] Routine: encryption worker 5 - started
2025/12/03 05:10:04.957252 [Debug] Routine: encryption worker 4 - started
2025/12/03 05:10:04.957261 [Debug] Routine: decryption worker 4 - started
2025/12/03 05:10:04.957263 [Debug] Routine: handshake worker 4 - started
2025/12/03 05:10:04.957265 [Debug] Routine: encryption worker 6 - started
2025/12/03 05:10:04.957267 [Debug] Routine: handshake worker 3 - started
2025/12/03 05:10:04.957269 [Debug] Routine: decryption worker 5 - started
2025/12/03 05:10:04.957271 [Debug] Routine: handshake worker 5 - started
2025/12/03 05:10:04.957273 [Debug] Routine: handshake worker 6 - started
2025/12/03 05:10:04.957275 [Debug] Routine: handshake worker 7 - started
2025/12/03 05:10:04.957277 [Debug] UAPI: Updating private key
2025/12/03 05:10:04.957282 [Debug] Routine: encryption worker 7 - started
2025/12/03 05:10:04.957284 [Debug] Routine: decryption worker 6 - started
2025/12/03 05:10:04.957300 [Debug] Routine: handshake worker 8 - started
2025/12/03 05:10:04.957302 [Debug] Routine: decryption worker 7 - started
2025/12/03 05:10:04.957304 [Debug] Routine: decryption worker 8 - started
2025/12/03 05:10:04.957306 [Debug] Routine: encryption worker 8 - started
2025/12/03 05:10:04.957308 [Debug] Routine: TUN reader - started
2025/12/03 05:10:04.957373 [Debug] Routine: decryption worker 2 - started
2025/12/03 05:10:04.957383 [Debug] Routine: event worker - started
2025/12/03 05:10:04.957386 [Debug] Interface up requested
2025/12/03 05:10:04.957415 [Debug] UDP bind has been updated
2025/12/03 05:10:04.957455 [Debug] Routine: receive incoming Open - started
2025/12/03 05:10:04.957755 [Debug] peer(bmXO…fgyo) - UAPI: Created
2025/12/03 05:10:04.957758 [Debug] peer(bmXO…fgyo) - UAPI: Updating endpoint
2025/12/03 05:10:04.957759 [Debug] peer(bmXO…fgyo) - UAPI: Adding allowedip
2025/12/03 05:10:04.957761 [Debug] peer(bmXO…fgyo) - UAPI: Adding allowedip
2025/12/03 05:10:04.957763 [Debug] peer(bmXO…fgyo) - Starting
2025/12/03 05:10:04.957765 [Debug] Interface state was Down, requested Up, now Up
2025/12/03 05:10:04.958107 [Warning] app/dns: domain ads.mozilla.org will use the first DNS: [DOH//one.one.one.one]
2025/12/03 05:10:04.958118 [Info] app/dns: DOH//one.one.one.one querying: ads.mozilla.org.
2025/12/03 05:10:04.958325 [Debug] peer(bmXO…fgyo) - Routine: sequential sender - started
2025/12/03 05:10:04.958335 [Debug] peer(bmXO…fgyo) - Routine: sequential receiver - started
2025/12/03 05:10:04.958367 [Warning] app/dns: domain detectportal.firefox.com will use the first DNS: [DOH//one.one.one.one]
2025/12/03 05:10:04.958370 [Info] app/dns: DOH//one.one.one.one querying: detectportal.firefox.com.
2025/12/03 05:10:04.958375 [Warning] app/dns: domain incoming.telemetry.mozilla.org will use the first DNS: [DOH//one.one.one.one]
2025/12/03 05:10:04.958503 [Info] app/dns: DOH//one.one.one.one querying: incoming.telemetry.mozilla.org.

Server log

.
