← ClaudeAtlas

reality-wireguard-relaylisted

Deploy a two-hop proxy chain where clients reach a VLESS-XHTTP-REALITY entry on a relay/中转 VPS, and the relay forwards over a WireGuard tunnel to one or more landing/落地 VPS that egress to the internet (so the exit IP is the landing's, not the relay's). Use this whenever the user wants to 搭中转+落地 / 中转走 reality 落地走 wireguard / build a REALITY front with a WireGuard backhaul, expose multiple exit IPs from landing machines, hide a GFW-blocked relay IPv4 behind its IPv6, or chain an xray REALITY inbound to a WireGuard NAT/SNAT exit. Triggers on "中转 reality 落地 wireguard", "vless xhttp reality + wireguard 出口", "relay to landing via wireguard", "多出口 IP 落地", even when not phrased exactly. NOT for the user's one-click superchaospc/xray-relay SOCKS5/直连 script (that's the xray-relay-deploy skill) and NOT for plain single-box VLESS setups with no WireGuard backhaul.
superchaospc/reality-wireguard-relay · ★ 0 · AI & Automation · score 72
Install: claude install-skill superchaospc/reality-wireguard-relay
# REALITY → WireGuard relay/landing chain Build the topology: ``` Client ──VLESS/XHTTP/REALITY──▶ Relay (中转, reachable entry) │ └──WireGuard──▶ Landing (落地) ──NAT──▶ Internet exit IP = landing's public IP(s) ``` The **relay** terminates REALITY and forwards proxied traffic into a WireGuard tunnel. The **landing** does the real egress. Keep the landing as a **pure kernel WireGuard forward + NAT** with **no userspace proxy** — that is the lowest-overhead design and should be the default. Only run xray/socks on the landing if the user has a concrete reason. This skill assumes SSH root access to both ends. It drives the boxes over SSH and is non-interactive. Work one phase at a time and **verify each phase before moving on** — silent misconfig here looks like "线路不通" later and is expensive to chase. ## Before anything: settle the design (read references/architecture.md) Four decisions shape everything. Resolve them up front; don't guess: 1. **Which relay address can clients actually reach?** A relay's IPv4 is often GFW-blocked while its IPv6 still works (or vice-versa). The client link must point at the *reachable* family, and **the client must have that same IP family**. Confirm this — it is the #1 real-world cause of "connects on the server but not for me". 2. **What IP family does the WireGuard backhaul use?** Whatever the *landing* has. If th