WireGuard as a “Switch”

Not really a switch, but close enough. If you want to exchange traffic between two networks through a host on the Internet, this post helps.

In this case, Router 1 wants to use Router 2 as its gateway for some destinations. All three nodes have public Internet IP addresses.

I set up a tunnel network using WireGuard. All of the work is done on the server in the middle.

If I put a config like that into /etc/wireguard/wg0.conf and run wg-quick up wg0, I may lose my connection to the server because of the default route: wg-quick installs a route for every AllowedIPs prefix, so a peer that claims 0.0.0.0/0 pulls the server's own traffic, including the SSH session, into the tunnel.

Now add a routing table to the system (in /etc/iproute2/rt_tables) and change wg0.conf to use it; let's name the table wgswitch with id 201.

Then modify wg0.conf so that wg-quick puts the routes for AllowedIPs into that table instead of the main table.

Once the tunnels are up, you can ping from router1 to router2 across the tunnel network.

If you want to carry a custom network (a LAN behind one of the routers), that is not enough: you need an extra route and ip rule for that network.
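To make the relay configuration concrete, here is an added example (not the post's own config, whose addresses and keys were not preserved on the page) that renders the middle server's wg0.conf with Table = 201, adds an ip rule so only packets arriving on the tunnel consult that table, and shows how WireGuard's longest-prefix cryptokey routing decides which router receives a destination. All names, key strings and addresses are hypothetical placeholders; the use of iif %i assumes wg-quick's interface-name substitution.

```python
"""Added example (not the post's own config): render the relay ("switch") server's
wg0.conf with policy routing, and show how WireGuard picks a peer per destination.

All names, keys and addresses below are hypothetical placeholders.
"""
import ipaddress
from dataclasses import dataclass

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Peer:
    name: str
    public_key: str       # placeholder, not real key material
    endpoint: str         # public "host:port" of the peer
    allowed_ips: tuple    # prefixes WireGuard routes to (and accepts from) this peer


def _networks(peer):
    return [ipaddress.ip_network(p, strict=False) for p in peer.allowed_ips]


def lockout_risk(peers, table):
    """True when a peer claims 0.0.0.0/0 and no separate routing table is configured.

    wg-quick installs a route for every AllowedIPs prefix. Without `Table = <id>`
    a peer's default route lands in the main table and pulls the server's own
    traffic, including the SSH session that ran wg-quick, into the tunnel.
    """
    claims_default = any(DEFAULT_ROUTE in _networks(p) for p in peers)
    return claims_default and table is None


def peer_for(peers, destination):
    """Longest-prefix match over AllowedIPs: the peer that will receive `destination`."""
    dst = ipaddress.ip_address(destination)
    best = None
    for peer in peers:
        for net in _networks(peer):
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0].name if best else None


def render_wg_conf(address, listen_port, private_key, peers, table):
    """Build /etc/wireguard/wg0.conf for the server in the middle.

    With `Table = <id>` every AllowedIPs route goes into that table instead of
    main, and the PostUp rule makes only packets arriving on the tunnel (iif %i,
    which wg-quick expands to the interface name) consult it. Traffic the server
    originates keeps using the main table, so the SSH session survives.
    """
    for peer in peers:
        _networks(peer)  # raise ValueError on a malformed prefix before writing anything
    lines = [
        "[Interface]",
        f"Address = {address}",
        f"ListenPort = {listen_port}",
        f"PrivateKey = {private_key}",
    ]
    if table is not None:
        lines += [
            f"Table = {table}",
            "PostUp = sysctl -w net.ipv4.ip_forward=1",
            f"PostUp = ip rule add iif %i lookup {table}",
            f"PostDown = ip rule del iif %i lookup {table}",
        ]
    for peer in peers:
        lines += [
            "",
            f"# {peer.name}",
            "[Peer]",
            f"PublicKey = {peer.public_key}",
            f"Endpoint = {peer.endpoint}",
            f"AllowedIPs = {', '.join(peer.allowed_ips)}",
        ]
    return "\n".join(lines) + "\n"


# Constructed topology: router1 carries a LAN, router2 is the gateway for everything else.
PEERS = (
    Peer("router1", "ROUTER1_PUBKEY", "198.51.100.10:51820", ("10.201.0.2/32", "192.168.10.0/24")),
    Peer("router2", "ROUTER2_PUBKEY", "203.0.113.20:51820", ("0.0.0.0/0",)),
)

if __name__ == "__main__":
    print(render_wg_conf("10.201.0.1/24", 51820, "SERVER_PRIVKEY", PEERS, table=201))
```

With table set to None, lockout_risk() flags exactly the situation the post warns about; with 201 the same peers are safe, and peer_for() shows that 192.168.10.x still goes to router1 while everything else falls through to router2.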

WireGuard as a “Switch” by @sskaje: https://sskaje.me/2019/11/wireguard-as-a-switch/

Azure Site-to-Site VPN with Dynamic Client IP

When I set up IPsec site-to-site with strongSwan and similar software in the past, the client IP could simply be set to a wildcard; Azure's site-to-site IPsec VPN requires the client IP to be specified explicitly.

PowerShell fans can refer to this article: https://www.hayesjupe.com/using-azure-rm-site-to-site-vpn-with-a-dynamic-ip/

I prefer Linux, so I used the Azure CLI to solve the problem.

Put a Linux VM inside the VPN's virtual network and install the software as described in the link above. Then the steps are as follows.

1 Login

After logging in to the VM over SSH, run the login command and follow its output: sign in to your Azure account in a browser to complete authentication.

If you are on Azure China, point the CLI at the China cloud first.


2 Add an update service

Following the DDNS pattern, have the client report its IP periodically. The server side can simply record it in a database, a file, or anywhere else, and a cron job checks for changes and updates the gateway IP.

3 Update the gateway IP

There is a catch here: if the old IP and the new IP are the same, the update may fail with an inexplicable 404 error.

Looking at the --verbose --debug output, the update command first sends a request to the service and then polls for the operation to finish. Presumably the service decides that nothing needs to be done, so the operation id it returns is invalid.
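The following is an added example of the DDNS-style bookkeeping from steps 2 and 3, not the post's own script. report_ip() is what the endpoint receiving the client's report would call, and update_gateway() is what cron runs; it only invokes az network local-gateway update when the reported address differs from the last one applied, which sidesteps the 404 seen on a no-op update. The state directory, resource group and gateway names are placeholders, and the az CLI is assumed to be installed and logged in; the run parameter exists so the logic can be exercised without calling az.

```python
"""Added example (not the post's own script): DDNS-style bookkeeping for an Azure
local network gateway whose on-premises IP changes.

Assumptions (all hypothetical): report_ip() is fed the address from the client's
periodic report; a cron job calls update_gateway(); resource group and gateway
names are placeholders; the `az` CLI is installed and logged in.
"""
import ipaddress
import os
import subprocess

STATE_DIR = os.environ.get("AZVPN_STATE_DIR", "/var/lib/azvpn")
RESOURCE_GROUP = os.environ.get("AZVPN_RG", "my-rg")        # placeholder name
LOCAL_GATEWAY = os.environ.get("AZVPN_LGW", "onprem-gw")    # placeholder name


def _path(state_dir, name):
    os.makedirs(state_dir, exist_ok=True)
    return os.path.join(state_dir, name)


def _read(state_dir, name):
    try:
        with open(_path(state_dir, name)) as fh:
            return fh.read().strip()
    except FileNotFoundError:
        return None


def report_ip(raw, state_dir=STATE_DIR):
    """Server side of the 'DDNS' report: validate and store the client's public IPv4.

    The value arrives over the network, so it is parsed as an address rather than
    written as-is; private, loopback, link-local and documentation ranges are
    rejected because they can never be a site-to-site peer address.
    """
    ip = ipaddress.ip_address(raw.strip())
    if ip.version != 4 or not ip.is_global:
        raise ValueError(f"not a public IPv4 address: {raw!r}")
    with open(_path(state_dir, "reported"), "w") as fh:
        fh.write(f"{ip}\n")
    return str(ip)


def update_gateway(run=subprocess.run, state_dir=STATE_DIR):
    """Cron side: push the reported IP to Azure only when it differs from the last applied one.

    Skipping the no-op case matters: updating the gateway with the address it already
    has can fail with an unexplained 404 while the CLI polls the operation.
    Returns 'unchanged', 'updated' or 'failed'.
    """
    reported = _read(state_dir, "reported")
    if reported is None:
        raise RuntimeError("no IP has been reported yet")
    if reported == _read(state_dir, "applied"):
        return "unchanged"
    cmd = [
        "az", "network", "local-gateway", "update",
        "--resource-group", RESOURCE_GROUP,
        "--name", LOCAL_GATEWAY,
        "--gateway-ip-address", reported,
    ]
    result = run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        return "failed"   # leave 'applied' untouched so the next cron run retries
    with open(_path(state_dir, "applied"), "w") as fh:
        fh.write(reported + "\n")
    return "updated"


if __name__ == "__main__":
    print(update_gateway())
```

A failed az call leaves the applied marker alone, so the next cron run retries instead of silently believing the gateway was updated.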

Azure Site-to-Site VPN with Dynamic Client IP by @sskaje: https://sskaje.me/2019/08/azure-site-to-site-vpn-with-dynamic-client-ip/


Unity Package Manager Protocol Analysis

The Windows build of Unity Package Manager ignores the system certificate settings, so simply pointing it at Charles Proxy does not capture its requests. Rather than setting up a reverse proxy, I used Charles Proxy's Map Remote feature: put an arbitrary address in manifest.json and have Charles rewrite the requests to https://packages.unity.com, and the traffic can be captured.


1 Request /com.unity.package-manager.metadata; the official address is https://packages.unity.com/com.unity.package-manager.metadata

2 Using searchablePackages from the response in step 1, build https://packages.unity.com/{PACKAGE} to fetch the package document, for example https://packages.unity.com/com.unity.xiaomi

3 Read the download address from the response in step 2: it is in dist.tarball, for example https://download.packages.unity.com/com.unity.xiaomi/-/com.unity.xiaomi-1.0.3.tgz

With this protocol, writing your own server, or even building one with nginx, is fairly simple. Nexus is also a good choice, and it spares you the hostname problem in step 3 (tarball URLs point at download.packages.unity.com, not at your mirror); see https://sskaje.me/2019/08/sonatype-nexus-3-as-unity-package-mirror/
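The three steps above, as an added example rather than Unity's code: a small client with an injectable fetch() so the walk can be replayed offline, plus the tarball-host rewrite a self-hosted mirror needs for step 3. The metadata request and the dist.tarball field are taken from the post; the rest of the package document (dist-tags, versions) is assumed to follow the npm registry shape that UPM speaks. The sample responses, the mirror URL and the off-host 1.0.2 entry are constructed, the last one to show why a mirror should refuse to rewrite tarballs that do not live on the official download host.

```python
"""Added example (not Unity's code): the three UPM registry requests described
above, with an injectable fetch() so the walk can be replayed offline.

Assumption: apart from searchablePackages, the package document follows the npm
registry shape (dist-tags, versions[<v>].dist.tarball). Sample documents below
are constructed, not captured.
"""
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit

REGISTRY = "https://packages.unity.com"
OFFICIAL_DOWNLOAD_HOST = "download.packages.unity.com"


def http_fetch(url):
    """Default fetcher: GET a URL and return the body as text."""
    with urllib.request.urlopen(url, timeout=20) as resp:
        return resp.read().decode("utf-8")


def searchable_packages(fetch=http_fetch, registry=REGISTRY):
    """Step 1: /com.unity.package-manager.metadata lists the searchable package names."""
    doc = json.loads(fetch(f"{registry}/com.unity.package-manager.metadata"))
    return list(doc["searchablePackages"])


def package_doc(name, fetch=http_fetch, registry=REGISTRY):
    """Step 2: /{package} returns the package document with all versions."""
    return json.loads(fetch(f"{registry}/{name}"))


def tarball_url(doc, version=None):
    """Step 3: dist.tarball of the requested (or latest) version."""
    if version is None:
        version = doc["dist-tags"]["latest"]
    try:
        return doc["versions"][version]["dist"]["tarball"]
    except KeyError as exc:
        raise KeyError(f"{doc.get('name')}@{version} has no dist.tarball") from exc


def rewrite_tarball(url, mirror_base):
    """Point an official tarball URL at a mirror, keeping the path.

    Only https URLs on the official download host are rewritten; anything else
    yields None so a tampered package document cannot redirect downloads to an
    arbitrary host through a mirror that blindly rewrites.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != OFFICIAL_DOWNLOAD_HOST:
        return None
    mirror = urlsplit(mirror_base)
    return urlunsplit((mirror.scheme, mirror.netloc, mirror.path.rstrip("/") + parts.path, "", ""))


def resolve(name, version=None, fetch=http_fetch, registry=REGISTRY, mirror_base=None):
    """Walk steps 1-3 for one package and return the download URL."""
    if name not in searchable_packages(fetch, registry):
        raise LookupError(f"{name} is not a searchable package on {registry}")
    url = tarball_url(package_doc(name, fetch, registry), version)
    if mirror_base is None:
        return url
    rewritten = rewrite_tarball(url, mirror_base)
    if rewritten is None:
        raise ValueError(f"refusing to mirror tarball hosted off-site: {url}")
    return rewritten


# Constructed sample responses; only the URLs quoted in the post are real.
SAMPLE = {
    f"{REGISTRY}/com.unity.package-manager.metadata": json.dumps(
        {"searchablePackages": ["com.unity.xiaomi", "com.unity.textmeshpro"]}
    ),
    f"{REGISTRY}/com.unity.xiaomi": json.dumps({
        "name": "com.unity.xiaomi",
        "dist-tags": {"latest": "1.0.3"},
        "versions": {
            "1.0.3": {"version": "1.0.3", "dist": {"tarball":
                "https://download.packages.unity.com/com.unity.xiaomi/-/com.unity.xiaomi-1.0.3.tgz"}},
            # constructed tampered entry: tarball not on the official download host
            "1.0.2": {"version": "1.0.2", "dist": {"tarball":
                "http://evil.example/com.unity.xiaomi-1.0.2.tgz"}},
        },
    }),
}


def sample_fetch(url):
    """Offline fetcher that replays SAMPLE instead of hitting the network."""
    return SAMPLE[url]


if __name__ == "__main__":
    print(resolve("com.unity.xiaomi", fetch=sample_fetch))
    print(resolve("com.unity.xiaomi", fetch=sample_fetch, mirror_base="https://mirror.example/unity"))
```

Passing fetch=http_fetch (the default) runs the same walk against the real registry.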

Unity Package Manager 协议分析 by @sskaje: https://sskaje.me/2019/08/unity-package-manager-%e5%8d%8f%e8%ae%ae%e5%88%86%e6%9e%90/


Sonatype Nexus 3 as Unity Package Mirror

Unity Package Manager uses the npm protocol, so the setup is simple. After installing Nexus 3, create an npm proxy repository with Remote Storage set to https://packages.unity.com. For servers in China it is worth configuring an outbound proxy if you can, since Unity's servers are quite likely to be blocked.


1 When Unity Package Manager starts it sends a flood of HEAD requests, which Nexus 3 does not support and answers with 404, so UPM shows a wall of red warnings; installs still work.

2 UPM does not support registry authentication, so to use a local mirror, or to manage your own packages in Nexus, you have to enable anonymous access. For a corporate Nexus it is better to control access below the HTTP layer, for example with source-IP restrictions at each layer. Unity says authentication support will arrive in 2020.1: https://forum.unity.com/threads/setup-for-scoped-registries-private-registries.573934/

3 The Great Firewall problem is severe.

Sonatype Nexus 3 as Unity Package Mirror by @sskaje: https://sskaje.me/2019/08/sonatype-nexus-3-as-unity-package-mirror/

MacOS VPN Auto Add Routes

I tested this on macOS 10.14 with an L2TP VPN.

I connect to my office VPN to work remotely, but I don't want to send all traffic through the VPN interface. Usually I open Terminal.app and run route commands after the VPN connects, with the address block used in my office as the destination and the VPN gateway address as the gateway.

That is really inconvenient, but I found a better solution: networksetup.

Usage: networksetup -setadditionalroutes <networkservice> [ <dest> <mask> <gateway> ]*
        Set additional IPv4 routes associated with <networkservice>
        by specifying one or more [ <dest> <mask> <gateway> ] tuples.
        Remove additional routes by specifying no arguments.
        If <gateway> is "", the route is direct to the interface

First, find your service name: list the network services and look for your VPN connection.

In my case the VPN connection is named 'My Office'.

If you have multiple route entries to add, pass all the tuples in a single command.

L2TP is a point-to-point VPN, so the gateway address does not matter much; that is why I use "" instead of the gateway address.
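As an added example (not the post's own commands), the following builds the networksetup invocation from CIDR prefixes, so the netmask is derived rather than typed, applies it with "" as the gateway, and checks the service name first. The listing format it parses (a header line, then one service per line, disabled ones prefixed with *) is an assumption about networksetup -listallnetworkservices output, the office prefixes are hypothetical, and run can be swapped for a stub so the logic runs off a Mac.

```python
"""Added example (not the post's own commands): build and run
`networksetup -setadditionalroutes` for a VPN service from CIDR prefixes.

Assumptions: `networksetup -listallnetworkservices` prints a header line, then
one service per line with disabled services prefixed by '*'; `run` defaults to
subprocess.run and can be replaced by a stub off a Mac.
"""
import ipaddress
import subprocess


def parse_services(listing):
    """Service names from `networksetup -listallnetworkservices` output."""
    names = []
    for line in listing.splitlines()[1:]:   # first line is the "asterisk denotes disabled" note
        line = line.strip()
        if line:
            names.append(line.lstrip("*"))
    return names


def route_tuples(prefixes, gateway=""):
    """Turn CIDR prefixes into the <dest> <mask> <gateway> triples networksetup expects.

    An empty gateway means "direct to the interface", which is what a point-to-point
    L2TP link wants. strict=True rejects prefixes with host bits set, so a typo like
    10.0.0.1/8 does not become a silently wrong route.
    """
    tuples = []
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix, strict=True)
        if net.version != 4:
            raise ValueError(f"{prefix}: -setadditionalroutes takes IPv4 routes only")
        tuples.append((str(net.network_address), str(net.netmask), gateway))
    return tuples


def additional_routes_cmd(service, prefixes, gateway=""):
    """argv for one `networksetup -setadditionalroutes` call carrying all tuples."""
    argv = ["networksetup", "-setadditionalroutes", service]
    for dest, mask, gw in route_tuples(prefixes, gateway):
        argv += [dest, mask, gw]
    return argv


def set_routes(service, prefixes, gateway="", run=subprocess.run):
    """Check the service exists, then apply the routes (needs an admin account)."""
    listing = run(["networksetup", "-listallnetworkservices"],
                  capture_output=True, text=True, check=True)
    if service not in parse_services(listing.stdout):
        raise LookupError(f"no network service named {service!r}")
    run(additional_routes_cmd(service, prefixes, gateway), check=True)
    return True


if __name__ == "__main__":
    # Hypothetical office prefixes; "My Office" is the VPN service name used in the post.
    set_routes("My Office", ["10.0.0.0/8", "172.16.0.0/12"])
```

Calling set_routes with an empty prefix list yields the bare -setadditionalroutes invocation, which is how networksetup removes the routes again.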

MacOS VPN Auto Add Routes by @sskaje: https://sskaje.me/2019/04/macos-vpn-auto-add-routes/