Proxy: Add Hysteria 2 inbound & transport (supports listening port range, Salamander finalmask)

[LjhAUMEM]

已测试 fullcone

hy clients 只在搭配 hy 传输层才生效

配置示例

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "address": "127.0.0.1",
        "port": 1081
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2,
          "auth": "5783a3e7-e373-51cd-8642-c83782b807c5"
        },
        "security": "tls",
        "tlsSettings": {
          "serverName": "xray.com",
          "alpn": ["h3"],
          "pinnedPeerCertSha256": "f91e9cf7e75e42b020eb974e44302430157bd665a2c402e6dc3c7fd9fb7d7e1b"
        },
        "finalmask": {
          "udp": [
            {
              "type": "salamander",
              "settings": {
                "password": "1234"
              }
            }
          ]
        }
      }
    }
  ]
}

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1081,
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "clients": [
          {
            "auth": "5783a3e7-e373-51cd-8642-c83782b807c5"
          }
        ]
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2
        },
        "security": "tls",
        "tlsSettings": {
          "alpn": ["h3"],
          "certificates": [
            {
              "certificateFile": "ca.crt",
              "keyFile": "ca.key"
            }
          ]
        },
        "finalmask": {
          "udp": [
            {
              "type": "salamander",
              "settings": {
                "password": "1234"
              }
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom"
    }
  ]
}

[teddysun]

撒花

[evansvl]

can't wait for a merge

[Fangliding]

有一个 sync "sync" 的导入
确定绝对没有问题要忽略err返回的地方用 common.Must2()
新入站尽量用 dispatchlink

[LjhAUMEM]

有一个 sync "sync" 的导入
确定绝对没有问题要忽略err返回的地方用 common.Must2()

改了几个 ParseDestination 的地方，我再找找还有没有

新入站尽量用 dispatchlink

done，好像会忽略后面的 Policy

[LjhAUMEM]

好像会忽略后面的 Policy

看了下 DefaultDispatcher 的 WrapLink 里有 policy，所以应该不会忽略

用上 DispatchLink 后就默认 fullcone 了，把 server 里的 ctx.Value("cone").(bool) 删了

[LjhAUMEM]

测试 hy 用户路由正常

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    },
    {
      "listen": "127.0.0.1",
      "port": 1081,
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "clients": [
          {
            "auth": "5783a3e7-e373-51cd-8642-c83782b807c5",
            "email": "a"
          }
        ]
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2
        },
        "security": "tls",
        "tlsSettings": {
          "alpn": ["h3"],
          "certificates": [
            {
              "certificateFile": "ca.crt",
              "keyFile": "ca.key"
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "address": "127.0.0.1",
        "port": 1081
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2,
          "auth": "5783a3e7-e373-51cd-8642-c83782b807c5"
        },
        "security": "tls",
        "tlsSettings": {
          "serverName": "xray.com",
          "alpn": ["h3"],
          "pinnedPeerCertSha256": "f91e9cf7e75e42b020eb974e44302430157bd665a2c402e6dc3c7fd9fb7d7e1b"
        }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom"
    }
  ],
  "routing": {
    "rules": [
      {
        "user": ["a"],
        "outboundTag": "direct"
      }
    ]
  }
}

测试 vless hy 正常

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    },
    {
      "listen": "127.0.0.1",
      "port": 1081,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "5783a3e7-e373-51cd-8642-c83782b807c5",
            "email": "a"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2,
          "auth": "5783a3e7-e373-51cd-8642-c83782b807c5"
        },
        "security": "tls",
        "tlsSettings": {
          "alpn": ["h3"],
          "certificates": [
            {
              "certificateFile": "ca.crt",
              "keyFile": "ca.key"
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "address": "127.0.0.1",
        "port": 1081,
        "id": "5783a3e7-e373-51cd-8642-c83782b807c5",
        "encryption": "none"
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2,
          "auth": "5783a3e7-e373-51cd-8642-c83782b807c5"
        },
        "security": "tls",
        "tlsSettings": {
          "serverName": "xray.com",
          "alpn": ["h3"],
          "pinnedPeerCertSha256": "f91e9cf7e75e42b020eb974e44302430157bd665a2c402e6dc3c7fd9fb7d7e1b"
        }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom"
    }
  ],
  "routing": {
    "rules": [
      {
        "user": ["a"],
        "outboundTag": "direct"
      }
    ]
  }
}

不过 hy 入站用户因为是在传输层认证所以只在搭配 hy 传输层的时候才会生效

[LjhAUMEM]

所以应该不会忽略

感觉还是不对，tcp 先换回 Dispatch 了，udp 保持 DispatchLink，反正 udp 也不受 policy 影响

[LjhAUMEM]

测试 hy raw 正常，hy 搭配非 hy 只能代理 tcp

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    },
    {
      "tag": "a",
      "listen": "127.0.0.1",
      "port": 1081,
      "protocol": "hysteria",
      "settings": {
        "version": 2
      },
      "streamSettings": {
        "network": "raw"
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "address": "127.0.0.1",
        "port": 1081
      },
      "streamSettings": {
        "network": "raw"
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom"
    }
  ],
  "routing": {
    "rules": [
      {
        "inboundTag": ["a"],
        "outboundTag": "direct"
      }
    ]
  }
}

[Fangliding]

我没管过policy 可以看一下socks和vless入站 都改成dispatchlink了 我就只是觉得代码简单不少

[LjhAUMEM]

看了下 socks 也是只在开头 ReadDeadline 用了一下然后就 DispatchLink 了，和我之前改的一样，vless 的有点长一会再看

[LjhAUMEM]

好像可以把 hy 的 frag 直接用在原生 udp 上，虽然没有加密

配置文件再加个 network 字段，话说如果 shadowsock 开了原生 udp + 配置 kcp 传输层会不会监听冲突

[Fangliding]

会 老问题

[Fangliding]

因为 shadowsocks over xxx 并非原协议定义用法所以不被作为bug

[ImMohammad20000]

Is there api support?

[j4Uq]

hy + reality？省了证书的事

[LjhAUMEM]

Is there api support?

有，入站出站包括增删用户，不过 hy 用户只在搭配 hy 传输层才生效

hy + reality？省了证书的事

hy 没 uot，只 tcp 倒是可以

[LjhAUMEM]

适配上了原生 udp 传输层，也可以 fullcone，就是有点丢包，之前 write 逻辑有问题，修复了

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      // "listen": "127.0.0.1",
      "port": 1081,
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "udpraw": true
      },
      "streamSettings": {
        "network": "raw"
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom"
    }
  ]
}

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "address": "127.0.0.1",
        "port": 1081,
        "udpraw": true
      },
      "streamSettings": {
        "network": "raw"
      }
    }
  ]
}

[gfw-killer]

Is the combination of VLESS+Hy2 transport, Unreliable Datagram like the original Hysteria2? or it is necessary to use Hy2 protocol for Hy2 transport?

[Fangliding]

单个的这hy proxy protocol有啥用 直接强制要求hy传输吧

[LjhAUMEM]

单个的这hy proxy protocol有啥用 直接强制要求hy传输吧

跟无认证的 socks5 没啥区别（除了有 padding），不过有了 udpmask 后可以有 hy+raw+reality+udpmask 组合

[LjhAUMEM]

Is the combination of VLESS+Hy2 transport, Unreliable Datagram like the original Hysteria2? or it is necessary to use Hy2 protocol for Hy2 transport?

protocol 和 transport 可以任意搭配，可选 udpraw 在搭配 raw transport 时启用原生 udp

[Fangliding]

跟无认证的 socks5 没啥区别（除了有 padding），不过有了 udpmask 后可以有 hy+raw+reality+udpmask 组合

看起来就为了蹭个不可靠udp? 跑reality还同端口非quic数据包

[LjhAUMEM]

不像 ss 有 uot，如果搭配其他传输层只能 tcp 那更没用了，补个可用原生吧

[LjhAUMEM]

应该没什么要改了，我这边准备好了

[LjhAUMEM]

想了一下 ParseDestination 还是不能 must2，这次应该真的准备好了

[RPRX]

udpraw: 用于搭配非 hy 传输层时启用原生 udp

没必要，删了，Hy2 代理协议就只为了搭配 Hy2 传输层，Xray-core 接受它们也只是为了不被排除在选项外，想试就试反正会被 Q

话说 Hy2 传输层对于 UDP 目前是可靠还是不可靠传输

[LjhAUMEM]

没必要，删了，Hy2 代理协议就只为了搭配 Hy2 传输层，Xray-core 接受它们也只是为了不被排除在选项外，想试就试反正会被 Q

done

话说 Hy2 传输层对于 UDP 目前是可靠还是不可靠传输

不可靠，除非做个 uot 在 stream 里跑 就可靠

https://quic-go.net/docs/quic/datagrams/#the-unreliable-datagram-extension

[RPRX]

那符合预期，ready 的时候说一下

把 Hy2 代理层协议扩展到别的用途没必要还徒增维护成本，想要同时有原生 UDP 的话现在可以 Shadowsocks，以后可以 VLESS

当然我觉得简单粗暴地同端口并不是啥好习惯，至少得分流到别的高位端口演一下吧，总之 UDP 这块今年 Xray 会再发力下

[LjhAUMEM]

ready 了，刚刚那个 ReleaseMulti 是个可有可无的修改，如果没有也会遍历完一个一个 release，有就提前 release

[RPRX]

@LjhAUMEM 对了话说 Xray 的 listening port range 你能不能改一下，改成共用一个 inbound 实例，不然感觉 Hy2 udphop 要炸

[Fangliding]

socket操作就没有正常bind一堆端口的 所以我说那玩意是邪道 udphop连hy官端都是用ipt的
而且在那里听一堆端口开出来的conn不是一个还没法hop 连接不认识

[RPRX]

@LjhAUMEM 改吧改吧，改成 bind 一堆 port 但共用一个 inbound 实例

[LjhAUMEM]

不监听就只能走转发了，用户态转发不如自己 dokodemo-door