Proxy: Add Hysteria 2 inbound & transport (supports listening port range, Salamander finalmask) by LjhAUMEM · Pull Request #5679 · XTLS/Xray-core

LjhAUMEM · 2026-02-11T05:01:46Z

已测试 fullcone

hy clients 只在搭配 hy 传输层才生效

配置示例

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "address": "127.0.0.1",
        "port": 1081
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2,
          "auth": "5783a3e7-e373-51cd-8642-c83782b807c5"
        },
        "security": "tls",
        "tlsSettings": {
          "serverName": "xray.com",
          "alpn": ["h3"],
          "pinnedPeerCertSha256": "f91e9cf7e75e42b020eb974e44302430157bd665a2c402e6dc3c7fd9fb7d7e1b"
        },
        "finalmask": {
          "udp": [
            {
              "type": "salamander",
              "settings": {
                "password": "1234"
              }
            }
          ]
        }
      }
    }
  ]
}

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1081,
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "clients": [
          {
            "auth": "5783a3e7-e373-51cd-8642-c83782b807c5"
          }
        ]
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2
        },
        "security": "tls",
        "tlsSettings": {
          "alpn": ["h3"],
          "certificates": [
            {
              "certificateFile": "ca.crt",
              "keyFile": "ca.key"
            }
          ]
        },
        "finalmask": {
          "udp": [
            {
              "type": "salamander",
              "settings": {
                "password": "1234"
              }
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom"
    }
  ]
}

teddysun · 2026-02-11T05:08:03Z

撒花

evansvl

can't wait for a merge

Fangliding · 2026-02-11T10:09:17Z

有一个 sync "sync" 的导入
确定绝对没有问题要忽略err返回的地方用 common.Must2()
新入站尽量用 dispatchlink

LjhAUMEM · 2026-02-11T11:28:11Z

有一个 sync "sync" 的导入
确定绝对没有问题要忽略err返回的地方用 common.Must2()

改了几个 ParseDestination 的地方，~~我再找找还有没有~~

新入站尽量用 dispatchlink

done，好像会忽略后面的 Policy

LjhAUMEM · 2026-02-11T12:46:44Z

好像会忽略后面的 Policy

看了下 DefaultDispatcher 的 WrapLink 里有 policy，~~所以应该不会忽略~~

用上 DispatchLink 后就默认 fullcone 了，把 server 里的 ctx.Value("cone").(bool) 删了

LjhAUMEM · 2026-02-11T13:13:24Z

测试 hy 用户路由正常

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    },
    {
      "listen": "127.0.0.1",
      "port": 1081,
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "clients": [
          {
            "auth": "5783a3e7-e373-51cd-8642-c83782b807c5",
            "email": "a"
          }
        ]
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2
        },
        "security": "tls",
        "tlsSettings": {
          "alpn": ["h3"],
          "certificates": [
            {
              "certificateFile": "ca.crt",
              "keyFile": "ca.key"
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "address": "127.0.0.1",
        "port": 1081
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2,
          "auth": "5783a3e7-e373-51cd-8642-c83782b807c5"
        },
        "security": "tls",
        "tlsSettings": {
          "serverName": "xray.com",
          "alpn": ["h3"],
          "pinnedPeerCertSha256": "f91e9cf7e75e42b020eb974e44302430157bd665a2c402e6dc3c7fd9fb7d7e1b"
        }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom"
    }
  ],
  "routing": {
    "rules": [
      {
        "user": ["a"],
        "outboundTag": "direct"
      }
    ]
  }
}

测试 vless hy 正常

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    },
    {
      "listen": "127.0.0.1",
      "port": 1081,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "5783a3e7-e373-51cd-8642-c83782b807c5",
            "email": "a"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2,
          "auth": "5783a3e7-e373-51cd-8642-c83782b807c5"
        },
        "security": "tls",
        "tlsSettings": {
          "alpn": ["h3"],
          "certificates": [
            {
              "certificateFile": "ca.crt",
              "keyFile": "ca.key"
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "address": "127.0.0.1",
        "port": 1081,
        "id": "5783a3e7-e373-51cd-8642-c83782b807c5",
        "encryption": "none"
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2,
          "auth": "5783a3e7-e373-51cd-8642-c83782b807c5"
        },
        "security": "tls",
        "tlsSettings": {
          "serverName": "xray.com",
          "alpn": ["h3"],
          "pinnedPeerCertSha256": "f91e9cf7e75e42b020eb974e44302430157bd665a2c402e6dc3c7fd9fb7d7e1b"
        }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom"
    }
  ],
  "routing": {
    "rules": [
      {
        "user": ["a"],
        "outboundTag": "direct"
      }
    ]
  }
}

不过 hy 入站用户因为是在传输层认证所以只在搭配 hy 传输层的时候才会生效

LjhAUMEM · 2026-02-11T13:24:08Z

~~所以应该不会忽略~~

感觉还是不对，tcp 先换回 Dispatch 了，udp 保持 DispatchLink，~~反正 udp 也不受 policy 影响~~

LjhAUMEM · 2026-02-11T13:31:58Z

测试 hy raw 正常，hy 搭配非 hy 只能代理 tcp

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    },
    {
      "tag": "a",
      "listen": "127.0.0.1",
      "port": 1081,
      "protocol": "hysteria",
      "settings": {
        "version": 2
      },
      "streamSettings": {
        "network": "raw"
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "address": "127.0.0.1",
        "port": 1081
      },
      "streamSettings": {
        "network": "raw"
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom"
    }
  ],
  "routing": {
    "rules": [
      {
        "inboundTag": ["a"],
        "outboundTag": "direct"
      }
    ]
  }
}

Fangliding · 2026-02-11T13:32:31Z

我没管过policy 可以看一下socks和vless入站都改成dispatchlink了我就只是觉得代码简单不少

LjhAUMEM · 2026-02-11T13:35:51Z

看了下 socks 也是只在开头 ReadDeadline 用了一下然后就 DispatchLink 了，和我之前改的一样，~~vless 的有点长一会再看~~

LjhAUMEM · 2026-02-11T13:44:38Z

好像可以把 hy 的 frag 直接用在原生 udp 上，~~虽然没有加密~~

配置文件再加个 network 字段，话说如果 shadowsock 开了原生 udp + 配置 kcp 传输层会不会监听冲突

Fangliding · 2026-02-11T13:46:26Z

会老问题

Fangliding · 2026-02-11T13:49:28Z

因为 shadowsocks over xxx 并非原协议定义用法所以不被作为bug

ImMohammad20000 · 2026-02-11T14:12:25Z

Is there api support?

j4Uq · 2026-02-11T15:08:09Z

hy + reality？省了证书的事

LjhAUMEM · 2026-02-11T15:43:53Z

Is there api support?

有，入站出站包括增删用户，不过 hy 用户只在搭配 hy 传输层才生效

hy + reality？省了证书的事

hy 没 uot，只 tcp 倒是可以

LjhAUMEM · 2026-02-11T15:45:21Z

适配上了原生 udp 传输层，也可以 fullcone，~~就是有点丢包，之前 write 逻辑有问题，修复了~~

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      // "listen": "127.0.0.1",
      "port": 1081,
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "udpraw": true
      },
      "streamSettings": {
        "network": "raw"
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom"
    }
  ]
}

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "address": "127.0.0.1",
        "port": 1081,
        "udpraw": true
      },
      "streamSettings": {
        "network": "raw"
      }
    }
  ]
}

gfw-killer · 2026-02-11T17:29:40Z

Is the combination of VLESS+Hy2 transport, Unreliable Datagram like the original Hysteria2? or it is necessary to use Hy2 protocol for Hy2 transport?

Fangliding · 2026-02-11T17:33:13Z

单个的这hy proxy protocol有啥用直接强制要求hy传输吧

LjhAUMEM · 2026-02-12T00:39:25Z

单个的这hy proxy protocol有啥用直接强制要求hy传输吧

跟无认证的 socks5 没啥区别（除了有 padding），不过有了 udpmask 后可以有 hy+raw+reality+udpmask 组合

LjhAUMEM · 2026-02-12T01:26:05Z

Is the combination of VLESS+Hy2 transport, Unreliable Datagram like the original Hysteria2? or it is necessary to use Hy2 protocol for Hy2 transport?

protocol 和 transport 可以任意搭配，可选 udpraw 在搭配 raw transport 时启用原生 udp

Fangliding · 2026-02-12T01:52:05Z

跟无认证的 socks5 没啥区别（除了有 padding），不过有了 udpmask 后可以有 hy+raw+reality+udpmask 组合

看起来就为了蹭个不可靠udp? 跑reality还同端口非quic数据包

LjhAUMEM · 2026-02-12T01:54:38Z

不像 ss 有 uot，~~如果搭配其他传输层只能 tcp 那更没用了，补个可用原生吧~~

LjhAUMEM · 2026-02-12T02:20:48Z

~~应该没什么要改了，我这边准备好了~~

LjhAUMEM · 2026-02-12T02:46:26Z

想了一下 ParseDestination 还是不能 must2，~~这次应该真的准备好了~~

RPRX · 2026-02-12T04:03:14Z

udpraw: 用于搭配非 hy 传输层时启用原生 udp

没必要，删了，Hy2 代理协议就只为了搭配 Hy2 传输层，Xray-core 接受它们也只是为了不被排除在选项外，~~想试就试反正会被 Q~~

话说 Hy2 传输层对于 UDP 目前是可靠还是不可靠传输

LjhAUMEM · 2026-02-12T04:13:41Z

没必要，删了，Hy2 代理协议就只为了搭配 Hy2 传输层，Xray-core 接受它们也只是为了不被排除在选项外，~~想试就试反正会被 Q~~

done

话说 Hy2 传输层对于 UDP 目前是可靠还是不可靠传输

不可靠，除非做个 uot 在 stream 里跑就可靠

https://quic-go.net/docs/quic/datagrams/#the-unreliable-datagram-extension

RPRX · 2026-02-12T12:18:43Z

那符合预期，ready 的时候说一下

把 Hy2 代理层协议扩展到别的用途没必要还徒增维护成本，想要同时有原生 UDP 的话现在可以 Shadowsocks，以后可以 VLESS

~~当然我觉得简单粗暴地同端口并不是啥好习惯，至少得分流到别的高位端口演一下吧，总之 UDP 这块今年 Xray 会再发力下~~

LjhAUMEM · 2026-02-12T12:21:27Z

ready 了，~~刚刚那个 ReleaseMulti 是个可有可无的修改，如果没有也会遍历完一个一个 release，有就提前 release~~

RPRX · 2026-02-12T14:57:35Z

@LjhAUMEM 对了话说 Xray 的 listening port range 你能不能改一下，改成共用一个 inbound 实例，~~不然感觉 Hy2 udphop 要炸~~

Fangliding · 2026-02-12T15:01:37Z

socket操作就没有正常bind一堆端口的所以我说那玩意是邪道 udphop连hy官端都是用ipt的
而且在那里听一堆端口开出来的conn不是一个还没法hop 连接不认识

RPRX · 2026-02-12T15:13:38Z

@LjhAUMEM 改吧改吧，~~改成 bind 一堆 port 但共用一个 inbound 实例~~

LjhAUMEM · 2026-02-13T01:45:05Z

不监听就只能走转发了，~~用户态转发不如自己 dokodemo-door~~

hyhub

a3a9348

evansvl approved these changes Feb 11, 2026

View reviewed changes

null added 2 commits February 11, 2026 17:30

typo

4a8c18d

interConn

15955d7

null added 4 commits February 11, 2026 18:11

InterUdpConn

6c45279

sync

de5d7ab

RWMutex

a8b3adb

DispatchLink

bfaee2a

null added 2 commits February 11, 2026 20:16

single step lock

afb0684

1

c2872a7

Dispatch

ddbf1f2

udpraw

11a7990

DispatchLink

2245a0e

null added 2 commits February 12, 2026 08:46

fix logic

ac69875

Refactor udpSM

214b0e5

must2

5986931

fix logic

b061f2d

null added 2 commits February 12, 2026 12:08

some log

1947fe9

remove udpraw

259c0de

ReleaseMulti

c9cc7ea

RPRX changed the title ~~hysteria inbound & transport hub~~ Proxy: Add Hysteria 2 inbound & transport Feb 12, 2026

RPRX changed the title ~~Proxy: Add Hysteria 2 inbound & transport~~ Proxy: Add Hysteria 2 inbound & transport (supports listening port range, Salamander finalmask) Feb 12, 2026

RPRX merged commit 6a909b2 into XTLS:main Feb 12, 2026
39 checks passed

Conversation

LjhAUMEM commented Feb 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

teddysun commented Feb 11, 2026

Uh oh!

evansvl left a comment

Choose a reason for hiding this comment

Uh oh!

Fangliding commented Feb 11, 2026

Uh oh!

LjhAUMEM commented Feb 11, 2026

Uh oh!

LjhAUMEM commented Feb 11, 2026

Uh oh!

LjhAUMEM commented Feb 11, 2026

Uh oh!

LjhAUMEM commented Feb 11, 2026

Uh oh!

LjhAUMEM commented Feb 11, 2026

Uh oh!

Fangliding commented Feb 11, 2026

Uh oh!

LjhAUMEM commented Feb 11, 2026

Uh oh!

LjhAUMEM commented Feb 11, 2026

Uh oh!

Fangliding commented Feb 11, 2026

Uh oh!

Fangliding commented Feb 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ImMohammad20000 commented Feb 11, 2026

Uh oh!

j4Uq commented Feb 11, 2026

Uh oh!

LjhAUMEM commented Feb 11, 2026

Uh oh!

LjhAUMEM commented Feb 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

gfw-killer commented Feb 11, 2026

Uh oh!

Fangliding commented Feb 11, 2026

Uh oh!

LjhAUMEM commented Feb 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

LjhAUMEM commented Feb 12, 2026

Uh oh!

Fangliding commented Feb 12, 2026

Uh oh!

LjhAUMEM commented Feb 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

LjhAUMEM commented Feb 12, 2026

Uh oh!

LjhAUMEM commented Feb 12, 2026

Uh oh!

RPRX commented Feb 12, 2026

Uh oh!

LjhAUMEM commented Feb 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

RPRX commented Feb 12, 2026

Uh oh!

LjhAUMEM commented Feb 12, 2026

Uh oh!

Uh oh!

RPRX commented Feb 12, 2026

Uh oh!

Fangliding commented Feb 12, 2026

Uh oh!

RPRX commented Feb 12, 2026

Uh oh!

LjhAUMEM commented Feb 13, 2026

Uh oh!

Reviewers

Assignees

Labels

LjhAUMEM commented Feb 11, 2026 •

edited

Loading

Fangliding commented Feb 11, 2026 •

edited

Loading

LjhAUMEM commented Feb 11, 2026 •

edited

Loading

LjhAUMEM commented Feb 12, 2026 •

edited

Loading

LjhAUMEM commented Feb 12, 2026 •

edited

Loading

LjhAUMEM commented Feb 12, 2026 •

edited

Loading