diff --git a/ACL.md b/ACL.md deleted file mode 100644 index f2b4023..0000000 --- a/ACL.md +++ /dev/null @@ -1,52 +0,0 @@ -# ACL File Format - -ACL files describe how to process incoming requests. Both the server and the client support ACL and follow the identical -syntax. - -``` -action condition_type condition argument -``` - -Example: - -``` -direct domain evil.corp -proxy domain-suffix google.com -block ip 1.2.3.4 -block country cn -hijack cidr 192.168.1.1/24 127.0.0.1 - -direct all -``` - -Hysteria acts according to the first matching rule in the file for each request. When there is no match, the default -behavior is to proxy all connections. You can override this by adding a rule at the end of the file with the condition -`all`. - -4 actions: - -`direct` - connect directly to the target server without going through the proxy - -`proxy` - connect to the target server through the proxy (only available on the client) - -`block` - block the connection from establishing - -`hijack` - hijack the connection to another target address (must be specified in the argument) - -6 condition types: - -`domain` - match a specific domain (does NOT match subdomains! e.g. `apple.com` will not match `cdn.apple.com`) - -`domain-suffix` - match a domain suffix (match subdomains, but `apple.com` will still not match `fakeapple.com`) - -`cidr` - IPv4 or IPv6 CIDR - -`ip` - IPv4 or IPv6 address - -`country` - match IP by ISO 3166-1 alpha-2 country code - -`all` - match anything (usually placed at the end of the file as a default rule) - -For domain requests, Hysteria will try to resolve the domains and match both domain & IP rules. In other words, an IP -rule covers all connections that would end up connecting to this IP, regardless of whether the client requests with IP -or domain. \ No newline at end of file diff --git a/ACL.zh.md b/ACL.zh.md deleted file mode 100644 index 0e2684d..0000000 --- a/ACL.zh.md +++ /dev/null @@ -1,47 +0,0 @@ -# ACL 文件格式 - -ACL 文件描述如何处理传入请求。服务器和客户端都支持 ACL,并且遵循相同的语法。 - -``` -处理方式 条件类型 条件 参数 -``` - -例子: - -``` -direct domain evil.corp -proxy domain-suffix google.com -block ip 1.2.3.4 -block country cn -hijack cidr 192.168.1.1/24 127.0.0.1 - -direct all -``` - -Hysteria 根据文件中第一个匹配到规则对每个请求进行操作。当没有匹配时默认的行为是代理连接。可以通过在文件的末尾添加一个规则加上条件 "all" 来设置默认行为。 - -4 种处理方式: - -`direct` - 直接连接到目标服务器,不经过代理 - -`proxy` - 通过代理连接到目标服务器(仅在客户端上可用) - -`block` - 拒绝连接建立 - -`hijack` - 把连接劫持到另一个目的地 (必须在参数中指定) - -6 种条件类型: - -`domain` - 匹配特定的域名(不匹配子域名!例如:`apple.com` 不匹配 `cdn.apple.com`) - -`domain-suffix` - 匹配域名后缀(包含子域名,但 `apple.com` 仍不会匹配 `fakeapple.com`) - -`cidr` - IPv4 / IPv6 CIDR - -`ip` - IPv4 / IPv6 地址 - -`country` - 匹配国家 IP,ISO 两位字母国家代码 - -`all` - 匹配所有地址 (通常放在文件尾作为默认规则) - -对于域名请求,Hysteria 将尝试解析域名并同时匹配域名规则和 IP 规则。换句话说,IP 规则能覆盖到所有连接,无论客户端是用 IP 还是域名请求。 \ No newline at end of file diff --git a/Docker.md b/Docker.md deleted file mode 100644 index 92c96b5..0000000 --- a/Docker.md +++ /dev/null @@ -1,67 +0,0 @@ -## About Dockerfile - -The hysteria docker image is based on the **alpine** system. This means that -**some glibc calls may not work if you run programs that depend on glibc in a container.** - -By default, **bash** is installed in the docker container for debugging, **tzdata** is used to -provide container time zone configuration, and **ca-certificates** is used to ensure the -trust of the ssl certificate chain; in addition, the docker container does not contain -any tools other than the alpine standard system. - -The hysteria binary is installed in `/usr/local/bin/hysteria`, and the **ENTRYPOINT** -of the docker container is set to **execute the `hysteria` command**; this means that -the `hysteria` command is always the first command. - -## How to use docker image? - -### For standard docker users - -You can mount the configuration file to any location of the docker container and use it. - -In the following commands, we assume that the **`/root/hysteria.json`** configuration -file is mounted to **`/etc/hysteria.json`**: - -⚠️ Note: **If you don't want to use the host network (`--network=host`), please make sure that -the hysteria UDP port is correctly mapped (`-p 1234:1234/udp`)** - -```sh -# Please replace `/root/hysteria.json` with the actual configuration file location -docker run -dt --network=host --name hysteria \ - -v /root/hysteria.json:/etc/hysteria.json \ - tobyxdd/hysteria -config /etc/hysteria.json server -``` - -### For docker-compose users - -First, you need to create a directory with any name, and then copy [docker-compose.yaml](https://raw.githubusercontent.com/HyNetwork/hysteria/master/docker-compose.yaml) to -that directory. Finally, create your configuration file and start it. - -```sh -# Create dir -mkdir hysteria && cd hysteria - -# Download the docker-compose example config -wget https://raw.githubusercontent.com/HyNetwork/hysteria/master/docker-compose.yaml - -# Create your config -cat < hysteria.json -{ - "listen": ":36712", - "acme": { - "domains": [ - "your.domain.com" - ], - "email": "hacker@gmail.com" - }, - "obfs": "fuck me till the daylight", - "up_mbps": 100, - "down_mbps": 100 -} -EOF - -# Start container -docker-compose up -d -``` - - - diff --git a/Docker.zh.md b/Docker.zh.md deleted file mode 100644 index 94ee358..0000000 --- a/Docker.zh.md +++ /dev/null @@ -1,62 +0,0 @@ -## 关于 Dockerfile - -hysteria 的 docker 镜像基于 **alpine** 系统,这意味着如果您在容器里运行一些依赖于 glibc -的自定义程序可能会失败。 - -默认情况下容器内安装了 **`bash`** 用于调试目的,安装的 **`tzdata`** 用于提供容器的时区信息; -为了保证 ACME 等连其他网站时 SSL 证书信任还安装了 **`ca-certificates`**;除此之外容器内不包含 -任何非标准 alpine 系统的其他工具。 - -hysteria 二进制可执行文件默认被安装到 `/usr/local/bin/hysteria`,同时容器的 **ENTRYPOINT** -被设置为**执行 `hysteria` 命令**;这意味着在不进行覆盖的情况下容器启动后首先将执行 `hysteria` -命令。 - -## 如何使用本镜像? - -### 标准 Docker 用户 - -您可以将配置文件挂载到容器内的任何位置然后使用它。 - -在下面的命令中我们假设将 **`/root/hysteria.json`** 配置文件挂载为容器内的 **`/etc/hysteria.json`** 文件。 - -⚠️ 注意: 如果您不想使用宿主机网络(`--network=host`),请确保正确的映射了 hysteria 的 UDP 端口(`-p 1234:1234/udp`)。 - -```sh -# Please replace `/root/hysteria.json` with the actual configuration file location -docker run -dt --network=host --name hysteria \ - -v /root/hysteria.json:/etc/hysteria.json \ - tobyxdd/hysteria -config /etc/hysteria.json server -``` - -### Docker Compose 用户 - -首先您需要创建一个任意名称的目录,然后将项目内的 [docker-compose.yaml](https://raw.githubusercontent.com/HyNetwork/hysteria/master/docker-compose.yaml) 文件复制到该目录; -最后创建自己的配置文件并启动即可。 - -```sh -# Create dir -mkdir hysteria && cd hysteria - -# Download the docker-compose example config -wget https://raw.githubusercontent.com/HyNetwork/hysteria/master/docker-compose.yaml - -# Create your config -cat < hysteria.json -{ - "listen": ":36712", - "acme": { - "domains": [ - "your.domain.com" - ], - "email": "hacker@gmail.com" - }, - "obfs": "fuck me till the daylight", - "up_mbps": 100, - "down_mbps": 100 -} -EOF - -# Start container -docker-compose up -d -``` - diff --git a/README.md b/README.md index 499d73b..5699848 100644 --- a/README.md +++ b/README.md @@ -18,8 +18,6 @@ [8]: https://github.com/HyNetwork/hysteria/discussions -[中文](README.zh.md) - Hysteria is a feature-packed network utility optimized for networks of poor quality (e.g. satellite connections, congested public Wi-Fi, connecting from China to servers abroad) powered by a custom version of QUIC protocol. It currently has the following features: (still growing!) @@ -30,467 +28,20 @@ currently has the following features: (still growing!) - TCP/UDP TPROXY (Linux only) - TUN (TAP on Windows) -## Installation +**[Documentation has now been moved to our wiki](https://github.com/HyNetwork/hysteria/wiki)** -### Windows, Linux, macOS CLI +---------- -- Download pre-built binaries from https://github.com/tobyxdd/hysteria/releases - - Linux builds are available as `hysteria-tun` (with tun support) and `hysteria` (without tun support). Builds - without tun support are statically linked and do not depend on glibc. **If you use a Linux distribution that - can't run `hysteria-tun` properly, try `hysteria` instead.** - - Other platforms do not have glibc compatibility issues. The builds are all with tun support. -- Use Docker or Docker Compose: https://github.com/HyNetwork/hysteria/blob/master/Docker.md -- Use our Arch Linux AUR: https://aur.archlinux.org/packages/hysteria/ -- Build from source with `go build ./cmd` +Hysteria 是一个功能丰富的,专为恶劣网络环境进行优化的网络工具(双边加速),比如卫星网络、拥挤的公共 Wi-Fi、在中国连接国外服务器等。 基于修改版的 QUIC 协议。目前有以下模式:(仍在增加中) -### OpenWrt LuCI app +SOCKS5 代理 (TCP & UDP) +HTTP/HTTPS 代理 +TCP/UDP 转发 +TCP/UDP TPROXY 透明代理 (Linux) +TUN (Windows 下为 TAP) -- [openwrt-passwall](https://github.com/xiaorouji/openwrt-passwall) +**[文档现已移动到 wiki](https://github.com/HyNetwork/hysteria/wiki/%E9%A6%96%E9%A1%B5)** -### Android - -- [SagerNet](https://github.com/SagerNet/SagerNet) with [hysteria-plugin](https://github.com/SagerNet/SagerNet/releases/tag/hysteria-plugin-0.9.3) - -### iOS - -- [Shadowrocket](https://apps.apple.com/us/app/shadowrocket/id932747118) - -## Quick Start - -Note: This is only a bare-bones example to get the server and client running. Go to [Advanced usage](#advanced-usage) -for all the available options. - -### Server - -Create a `config.json` under the root directory of the program: - -```json -{ - "listen": ":36712", - "acme": { - "domains": [ - "your.domain.com" - ], - "email": "hacker@gmail.com" - }, - "obfs": "fuck me till the daylight", - "up_mbps": 100, - "down_mbps": 100 -} -``` - -Hysteria requires a TLS certificate. You can either get a trusted TLS certificate from Let's Encrypt automatically using -the built-in ACME integration, or provide it yourself. It does not have to be valid and trusted, but in that case the -clients need additional configuration. To use your own existing TLS certificate, refer to this config: - -```json -{ - "listen": ":36712", - "cert": "/home/ubuntu/my.crt", - "key": "/home/ubuntu/my.key", - "obfs": "fuck me till the daylight", - "up_mbps": 100, - "down_mbps": 100 -} -``` - -The (optional) `obfs` option obfuscates the protocol using the provided password, so that it is not apparent that this -is Hysteria/QUIC, which could be useful for bypassing DPI blocking or QoS. If the passwords of the server and client do -not match, no connection can be established. Therefore, this can also serve as a simple password authentication. For -more advanced authentication schemes, see `auth` below. - -`up_mbps` and `down_mbps` limit the maximum upload and download speed of the server for each client. Feel free to remove -them if you don't need. - -To launch the server, simply run - -``` -./hysteria-linux-amd64 server -``` - -If your config file is not named `config.json` or is in a different path, specify it with `-config`: - -``` -./hysteria-linux-amd64 -config blah.json server -``` - -### Client - -Same as the server side, create a `config.json` under the root directory of the program: - -```json -{ - "server": "example.com:36712", - "obfs": "fuck me till the daylight", - "up_mbps": 10, - "down_mbps": 50, - "socks5": { - "listen": "127.0.0.1:1080" - }, - "http": { - "listen": "127.0.0.1:8080" - } -} -``` - -This config enables a SOCKS5 proxy (with both TCP & UDP support), and an HTTP proxy at the same time. There are many -other modes in Hysteria, be sure to check them out in [Advanced usage](#advanced-usage)! To enable or disable a mode, -simply add or remove its entry in the config file. - -If your server certificate is not issued by a trusted CA, you need to specify the CA used -with `"ca": "/path/to/file.ca"` on the client or use `"insecure": true` to ignore all certificate errors (not -recommended). - -`up_mbps` and `down_mbps` are mandatory on the client side. Try to fill in these values as accurately as possible -according to your network conditions, as they are crucial for Hysteria to work optimally. - -Some users may attempt to forward other encrypted proxy protocols such as Shadowsocks with relay. While this technically -works, it's not optimal from a performance standpoint - Hysteria itself uses TLS, considering that the proxy protocol -being forwarded is also encrypted, and the fact that almost all sites are now using HTTPS, it essentially becomes triple -encryption. If you need a proxy, just use our proxy modes. - -## Comparison +---------- ![Bench](docs/bench/bench.png) - -## Advanced usage - -### Server - -```json5 -{ - "listen": ":36712", // Listen address - "protocol": "faketcp", // Blank, "udp", "wechat-video", "faketcp" - "acme": { - "domains": [ - "your.domain.com", - "another.domain.net" - ], // Domains for the ACME cert - "email": "hacker@gmail.com", // Registration email, optional but recommended - "disable_http": false, // Disable HTTP challenges - "disable_tlsalpn": false, // Disable TLS-ALPN challenges - "alt_http_port": 8080, // Alternate port for HTTP challenges - "alt_tlsalpn_port": 4433 // Alternate port for TLS-ALPN challenges - }, - "cert": "/home/ubuntu/my_cert.crt", // Cert file, mutually exclusive with the ACME options above - "key": "/home/ubuntu/my_key.crt", // Key file, mutually exclusive with the ACME options above - "up_mbps": 100, // Max upload Mbps per client - "down_mbps": 100, // Max download Mbps per client - "disable_udp": false, // Disable UDP support - "acl": "my_list.acl", // See ACL below - "mmdb": "GeoLite2-Country.mmdb", // MaxMind database for ACL country lookups - "obfs": "AMOGUS", // Obfuscation password - "auth": { // Authentication - "mode": "password", // Mode, supports "password" "none" and "external" for now - "config": { - "password": "yubiyubi" - } - }, - "alpn": "ayaya", // QUIC TLS ALPN - "prometheus_listen": ":8080", // Prometheus HTTP metrics server listen address (at /metrics) - "recv_window_conn": 15728640, // QUIC stream receive window - "recv_window_client": 67108864, // QUIC connection receive window - "max_conn_client": 4096, // Max concurrent connections per client - "disable_mtu_discovery": false, // Disable Path MTU Discovery (RFC 8899) - "ipv6_only": false, // Only resolve domains to IPv6 address - "resolver": "1.1.1.1:53" // DNS resolver address -} -``` - -#### ACME - -Only HTTP and TLS-ALPN challenges are currently supported (no DNS challenges). Make sure your TCP ports 80/443 are -accessible respectively. - -#### External authentication integration - -If you are a commercial proxy provider, you may want to connect Hysteria to your own authentication backend. - -```json5 -{ - // ... - "auth": { - "mode": "external", - "config": { - "http": "https://api.example.com/auth" // Both HTTP and HTTPS are supported - } - } -} -``` - -For the above config, Hysteria sends a POST request to `https://api.example.com/auth` upon each client's connection: - -```json5 -{ - "addr": "111.222.111.222:52731", - "payload": "[BASE64]", // auth or auth_str of the client - "send": 12500000, // Negotiated server send speed for this client (Bps) - "recv": 12500000 // Negotiated server recv speed for this client (Bps) -} -``` - -The endpoint must return results with HTTP status code 200 (even if the authentication failed): - -```json5 -{ - "ok": false, - "msg": "No idea who you are" -} -``` - -`ok` indicates whether the authentication passed. `msg` is a success/failure message. - -#### Prometheus Metrics - -You can make Hysteria expose a Prometheus HTTP client endpoint for monitoring traffic usage with `prometheus_listen`. -If configured on port 8080, the endpoint would be at `http://example.com:8080/metrics`. - -```text -hysteria_active_conn{auth="55m95auW5oCq"} 32 -hysteria_active_conn{auth="aGFja2VyISE="} 7 - -hysteria_traffic_downlink_bytes_total{auth="55m95auW5oCq"} 122639 -hysteria_traffic_downlink_bytes_total{auth="aGFja2VyISE="} 3.225058e+06 - -hysteria_traffic_uplink_bytes_total{auth="55m95auW5oCq"} 40710 -hysteria_traffic_uplink_bytes_total{auth="aGFja2VyISE="} 37452 -``` - -`auth` is the auth payload sent by the clients, encoded in Base64. - -### Client - -```json5 -{ - "server": "example.com:36712", // Server address - "protocol": "faketcp", // Blank, "udp", "wechat-video", "faketcp" - "up_mbps": 10, // Max upload Mbps - "down_mbps": 50, // Max download Mbps - "socks5": { - "listen": "127.0.0.1:1080", // SOCKS5 listen address - "timeout": 300, // TCP timeout in seconds - "disable_udp": false, // Disable UDP support - "user": "me", // SOCKS5 authentication username - "password": "lmaolmao" // SOCKS5 authentication password - }, - "http": { - "listen": "127.0.0.1:8080", // HTTP listen address - "timeout": 300, // TCP timeout in seconds - "user": "me", // HTTP authentication username - "password": "lmaolmao", // HTTP authentication password - "cert": "/home/ubuntu/my_cert.crt", // Cert file (HTTPS proxy) - "key": "/home/ubuntu/my_key.crt" // Key file (HTTPS proxy) - }, - "tun": { - "name": "tun-hy", // TUN interface name - "timeout": 300, // Timeout in seconds - "address": "192.0.2.2", // TUN interface address, not applicable for Linux - "gateway": "192.0.2.1", // TUN interface gateway, not applicable for Linux - "mask": "255.255.255.252", // TUN interface mask, not applicable for Linux - "dns": [ "8.8.8.8", "8.8.4.4" ], // TUN interface DNS, only applicable for Windows - "persist": false // Persist TUN interface after exit, only applicable for Linux - }, - "relay_tcps": [ - { - "listen": "127.0.0.1:2222", // TCP relay listen address - "remote": "123.123.123.123:22", // TCP relay remote address - "timeout": 300 // TCP timeout in seconds - }, - { - "listen": "127.0.0.1:13389", // TCP relay listen address - "remote": "124.124.124.124:3389", // TCP relay remote address - "timeout": 300 // TCP timeout in seconds - } - ], - "relay_udps": [ - { - "listen": "127.0.0.1:5333", // UDP relay listen address - "remote": "8.8.8.8:53", // UDP relay remote address - "timeout": 60 // UDP session timeout in seconds - }, - { - "listen": "127.0.0.1:11080", // UDP relay listen address - "remote": "9.9.9.9.9:1080", // UDP relay remote address - "timeout": 60 // UDP session timeout in seconds - } - ], - "tproxy_tcp": { - "listen": "127.0.0.1:9000", // TCP TProxy listen address - "timeout": 300 // TCP timeout in seconds - }, - "tproxy_udp": { - "listen": "127.0.0.1:9000", // UDP TProxy listen address - "timeout": 60 // UDP session timeout in seconds - }, - "acl": "my_list.acl", // See ACL below - "mmdb": "GeoLite2-Country.mmdb", // MaxMind database for ACL country lookups - "obfs": "AMOGUS", // Obfuscation password - "auth": "[BASE64]", // Authentication payload in Base64 - "auth_str": "yubiyubi", // Authentication payload in string, mutually exclusive with the option above - "alpn": "ayaya", // QUIC TLS ALPN - "server_name": "real.name.com", // TLS hostname used to verify the server certificate - "insecure": false, // Ignore all certificate errors - "ca": "my.ca", // Custom CA file - "recv_window_conn": 15728640, // QUIC stream receive window - "recv_window": 67108864, // QUIC connection receive window - "disable_mtu_discovery": false, // Disable Path MTU Discovery (RFC 8899) - "resolver": "1.1.1.1:53" // DNS resolver address -} -``` - -#### Fake TCP / TCP masquerade - -Certain networks may impose various restrictions on UDP traffic or block it altogether. Hysteria offers a "faketcp" mode -that allows servers and clients to communicate using a protocol that looks like TCP but does not actually go through the -system TCP stack. This tricks whatever middleboxes into thinking it's actually TCP traffic, rendering UDP-specific -restrictions useless. - -This mode is currently only supported on Linux (both client and server) and requires root privileges. - -If your server is behind a firewall, open the corresponding TCP port instead of UDP. - -#### Transparent proxy - -TPROXY modes (`tproxy_tcp` & `tproxy_udp`) are only available on Linux. - -References: -- https://www.kernel.org/doc/Documentation/networking/tproxy.txt -- https://powerdns.org/tproxydoc/tproxy.md.html - -## Optimization tips - -### Optimizing for extreme transfer speeds - -If you want to use Hysteria for very high speed transfers (e.g. 10GE, 1G+ over inter-country long fat pipes), consider -increasing your system's UDP receive buffer size. - -```shell -sysctl -w net.core.rmem_max=4000000 -``` - -This would increase the buffer size to roughly 4 MB on Linux. - -You may also need to increase `recv_window_conn` and `recv_window` (`recv_window_client` on server side) to make sure -they are at least no less than the bandwidth-delay product. For example, if you want to achieve a transfer speed of 500 -MB/s on a line with an RTT of 200 ms, you need a minimum receive window size of 100 MB (500*0.2). - -### Routers and other embedded devices - -For devices with very limited computing power and RAM, turning off obfuscation can bring a slight performance boost. - -The default receive window size for both Hysteria server and client is 64 MB. Consider lowering them if it's too large -for your device. Keeping a ratio of one to four between stream receive window and connection receive window is -recommended. - -## ACL - -[ACL File Format](ACL.md) - -ACL is available on both client & server. On the server side it can be used to restrict what the clients can access, and -is valid for any mode on the client side. On the client side, it's only supported in SOCKS5 & HTTP proxy modes, and has -no effect in other modes (all traffic will go through the proxy) - -## URI Scheme - -Third party clients looking to implement a "share by link" feature are advised to follow the following URI scheme -(initially introduced by Shadowrocket): - - hysteria://host:port?protocol=udp&auth=123456&peer=sni.domain&insecure=1&upmbps=100&downmbps=100&alpn=hysteria&obfs=xplus&obfsParam=123456#remarks - - - host: hostname or IP address of the server to connect to (required) - - port: port of the server to connect to (required) - - protocol: protocol to use ("udp", "wechat-video", "faketcp") (optional, default: "udp") - - auth: authentication payload (string) (optional) - - peer: SNI for TLS (optional) - - insecure: ignore certificate errors (optional) - - upmbps: upstream bandwidth in Mbps (required) - - downmbps: downstream bandwidth in Mbps (required) - - alpn: QUIC ALPN (optional) - - obfs: Obfuscation mode (optional, empty or "xplus") - - obfsParam: Obfuscation password (optional) - - remarks: remarks (optional) - -## Logging - -The program outputs `DEBUG` level, text format logs via stdout by default. - -To change the logging level, use `LOGGING_LEVEL` environment variable. The available levels are `panic`, `fatal` -, `error`, `warn`, `info`, ` debug`, `trace` - -To print JSON instead, set `LOGGING_FORMATTER` to `json` - -To change the logging timestamp format, set `LOGGING_TIMESTAMP_FORMAT` - -## Custom CA - - 1. Suppose the server address is `123.123.123.123`, UDP port `5678` is not blocked by firewall - 2. openssl is already installed - 3. hysteria is already installed in `/root/hysteria/` -
- 4. Generate custom CA certificate - -- Run the script below in `/root/hysteria/` - -``` shell -#!/usr/bin/env bash - -domain=$(openssl rand -hex 8) -password=$(openssl rand -hex 16) -obfs=$(openssl rand -hex 6) -path="/root/hysteria" - -openssl genrsa -out hysteria.ca.key 2048 - -openssl req -new -x509 -days 3650 -key hysteria.ca.key -subj "/C=CN/ST=GD/L=SZ/O=Hysteria, Inc./CN=Hysteria Root CA" -out hysteria.ca.crt - -openssl req -newkey rsa:2048 -nodes -keyout hysteria.server.key -subj "/C=CN/ST=GD/L=SZ/O=Hysteria, Inc./CN=*.${domain}.com" -out hysteria.server.csr - -openssl x509 -req -extfile <(printf "subjectAltName=DNS:${domain}.com,DNS:www.${domain}.com") -days 3650 -in hysteria.server.csr -CA hysteria.ca.crt -CAkey hysteria.ca.key -CAcreateserial -out hysteria.server.crt - -cat > ./client.json < ./server.json < - -5. On the server side, copy `server.json`, `hysteria.server.crt`, `hysteria.server.key` to `/root/hysteria/`, - run `/root/hysteria/hysteria -c /root/hysteria/server.json server` - -6. On the client side, assuming that the client is also in `/root/hysteria`, copy `client.json`, `hysteria.ca.crt` - to `/root/hysteria/`, run `/root/hysteria/hysteria -c /root/hysteria/client.json` - -7. After getting your certificate, modify the server address, port, certificate path, etc. according to your needs - -8. If you are using Shadowrocket on iOS, you can airdrop the file `hysteria.ca.crt` to your device and install it diff --git a/README.zh.md b/README.zh.md deleted file mode 100644 index 11e48ed..0000000 --- a/README.zh.md +++ /dev/null @@ -1,473 +0,0 @@ -# ![Logo](docs/logos/readme.png) - -[![License][1]][2] [![Release][3]][4] [![Telegram][5]][6] [![Discussions][7]][8] - -[1]: https://img.shields.io/github/license/tobyxdd/hysteria?style=flat-square - -[2]: LICENSE.md - -[3]: https://img.shields.io/github/v/release/tobyxdd/hysteria?style=flat-square - -[4]: https://github.com/tobyxdd/hysteria/releases - -[5]: https://img.shields.io/badge/chat-Telegram-blue?style=flat-square - -[6]: https://t.me/hysteria_github - -[7]: https://img.shields.io/github/discussions/HyNetwork/hysteria?style=flat-square - -[8]: https://github.com/HyNetwork/hysteria/discussions - -Hysteria 是一个功能丰富的,专为恶劣网络环境进行优化的网络工具(双边加速),比如卫星网络、拥挤的公共 Wi-Fi、在中国连接国外服务器等。 -基于修改版的 QUIC 协议。目前有以下模式:(仍在增加中) - -- SOCKS5 代理 (TCP & UDP) -- HTTP/HTTPS 代理 -- TCP/UDP 转发 -- TCP/UDP TPROXY 透明代理 (Linux) -- TUN (Windows 下为 TAP) - -## 下载安装 - -### Windows, Linux, macOS CLI - -- 从 https://github.com/tobyxdd/hysteria/releases 下载编译好的版本 - - Linux 分为 `hysteria-tun` (带有 tun 支持) 和 `hysteria` (无 tun 支持) 两个版本。无 tun 支持的版本是静态链接,不依赖系统 - glibc 的。**如果你使用的 Linux 发行版无法正常执行 `hysteria-tun`,请尝试 `hysteria`** - - 其余平台无 glibc 兼容性问题,提供的都是带有 tun 支持的版本 -- 使用 Docker 或 Docker Compose: https://github.com/HyNetwork/hysteria/blob/master/Docker.zh.md -- 使用 Arch Linux AUR: https://aur.archlinux.org/packages/hysteria/ -- 自己用 `go build ./cmd` 从源码编译 - -### OpenWrt LuCI app - -- [openwrt-passwall](https://github.com/xiaorouji/openwrt-passwall) - -### Android - -- [SagerNet](https://github.com/SagerNet/SagerNet) 配合 [hysteria-plugin](https://github.com/SagerNet/SagerNet/releases/tag/hysteria-plugin-0.9.3) - -### iOS - -- [Shadowrocket](https://apps.apple.com/us/app/shadowrocket/id932747118) - -## 快速入门 - -注意:本节提供的配置只是为了快速上手,可能无法满足你的需求。请到 [高级用法](#高级用法) 中查看所有可用选项与含义。 - -### 服务器 - -在目录下建立一个 `config.json` - -```json -{ - "listen": ":36712", - "acme": { - "domains": [ - "your.domain.com" - ], - "email": "hacker@gmail.com" - }, - "obfs": "fuck me till the daylight", - "up_mbps": 100, - "down_mbps": 100 -} -``` - -服务端需要一个 TLS 证书。 你可以让 Hysteria 内置的 ACME 尝试自动从 Let's Encrypt 为你的服务器签发一个证书,也可以自己提供。 -证书未必一定要是有效、可信的,但在这种情况下客户端需要进行额外的配置。要使用自己的 TLS 证书,参考这个配置: - -```json -{ - "listen": ":36712", - "cert": "/home/ubuntu/my.crt", - "key": "/home/ubuntu/my.key", - "obfs": "fuck me till the daylight", - "up_mbps": 100, - "down_mbps": 100 -} -``` - -可选的 `obfs` 选项使用提供的密码对协议进行混淆,这样协议就不容易被检测出是 Hysteria/QUIC,可以用来绕过针对性的 DPI 屏蔽或者 QoS。 -如果服务端和客户端的密码不匹配就不能建立连接,因此这也可以作为一个简单的密码验证。对于更高级的验证方案请见下文 `auth`。 - -`up_mbps` 和 `down_mbps` 限制服务器对每个客户端的最大上传和下载速度。这些也是可选的,如果不需要可以移除。 - -要启动服务端,只需运行 - -``` -./hysteria-linux-amd64 server -``` - -如果你的配置文件没有命名为 `config.json` 或在别的路径,请用 `-config` 指定路径: - -``` -./hysteria-linux-amd64 -config blah.json server -``` - -### 客户端 - -和服务器端一样,在程序根目录下建立一个`config.json`。 - -```json -{ - "server": "example.com:36712", - "obfs": "fuck me till the daylight", - "up_mbps": 10, - "down_mbps": 50, - "socks5": { - "listen": "127.0.0.1:1080" - }, - "http": { - "listen": "127.0.0.1:8080" - } -} -``` - -这个配置同时开了 SOCK5 (支持 TCP & UDP) 代理和 HTTP 代理。Hysteria 还有很多其他模式,请务必前往 [高级用法](#高级用法) 了解一下! -要启用/禁用一个模式,在配置文件中添加/移除对应条目即可。 - -如果你的服务端证书不是由受信任的 CA 签发的,需要用 `"ca": "/path/to/file.ca"` 指定使用的 CA 或者用 `"insecure": true` 忽略所有 -证书错误(不推荐)。 - -`up_mbps` 和 `down_mbps` 在客户端是必填选项,请根据实际网络情况尽量准确地填写,否则将影响 Hysteria 的使用体验。 - -有些用户可能会尝试用这个功能转发其他加密代理协议,比如 Shadowsocks。这样虽然可行,但从性能的角度不推荐 - Hysteria 本身就用 TLS, -转发的代理协议也是加密的,再加上如今几乎所有网站都是 HTTPS 了,等于做了三重加密。如果需要代理,建议直接使用代理模式。 - -## 对比 - -![Bench](docs/bench/bench.png) - -## 高级用法 - -### 服务器 - -```json5 -{ - "listen": ":36712", // 监听地址 - "protocol": "faketcp", // 留空或 "udp", "wechat-video", "faketcp" - "acme": { - "domains": [ - "your.domain.com", - "another.domain.net" - ], // ACME 证书域名 - "email": "hacker@gmail.com", // 注册邮箱,可选,推荐 - "disable_http": false, // 禁用 HTTP 验证方式 - "disable_tlsalpn": false, // 禁用 TLS-ALPN 验证方式 - "alt_http_port": 8080, // HTTP 验证方式替代端口 - "alt_tlsalpn_port": 4433 // TLS-ALPN 验证方式替代端口 - }, - "cert": "/home/ubuntu/my_cert.crt", // 证书 - "key": "/home/ubuntu/my_key.crt", // 证书密钥 - "up_mbps": 100, // 单客户端最大上传速度 - "down_mbps": 100, // 单客户端最大下载速度 - "disable_udp": false, // 禁用 UDP 支持 - "acl": "my_list.acl", // 见下文 ACL - "mmdb": "GeoLite2-Country.mmdb", // MaxMind IP 库 (ACL) - "obfs": "AMOGUS", // 混淆密码 - "auth": { // 验证 - "mode": "password", // 验证模式,暂时只支持 "password" 与 "none" - "config": { - "password": "yubiyubi" - } - }, - "alpn": "ayaya", // QUIC TLS ALPN - "prometheus_listen": ":8080", // Prometheus 统计接口监听地址 (在 /metrics) - "recv_window_conn": 15728640, // QUIC stream receive window - "recv_window_client": 67108864, // QUIC connection receive window - "max_conn_client": 4096, // 单客户端最大活跃连接数 - "disable_mtu_discovery": false, // 禁用 MTU 探测 (RFC 8899) - "ipv6_only": false, // 强制把域名解析成 IPv6 地址 - "resolver": "1.1.1.1:53" // DNS 地址 -} -``` - -#### ACME - -目前仅支持 HTTP 与 TLS-ALPN 验证方式,不支持 DNS 验证。对于两种方式请分别确保 TCP 80/443 端口能够被访问。 - -#### 接入外部验证 - -如果你是商业代理服务提供商,可以这样把 Hysteria 接入到自己的验证后端: - -```json5 -{ - // ... - "auth": { - "mode": "external", - "config": { - "http": "https://api.example.com/auth" // 支持 HTTP 和 HTTPS - } - } -} -``` - -对于上述配置,Hysteria 会把验证请求通过 HTTP POST 发送到 `https://api.example.com/auth` - -```json5 -{ - "addr": "111.222.111.222:52731", - "payload": "[BASE64]", // 对应客户端配置的 auth 或 auth_str 字段 - "send": 12500000, // 协商后的服务端最大发送速率 (Bps) - "recv": 12500000 // 协商后的服务端最大接收速率 (Bps) -} -``` - -后端必须用 HTTP 200 状态码返回验证结果(即使验证不通过): - -```json5 -{ - "ok": false, - "msg": "No idea who you are" -} -``` - -`ok` 表示验证是否通过,`msg` 是成功/失败消息。 - -#### Prometheus 流量统计 - -通过 `prometheus_listen` 选项可以让 Hysteria 暴露一个 Prometheus HTTP 客户端 endpoint 用来统计流量使用情况。 -例如如果配置在 8080 端口,则 API 地址是 `http://example.com:8080/metrics` - -```text -hysteria_active_conn{auth="55m95auW5oCq"} 32 -hysteria_active_conn{auth="aGFja2VyISE="} 7 - -hysteria_traffic_downlink_bytes_total{auth="55m95auW5oCq"} 122639 -hysteria_traffic_downlink_bytes_total{auth="aGFja2VyISE="} 3.225058e+06 - -hysteria_traffic_uplink_bytes_total{auth="55m95auW5oCq"} 40710 -hysteria_traffic_uplink_bytes_total{auth="aGFja2VyISE="} 37452 -``` - -`auth` 是客户端发来的验证密钥,经过 Base64 编码。 - -### 客户端 - -```json5 -{ - "server": "example.com:36712", // 服务器地址 - "protocol": "faketcp", // 留空或 "udp", "wechat-video", "faketcp" - "up_mbps": 10, // 最大上传速度 - "down_mbps": 50, // 最大下载速度 - "socks5": { - "listen": "127.0.0.1:1080", // SOCKS5 监听地址 - "timeout": 300, // TCP 超时秒数 - "disable_udp": false, // 禁用 UDP 支持 - "user": "me", // SOCKS5 验证用户名 - "password": "lmaolmao" // SOCKS5 验证密码 - }, - "http": { - "listen": "127.0.0.1:8080", // HTTP 监听地址 - "timeout": 300, // TCP 超时秒数 - "user": "me", // HTTP 验证用户名 - "password": "lmaolmao", // HTTP 验证密码 - "cert": "/home/ubuntu/my_cert.crt", // 证书 (变为 HTTPS 代理) - "key": "/home/ubuntu/my_key.crt" // 证书密钥 (变为 HTTPS 代理) - }, - "tun": { - "name": "tun-hy", // TUN 接口名称 - "timeout": 300, // 超时秒数 - "address": "192.0.2.2", // TUN 接口地址(不适用于 Linux) - "gateway": "192.0.2.1", // TUN 接口网关(不适用于 Linux) - "mask": "255.255.255.252", // TUN 接口子网掩码(不适用于 Linux) - "dns": [ "8.8.8.8", "8.8.4.4" ], // TUN 接口 DNS 服务器(仅适用于 Windows) - "persist": false // 在程序退出之后保留接口(仅适用于 Linux) - }, - "relay_tcps": [ - { - "listen": "127.0.0.1:2222", // TCP 转发监听地址 - "remote": "123.123.123.123:22", // TCP 转发目标地址 - "timeout": 300 // TCP 超时秒数 - }, - { - "listen": "127.0.0.1:13389", // TCP 转发监听地址 - "remote": "124.124.124.124:3389", // TCP 转发目标地址 - "timeout": 300 // TCP 超时秒数 - } - ], - "relay_udps": [ - { - "listen": "127.0.0.1:5333", // UDP 转发监听地址 - "remote": "8.8.8.8:53", // UDP 转发目标地址 - "timeout": 60 // UDP 超时秒数 - }, - { - "listen": "127.0.0.1:11080", // UDP 转发监听地址 - "remote": "9.9.9.9.9:1080", // UDP 转发目标地址 - "timeout": 60 // UDP 超时秒数 - } - ], - "tproxy_tcp": { - "listen": "127.0.0.1:9000", // TCP 透明代理监听地址 - "timeout": 300 // TCP 超时秒数 - }, - "tproxy_udp": { - "listen": "127.0.0.1:9000", // UDP 透明代理监听地址 - "timeout": 60 // UDP 超时秒数 - }, - "acl": "my_list.acl", // 见下文 ACL - "mmdb": "GeoLite2-Country.mmdb", // MaxMind IP 库 (ACL) - "obfs": "AMOGUS", // 混淆密码 - "auth": "[BASE64]", // Base64 验证密钥 - "auth_str": "yubiyubi", // 字符串验证密钥,和上面的选项二选一 - "alpn": "ayaya", // QUIC TLS ALPN - "server_name": "real.name.com", // 用于验证服务端证书的 hostname - "insecure": false, // 忽略一切证书错误 - "ca": "my.ca", // 自定义 CA - "recv_window_conn": 15728640, // QUIC stream receive window - "recv_window": 67108864, // QUIC connection receive window - "disable_mtu_discovery": false, // 禁用 MTU 探测 (RFC 8899) - "resolver": "1.1.1.1:53" // DNS 地址 -} -``` - -#### 伪装 TCP (faketcp 模式) - -某些网络可能对 UDP 流量施加各种限制,或者完全屏蔽。Hysteria 提供了一个 "faketcp" 模式,让服务端与客户端之间用看起来是 TCP 但实际不走 -系统 TCP 栈的方式通信。通过这种方式可以让防火墙、QoS 设备认为这是真的 TCP 连接,绕过对 UDP 的限制。 - -目前只在 Linux 上支持(客户端和服务器都是),并且需要 root 权限。 - -如果你的服务器有防火墙,请放行相应的 TCP 端口而不是 UDP。 - -#### 透明代理 - -TPROXY 模式 (`tproxy_tcp` 和 `tproxy_udp`) 只在 Linux 下可用。 - -参考阅读: -- https://www.kernel.org/doc/Documentation/networking/tproxy.txt -- https://powerdns.org/tproxydoc/tproxy.md.html - -## 优化建议 - -### 针对超高传速度进行优化 - -如果要用 Hysteria 进行极高速度的传输 (如内网超过 10G 或高延迟跨国超过 1G),请增加系统的 UDP receive buffer 大小。 - -```shell -sysctl -w net.core.rmem_max=4000000 -``` - -这个命令会在 Linux 下将 buffer 大小提升到 4 MB 左右。 - -你可能还需要提高 `recv_window_conn` 和 `recv_window` (服务器端是 `recv_window_client`) 以确保它们至少不低于带宽-延迟的乘积。 -比如如果想在一条 RTT 200ms 的线路上达到 500 MB/s 的速度,receive window 至少需要 100 MB (500*0.2) - -### 路由器与其他嵌入式设备 - -对于运算性能和内存十分有限的嵌入式设备,如果不是必须的话建议关闭混淆,可以带来少许性能提升。 - -Hysteria 服务端与客户端默认的 receive window 大小是 64 MB。如果设备内存不够,请考虑通过配置降低。建议保持 stream receive window -和 connection receive window 之间 1:4 的比例关系。 - -## 关于 ACL - -[ACL 文件格式](ACL.zh.md) - -ACL 在服务端和客户端都可以使用。在服务端可以用来实现限制客户端能访问的目标,对客户端任何模式都有效。在客户端只有 SOCKS5 和 HTTP 代理 -支持 ACL。其他模式下没有效果(所有流量都会走代理)。 - -## URI Scheme - -希望包含链接分享/导入功能的第三方客户端,建议按照如下 URI Scheme 实现(最初由 Shadowrocket 引入): - - hysteria://host:port?protocol=udp&auth=123456&peer=sni.domain&insecure=1&upmbps=100&downmbps=100&alpn=hysteria&obfs=xplus&obfsParam=123456#remarks - - - host: hostname or IP address of the server to connect to (required) - - port: port of the server to connect to (required) - - protocol: protocol to use ("udp", "wechat-video", "faketcp") (optional, default: "udp") - - auth: authentication payload (string) (optional) - - peer: SNI for TLS (optional) - - insecure: ignore certificate errors (optional) - - upmbps: upstream bandwidth in Mbps (required) - - downmbps: downstream bandwidth in Mbps (required) - - alpn: QUIC ALPN (optional) - - obfs: Obfuscation mode (optional, empty or "xplus") - - obfsParam: Obfuscation password (optional) - - remarks: remarks (optional) - -## 日志 - -程序默认在 stdout 输出 DEBUG 级别,文字格式的日志。 - -如果需要修改日志级别可以使用 `LOGGING_LEVEL` 环境变量,支持 `panic`, `fatal`, `error`, `warn`, `info`, `debug`, `trace` - -如果需要输出 JSON 可以把 `LOGGING_FORMATTER` 设置为 `json` - -如果需要修改日志时间戳格式可以使用 `LOGGING_TIMESTAMP_FORMAT` - - - ## 自定义 CA 方法 - - 1. 假设服务器地址是 `123.123.123.123`, 端口`5678`UDP/TCP协议未被防火墙拦截 - 2. 已经安装了 openssl - 3. hysteria 已经安装在 `/root/hysteria/`目录下 -
- 4. 生成自定义CA证书 - -- 在 `/root/hysteria/` 目录下,将以下shell命令保存为 `generate.sh` , 并赋予执行权限: `chmod +x ./generate.sh` 后,运行 `./generate.sh` 命令生成自定义CA证书 -- 或者在`/root/hysteria/` 目录下,直接执行以下shell命令生成自定义CA证书 - -``` shell -#!/usr/bin/env bash - -domain=$(openssl rand -hex 8) -password=$(openssl rand -hex 16) -obfs=$(openssl rand -hex 6) -path="/root/hysteria" -# 生成CAkey -openssl genrsa -out hysteria.ca.key 2048 -# 生成CA证书 -openssl req -new -x509 -days 3650 -key hysteria.ca.key -subj "/C=CN/ST=GD/L=SZ/O=Hysteria, Inc./CN=Hysteria Root CA" -out hysteria.ca.crt - -openssl req -newkey rsa:2048 -nodes -keyout hysteria.server.key -subj "/C=CN/ST=GD/L=SZ/O=Hysteria, Inc./CN=*.${domain}.com" -out hysteria.server.csr -# 签发服务端用的证书 -openssl x509 -req -extfile <(printf "subjectAltName=DNS:${domain}.com,DNS:www.${domain}.com") -days 3650 -in hysteria.server.csr -CA hysteria.ca.crt -CAkey hysteria.ca.key -CAcreateserial -out hysteria.server.crt - -cat > ./client.json < ./server.json < - -5. 服务端:复制 `server.json`、 `hysteria.server.crt`、 `hysteria.server.key` 到 `/root/hysteria/` 目录下,运行 `/root/hysteria/hysteria -c /root/hysteria/server.json server` 命令 - -6. 客户端:假设客户端运行目录也为`/root/hysteria`, 复制 `client.json`、`hysteria.ca.crt` 到 `/root/hysteria/` 目录下,运行 `/root/hysteria/hysteria -c /root/hysteria/client.json` 命令 - -7. 生成CA证书之后,根据自身情况修改服务器地址、端口和证书文件路径,加上`obfs`和`alpn`是防止首次在某些环境下被墙,第一次在全参数情况下测试通过后,可以自身网络环境删除不必须要参数,比如`obfs`和`alpn`. - -8. iOS 端如果使用的是小火箭 Shadowrocket,可以把文件`hysteria.ca.crt` airdrop到手机,然后在手机上安装并信任后, 就可以使用自定义CA证书了。