Gozargah / Marzban

Unified GUI Censorship Resistant Solution Powered by Xray
https://t.me/gozargah_marzban
GNU Affero General Public License v3.0
2.71k stars 389 forks

quic bugs #886

Open fodhelper opened 3 months ago

fodhelper commented 3 months ago

Hello,

The quic config of the v2rayNG custom config is not correct, so it will prevent v2rayNG from updating the subscription (it raises an error on the server).

sing-box does not support xray-core's quic, and currently having quic config enabled on hosts will prevent sing-box from updating the subscription. Marzban must not send quic config to sing-box: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#quic

It's not supported by clash or clash.meta either; Marzban must not send quic config to clash or clash.meta.

sing-box, clash and clash.meta do not support mKCP either. I didn't check whether Marzban sends it to these clients too or not.

Marzban error while trying to update the v2rayNG sub:

marzban  | ERROR:    Exception in ASGI application
marzban  | Traceback (most recent call last):
marzban  |   File "/usr/local/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 419, in run_asgi
marzban  |     result = await app(  # type: ignore[func-returns-value]
marzban  |   File "/usr/local/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 78, in __call__
marzban  |     return await self.app(scope, receive, send)
marzban  |   File "/usr/local/lib/python3.10/site-packages/fastapi/applications.py", line 271, in __call__
marzban  |     await super().__call__(scope, receive, send)
marzban  |   File "/usr/local/lib/python3.10/site-packages/starlette/applications.py", line 118, in __call__
marzban  |     await self.middleware_stack(scope, receive, send)
marzban  |   File "/usr/local/lib/python3.10/site-packages/starlette/middleware/errors.py", line 184, in __call__
marzban  |     raise exc
marzban  |   File "/usr/local/lib/python3.10/site-packages/starlette/middleware/errors.py", line 162, in __call__
marzban  |     await self.app(scope, receive, _send)
marzban  |   File "/usr/local/lib/python3.10/site-packages/starlette/middleware/cors.py", line 84, in __call__
marzban  |     await self.app(scope, receive, send)
marzban  |   File "/usr/local/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 79, in __call__
marzban  |     raise exc
marzban  |   File "/usr/local/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 68, in __call__
marzban  |     await self.app(scope, receive, sender)
marzban  |   File "/usr/local/lib/python3.10/site-packages/fastapi/middleware/asyncexitstack.py", line 21, in __call__
marzban  |     raise e
marzban  |   File "/usr/local/lib/python3.10/site-packages/fastapi/middleware/asyncexitstack.py", line 18, in __call__
marzban  |     await self.app(scope, receive, send)
marzban  |   File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 706, in __call__
marzban  |     await route.handle(scope, receive, send)
marzban  |   File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 276, in handle
marzban  |     await self.app(scope, receive, send)
marzban  |   File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 66, in app
marzban  |     response = await func(request)
marzban  |   File "/usr/local/lib/python3.10/site-packages/fastapi/routing.py", line 237, in app
marzban  |     raw_response = await run_endpoint_function(
marzban  |   File "/usr/local/lib/python3.10/site-packages/fastapi/routing.py", line 165, in run_endpoint_function
marzban  |     return await run_in_threadpool(dependant.call, **values)
marzban  |   File "/usr/local/lib/python3.10/site-packages/starlette/concurrency.py", line 41, in run_in_threadpool
marzban  |     return await anyio.to_thread.run_sync(func, *args)
marzban  |   File "/usr/local/lib/python3.10/site-packages/anyio/to_thread.py", line 31, in run_sync
marzban  |     return await get_asynclib().run_sync_in_worker_thread(
marzban  |   File "/usr/local/lib/python3.10/site-packages/anyio/_backends/_asyncio.py", line 937, in run_sync_in_worker_thread
marzban  |     return await future
marzban  |   File "/usr/local/lib/python3.10/site-packages/anyio/_backends/_asyncio.py", line 867, in run
marzban  |     result = context.run(func, *args)
marzban  |   File "/code/app/views/subscription.py", line 97, in user_subscription
marzban  |     conf = generate_subscription(user=user, config_format="v2ray-json", as_base64=False)
marzban  |   File "/code/app/subscription/share.py", line 181, in generate_subscription
marzban  |     config = generate_v2ray_json_subscription(**kwargs)
marzban  |   File "/code/app/subscription/share.py", line 154, in generate_v2ray_json_subscription
marzban  |     return process_inbounds_and_tags(
marzban  |   File "/code/app/subscription/share.py", line 345, in process_inbounds_and_tags
marzban  |     conf.add(
marzban  |   File "/code/app/subscription/v2ray.py", line 600, in add
marzban  |     outbound["streamSettings"] = self.make_stream_setting(
marzban  |   File "/code/app/subscription/v2ray.py", line 517, in make_stream_setting
marzban  |     network_setting = self.quic_config(
marzban  |   File "/code/app/subscription/v2ray.py", line 342, in quic_config
marzban  |     quicSettings["header"]["type"] = header
marzban  | TypeError: 'set' object does not support item assignment

ImMohammad20000 commented 3 months ago

Hello, can you send us your quic inbound config too?

M03ED commented 3 months ago

Send your inbound and the correct type of config output.

fodhelper commented 3 months ago

xray quic server and client config:

      "streamSettings": {
        "network": "quic",
        "quicSettings": {
          "security": "chacha20-poly1305",
          "key": "abcdefg123",
          "header": {
            "type": "dtls"
          }
        },
        "security": "none"
      }

https://xtls.github.io/en/config/transports/quic.html

QUIC requires TLS to be enabled and if it is not enabled in the Transport Protocol, Xray will issue a self-signed certificate for TLS communication.

TLS must be disabled in the xray client config (for xray-based client apps only; others can't work without TLS enabled), but if enabled, allowInsecure must be true too (except when the TLS certificate is not self-signed).


There is a tip in the xtls blog:

When neither encryption nor obfuscation is enabled, QUIC transport is compatible with other QUIC tools. However it is recommended to enable either or both for better undetectable communication.

So sing-box and v2fly-based client apps support xray's quic config, but only if the additional encryption and obfuscation type is none (I tested it myself and it works with a valid TLS cert or a self-signed cert + allowInsecure).

M03ED commented 2 months ago

Can you send some JSON samples for each type? I want to fix it tonight.

fodhelper commented 2 months ago

Hello @M03ED

    {
      "tag": "quic-sample-01",
      "listen": "0.0.0.0",
      "port": 8010,
      "protocol": "vmess",
      "settings": {
        "clients": []
      },
      "streamSettings": {
        "network": "quic",
        "quicSettings": {
          "security": "none",
          "key": "",
          "header": {
            "type": "none"
          }
        },
        "security": "tls",
        "tlsSettings": {
          "certificates": [
            {
              "certificate": [
                "-----BEGIN CERTIFICATE-----",
                "MIIBfzCCASWgAwIBAgIQRl8qtWEIRJKVlKA3zc/zgDAKBggqhkjOPQQDAjAmMREw",
                "DwYDVQQKEwhYcmF5IEluYzERMA8GA1UEAxMIWHJheSBJbmMwHhcNMjQwNDI1MTkw",
                "NDQ0WhcNMjQwNzI0MjAwNDQ0WjAmMREwDwYDVQQKEwhYcmF5IEluYzERMA8GA1UE",
                "AxMIWHJheSBJbmMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ8TfwbliCYpYQa",
                "FJpzsav/imgXfmLh7/wyLmbVe8ih50nMsGPzcCAH7gYANf36ryZggz5cpvcuh+YX",
                "JG9ucfDcozUwMzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEw",
                "DAYDVR0TAQH/BAIwADAKBggqhkjOPQQDAgNIADBFAiEAjf+fBprRN6NtoxTlsfZt",
                "U+c7CsutFaBqpjC2qD5mOv8CIFzmn/7+Y+hg0RLlttV+LNPcr4q1dTDttpQhDgua",
                "rTK8",
                "-----END CERTIFICATE-----"
              ],
              "key": [
                "-----BEGIN RSA PRIVATE KEY-----",
                "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfSvb6qARZLme3GYs",
                "GloEd5lHBpaerVfDizUG8gw+DmGhRANCAAQ8TfwbliCYpYQaFJpzsav/imgXfmLh",
                "7/wyLmbVe8ih50nMsGPzcCAH7gYANf36ryZggz5cpvcuh+YXJG9ucfDc",
                "-----END RSA PRIVATE KEY-----"
              ]
            }
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    },
    {
      "tag": "quic-sample-02",
      "listen": "0.0.0.0",
      "port": 8011,
      "protocol": "vless",
      "settings": {
        "clients": [],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "quic",
        "quicSettings": {
          "security": "chacha20-poly1305",
          "key": "mysecretkey123",
          "header": {
            "type": "dtls"
          }
        },
        "security": "none"
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    }

Sample 1 is supported by the Sing-Box client (enable allow-insecure or use a valid cert).

Sample 2 is Xray Exclusive because the additional encryption and obfuscation are not supported by other clients.
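
The traceback and the client-support notes above, as an added example that is not part of the thread and not Marzban's code. All function names are hypothetical, the set literal is an assumed way to reproduce the `TypeError`, and the support matrix is the one reported by the issue author.

```python
# Added example; not Marzban's code. All function names are hypothetical.

def quic_settings_broken(security=None, key=None, header=None):
    # Assumed reconstruction of the failure: {"none"} is a set literal,
    # not a dict, so item assignment on it raises the TypeError above.
    settings = {"security": "none", "key": "", "header": {"none"}}
    if header:
        settings["header"]["type"] = header
    return settings


def quic_settings(security=None, key=None, header=None):
    # Same fields as the thread's samples, with "header" built as a dict.
    return {
        "security": security or "none",
        "key": key or "",
        "header": {"type": header or "none"},
    }


def client_accepts_quic(client, settings):
    # Support matrix as reported by the issue author in this thread.
    plain = (settings["security"] == "none"
             and settings["header"]["type"] == "none")
    if client == "xray":
        return True
    if client == "sing-box":
        return plain   # only without extra encryption/obfuscation
    return False       # clash, clash.meta and anything unlisted


def hosts_for_client(client, hosts):
    # Drop QUIC hosts the client cannot parse instead of failing the
    # whole subscription response.
    kept = []
    for host in hosts:
        stream = host["streamSettings"]
        if stream["network"] == "quic" and not client_accepts_quic(
                client, stream["quicSettings"]):
            continue
        kept.append(host)
    return kept


# Constructed hosts mirroring quic-sample-01 and quic-sample-02.
SAMPLE_HOSTS = [
    {"tag": "quic-sample-01", "streamSettings": {
        "network": "quic", "quicSettings": quic_settings()}},
    {"tag": "quic-sample-02", "streamSettings": {
        "network": "quic", "quicSettings": quic_settings(
            "chacha20-poly1305", "mysecretkey123", "dtls")}},
]
```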

M03ED commented 2 months ago

test new pr