SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

TCP Brutal behavior with ShadowTLS #2074

Open ysakura99 opened 2 months ago

ysakura99 commented 2 months ago

Operating system

Linux

System version

Ubuntu 22.04 + Kernel 5.15

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

1.9.4

Description

Thanks for your time!

I am trying to use ShadowTLS with TCP Brutal under sing-box, and I followed a common ShadowTLS configuration found on Google: detouring the ShadowTLS inbound to a Shadowsocks inbound.

Since ShadowTLS doesn't support multiplex, and therefore brutal, I enabled brutal on the Shadowsocks inbound. Then I started to wonder whether brutal would actually be set, since the listening socket belongs to ShadowTLS.

Then I did a simple experiment to see the TCP_CONGESTION socket option of the socket accepted by ShadowTLS, using ss -ti. Unsurprisingly, the socket is using the system default congestion control instead of brutal.

$ netstat -npta | grep sing
tcp        0      0 127.0.0.1:43081         0.0.0.0:*               LISTEN      52911/sing-box      
tcp   4026984      0 192.168.28.2:47832     104.21.85.176:443       ESTABLISHED 52911/sing-box      
tcp6       0      0 :::443                  :::*                    LISTEN      52911/sing-box      
tcp6       0 1585560 192.168.28.2:443       192.168.28.3:58238     ESTABLISHED 52911/sing-box 
# ss -ti | rg -C 1 58238
ESTAB 0       1610541 [::ffff:192.168.28.2]:https   [::ffff:192.168.28.3]:58238
     bbr wscale:8,7 rto:468 rtt:264.915/4.593 ato:40 mss:1448 pmtu:1500 rcvmss:989 advmss:1448 cwnd:5454 bytes_sent:53956654 bytes_retrans:1448 bytes_acked:52380865 bytes_received:2012 segs_out:37631 segs_in:1993 data_segs_out:37625 data_segs_in:8 bbr:(bw:57.9Mbps,mrtt:259.311,pacing_gain:2.88672,cwnd_gain:2.88672) send 238Mbps lastrcv:2240 pacing_rate 238Mbps delivery_rate 57.9Mbps delivered:36532 app_limited busy:9840ms rwnd_limited:4280ms(43.5%) sndbuf_limited:1104ms(11.2%) unacked:1094 retrans:0/1 dsack_dups:1 reordering:68 reord_seen:210 rcv_space:14600 rcv_ssthresh:64076 notsent:36200 minrtt:259.311

I also checked sockets on an inbound that is connected directly with brutal enabled; ss -ti shows brutal correctly there.

ss -ti | rg -C 1 brutal
ESTAB      0      0               192.168.28.3:42366           192.168.28.2:20555  
     brutal wscale:7,8 rto:397 rtt:196.235/12.354 ato:41 mss:1440 pmtu:1500 rcvmss:1440 advmss:1448 cwnd:3402 bytes_sent:74106 bytes_retrans:517 bytes_acked:73590 bytes_received:71910 segs_out:332 segs_in:340 data_segs_out:220 data_segs_in:193 send 200Mbps lastsnd:10735 lastrcv:10735 lastack:10509 pacing_rate 100Mbps delivery_rate 344kbps delivered:220 app_limited busy:24285ms retrans:0/1 reord_seen:29 rcv_rtt:480046 rcv_space:43864 rcv_ssthresh:168594 minrtt:185.109                                                                                      

May I ask how I can enable brutal for sockets accepted by the ShadowTLS listen socket?

I may be able to help write some code for this feature.

Thanks a lot again.

Reproduction

Server

{
  "log": {
    "level": "trace"
  },
  "inbounds": [
    {
      "type": "shadowtls",
      "listen": "::",
      "listen_port": 443,
      "tcp_fast_open": true,
      "version": 3,
      "users": [
        {
          "name": "test",
          "password": "CQqC8d+iVa4Hyw3KP0JW/Q=="
        }
      ],
      "handshake": {
        "server": "www.douyin.com",
        "server_port": 443
      },
      "strict_mode": true,
      "detour": "shadowsocks-in"
    },
    {
      "type": "shadowsocks",
      "tag": "shadowsocks-in",
      "network": "tcp",
      "method": "2022-blake3-aes-128-gcm",
      "password": "CQqC8d+iVa4Hyw3KP0JW/Q==",
      "multiplex": {
        "enabled": true,
        "padding": false,
        "brutal": {
          "enabled": true,
          "up_mbps": 200,
          "down_mbps": 200
        }
      }
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "type": "direct",
      "domain_strategy": "ipv4_only"
    },
    {
      "tag": "block",
      "type": "block"
    },
    {
      "tag": "dns-out",
      "type": "dns"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "final": "direct"
  }
}

Client

{
  "log": {
    "level": "debug"
  },
  "inbounds": [
    {
      "type": "socks",
      "listen": "0.0.0.0",
      "listen_port": 10808,
      "sniff_timeout": "300ms",
      "tag": "socks-in"
    }
  ],
  "outbounds": [
    {
      "type": "shadowsocks",
      "tag": "shadowsocks-out",
      "detour": "shadowtls-out",
      "method": "2022-blake3-aes-128-gcm",
      "password": "CQqC8d+iVa4Hyw3KP0JW/Q==",
      "multiplex": {
        "enabled": true,
        "max_connections": 1,
        "padding": false,
        "brutal": {
          "enabled": true,
          "up_mbps": 200,
          "down_mbps": 200
        }
      }
    },
    {
      "type": "shadowtls",
      "tag": "shadowtls-out",
      "server": "192.168.28.2",
      "server_port": 443,
      "version": 3,
      "password": "CQqC8d+iVa4Hyw3KP0JW/Q==",
      "tls": {
        "enabled": true,
        "server_name": "www.douyin.com",
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        }
      }
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "rules": [
      {
        "inbound": [
          "socks-in"
        ],
        "outbound": "shadowsocks-out"
      }
    ]
  }
}

Logs

No response
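The check the reporter performed by hand (read `ss -ti`, find the accepted socket, see which congestion-control algorithm the kernel reports for it) can be automated, which is useful when verifying a server has many accepted connections. The script below is an added example and is not part of the issue or of sing-box; it parses the `ss -ti` output format into records and flags sockets on a given listening port whose congestion control is not the expected one. The sample input is constructed from the two `ss -ti` excerpts above (trimmed), and the `port_of`, `parse_ss_ti` and `find_mismatches` names are the example's own.

```python
from __future__ import annotations

import socket
from dataclasses import dataclass

# Constructed sample: the two `ss -ti` excerpts from the report, pasted
# together and shortened. Real output has many more key:value fields.
SAMPLE_SS_OUTPUT = """\
ESTAB 0       1610541 [::ffff:192.168.28.2]:https   [::ffff:192.168.28.3]:58238
     bbr wscale:8,7 rto:468 rtt:264.915/4.593 ato:40 mss:1448 pmtu:1500 cwnd:5454 bbr:(bw:57.9Mbps,mrtt:259.311) minrtt:259.311
ESTAB      0      0               192.168.28.3:42366           192.168.28.2:20555
     brutal wscale:7,8 rto:397 rtt:196.235/12.354 ato:41 mss:1440 pmtu:1500 cwnd:3402 minrtt:185.109
"""

# First column of a socket summary line as printed by ss.
TCP_STATES = {
    "ESTAB", "SYN-SENT", "SYN-RECV", "FIN-WAIT-1", "FIN-WAIT-2", "TIME-WAIT",
    "UNCONN", "CLOSE-WAIT", "LAST-ACK", "LISTEN", "CLOSING",
}
# Boolean option flags that ss prints on the detail line *before* the
# congestion-control name (e.g. "ts sack cubic wscale:7,7 ...").
INFO_FLAGS = {"ts", "sack", "ecn", "ecnseen", "fastopen"}
# Service names to use when /etc/services is unavailable (ss without -n).
FALLBACK_SERVICES = {"https": 443, "http": 80}


@dataclass
class TcpSocket:
    state: str
    local: str
    peer: str
    cc: str  # congestion-control algorithm; "" if ss printed none

    @property
    def local_port(self) -> int:
        return port_of(self.local)


def port_of(endpoint: str) -> int:
    """'[::ffff:10.0.0.1]:https' -> 443, '10.0.0.1:42366' -> 42366, '*:*' -> -1."""
    name = endpoint.rsplit(":", 1)[1]
    if name == "*":
        return -1
    if name.isdigit():
        return int(name)
    if name in FALLBACK_SERVICES:
        return FALLBACK_SERVICES[name]
    return socket.getservbyname(name)


def parse_ss_ti(text: str) -> list[TcpSocket]:
    """Parse `ss -ti` output: a summary line per socket followed by an
    indented detail line whose first non-flag token is the CC name."""
    sockets: list[TcpSocket] = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if not raw[0].isspace() and fields[0] in TCP_STATES:
            # Summary line: State Recv-Q Send-Q Local:Port Peer:Port [process]
            sockets.append(TcpSocket(fields[0], fields[3], fields[4], ""))
        elif raw[0].isspace() and sockets:
            # Detail line: [flags...] <cc> key:value key:value ...
            tokens = [t for t in fields if t not in INFO_FLAGS]
            if tokens and ":" not in tokens[0]:
                sockets[-1].cc = tokens[0]
    return sockets


def find_mismatches(sockets: list[TcpSocket], local_port: int,
                    expected_cc: str) -> list[TcpSocket]:
    """Sockets accepted on local_port that are NOT using expected_cc."""
    return [s for s in sockets
            if s.local_port == local_port and s.cc != expected_cc]


if __name__ == "__main__":
    # Same check as the report: the ShadowTLS listener on 443 should hand out
    # brutal sockets, but the accepted socket is actually on bbr.
    for s in find_mismatches(parse_ss_ti(SAMPLE_SS_OUTPUT), 443, "brutal"):
        print(f"{s.local} <- {s.peer}: cc={s.cc or 'unknown'} (expected brutal)")
```

On a live box the same functions can be fed `subprocess.run(["ss", "-ti"], capture_output=True, text=True).stdout`; run it against the port the ShadowTLS inbound listens on and an empty result means every accepted connection carries the expected algorithm.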

nekohasekai commented 1 month ago

Due to the difficulty in installing kernel modules, brutal is not mandatory on the client side.