Closed impossiblearchitect closed 2 months ago
First, fallback is unnecessary when using reality.
When a reality server receives an unauthorized connect (such as from your browser), it will directly forward it to dest.
Fallback inbound can only use "network": "tcp"
realitySettings
does not support "certificates"
. Don't add fields without your knowledge.
"Wireguard outbound" is just a simple implement and not in line with wireguard's design intention. It's added is largely used to abuse the cloudflare warp service, and you cannot use the more advanced features of Wireguard VPN on Xray
Hello all. Thanks for making it possible to breach the GFW.
I'm trying to set up a server using VLess-REALITY, with a fallback to a "decoy" website on port 444. That is, I'd like connections from a browser (or anything else not running XRay REALITY) to hit the website once they fail the first-packet screening. The "decoy" is in fact an existing server set up using Nginx and using Let's Encrypt/Certbot for HTTPS that I've been using for some time. If needed, I can provide the Nginx configuration as well, but I suspect that that's not the issue, as it's been minimally modified (I just switched it from listening on port 443 directly to 444) and I can still get the homepage with
curl -k 127.0.0.1:444
.Is this in fact what the
fallbacks
option in XRay is for? That was my original impression when reading through the documentation, but several hours of debugging later I'm no longer convinced of my understanding.Here's my configuration, with various parts censored with ◆s:
Symptoms: All my connections cut out when TLS starts, by which I mean that when I use the Firefox or Edge dev console to look at my network packets I see that they cut out after the "establishing connection" stage. I think this is actually "progress" over a previous iteration of the configs, which just gave the sort of "invalid certificate" errors you'd expect from trying to use the certificates from one site at some other domain name -- an indication that REALITY is doing its job, to be sure, but leaving me very confused about what the fallbacks were (not?) doing; at least this way I can be sure that VLess is also doing its job and breaking the connection if it doesn't fit the protocol. But maybe it's actually a regression, and the way I had it the first time was better?
Regarding a few points where my configuration has been customized:
funnyappropriate to "borrow" TLS handshakes from the Bank of Transylvania. I think it passes the requirements -- Edge tells me that while it prefers QUIC and HTTP/3, it still loads a number of resources over HTTP/2, and it certainly is using TLS 1.3 and OCSP -- but honestly, I'm pretty sure I'm not even getting that far before my connection breaks.tlsSettings
fields rather than arealitySettings
field in their configs. Digging into the code, I saw that REALITY at least supports acertificates
etc option in the Go side of its config, so I've crammed in the "extra" TLS settings in the hopes that they're more of an undocumented feature... ^.^;.xray -test
doesn't complain, though?freedom
/direct
outbound and have a Wireguard VPN listed first. If this was an error, please let me know and I'll change it... though again, I don't think I'm getting anywhere near that far before the connection fails, so I doubt that's my immediate problem at least.Thanks again for all your work; sorry for all the extra complexity; please advise!