XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0
25.7k stars 3.96k forks

VLESS+Reality and intermediate server configuration #4033

Open vint2k opened 2 days ago

vint2k commented 2 days ago

Integrity requirements

Description

When using VLESS+Reality and a configuration with an intermediate server (XRay_Client <- VLESS+Reality -> XRay_Server1 <- VLESS+Reality -> XRay_Server2), some services work very inconsistently. For example, https://console.firebase.google.com/ refuses to load, or parts of its functionality become unavailable.

Enabling or disabling sniffing does not change the situation.

However, if the classic configuration with a single XRay server is used (XRay_Client <- VLESS+Reality -> XRay_Server2), such issues do not occur.

Reproduction Method

Create configuration: XRay_Client <- VLESS+Reality -> XRay_Server1 <- VLESS+Reality -> XRay_Server2 and go to https://console.firebase.google.com/

Client config

N/A

Server config

XRay_server1 conf

{
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "email": "client",
            "flow": "xtls-rprx-vision",
            "id": "<- UUID ->"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "realitySettings": {
          "dest": "<- dest domain:port ->",
          "maxClient": "",
          "maxTimediff": 0,
          "minClient": "",
          "privateKey": "<- private key ->",
          "serverNames": [
            "<- dest domain ->"
          ],
          "shortIds": [
            ""
          ],
          "show": true,
          "xver": 0
        },
        "security": "reality"
      },
      "tag": "inbound-443"
    }
  ],
  "outbounds": [
    {
      "tag": "xray2",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "<- dest domain/IP ->",
            "port": 443,
            "users": [
              {
                "id": "<- UUID ->",
                "flow": "xtls-rprx-vision",
                "encryption": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "publicKey": "<- public key ->",
          "fingerprint": "chrome",
          "serverName": "<- dest domain ->",
          "shortId": "",
          "spiderX": "/"
        }
      }
    }
  ]
}

XRay_server2 conf

{
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "email": "xray1",
            "flow": "xtls-rprx-vision",
            "id": "<- UUID ->"
          },
          {
            "email": "client",
            "flow": "xtls-rprx-vision",
            "id": "<- UUID ->"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "realitySettings": {
          "dest": "<- dest domain:port ->",
          "maxClient": "",
          "maxTimediff": 0,
          "minClient": "",
          "privateKey": "<- private key ->",
          "serverNames": [
            "<- dest domain ->"
          ],
          "shortIds": [
            ""
          ],
          "show": true,
          "xver": 0
        },
        "security": "reality"
      },
      "tag": "inbound-443"
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom"
    }
  ]
}

Client log

N/A

Server log

N/A

Fangliding commented 2 days ago

Try setting the environment variable xray.buf.splice = disable on the server

vint2k commented 2 days ago

I added Environment="XRAY_BUF_SPLICE=false" to systemd service on two servers, but nothing changed.

vint2k commented 2 days ago

Error log from XRay_Server2

> 2024/11/20 08:26:45 [Info] [4170149687] proxy: CopyRawConn readv
> 2024/11/20 08:26:45 [Info] [1200094941] proxy/vless/inbound: firstLen = 1186
> 2024/11/20 08:26:45 [Info] [1200094941] proxy/vless/inbound: received request for tcp:console.firebase.google.com:443
> 2024/11/20 08:26:45 [Info] [1200094941] app/dispatcher: default route for tcp:console.firebase.google.com:443
> 2024/11/20 08:26:45 [Info] [1200094941] transport/internet/tcp: dialing TCP to tcp:console.firebase.google.com:443
> 2024/11/20 08:26:45 [Debug] [1200094941] transport/internet: dialing to tcp:console.firebase.google.com:443
> 2024/11/20 08:26:45 [Info] [1200094941] proxy: Xtls Unpadding new block, content 1097 padding 160 command 0
> 2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsFilterTls found tls client hello! 1097
> 2024/11/20 08:26:45 [Info] [1200094941] proxy: Xtls Unpadding new block, content 640 padding 641 command 0
> 2024/11/20 08:26:45 [Info] [1200094941] proxy/freedom: connection opened to tcp:console.firebase.google.com:443, local endpoint 192.168.9.7:55678, remote endpoint 64.233.165.102:443
> 2024/11/20 08:26:45 [Info] [1200094941] proxy: CopyRawConn readv
> 2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsFilterTls found tls 1.3! 8192 TLS_AES_128_GCM_SHA256
> 2024/11/20 08:26:45 [Info] [1200094941] proxy: ReshapeMultiBuffer 133 8059 3623
> 2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsPadding 133 1016 0
> 2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsPadding 8059 112 0
> 2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsPadding 3623 209 2
> 2024/11/20 08:26:46 [Info] [1200094941] proxy: Xtls Unpadding new block, content 74 padding 899 command 0
> 2024/11/20 08:26:46 [Info] [1200094941] proxy: Xtls Unpadding new block, content 92 padding 841 command 2
> 2024/11/20 08:26:46 [Info] [1200094941] proxy: CopyRawConn readv
> 2024/11/20 08:26:46 [Info] [1200094941] app/proxyman/outbound: app/proxyman/outbound: failed to process outbound traffic > proxy/freedom: connection ends > proxy: failed to process response > read tcp 192.168.9.7:55678->64.233.165.102:443: read: connection reset by peer
> 2024/11/20 08:26:46 [Info] [1200094941] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer response payload > io: read/write on closed pipe
> ...
> 2024/11/20 08:30:15 [Info] [3193776322] proxy/vless/inbound: firstLen = 1186
> 2024/11/20 08:30:15 [Info] [3193776322] proxy/vless/inbound: received request for tcp:waa-pa.clients6.google.com:443
> 2024/11/20 08:30:15 [Info] [3193776322] app/dispatcher: default route for tcp:waa-pa.clients6.google.com:443
> 2024/11/20 08:30:15 [Info] [3193776322] transport/internet/tcp: dialing TCP to tcp:waa-pa.clients6.google.com:443
> 2024/11/20 08:30:15 [Debug] [3193776322] transport/internet: dialing to tcp:waa-pa.clients6.google.com:443
> 2024/11/20 08:30:15 [Info] [3193776322] proxy: Xtls Unpadding new block, content 1098 padding 172 command 0
> 2024/11/20 08:30:15 [Info] [3193776322] proxy: XtlsFilterTls found tls client hello! 1098
> 2024/11/20 08:30:15 [Info] [3193776322] proxy: Xtls Unpadding new block, content 809 padding 489 command 0
> 2024/11/20 08:30:15 [Info] [3193776322] proxy/freedom: connection opened to tcp:waa-pa.clients6.google.com:443, local endpoint 192.168.9.7:58084, remote endpoint 173.194.221.95:443
> 2024/11/20 08:30:15 [Info] [3193776322] proxy: CopyRawConn readv
> 2024/11/20 08:30:15 [Info] [3193776322] proxy: XtlsFilterTls found tls 1.3! 8192 TLS_AES_128_GCM_SHA256
> 2024/11/20 08:30:15 [Info] [3193776322] proxy: ReshapeMultiBuffer 133 8059 1439
> 2024/11/20 08:30:15 [Info] [3193776322] proxy: XtlsPadding 133 1236 0
> 2024/11/20 08:30:15 [Info] [3193776322] proxy: XtlsPadding 8059 112 0
> 2024/11/20 08:30:15 [Info] [3193776322] proxy: XtlsPadding 1439 178 2
> 2024/11/20 08:30:15 [Info] [3193776322] proxy: Xtls Unpadding new block, content 64 padding 1265 command 0
> 2024/11/20 08:30:15 [Info] [3193776322] proxy: Xtls Unpadding new block, content 545 padding 554 command 2
> 2024/11/20 08:30:15 [Info] [3193776322] proxy: CopyRawConn readv
> 2024/11/20 08:30:15 [Info] [313257240] proxy/vless/inbound: firstLen = 1186
> 2024/11/20 08:30:15 [Info] [313257240] proxy/vless/inbound: received request for tcp:waa-pa.clients6.google.com:443
> 2024/11/20 08:30:15 [Info] [313257240] app/dispatcher: default route for tcp:waa-pa.clients6.google.com:443
> 2024/11/20 08:30:15 [Info] [313257240] transport/internet/tcp: dialing TCP to tcp:waa-pa.clients6.google.com:443
> 2024/11/20 08:30:15 [Debug] [313257240] transport/internet: dialing to tcp:waa-pa.clients6.google.com:443
> 2024/11/20 08:30:15 [Info] [313257240] proxy: Xtls Unpadding new block, content 1098 padding 239 command 0
> 2024/11/20 08:30:15 [Info] [313257240] proxy: XtlsFilterTls found tls client hello! 1098
> 2024/11/20 08:30:15 [Info] [313257240] proxy: Xtls Unpadding new block, content 809 padding 99 command 0
> 2024/11/20 08:30:15 [Info] [313257240] proxy/freedom: connection opened to tcp:waa-pa.clients6.google.com:443, local endpoint 192.168.9.7:34708, remote endpoint 173.194.73.95:443
> 2024/11/20 08:30:15 [Info] [313257240] proxy: CopyRawConn readv
> 2024/11/20 08:30:15 [Info] [313257240] proxy: XtlsFilterTls found tls 1.3! 8192 TLS_AES_128_GCM_SHA256
> 2024/11/20 08:30:15 [Info] [313257240] proxy: ReshapeMultiBuffer 133 8059 1438
> 2024/11/20 08:30:15 [Info] [313257240] proxy: XtlsPadding 133 772 0
> 2024/11/20 08:30:15 [Info] [313257240] proxy: XtlsPadding 8059 112 0
> 2024/11/20 08:30:15 [Info] [313257240] proxy: XtlsPadding 1438 151 2
> 2024/11/20 08:30:16 [Info] [313257240] proxy: Xtls Unpadding new block, content 64 padding 1311 command 0
> 2024/11/20 08:30:16 [Info] [313257240] proxy: Xtls Unpadding new block, content 2576 padding 190 command 2
> 2024/11/20 08:30:16 [Info] [313257240] proxy: CopyRawConn readv
> 2024/11/20 08:30:16 [Info] [313257240] app/proxyman/outbound: app/proxyman/outbound: failed to process outbound traffic > proxy/freedom: connection ends > proxy: failed to process response > read tcp 192.168.9.7:34708->173.194.73.95:443: read: connection reset by peer
> 2024/11/20 08:30:16 [Info] [313257240] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer response payload > io: read/write on closed pipe
> 2024/11/20 08:30:17 [Info] [4067341659] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > context canceled
> 2024/11/20 08:30:17 [Info] [2957937547] proxy/vless/inbound: firstLen = 1186
> 2024/11/20 08:30:17 [Info] [2957937547] proxy/vless/inbound: received request for tcp:waa-pa.googleapis.com:443
> 2024/11/20 08:30:17 [Info] [2957937547] app/dispatcher: default route for tcp:waa-pa.googleapis.com:443
> 2024/11/20 08:30:17 [Info] [2957937547] transport/internet/tcp: dialing TCP to tcp:waa-pa.googleapis.com:443
> 2024/11/20 08:30:17 [Debug] [2957937547] transport/internet: dialing to tcp:waa-pa.googleapis.com:443
> 2024/11/20 08:30:17 [Info] [2957937547] proxy: Xtls Unpadding new block, content 1103 padding 78 command 0
> 2024/11/20 08:30:17 [Info] [2957937547] proxy: XtlsFilterTls found tls client hello! 1103
> 2024/11/20 08:30:17 [Info] [2957937547] proxy: Xtls Unpadding new block, content 799 padding 366 command 0
> 2024/11/20 08:30:17 [Info] [2957937547] proxy/freedom: connection opened to tcp:waa-pa.googleapis.com:443, local endpoint 192.168.9.7:33522, remote endpoint 173.194.220.95:443
> 2024/11/20 08:30:17 [Info] [2957937547] proxy: CopyRawConn readv
> 2024/11/20 08:30:17 [Info] [2957937547] proxy: XtlsFilterTls found tls 1.3! 4495 TLS_AES_128_GCM_SHA256
> 2024/11/20 08:30:17 [Info] [2957937547] proxy: XtlsPadding 4495 90 0
> 2024/11/20 08:30:17 [Info] [2957937547] proxy: Xtls Unpadding new block, content 64 padding 979 command 0
> 2024/11/20 08:30:17 [Info] [2957937547] proxy: XtlsPadding 62 1305 2
> 2024/11/20 08:30:17 [Info] [2957937547] proxy: Xtls Unpadding new block, content 2212 padding 133 command 2
> 2024/11/20 08:30:17 [Info] [2957937547] proxy: CopyRawConn readv
> 2024/11/20 08:30:18 [Info] [3673060933] proxy/vless/inbound: firstLen = 1186
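
Added example, not part of the issue thread or the Xray-core project: a triage script that groups log lines of the layout quoted above by session ID and lists the sessions whose upstream read ended in `connection reset by peer`. The sample lines, host names and addresses are constructed, and the function names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample in the same layout as the log lines quoted in the thread;
# hosts and addresses are documentation placeholders, not values from the issue.
SAMPLE = """\
2024/11/20 08:26:45 [Info] [1001] proxy/vless/inbound: received request for tcp:app.example.test:443
2024/11/20 08:26:45 [Info] [1001] proxy: XtlsFilterTls found tls 1.3! 8192 TLS_AES_128_GCM_SHA256
2024/11/20 08:26:46 [Info] [1001] proxy: Xtls Unpadding new block, content 92 padding 841 command 2
2024/11/20 08:26:46 [Info] [1001] app/proxyman/outbound: failed to process outbound traffic > proxy/freedom: connection ends > proxy: failed to process response > read tcp 192.0.2.7:55678->198.51.100.10:443: read: connection reset by peer
2024/11/20 08:26:46 [Info] [1001] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > io: read/write on closed pipe
...
2024/11/20 08:30:17 [Info] [1002] proxy/vless/inbound: received request for tcp:api.example.test:443
2024/11/20 08:30:17 [Info] [1002] proxy: Xtls Unpadding new block, content 2212 padding 133 command 2
2024/11/20 08:30:17 [Info] [1002] proxy: CopyRawConn readv
"""

# date time [Level] [session id] component: message
LINE = re.compile(r"^(\S+ \S+) \[(\w+)\] \[(\d+)\] ([\w/]+): (.*)$")
REQUEST = re.compile(r"received request for (\S+)")
UNPAD = re.compile(r"Xtls Unpadding new block, content \d+ padding \d+ command (\d+)")

def summarize(log_text):
    """Group entries by session ID; record destination, last unpadding command value, outcome."""
    sessions = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips elisions ("...") and stray wrapped fragments
        _ts, _level, sid, _component, msg = m.groups()
        s = sessions.setdefault(sid, {"dest": None, "last_command": None, "outcome": "open"})
        req = REQUEST.search(msg)
        if req:
            s["dest"] = req.group(1)
        unpad = UNPAD.search(msg)
        if unpad:
            s["last_command"] = int(unpad.group(1))
        if "connection reset by peer" in msg:
            s["outcome"] = "reset_by_peer"
        elif "connection ends" in msg and s["outcome"] == "open":
            s["outcome"] = "closed"
    return sessions

def reset_sessions(log_text):
    """Return (session_id, destination) for every session that ended in a peer reset."""
    return [(sid, s["dest"]) for sid, s in summarize(log_text).items()
            if s["outcome"] == "reset_by_peer"]

if __name__ == "__main__":
    for sid, info in summarize(SAMPLE).items():
        print(sid, info)
```

Running the same grouping over logs from both servers in a chain lets the sessions be compared by destination and timestamp, since each Xray instance assigns its own session IDs.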