apernet / hysteria

Hysteria is a powerful, lightning fast and censorship resistant proxy.
https://v2.hysteria.network/
MIT License

[Feature request] Route outbound traffic by domain #594

Open RaGgOtArc opened 1 year ago

RaGgOtArc commented 1 year ago

Feature description

I hope Hysteria can route traffic to a specified port according to domain rules.

Why this feature is necessary

Chat AI has been popular recently, but the IP blocking against it is heavy, and some IDCs are not spared either. A mature solution at the moment is to route that traffic through WARP, but routing everything globally defeats the purpose of using Hysteria for speed. I hope the author can add domain-based routing (e.g. *.bing.com).

Currently available alternatives

No response

Additional information

https://github.com/fscarmen/warp/blob/main/README.md

Smallthing commented 1 year ago

I hope this can be done in the ACL routing: e.g. direct access by default, and the domains/IPs marked for forwarding in the ACL get sent to a socks5 proxy or forwarded to another interface. It would also be nice to have routing by IP range.

egg1234 commented 1 year ago

Actually there is a temporary workaround: install v2ray or xray on the same machine as the Hysteria server, configure a socks5 inbound in v2ray/xray, point the Hysteria server's socks5 outbound at that local v2ray/xray socks5 inbound, and then do the routing in the outbound configuration of the local v2ray/xray.

Smallthing commented 1 year ago

Actually there is a temporary workaround: install v2ray or xray on the same machine as the Hysteria server, configure a socks5 inbound in v2ray/xray, point the Hysteria server's socks5 outbound at that local v2ray/xray socks5 inbound, and then do the routing in the outbound configuration of the local v2ray/xray.

That's a bit heavy. I use wgcf to set up a WARP tunnel with no default route, and then hard-code the few IPs I probed into the routing table.

onlyJinx commented 1 year ago

+1. I've been using GPT recently, but my IP got banned by OpenAI. With v2ray I pointed OpenAI's domains at a WARP egress; after switching to Hysteria I found this can't be done.

tobyxdd commented 1 year ago

This should be a request similar to https://github.com/apernet/hysteria/issues/596, right? Currently the server-side ACL handles proxy and direct the same way (if no socks5 outbound is configured, both connect directly; if one is configured, both go through the socks5 outbound). If we changed it so that, when a socks5 outbound is configured, proxy goes through the outbound while direct still connects directly, would that satisfy your need?

YiqingG commented 1 year ago

This should be a request similar to #596, right? Currently the server-side ACL handles proxy and direct the same way (if no socks5 outbound is configured, both connect directly; if one is configured, both go through the socks5 outbound). If we changed it so that, when a socks5 outbound is configured, proxy goes through the outbound while direct still connects directly, would that satisfy your need?

Hello, do I modify /etc/hihy/acl/hihyServer.acl on the server? I'm not clear on the ACL file format, e.g. how to write a rule that proxies a specific xxx.com (including subdomains) to socks5://127.0.0.1:port. Thanks!

YiqingG commented 1 year ago

This should be a request similar to #596, right? Currently the server-side ACL handles proxy and direct the same way (if no socks5 outbound is configured, both connect directly; if one is configured, both go through the socks5 outbound). If we changed it so that, when a socks5 outbound is configured, proxy goes through the outbound while direct still connects directly, would that satisfy your need?

I tried writing proxy domain-suffix xxx.com sock5/127.0.0.1:1234 and it doesn't work.

YiqingG commented 1 year ago

Hysteria

How do I write the inbound in xray's config?

I'm not sure what outbound Hysteria uses.

onlyJinx commented 1 year ago

I tried writing proxy domain-suffix xxx.com sock5/127.0.0.1:1234 and it doesn't work.

My current temporary solution is: set up a v2ray on the server listening on local port 1080, then hand all traffic Hysteria receives to v2ray for routing. You need to add the following to the existing Hysteria config:

"socks5_outbound": {
    "server": "127.0.0.1:1080"
}

Add the domains to be routed in v2ray's routing module:

{
    "type": "field",
    "domains": [
        "domain:openai.com",
        "domain:bing.com"
    ],
    "network": "tcp",
    "outboundTag": "cf_warp"
}

v2ray's outbound points at the local WARP inbound:

{
    "tag":"cf_warp",
    "protocol": "socks",
    "settings": {
        "servers": [
             {
                "address": "127.0.0.1",
                "port": 40000
            }
        ]
    }
}

YiqingG commented 1 year ago

I tried writing proxy domain-suffix xxx.com sock5/127.0.0.1:1234 and it doesn't work.

My current temporary solution is: set up a v2ray on the server listening on local port 1080, then hand all traffic Hysteria receives to v2ray for routing. You need to add the following to the existing Hysteria config:

"socks5_outbound": {
    "server": "127.0.0.1:1080"
}

Add the domains to be routed in v2ray's routing module:

{
    "type": "field",
    "domains": [
        "domain:openai.com",
        "domain:bing.com"
    ],
    "network": "tcp",
    "outboundTag": "cf_warp"
}

v2ray's outbound points at the local WARP inbound:

{
    "tag":"cf_warp",
    "protocol": "socks",
    "settings": {
        "servers": [
             {
                "address": "127.0.0.1",
                "port": 40000
            }
        ]
    }
}

Got it! Thanks a lot, I'll go try it!

YiqingG commented 1 year ago

I tried writing proxy domain-suffix xxx.com sock5/127.0.0.1:1234 and it doesn't work.

My current temporary solution is: set up a v2ray on the server listening on local port 1080, then hand all traffic Hysteria receives to v2ray for routing. You need to add the following to the existing Hysteria config:

"socks5_outbound": {
    "server": "127.0.0.1:1080"
}

Add the domains to be routed in v2ray's routing module:

{
    "type": "field",
    "domains": [
        "domain:openai.com",
        "domain:bing.com"
    ],
    "network": "tcp",
    "outboundTag": "cf_warp"
}

v2ray's outbound points at the local WARP inbound:

{
    "tag":"cf_warp",
    "protocol": "socks",
    "settings": {
        "servers": [
             {
                "address": "127.0.0.1",
                "port": 40000
            }
        ]
    }
}

Bro, would you have time for a paid consultation? I can't get it working --

onlyJinx commented 1 year ago

Post your config file and I'll see where the problem is.

YiqingG commented 1 year ago

Post your config file and I'll see where the problem is.

Sorry to take up your time; I've just restored normal networking.

  1. I set up Hysteria with a one-click script. Following the outbound you gave, I added a line to /etc/hihy/conf/hihyServer.json and then ran systemctl restart hihy:

     "protocol": "wechat-video",
     "acme": {
         "domains": [ "daili yumin" ],
         "socks5_outbound": {
             "server": "127.0.0.1:1080"
         (rest omitted)
     }

  2. One-click install of v2ray: bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh), then modify /usr/local/etc/v2ray/config.json as follows:

     {
         "inbounds": [
             {
                 "port": 1080,
                 "listen": "127.0.0.1",
                 "protocol": "socks5",
             }
         ],
         "policy": [
             {
                 "type": "field",
                 "domains": [ "domain:openai.com", "domain:bing.com", "ip138.com" ],
                 "network": "tcp",
                 "outboundTag": "cf_warp"
             }
         ]
         "outbounds": [
             { "protocol": "freedom", "settings": {} }
             {
                 "tag":"cf_warp",
                 "protocol": "socks",
                 "settings": {
                     "servers": [ { "address": "127.0.0.1", "port": 40000 } ]
                 }
             }
         ]
     }

     Please kindly correct it.

onlyJinx commented 1 year ago

@YiqingG Just copy my config:

{
    "log": {
        "loglevel": "warning"
    },
    "inbounds": [{
        "port": 1080,
        "listen": "127.0.0.1",
        "protocol": "socks",
        "sniffing": {
            "enabled": true,
            "destOverride": [
                "http",
                "tls"
            ]
        },
        "settings": {
            "auth": "noauth",
            "udp": true
        }
    }],
    "outbounds": [{
            "tag": "DIRECT",
            "protocol": "freedom"
        },
        {
            "tag": "cf_warp",
            "protocol": "socks",
            "settings": {
                "servers": [{
                    "address": "127.0.0.1",
                    "port": 40000
                }]
            }
        }
    ],
    "routing": {
        "domainStrategy": "IPOnDemand",
        "rules": [{
            "type": "field",
            "domains": [
                "domain:openai.com"
            ],
            "network": "tcp",
            "outboundTag": "cf_warp"
        }]
    }
}

YiqingG commented 1 year ago

@onlyJinx Got it, thanks.

YiqingG commented 1 year ago

@onlyJinx I restarted; going straight through 40000, nothing opens at all. I feel it may not be a v2ray problem; the Hysteria outbound configuration is probably wrong. I directly modified /etc/hihy/conf/hihyServer.json and restarted; not sure whether that is right.

{
    "listen": ":18181",
    "protocol": "wechat-video",
    "acme": {
        "domains": [ "域名.top" ],
        "socks5_outbound": {
            "server": "127.0.0.1:1080"
        }
        "email": "pekora@域名"
    },

Smallthing commented 1 year ago

Why make it so complicated? Two lines of iptables would do it.

egg1234 commented 1 year ago

@YiqingG If you use WARP directly as the egress, WARP changes the system routes when it starts, because it works as a VPN, so there is no case where WARP itself exposes an inbound socks5 proxy port. The WARP socks5 on port 40000 mentioned above normally doesn't exist. To get a WARP socks5 proxy port, you at least need the following project: https://github.com/pufferffish/wireproxy . It can take the parameters generated by wgcf and create a socks5 proxy whose egress is WARP's, and WARP itself doesn't need to be started at all. Assuming you set wireproxy's socks5 port to 40000, you can then follow the advice above and set the v2ray outbound tagged "cf_warp" to socks5 on port 40000.

@Smallthing I'd like to ask how exactly to write the iptables rules; could you give an example? Honestly I find even the v2ray+wireproxy approach too cumbersome. Thanks!

onlyJinx commented 1 year ago

@egg1234 There seems to be a mode that only opens a local socks without taking over global traffic; I followed this article: https://github.com/willoong9559/XrayWarp

@Smallthing Also asking how to solve it in two lines.

Smallthing commented 1 year ago

Use WARP in interface mode rather than socks5, so the system takes it over; then delete the AllowedIPs line that covers everything from the WireGuard config file.

MTU = 1420
PostUp = ip -4 rule add from 172.26.0.240 lookup main
PostDown = ip -4 rule delete from 172.26.0.240 lookup main

[Peer]
PublicKey = bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo=
AllowedIPs = 104.18.2.0/24
AllowedIPs = 104.18.3.0/24
AllowedIPs = 13.107.237.0/24
AllowedIPs = 13.107.238.0/24
AllowedIPs = 104.18.7.0
AllowedIPs = 104.18.2.0
AllowedIPs = 104.18.12.0/24
AllowedIPs = 104.18.13.0/24
AllowedIPs = 13.107.237.0/24
AllowedIPs = 172.67.155.0/24
AllowedIPs = 204.79.197.200/32
AllowedIPs = 204.79.197.201/32
AllowedIPs = 13.107.21.200/32
Endpoint = 162.159.195.9:2408

When wgcf starts it automatically adds these to the routing table, and removes them again when it goes down. The annoying part is finding the IP ranges yourself, but they don't change much, so it's a one-time job.

Smallthing commented 1 year ago

The result is that not only Hysteria but also the crawlers/xray on the same machine go through this route.

haruue commented 1 year ago

@mkevinstever

And I noticed the hysteria socks5 proxy outbound doesn't support the UDP protocol right now (even if the target socks5 server supports it). That's really bad.

The socks_outbound feature of the Hysteria server is designed to support UDP. What's the socks5 server you are using as the target? Please tell us so we can have a test on it.

haruue commented 1 year ago

It's here: https://hub.docker.com/r/cooolin/socks5

I did the test with the following steps:

1. Stop the firewall or accept the related ingress traffic.
2. Connect servers A and B using ZeroTier (I think this point isn't important).
3. Install hysteria on server A.
4. Install the socks5 server on server B.
5. On server A, modify the hysteria config file and set the socks5 outbound server to B.

This docker image is just a piece of s**t.

I launched it and it appears that only the following iptables rules were added:

iptables -t nat -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 1080 -j MASQUERADE
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 1080 -j DNAT --to-destination 172.17.0.2:1080
iptables -t filter -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1080 -j ACCEPT

With only these iptables rules, it is definitely impossible to support a UDP ASSOCIATE request from another machine (server A in your case). It would only support UDP ASSOCIATE requests from exactly the machine running this docker image (server B).

How does SOCKS5 UDP ASSOCIATE work?

Reference: RFC1928

TLDR:

Client->Server(TCP:192.168.1.1:1080): (UDP ASSOCIATE request) I want to send UDP packets.
Server(TCP:192.168.1.1:1080)->Client: (UDP ASSOCIATE response) Please send UDP packets to 192.168.1.1:39802 (39802 is a randomly selected port), and I will relay them for you.
Client->Server(UDP:192.168.1.1:39802): (UDP request) ATYP=v4 DST=1.1.1.1:53 DATA=<payload>

In the general case, as the client made the connection to the server at TCP:192.168.1.1:1080, it would also be able to send UDP packets to any UDP port of 192.168.1.1; most socks5 servers work based on this assumption. However, docker always breaks this, as all packets sent into a docker container actually have to be DNATed by the host. As there are no such iptables rules on the host that handle UDP DNAT, all UDP packets after the associate request are just f**ked up.

Conclusion

I have always been against running this kind of network tool in docker. It often makes things more complicated and confusing, as it's difficult to tell what actually happened.

If you intend to use a socks5 server for socks_outbound on a different server than the one running the hysteria server, I'd recommend running a socks5 server (such as v2fly with a socks5 inbound) directly on the host.
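The exchange sketched in the TLDR above, as an added Python example (not code from this thread or from the Hysteria project): it builds and parses the three SOCKS5 UDP ASSOCIATE messages from RFC 1928 on both sides, and shows the one decision a client has to make with the reply, namely which address to send its datagrams to. The addresses (192.168.1.1:1080 control connection, relay port 39802, 172.17.0.2 container, 1.1.1.1:53 destination) are taken from the comment; the payload bytes are constructed.

```python
"""SOCKS5 UDP ASSOCIATE (RFC 1928): both sides' messages, built and parsed in memory."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_UDP_ASSOCIATE = 0x03
REP_SUCCEEDED = 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def encode_address(host: str, port: int) -> bytes:
    """ATYP + ADDR + PORT as in RFC 1928 section 5; the port is in network byte order."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so send it as a domain name
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name longer than 255 octets")
        return bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([atyp]) + ip.packed + struct.pack("!H", port)


def decode_address(buf: bytes, offset: int) -> tuple[str, int, int]:
    """Inverse of encode_address; returns (host, port, offset just past the port)."""
    def take(n: int) -> bytes:
        nonlocal offset
        if len(buf) < offset + n:
            raise ValueError("truncated SOCKS5 address")
        chunk, offset = buf[offset:offset + n], offset + n
        return chunk

    atyp = take(1)[0]
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(take(4)))
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(take(16)))
    elif atyp == ATYP_DOMAIN:
        host = take(take(1)[0]).decode("idna")
    else:
        raise ValueError(f"unknown ATYP {atyp:#04x}")
    port = struct.unpack("!H", take(2))[0]
    return host, port, offset


def build_udp_associate_request(src_host: str = "0.0.0.0", src_port: int = 0) -> bytes:
    """Client -> server on the TCP control connection. DST.ADDR/DST.PORT announce
    where the client's datagrams will come from; all zeros means 'not known yet'."""
    return bytes([SOCKS_VERSION, CMD_UDP_ASSOCIATE, 0x00]) + encode_address(src_host, src_port)


def build_udp_associate_reply(bnd_host: str, bnd_port: int) -> bytes:
    """Server -> client: BND.ADDR/BND.PORT is the UDP relay the client must send to."""
    return bytes([SOCKS_VERSION, REP_SUCCEEDED, 0x00]) + encode_address(bnd_host, bnd_port)


def parse_udp_associate_reply(buf: bytes) -> tuple[str, int]:
    """Client side: extract BND.ADDR/BND.PORT, refusing anything but REP=succeeded."""
    if len(buf) < 4 or buf[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if buf[1] != REP_SUCCEEDED:
        raise ValueError(f"UDP ASSOCIATE rejected, REP={buf[1]:#04x}")
    host, port, _ = decode_address(buf, 3)
    return host, port


def udp_relay_target(control_host: str, bnd_host: str, bnd_port: int) -> tuple[str, int]:
    """Decide where the client really sends UDP. A server may answer with the
    unspecified address (0.0.0.0 or ::), meaning 'the host you connected to', so the
    client falls back to the control-connection peer. Either way the datagrams only
    arrive if that host forwards UDP to the relay port; the docker rules quoted
    above DNAT TCP/1080 only, so datagrams to BND.PORT are dropped there."""
    try:
        unspecified = ipaddress.ip_address(bnd_host).is_unspecified
    except ValueError:  # BND.ADDR given as a domain name
        unspecified = False
    return (control_host if unspecified else bnd_host), bnd_port


def build_udp_datagram(dst_host: str, dst_port: int, payload: bytes, frag: int = 0) -> bytes:
    """RSV(2) FRAG(1) ATYP DST.ADDR DST.PORT DATA: the header on every relayed datagram."""
    return b"\x00\x00" + bytes([frag]) + encode_address(dst_host, dst_port) + payload


def parse_udp_datagram(buf: bytes) -> tuple[int, str, int, bytes]:
    """Relay side: strip the header, returning (frag, dst_host, dst_port, payload)."""
    if len(buf) < 4 or buf[:2] != b"\x00\x00":
        raise ValueError("bad SOCKS5 UDP header")
    host, port, off = decode_address(buf, 3)
    return buf[2], host, port, buf[off:]


def demo_exchange() -> dict:
    """The three messages from the TLDR above, produced by both sides in memory."""
    control_host = "192.168.1.1"
    request = build_udp_associate_request()                 # 1. client -> server (TCP :1080)
    reply = build_udp_associate_reply(control_host, 39802)   # 2. server -> client: use :39802
    relay = udp_relay_target(control_host, *parse_udp_associate_reply(reply))
    dgram = build_udp_datagram("1.1.1.1", 53, b"constructed sample payload")  # 3. client -> relay
    return {"request": request, "reply": reply, "relay": relay,
            "datagram": dgram, "decoded": parse_udp_datagram(dgram)}


if __name__ == "__main__":
    for key, value in demo_exchange().items():
        print(f"{key}: {value!r}")
```

The failure described above is visible in step 2: whatever BND.ADDR the containerised server returns (its own 172.17.0.2 or the unspecified address), the client ends up sending UDP to a host port that only has a TCP DNAT rule, so the relay never sees the datagram. Checking the host's nat table for a UDP rule covering the relay port is the quick way to confirm that before blaming the client.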

PinkD commented 1 year ago

Server(TCP:192.168.1.1:1080)->Client: (UDP ASSOCIATE response) Please send UDP packets to 192.168.1.1:39802 (39802 is a randomly selected port), and I will relay them for you.

In most socks5 server implementations, the UDP relay port is configured as BindPort and will be the same for every client. For example:

https://github.com/haxii/socks5/blob/bb9bca477f9b3ca36fa3b43e3127e3128da1c15b/request.go#L290-L294
https://github.com/v2fly/v2ray-core/blob/62bef88a19e76d3a9bb43d92d54942114c6a823d/proxy/socks/protocol.go#L191-L208

haruue commented 1 year ago

@PinkD

In most socks5 server implementations, the UDP relay port is configured as BindPort and will be the same for every client. For example:

https://github.com/haxii/socks5/blob/bb9bca477f9b3ca36fa3b43e3127e3128da1c15b/request.go#L290-L294
https://github.com/v2fly/v2ray-core/blob/62bef88a19e76d3a9bb43d92d54942114c6a823d/proxy/socks/protocol.go#L191-L208

This is a known issue in v2fly (but it hasn't been fixed): https://github.com/v2fly/v2fly-github-io/issues/104

iKun4real commented 11 months ago

Same request here. Because I have the same need, I'm currently using the Hysteria implementation in the sing-box core, whose built-in routing is really nice. But sing-box's Hysteria version is rather old, and the author has said they won't consider supporting port hopping, so if the original Hysteria could add similar routing, that would be great.

niuniudada commented 11 months ago

Looks like I'd better share my config. Before using my config, make sure you have installed hysteria and xray!!!

{
    "log":{
        "access":"/var/log/xray/access.log",
        "error":"/var/log/xray/error.log",
        "loglevel":"warning"
    },
    "inbounds":[
        {
            "listen":"127.0.0.1",
            "port":1080,
            "protocol":"socks",
            "settings":{
                "udp":true
            },
            "sniffing":{
                "enabled":true,
                "destOverride":[
                    "http",
                    "tls",
                    "quic"
                ]
            }
        },
        {
            "listen":"127.0.0.1",
            "port":1081,
            "protocol":"http",
            "settings":{

            },
            "sniffing":{
                "enabled":true,
                "destOverride":[
                    "http",
                    "tls",
                    "quic"
                ]
            }
        }
    ],
    "outbounds":[
        {
            "protocol":"freedom",
            "tag":"direct"
        },
        {
            "protocol":"freedom",
            "settings":{
                "domainStrategy":"UseIPv4"
            },
            "tag":"ipv4_out"
        },
        {
            "protocol":"freedom",
            "settings":{
                "domainStrategy":"UseIPv6"
            },
            "tag":"ipv6_out"
        },
        {
            "protocol":"freedom",
            "settings":{
                "domainStrategy":"UseIPv4"
            },
            "proxySettings":{
                "tag":"wireguard"
            },
            "tag":"warp_ipv4"
        },
        {
            "protocol":"freedom",
            "settings":{
                "domainStrategy":"UseIPv6"
            },
            "proxySettings":{
                "tag":"wireguard"
            },
            "tag":"warp_ipv6"
        },
        {
            "protocol":"wireguard",
            "settings":{
                "secretKey":"秘钥",
                "address":[
                    "172.16.0.2/32",
                    "2606:4700:110:8890:a0d7:44b9:47a9:d0c1/128"
                ],
                "peers":[
                    {
                        "publicKey":"公钥",
                        "allowedIPs":[
                            "0.0.0.0/0",
                            "::/0"
                        ],
                        "endpoint":"engage.cloudflareclient.com:2408"
                    }
                ],
                "reserved":[
                    225,
                    128,
                    32
                ],
                "mtu":1280
            },
            "tag":"wireguard"
        },
        {
            "protocol":"blackhole",
            "tag":"block",
            "settings":{
                "response":{
                    "type":"http"
                }
            }
        }
    ],
    "routing":{
        "domainStrategy":"IPIfNonMatch",
        "rules":[
            {
                "type":"field",
                "domain":[
                    "geosite:cn"
                ],
                "outboundTag":"wireguard"
            },
            {
                "type":"field",
                "outboundTag":"wireguard",
                "ip":[
                    "geoip:cn"
                ]
            },
            {
                "type": "field",
                "domain": [
                    "geosite:openai"
                ],
                "outboundTag": "warp_ipv4"
            },
            {
                "type":"field",
                "outboundTag":"ipv4_out",
                "domain":[
                    "domain:www.google.com"
                ]
            },
            {
                "type":"field",
                "outboundTag":"direct",
                "network":"tcp,udp"
            }
        ]
    }
}

For generating the WireGuard private and public keys, see: https://github.com/chika0801/Xray-examples/blob/main/wireguard.md

Off topic, but while I'm at it: with naiveproxy you can also use xray for routing.

The Caddyfile is configured as follows:

{
  order forward_proxy before file_server
}

:443, domaindomain.com {
  tls xxxxxxxxx@gmail.com
  forward_proxy {
    basic_auth username password
    hide_ip
    hide_via
    probe_resistance
    upstream http://127.0.0.1:1081
  }
  file_server {
    root /var/www/html
  }
}

config.json is configured as follows:

{
    "apps":{
        "http":{
            "servers":{
                "srv0":{
                    "listen":[
                        ":443"
                    ],
                    "routes":[
                        {
                            "handle":[
                                {
                                    "auth_pass_deprecated":"password",
                                    "auth_user_deprecated":"username",
                                    "handler":"forward_proxy",
                                    "hide_ip":true,
                                    "hide_via":true,
                                    "probe_resistance":{

                                    },
                                    "upstream":"http://127.0.0.1:1081/"
                                },
                                {
                                    "handler":"file_server",
                                    "root":"/var/www/html"
                                }
                            ]
                        }
                    ]
                }
            }
        },
        "tls":{
            "certificates":{
                "automate":[
                    "domaindomain.com"
                ]
            },
            "automation":{
                "policies":[
                    {
                        "subjects":[
                            "domaindomain.com"
                        ],
                        "issuers":[
                            {
                                "email":"xxxxxxxxx@gmail.com",
                                "module":"acme"
                            },
                            {
                                "email":"xxxxxx@gmail.com",
                                "module":"zerossl"
                            }
                        ]
                    }
                ]
            }
        }
    }
}

Jasonzhang2023 commented 11 months ago

Thanks, this solved the routing problem for hysteria and naiveproxy!

us254 commented 8 months ago

https://gitlab.com/fscarmen/warp

wget -N https://gitlab.com/fscarmen/warp/-/raw/main/menu.sh && bash menu.sh

✔️ Add WARP dual stack interface to Native dual stack VPS
✔️ Non-global
✔️ Install wireproxy. Wireguard client that exposes itself as a socks5 proxy or tunnels

I've opted for the non-global wireproxy option. Following that choice, I modify the configuration of the Hysteria server by adding the following configuration at the end.

"outbounds": [
    {
        "name": "myOutbound",
        "type": "socks5",
        "socks5": {
            "addr": "127.0.0.1:40000",
            "auth": "no"
        }
    }
]

ideal commented 4 months ago

WARP directly supports proxy mode: https://blog.cloudflare.com/announcing-warp-for-linux-and-proxy-mode

warp-cli set-mode proxy

This does allow routing v2ray traffic to WARP.