apernet / hysteria

Hysteria is a powerful, lightning fast and censorship resistant proxy.
https://v2.hysteria.network/
MIT License

[Help me] dns wildcard #595

Open freecode505 opened 1 year ago

freecode505 commented 1 year ago

Details

Is it possible for it to support DNS wildcards, and how would it work? It would be nice to support this, please.

Example *.Google.com


haruue commented 1 year ago

Hysteria currently does not support the DNS-01 challenge of ACMEv2, which is required for wildcard issuance.

Because Golang does not allow for runtime loadable modules, including DNS API plugins in the release would complicate the download and upgrade process. For an example of this, refer to the Caddy download page.

I believe it's feasible to generate wildcard certificates using external ACME tools like acme.sh and configure them with the "cert" and "key" options of Hysteria. This approach should also be effective.

freecode505 commented 1 year ago

How would the server JSON be configured if I do not want to use a domain or certificate, and connect by the IP of my server without using a domain?

My supplier has prohibited external domains and only allows IP use.

@haruue

haruue commented 1 year ago

@testingnic

How would the server JSON be configured if I do not want to use a domain or certificate, and connect by the IP of my server without using a domain?

My supplier has prohibited external domains and only allows IP use.

It is not possible to obtain an IP address certificate with the ACME HTTP-01 challenge supported by hysteria. Therefore, the best way to achieve this goal is to use a self-signed IP address certificate.

Here is a script that generates a self-signed IP address certificate and the corresponding hysteria config files.

#!/usr/bin/env bash
set -euo pipefail

# Public IP of the server (IPv4 or IPv6); the client connects to this literal.
ipaddress="192.0.2.1"
#ipaddress="2001:db8::1"
password=$(openssl rand -hex 16)

# Wrap IPv6 literals in brackets for the host:port form used in client.json.
format_host() {
  local _ip=$1
  if echo "$_ip" | grep -q '\.'; then
    echo "$_ip"
  else
    echo "[$_ip]"
  fi
}

# Private CA; the client trusts it through its "ca" option.
openssl genrsa -out hysteria.ca.key 2048

openssl req -new -x509 -days 3650 -key hysteria.ca.key -subj "/O=Hysteria, Inc./CN=Hysteria Root CA" -out hysteria.ca.crt

# Server key and CSR. The CN alone is not enough for clients; the IP must also appear in subjectAltName below.
openssl req -newkey rsa:2048 -nodes -keyout hysteria.server.key -subj "/O=Hysteria, Inc./CN=${ipaddress}" -out hysteria.server.csr

openssl x509 -req -extfile <(printf "subjectAltName=IP:${ipaddress}") -days 3650 -in hysteria.server.csr -CA hysteria.ca.crt -CAkey hysteria.ca.key -CAcreateserial -out hysteria.server.crt

cat > ./client.json <<EOF
{
  "server": "$(format_host "$ipaddress"):5678",
  "alpn": "h3",
  "auth_str": "${password}",
  "up_mbps": 30,
  "down_mbps": 30,
  "socks5": {
      "listen": "127.0.0.1:1080"
  },
  "http": {
      "listen": "127.0.0.1:8080"
  },
  "ca": "hysteria.ca.crt"
}
EOF

cat > ./server.json <<EOF
{
  "listen": ":5678",
  "alpn": "h3",
  "cert": "hysteria.server.crt",
  "key": "hysteria.server.key",
  "auth": {
      "mode": "password",
      "config": {
          "password": "${password}"
      }
  }
}
EOF

freecode505 commented 1 year ago

2023-04-27T11:32:14-07:00 [INFO] [config:{Server:45.58.56.179:5678 Protocol: Up: UpMbps:30 Down: DownMbps:30 Retry:0 RetryInterval: QuitOnDisconnect:false HandshakeTimeout:0 IdleTimeout:0 HopInterval:0 SOCKS5:{Listen:127.0.0.1:1080 Timeout:0 DisableUDP:false User: Password:} HTTP:{Listen:127.0.0.1:8085 Timeout:0 User: Password: Cert: Key:} TUN:{Name: Timeout:0 MTU:0 TCPSendBufferSize: TCPReceiveBufferSize: TCPModerateReceiveBuffer:false} TCPRelays:[] TCPRelay:{Listen: Remote: Timeout:0} UDPRelays:[] UDPRelay:{Listen: Remote: Timeout:0} TCPTProxy:{Listen: Timeout:0} UDPTProxy:{Listen: Timeout:0} TCPRedirect:{Listen: Timeout:0} ACL: MMDB: Obfs: Auth:[] AuthString:049718acb9944a4e13501ce14721d829 ALPN:h3 ServerName: Insecure:false CustomCA:hysteria.ca.crt ReceiveWindowConn:0 ReceiveWindow:0 DisableMTUDiscovery:false FastOpen:false LazyStart:false Resolver: ResolvePreference:}] Client configuration loaded 2023-04-27T11:32:14-07:00 [FATA] [file:hysteria.ca.crt] [error:open hysteria.ca.crt: The system cannot find the file specified.] Failed to load CA

freecode505 commented 1 year ago

Name: Insecure:false CustomCA:hysteria.ca.crt ReceiveWindowConn:0 ReceiveWindow:0 DisableMTUDiscovery:false FastOpen:false LazyStart:false Resolver: ResolvePreference:}] Client configuration loaded 2023-04-27T14:16:57-07:00 [ERRO] [error:CRYPTO_ERROR 0x150 (remote): tls: internal error] Failed to initialize client 2023-04-27T14:16:57-07:00 [FATA] Out of retries, exiting...

freecode505 commented 1 year ago

Is there a way to run it without "ca": on the client?

@haruue

haruue commented 1 year ago

@testingnic

Is there a way to run it without "ca": on the client?

You can enable the "insecure": true option in the client-side configuration, but Hysteria will still use TLS as required by QUIC specifications.

Could you please tell us how your supplier's "prohibited external domains, only allows IP" policy exactly works?

freecode505 commented 1 year ago

I'll explain: my provider only allows IP. I mean, with V2Ray etc., the times I've crossed a firewall it was only by using my server's IP; if I use any domain it doesn't allow me to connect.

And the other way is that my provider has allowed sites or captive portals. Suppose my provider allows wikipedia.com; sometimes what I did was FakeDNS with a subdomain in V2Ray as the server. My domain maybe is hysteria.vps, then a subdomain with the allowed word as the header; I mean, it would look like this:

wikipedia.com.hysteria.vps

Allowed host + my domain, and in this way I could get through; for that reason I was looking for DNS wildcard.

But with what you just gave me I think I can do it.

@haruue

haruue commented 1 year ago

2023-04-27T11:32:14-07:00 [FATA] [file:hysteria.ca.crt] [error:open hysteria.ca.crt: The system cannot find the file specified.] Failed to load CA

You should copy the hysteria.ca.crt generated by the script to the client side.

haruue commented 1 year ago

I'll explain: my provider only allows IP. I mean, with V2Ray etc., the times I've crossed a firewall it was only by using my server's IP; if I use any domain it doesn't allow me to connect.

And the other way is that my provider has allowed sites or captive portals. Suppose my provider allows wikipedia.com; sometimes what I did was FakeDNS with a subdomain in V2Ray as the server. My domain maybe is hysteria.vps, then a subdomain with the allowed word as the header; I mean, it would look like this:

wikipedia.com.hysteria.vps

Allowed host + my domain, and in this way I could get through; for that reason I was looking for DNS wildcard.

Did you try setting up a domain like wikipedia.com.hysteria.vps for your hysteria server and signing a certificate with this domain?

And I want to clarify a few points.

  1. You can issue a certificate for a host like wikipedia.com.hysteria.vps: simply set the correct DNS record pointing to the hysteria server and put it exactly into the acme domains of the server-side config of hysteria.
  2. A wildcard certificate for *.hysteria.vps won't match wikipedia.com.hysteria.vps; you would need *.com.hysteria.vps, and it seems this also does not meet your requirement.
  3. Hysteria uses QUIC, which is a protocol based on UDP (obviously different from v2ray+tls). Maybe you should first ensure your provider allows UDP traffic.
  4. Have you ever tried the "obfs" feature of hysteria? It makes the traffic look like random bytes to a middlebox, so it cannot extract any domain from it.

freecode505 commented 1 year ago

Hello, I managed to bypass my firewalls using IP, but my ISP has apparently limited UDP traffic; I have only 1 mb speed. Is there any way I can improve the speed? How can I send multiple segmented packets to access it, or is there something else that can be done?

freecode505 commented 1 year ago

@haruue ??

haruue commented 1 year ago

Perhaps try v2fly+tls with an IP address certificate.

In Hysteria, the way to bypass the UDP speed limit (or QoS) is using protocol: "faketcp". However, based on the information discussed above about your internet supplier, it is unlikely that this method would be effective.