apernet / hysteria

Hysteria is a powerful, lightning fast and censorship resistant proxy.
https://v2.hysteria.network/
MIT License
14.82k stars 1.65k forks

[Help request] The hy client resolves the domain name to an IP before sending it on #635

Closed Jasonzhang2023 closed 1 year ago

Jasonzhang2023 commented 1 year ago

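Issue details

Dear Hysteria maintainers, I am a beginner. After yesterday's issue I had fully understood socks5_outbound (or so I thought). Using the method from #594 (https://github.com/apernet/hysteria/issues/594#issuecomment-1623255562), I successfully handed the traffic-splitting task (Netflix, so that this part of the traffic goes out over IPv6) to v2ray:

1. On the hy server, set the outbound:

"socks5_outbound":{ "server":"127.0.0.1:10801" }

2. In the v2ray instance that does the splitting, set the inbound:

"inbounds":[ { "listen":"127.0.0.1", "port":10801, "protocol":"socks", "settings":{ "udp":true } } ]

Here is the problem: with the Windows version of v2ray (v2rayN-v6.23), where hysteria is the latest version 1.3.5, the domain name is successfully sent straight to the v2ray server, which then resolves the IP: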

2023/07/15 00:03:15 tcp:127.0.0.1:57644 accepted tcp:web.prod.cloud.netflix.com:443 [IPv6_out]
2023/07/15 00:03:15 tcp:127.0.0.1:57676 accepted tcp:www.netflix.com:443 [IPv6_out]

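However, when I use the OpenWrt passwall plugin (already updated to the latest hysteria 1.3.5), the local client has already resolved the domain name to an IP before sending it to the server (or else the server-side outbound resolves it to an IP and passes it to the v2ray inbound), which makes the traffic splitting fail [198.38.112.xxx are some of Netflix's IPs]: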

2023/07/15 00:06:30 tcp:127.0.0.1:46360 accepted tcp:198.38.112.163:443 [IPv4_out]
2023/07/15 00:06:30 tcp:127.0.0.1:46392 accepted tcp:198.38.112.173:443 [IPv4_out]
2023/07/15 00:06:30 tcp:127.0.0.1:46396 accepted tcp:198.38.112.173:443 [IPv4_out]

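I went through the existing issues. In theory the outbound no longer resolves domain names [#273] (https://github.com/apernet/hysteria/issues/273); that should already have been improved. What confuses me is that when I use passwall on OpenWrt with the v2ray plugin to bypass censorship, the client does not resolve the name to an IP; it still sends the domain name to the v2ray server, which resolves the IP: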

2023/07/15 00:14:36 222.64.189.170:0 accepted tcp:8.8.8.8:53 [IPv4_out] email: password11@gmail.com
2023/07/15 00:14:37 222.64.189.170:0 accepted tcp:ipv6-c229-sea001-ix.1.oca.nflxvideo.net:443 [IPv6_out] email: password11@gmail.com
2023/07/15 00:14:37 222.64.189.170:0 accepted tcp:ipv6-c224-sea001-ix.1.oca.nflxvideo.net:443 [IPv6_out] email: password11@gmail.com
2023/07/15 00:14:37 222.64.189.170:0 accepted tcp:ipv6-c224-sea001-ix.1.oca.nflxvideo.net:443 [IPv6_out] email: password11@gmail.com

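Here the OpenWrt v2ray plugin has a routing domain-resolution strategy:

"routing": { "domainStrategy": "AsIs", "rules": [ ], "domainMatcher": "hybrid" },

How can I make hysteria in the passwall client not resolve domain names, so that the outbound can pass them to v2ray for traffic splitting?

Server installation info or one-click script info

Hi Hysteria Version: 0.4.8.a, latest version [v1.3.5]

VPS info

hyperexper, Los Angeles (US) data center
OS: ubuntu-22.04 [kvm:x86_64]
CPU: [ "AMD Ryzen 9 3900X 12-Core Processor 1 Virtual Core" ]
Disk: 6.63GB/19.59GB
Memory: 471.11MB/957.57MB

Server configuration

Server log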

2023-07-15T00:27:55+08:00 [INFO] [config:{Listen::11200 Protocol:udp ACME:{Domains:[] Email: DisableHTTPChallenge:false DisableTLSALPNChallenge:false AltHTTPPort:0 AltTLSALPNPort:0} CertFile:/root/.acme.sh/hyper.windy.net_ecc/fullchain.cer KeyFile:/root/.acme.sh/hyper.windy.net_ecc/hyper.windy.net.key Up: UpMbps:0 Down: DownMbps:0 DisableUDP:false ACL:/etc/hihy/acl/hihyServer.acl MMDB: Obfs: Auth:{Mode:password Config:[123 10 34 112 97 115 115 119 111 114 100 34 58 32 34 99 101 52 111 80 105 66 117 48 105 112 78 122 100 66 71 72 78 77 81 117 80 111 49 72 115 65 57 83 55 103 118 112 121 73 100 121 85 110 107 68 98 102 55 82 81 66 98 51 97 34 10 125]} ALPN:h3 PrometheusListen: ReceiveWindowConn:5767168 ReceiveWindowClient:23068672 MaxConnClient:4096 DisableMTUDiscovery:true Resolver: ResolvePreference:64 SOCKS5Outbound:{Server:127.0.0.1:10801 User: Password:} BindOutbound:{Address: Device:}}] Server configuration loaded
2023-07-15T00:27:55+08:00 [INFO] Password authentication enabled
2023-07-15T00:27:55+08:00 [INFO] [addr::11200] Server up and running
2023-07-15T00:28:18+08:00 [INFO] [src:222.64.189.170:48686] Client connected

Client installation info

hysteria version v1.3.5 2023-06-11 23:47:46 57c5164854d6cfe00bead730cce731da2babe406

Client configuration

The hysteria plugin inside passwall needs very few parameters; it is extremely concise:

{
  "insecure": false,
  "protocol": "udp",
  "down_mbps": 55,
  "server": "hyper.windy.net:11200",
  "tproxy_udp": { "timeout": 60, "listen": "0.0.0.0:1041" },
  "redirect_tcp": { "timeout": 300, "listen": "0.0.0.0:1041" },
  "disable_mtu_discovery": false,
  "auth_str": "ce4oPiBu0ipNzdBGHNMQuPo1HsA9S7gvpyIdyUnkDbf7RQBb2a",
  "retry_interval": 5,
  "up_mbps": 11,
  "retry": -1,
  "alpn": "h3",
  "server_name": "hyper.windy.net"
}

Client runtime environment (operating system)

OpenWrt; the plugin is passwall (I don't know where to check its version); hysteria is 1.3.5

Client log

2023-07-15 00:26:08: 删除相关防火墙规则完成。
2023-07-15 00:26:11: 清空并关闭相关程序和缓存完成。
2023-07-15 00:26:11: TCP节点:[US-Hys-hyper.windy]hyper.windy.net:11200,监听端口:1041
2023-07-15 00:26:11: 过滤服务配置:准备接管域名解析...
2023-07-15 00:26:11: - 域名解析:dns2tcp + 使用(TCP节点)解析域名...
2023-07-15 00:26:11: * 请确认上游 DNS 支持 TCP 查询,如非直连地址,确保 TCP 代理打开,并且已经正确转发!
2023-07-15 00:26:11: | - (chinadns-ng) 最高支持4级域名过滤...
2023-07-15 00:26:11: | - 0 代理域名表合并到防火墙域名表
2023-07-15 00:26:11: | - 0 域名白名单合并到中国域名表
2023-07-15 00:26:11: + 过滤服务:ChinaDNS-NG(:15354):国内DNS:116.228.111.118,180.168.255.18,可信DNS:127.0.0.1#15353
2023-07-15 00:26:11: - 以上所列以外及默认:127.0.0.1#15354
2023-07-15 00:26:11: - PassWall必须依赖于Dnsmasq,如果你自行配置了错误的DNS流程,将会导致域名(直连/代理域名)分流失效!!!
2023-07-15 00:26:11: 开始加载防火墙规则...
2023-07-15 00:26:11: 加入负载均衡的节点到ipset[vpsiplist]直连完成
2023-07-15 00:26:11: 加入所有节点到ipset[vpsiplist]直连完成
2023-07-15 00:26:12: 加载路由器自身 TCP 代理...
2023-07-15 00:26:12: - [0]将上游 DNS 服务器 8.8.8.8:53 加入到路由器自身代理的 TCP 转发链
2023-07-15 00:26:12: 加载路由器自身 UDP 代理...
2023-07-15 00:26:12: TCP默认代理:使用TCP节点[US-Hys-hyper.windy] 中国列表以外代理所有端口
2023-07-15 00:26:12: UDP默认代理:使用UDP节点[US-Hys-hyper.windy] 中国列表以外代理所有端口
2023-07-15 00:26:12: 防火墙规则加载完成!
2023-07-15 00:26:14: 重启 dnsmasq 服务
2023-07-15 00:26:14: 运行完成!

Jasonzhang2023 commented 1 year ago

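Verified: it is not the outbound that resolves the domain name; the hysteria client plugin on OpenWrt has already resolved the domain name to an IP and passed it to the server. The reason is that I deleted the socks5_outbound statement and used the most ordinary proxy setup, and the hysteria server log already shows IPs rather than domain names. So my preliminary conclusion is that the hysteria client on OpenWrt has already done the resolution: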

2023-07-15T00:44:29+08:00 [INFO] [src:222.64.189.170:51396] [dst:40.70.161.7:443] [error:read tcp 134.195.14.182:29452->40.70.161.7:443: read: connection reset by peer] TCP error
2023-07-15T00:44:50+08:00 [INFO] [src:222.64.189.170:51396] [dst:52.168.112.67:443] [error:read tcp 134.195.14.182:13616->52.168.112.67:443: read: connection reset by peer] TCP error
2023-07-15T00:49:21+08:00 [INFO] [src:222.64.189.170:51396] [dst:52.168.112.67:443] [error:read tcp 134.195.14.182:58936->52.168.112.67:443: read: connection reset by peer] TCP error
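Added example, not part of the original thread and not hysteria or v2ray code: the check the poster did by eye, as a script that reads v2ray access-log lines and hysteria 1.x server-log lines and reports which destinations arrived as IP literals, since domain-based routing rules cannot match those. The two regular expressions are assumptions derived only from the log lines quoted above; the function names are hypothetical.

```python
import ipaddress
import re

# v2ray access log, as quoted in the thread:
#   "... accepted tcp:www.netflix.com:443 [IPv6_out]"
V2RAY_RE = re.compile(r"accepted (?:tcp|udp):(?P<host>\S+):\d+ \[(?P<tag>[^\]]+)\]")
# hysteria 1.x server log, as quoted in the thread:
#   "... [dst:40.70.161.7:443] ..."
HYSTERIA_RE = re.compile(r"\[dst:(?P<host>[^\]\s]+):\d+\]")

# Sample lines copied from the logs posted in the thread.
SAMPLE = [
    "2023/07/15 00:03:15 tcp:127.0.0.1:57676 accepted tcp:www.netflix.com:443 [IPv6_out]",
    "2023/07/15 00:06:30 tcp:127.0.0.1:46360 accepted tcp:198.38.112.163:443 [IPv4_out]",
    "2023-07-15T00:44:29+08:00 [INFO] [src:222.64.189.170:51396] [dst:40.70.161.7:443] "
    "[error:read tcp 134.195.14.182:29452->40.70.161.7:443: read: connection reset by peer] TCP error",
]


def host_kind(host):
    """Return 'ip' for an IPv4/IPv6 literal (brackets allowed), else 'domain'."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return "ip"
    except ValueError:
        return "domain"


def parse_line(line):
    """Return (host, kind, outbound_tag) for a recognised line, else None.

    outbound_tag is None for hysteria lines, which carry no routing tag.
    """
    m = V2RAY_RE.search(line)
    if m:
        return m["host"], host_kind(m["host"]), m["tag"]
    m = HYSTERIA_RE.search(line)
    if m:
        return m["host"], host_kind(m["host"]), None
    return None


def ip_only_flows(lines):
    """Flows whose destination was already an IP when the proxy logged it."""
    return [p for p in map(parse_line, lines) if p and p[1] == "ip"]


if __name__ == "__main__":
    for host, kind, tag in ip_only_flows(SAMPLE):
        print(f"{host}: {kind}, outbound tag: {tag}")
```
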