Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add XTLS RPRX's Vision #1235

Merged
merged 5 commits into from
Oct 29, 2022
Merged

Add XTLS RPRX's Vision #1235

merged 5 commits into from
Oct 29, 2022

Conversation

yuhan6665
Copy link
Member

@yuhan6665 yuhan6665 commented Oct 3, 2022

新流控实验选项:xtls-rprx-vision

  • 解决已知漏洞
  • 针对 tls1.3 开启 xtls (直接拷贝) 模式
  • 增加 tls 握手长度混淆
  • 简化代码

注意:"streamSettings" "security" 必须使用 “tls” "tlsSettings" 不能使用 “xtls” “xtlsSettings”

@SekiBetu
Copy link

SekiBetu commented Oct 9, 2022

请问这个流控是双端都需要开启的吗

@yuhan6665
Copy link
Member Author

请问这个流控是双端都需要开启的吗

对 因为与其它现存流控区别很大 必须两端都改

@SekiBetu
Copy link

SekiBetu commented Oct 9, 2022

请问这个流控是双端都需要开启的吗

对 因为与其它现存流控区别很大 必须两端都改

好的

@chika0801
Copy link
Contributor

chika0801 commented Oct 9, 2022

第一次打开一个网址,chrome先报
网址为 www.michelin.co.jp 的网页可能暂时无法连接,或者它已永久性地移动到了新网址。ERR_SSL_BAD_RECORD_MAC_ALERT

等5秒左右,网页自动刷新,此时报 www.michelin.co.jp 使用了不受支持的协议。ERR_SSL_VERSION_OR_CIPHER_MISMATCH

再等约5秒,又报ERR_SSL_BAD_RECORD_MAC_ALERT,再等5秒,网页正常打开。此时关闭浏览器,再开,再打开网址,就直接显示内容了。

如果出错,直接按F5刷新,也是这错误界面,可能第4、5次刷新就正常了。正常后,再打开就是直接开,不会再报错。很多网址第1次打开,都是重复这现象,也有的网址没这现象。

服务器配置

点击查看详细
{
    "log": {
        "access": "",
        "error": "",
        "loglevel": "warning"
    },
    "dns": {
        "servers": [
            "1.1.1.1"
        ],
        "queryStrategy": "UseIPv4"
    },
    "routing": {
        "domainStrategy": "IPIfNonMatch",
        "rules": [
            {
                "type": "field",
                "domain": [
                    "geosite:category-ads-all"
                ],
                "outboundTag": "block"
            },
            {
                "type": "field",
                "ip": [
                    "geoip:cn",
                    "geoip:private"
                ],
                "outboundTag": "block"
            }
        ]
    },
    "inbounds": [
        {
            "listen": "0.0.0.0",
            "port": 443,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "chika",
                        "flow": "xtls-rprx-vision"
                    }
                ],
                "decryption": "none",
                "fallbacks": [
                    {
                        "dest": "8001",
                        "xver": 1
                    },
                    {
                        "alpn": "h2",
                        "dest": "8002",
                        "xver": 1
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls",
                "tlsSettings": {
                    "rejectUnknownSni": true,
                    "minVersion": "1.3",
                    "certificates": [
                        {
                            "certificateFile": "/etc/ssl/private/fullchain.cer",
                            "keyFile": "/etc/ssl/private/private.key"
                        }
                    ]
                }
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls"
                ]
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "settings": {
                "domainStrategy": "UseIPv4"
            },
            "tag": "direct"
        },
        {
            "protocol": "blackhole",
            "settings": {
                "response": {
                    "type": "http"
                }
            },
            "tag": "block"
        }
    ]
}

客户端配置

点击查看详细
{
    "log": {
        "access": "",
        "error": "",
        "loglevel": "warning"
    },
    "dns": {
        "servers": [
            "1.1.1.1"
        ],
        "queryStrategy": "UseIPv4"
    },
    "routing": {
        "domainStrategy": "IPIfNonMatch",
        "rules": [
            {
                "type": "field",
                "ip": [
                    "1.1.1.1"
                ],
                "outboundTag": "proxy"
            },
            {
                "type": "field",
                "domain": [
                    "geosite:category-ads-all"
                ],
                "outboundTag": "block"
            },
            {
                "type": "field",
                "domain": [
                    "geosite:geolocation-!cn"
                ],
                "outboundTag": "proxy"
            },
            {
                "type": "field",
                "domain": [
                    "geosite:tld-cn",
                    "geosite:cn"
                ],
                "outboundTag": "direct"
            },
            {
                "type": "field",
                "ip": [
                    "geoip:cn",
                    "geoip:private"
                ],
                "outboundTag": "direct"
            }
        ]
    },
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": 10808,
            "protocol": "socks",
            "settings": {
                "udp": true
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls"
                ]
            }
        },
        {
            "listen": "127.0.0.1",
            "port": 10809,
            "protocol": "http",
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls"
                ]
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "103.88.XXX.XXX",
                        "port": 443,
                        "users": [
                            {
                                "id": "chika",
                                "encryption": "none",
                                "flow": "xtls-rprx-vision"
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls",
                "tlsSettings": {
                    "serverName": "lovelive-XXXXXX.top",
                    "allowInsecure": false
                }
            },
            "tag": "proxy"
        },
        {
            "protocol": "freedom",
            "settings": {
                "domainStrategy": "AsIs"
            },
            "tag": "direct"
        },
        {
            "protocol": "blackhole",
            "settings": {
                "response": {
                    "type": "http"
                }
            },
            "tag": "block"
        }
    ]
}

@yuhan6665
Copy link
Member Author

@chika0801 感谢测试 我也注意到刚开代理的时候有这个现象 大概是握手的 padding 处理有 bug
目前是内测 主要是想知道 padding 对防封锁有没有用

@SekiBetu
Copy link

我在同一VPS商上购买了两台服务器,安装了Debian11系统,一台使用了vless+tls+开启了MUX多路复用,一台使用了上述的组合vless+tls(xtls-rprx-vision)[因提示无法与mux功能同时开启,所以没有开启mux功能]
经过一天后,使用了vless+tls的组合端口被封,使用了上述组合的安然无事
可以在一定程度上得出以下结论:
新增的握手长度混淆流控在短期内可以延长服务器被识别的时间,有效

@chika0801
Copy link
Contributor

Screenshot_2022-10-09-13-37-50-387_com android chrome

@SekiBetu
Copy link

SekiBetu commented Oct 10, 2022

Screenshot_2022-10-09-13-37-50-387_com android chrome

需要开发者继续完善这种长度混淆,让其变为随机或者是用户可以编辑的选项,让每台服务器拥有不同的规则,这样可以大大拖延被识别的时间

@yuhan6665
Copy link
Member Author

yuhan6665 commented Oct 10, 2022

@SekiBetu 感谢你的测试 两台新机器的使用情况呢?
请继续在 vision 上使用大流量
@chika0801 以我对人工智能应用的了解 想要适应新变化没有那么快

@yuhan6665 yuhan6665 closed this Oct 10, 2022
@yuhan6665 yuhan6665 reopened this Oct 10, 2022
@yuhan6665
Copy link
Member Author

https://github.com/yuhan6665/v2rayNG/releases/download/aar-test/v2rayNG_1.7.20-vision_null.apk
暂时放一个测试版 方便在安卓上测
注意:需要将服务端改为自动构建 https://github.com/XTLS/Xray-core/actions/runs/3218983882 并修改相应配置

我看了一下 ssl 报错 似乎是因为目前的随机长度混淆有时会超长 下个版本会修的 不影响测试 gfw 的效果

@yuhan6665
Copy link
Member Author

yuhan6665 commented Oct 10, 2022

新 xtls 流控实验
最近在修 xtls 漏洞 同时研究 tls 握手 刚好 gfw 升级 顺手加了一个握手包长度混淆 赶紧趁这个机会测试一下

@yuhan6665 这是什么

@Fangliding
Copy link
Member

@yuhan6665 漂亮的很呐

@liaoliaots
Copy link

liaoliaots commented Oct 10, 2022

@yuhan6665 It's pretty cool!!!

2022-10-10 21:00 - 23:59
Bandwidth usage in about two hours: 90GB

一些现象:

  • 大多数网站需要刷新多次才能进入,甚至10+
  • 期间BT下载时(100mbps左右)(同时Youtube 4K,5GB.bin下载)有断流情况,Terminal 关闭 重启 xray 后恢复 有时,有时等几分钟恢复,错误为 "failed to find an available destination ...",不确定问题出在哪一方
  • 但是,关闭BT后 下载10gb.bin文件 速度稳定在 30mb/s 高一些或低一些;10GB文件下载了6个,过程稳定非常,无断流;
  • IP 及 443 正常
  • 客户端添加 指纹参数 后,启动xray后一旦传输会报错退出

VPS Details:
Vultr Seattle Intel Xeon (Cascadelake) 2.893GHz 1024 MB China Unicom AS4837 Only IPV4 Ping Latency: 170ms No Package Loss

Server Side Configuration - Toggle me!
{
  "log": {
    "loglevel": "info",
    "dnsLog": true
  },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "469ec843-4c16-43e5-a0a8-512d02c5bb96",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none",
        "fallbacks": [
          {
            "dest": 2001
          },
          {
            "dest": 2002,
            "alpn": "h2"
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "rejectUnknownSni": true,
          "alpn": ["h2", "http/1.1"],
          "minVersion": "1.3",
          "certificates": [
            {
              "certificateFile": "./fullchain.crt",
              "keyFile": "./private.key"
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "sendThrough": "0.0.0.0",
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIPv4"
      }
    }
  ],
  "dns": {
    "servers": [
      "94.140.14.140",
      "94.140.14.141",
      "208.67.222.222",
      "208.67.220.220",
      "1.1.1.1",
      "1.0.0.1",
      "8.8.8.8",
      "8.8.4.4"
    ],
    "queryStrategy": "UseIPv4"
  }
}
Client Side Configuration - Toggle me!
{
  "log": {
    "loglevel": "info",
    "dnsLog": true
  },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 8080,
      "protocol": "http"
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "xxxx.xxx",
            "port": 443,
            "users": [
              {
                "id": "469ec843-4c16-43e5-a0a8-512d02c5bb96",
                "encryption": "none",
                "flow": "xtls-rprx-vision"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "alpn": ["h2", "http/1.1"],
          "minVersion": "1.3"
        }
      }
    }
  ]
}

@yuhan6665
Copy link
Member Author

@liaoliaots 感谢反馈 BT 我没试 还需要后续研究
关于指纹问题 新流控的一个重要优点就是重新回到了 tls 标准库 这意味着将来 xtls 将可以搭配 utls 使用 隐藏客户端指纹

@lanlandezei
Copy link

昨天使用了这个配置,今天还正常。

@HezeCaoxian
Copy link

坐标河南濮阳,今天出差过来发现这边的联通和移动,用了这个vless+xtls-rprx-vision,配了上海腾讯云做中转,电脑到腾讯云用vless+xtls-rprx-vision,腾讯云到新加坡vultr用vless+xtls-rprx-vision,能用一会会,只要打开过YouTube,没几分钟必死,死了上海腾讯云的22和443都连不上。

@lanlandezei
Copy link

坐标河南濮发现阳,今天出差来腾讯云到上海的联通和移动,用了这个vless+xtls-rprx-vision,配了腾讯云做中转,电脑到腾讯云用vless+xtls-rprx-vision,新加坡vultrless+xtls-rprx-vision,能用一会会,只要打开YouTube,没用v必死,死了上海腾讯云的22和443都连不上。

上面都说了 注意:"streamSettings" "security" 必须使用 “tls” "tlsSettings" 不能使用 “xtls” “xtlsSettings”

@chika0801
Copy link
Contributor

@chika0801 感谢测试 我也注意到刚开代理的时候有这个现象 大概是握手的 padding 处理有 bug 目前是内测 主要是想知道 padding 对防封锁有没有用

padding的BUG除了要多刷新几次网页才打开,还发现一个现象是网页打开了,图片可能没刷出来,这时个再F5刷新,图片也刷不出来。期待下一个测试版(不是催更)
1

@GeorgeRudd
Copy link

xtls-rprx-vision这个模式没有tls in tls特征是吗

@yuhan6665
Copy link
Member Author

坐标河南濮阳,今天出差过来发现这边的联通和移动,用了这个vless+xtls-rprx-vision,配了上海腾讯云做中转,电脑到腾讯云用vless+xtls-rprx-vision,腾讯云到新加坡vultr用vless+xtls-rprx-vision,能用一会会,只要打开过YouTube,没几分钟必死,死了上海腾讯云的22和443都连不上。

感谢测试 目前需要更多样本
我不太清楚河南的情况 是不是可以直连海外VPS 如果可能的话麻烦测一下直连
国内VPS中转确实暴露因素太多了(裁判都是我的人

@liaoliaots
Copy link

liaoliaots commented Oct 11, 2022

@yuhan6665

Traffic Black Hole Direct AS4837 Vultr

2022-10-11
Traffic: 22.58GB
Time: 21min

  • 可能是数据源的原因,没速度了,但客户端LOG无报错,正常访问
  • 过程非常稳定,前期30MB/s,中期15MB/s,后期10MB/s,然后为0
  • 换源继续测试中...

@yuhan6665
Copy link
Member Author

@yuhan6665

Traffic Black Hole Direct AS4837 Vultr

Traffic: 22.58GB Time: 21min

  • 可能是数据源的原因,没速度了,但客户端LOG无报错,正常访问
  • 过程非常稳定,前期30MB/s,中期15MB/s,后期10MB/s,然后为0
  • 换源继续测试中...

你的意思是端口没封 真链接测试是通的但是没有速度?这台机器是你昨天测的那个大流量吗? 你说换源是指换了 vps 还是换了本地?感谢测试

@chika0801
Copy link
Contributor

发现一旦安卓客户端(v1.7.24)同时使用xtls-rprx-vision和设置了uTLS选项(Chrome)之后,激活VPN就会无限循环显示VPN已经连接成功,不能连接。去掉uTLS为空就好了。

现在版本不支持utls,所以你勾上出错连不上。

@GreatMichaelLee
Copy link

youtube会断流,不知何故

@e1732a364fed
Copy link

在我实现vs对tls lazy encrypt(也是包外过滤)的时候,我遇到过 tls record的切包问题,当时花了好大功夫完善好。你这里没有切包的问题吗?

就是说,如果切换到裸奔的那一瞬间,把一个 tls 数据切成了两半,一半加密、一半裸奔,就会导致出错的。

@hrimfaxi
Copy link

hrimfaxi commented Nov 2, 2022

发现一旦安卓客户端(v1.7.24)同时使用xtls-rprx-vision和设置了uTLS选项(Chrome)之后,激活VPN就会无限循环显示VPN已经连接成功,不能连接。去掉uTLS为空就好了。

现在版本不支持utls,所以你勾上出错连不上。

用了1天xtls-rprx-vision被封了,换端口就OK,可能还是不支持uTLS被查出来了?

@yuhan6665
Copy link
Member Author

在我实现vs对tls lazy encrypt(也是包外过滤)的时候,我遇到过 tls record的切包问题,当时花了好大功夫完善好。你这里没有切包的问题吗?

就是说,如果切换到裸奔的那一瞬间,把一个 tls 数据切成了两半,一半加密、一半裸奔,就会导致出错的。

感谢 @e1732a364fed 关注,现在大佬太少了,代码没人看其实还是很慌的。
目前 vision 里面没有切包的(如果过长好像是底层会根据 MTU 切 但我理解那个不影响上层)我测试的时候切换裸奔总是第二个 23 3 3 application data 的开头。
有一个坑卡了很久,就是我发现转裸奔的时候不能立即往 tls conn 里面写数据,需要等 5 ms,大概跟TLS库内部状态有关

@yuhan6665
Copy link
Member Author

发现一旦安卓客户端(v1.7.24)同时使用xtls-rprx-vision和设置了uTLS选项(Chrome)之后,激活VPN就会无限循环显示VPN已经连接成功,不能连接。去掉uTLS为空就好了。

现在版本不支持utls,所以你勾上出错连不上。

用了1天xtls-rprx-vision被封了,换端口就OK,可能还是不支持uTLS被查出来了?

感谢反馈,如果能提供更多信息,比如有无特殊配置,使用环境等信息就更好了

@lanlandezei
Copy link

报告一下使用情况,使用了该配置,第一次用了2 3天端口被封,自己有设置白名单只有自己IP能访问,被封端口后改了端口,白名单关了改为任何IP能连接该端口,用到了现在竟然没出问题,现在已经使用了20天多了。

@hrimfaxi
Copy link

hrimfaxi commented Nov 2, 2022

发现一旦安卓客户端(v1.7.24)同时使用xtls-rprx-vision和设置了uTLS选项(Chrome)之后,激活VPN就会无限循环显示VPN已经连接成功,不能连接。去掉uTLS为空就好了。

现在版本不支持utls,所以你勾上出错连不上。

用了1天xtls-rprx-vision被封了,换端口就OK,可能还是不支持uTLS被查出来了?

感谢反馈,如果能提供更多信息,比如有无特殊配置,使用环境等信息就更好了

服务器 (Ubuntu 22.04.1 LTS,Xray-core v1.6.2)

{
    "log": {
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "port": 443,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                        "flow": "xtls-rprx-vision"
                    }
                ],
                "decryption": "none",
                "fallbacks": [
                    {
                        "dest": 8080
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls",
                "tlsSettings": {
                    "minVersion": "1.3",
                    "alpn": ["h2", "http/1.1"],
                    "certificates": [
                        {
                            "certificateFile": "/etc/xray/xray.crt",
                            "keyFile": "/etc/xray/xray.key"
                        }
                    ]
                },
                "sockopt": {
                    "tcpFastOpen": true,
                    "tcpKeepAliveIdle": 30,
                    "tcpKeepAliveInterval": 30
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "streamSettings": {
                "sockopt": {
                    "tcpFastOpen": true
                }
            }
        }
    ]
}

客户端(安卓,v1.7.24):

vless://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@xxx.xxx.xxx.xx:443?security=tls&encryption=none&alpn=h2&headerType=none&type=tcp&flow=xtls-rprx-vision&sni=xxxx.xxxxxxxxxxxxx.com

用了iptables规则把9000~10000端口重定向到443:

-A PREROUTING -i eth0 -p tcp -m multiport --dports 9000:10000 -j REDIRECT --to-ports 443

被封的端口(9346):

10:01:32.034213 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53302: Flags [S.], seq 3674340596, ack 1773914323, win 43440, options [mss 1460,sackOK,TS val 620465338 ecr 2375169455,nop,wscale 11], length 0
10:01:32.034228 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53304: Flags [S.], seq 1449986568, ack 808235610, win 43440, options [mss 1460,sackOK,TS val 620465338 ecr 2375169455,nop,wscale 11], length 0
10:01:32.034245 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53303: Flags [S.], seq 2029816394, ack 4268795181, win 43440, options [mss 1460,sackOK,TS val 620465338 ecr 2375169455,nop,wscale 11], length 0
10:01:32.034255 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53301: Flags [S.], seq 2869296562, ack 313870430, win 43440, options [mss 1460,sackOK,TS val 620465338 ecr 2375169455,nop,wscale 11], length 0
10:01:33.058186 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53295: Flags [S.], seq 808081801, ack 2221802051, win 43440, options [mss 1460,sackOK,TS val 620466362 ecr 2375156143,nop,wscale 11], length 0
10:01:33.314198 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53300: Flags [S.], seq 3399959080, ack 1825842378, win 43440, options [mss 1460,sackOK,TS val 620466618 ecr 2375168687,nop,wscale 11], length 0
10:01:33.860396 IP yy.yy.yyy.yyy.53305 > xxx.xxx.xxx.xx.9346: Flags [S], seq 2221802050, win 65535, options [mss 1360,sackOK,TS val 2375172271 ecr 0,nop,wscale 9], length 0
10:01:33.860500 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53305: Flags [S.], seq 663986696, ack 2221802051, win 43440, options [mss 1460,sackOK,TS val 620467164 ecr 2375172271,nop,wscale 11], length 0
10:01:34.082245 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53301: Flags [S.], seq 2869296562, ack 313870430, win 43440, options [mss 1460,sackOK,TS val 620467386 ecr 2375169455,nop,wscale 11], length 0
10:01:34.082290 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53303: Flags [S.], seq 2029816394, ack 4268795181, win 43440, options [mss 1460,sackOK,TS val 620467386 ecr 2375169455,nop,wscale 11], length 0
10:01:34.082314 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53304: Flags [S.], seq 1449986568, ack 808235610, win 43440, options [mss 1460,sackOK,TS val 620467386 ecr 2375169455,nop,wscale 11], length 0
10:01:34.082332 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53302: Flags [S.], seq 3674340596, ack 1773914323, win 43440, options [mss 1460,sackOK,TS val 620467386 ecr 2375169455,nop,wscale 11], length 0
10:01:34.594218 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.52568: Flags [S.], seq 1056730636, ack 1825842378, win 43440, options [mss 1460,sackOK,TS val 620467898 ecr 2375137248,nop,wscale 11], length 0
10:01:34.914168 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53305: Flags [S.], seq 663986696, ack 2221802051, win 43440, options [mss 1460,sackOK,TS val 620468218 ecr 2375172271,nop,wscale 11], length 0
10:01:35.042182 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53299: Flags [S.], seq 2953064020, ack 692000629, win 43440, options [mss 1460,sackOK,TS val 620468346 ecr 2375166383,nop,wscale 11], length 0
10:01:35.106199 IP xxx.xxx.xxx.xx.9346 > yy.yy.yyy.yyy.53296: Flags [S.], seq 1515217383, ack 2060058897, win 43440, options [mss 1460,sackOK,TS val 620468410 ecr 2375158191,nop,wscale 11], length 0

端口号加个1就正常了

@yuhan6665
Copy link
Member Author

@hrimfaxi 考虑把服务器 geoip geosite cn 路由到黑洞再试试

@hrimfaxi
Copy link

hrimfaxi commented Nov 2, 2022

服务器配置:

    "outbounds": [
        {
            "protocol": "freedom",
            "streamSettings": {
                "sockopt": {
                    "tcpFastOpen": true
                }
            }
        },
        {
                "protocol": "blackhole",
                "tag": "blackhole"
        }
    ],
    "routing": {
            "domainStrategy": "IPIfNonMatch",
            "rules": [
            {
                "domain": [
                    "geosite:cn"
                ],
                "outboundTag": "blackhole",
                "type": "field"
            },
            {
                "ip": [
                    "geoip:cn"
                ],
                "outboundTag": "blackhole",
                "type": "field"
            }

            ]
    }

这样的目的是什么?用服务器访问国内地址会暴露吗?

Edit: 根据建议,把domain和IP分开写成两个规则

@chika0801
Copy link
Contributor

chika0801 commented Nov 2, 2022

#593 (comment)

@hrimfaxi
Copy link

hrimfaxi commented Nov 2, 2022

#593 (comment)

明白了,谢谢

@yuhan6665
Copy link
Member Author

@hrimfaxi 注意 domain 和 IP 在路由里面要分开写

@lanlandezei
Copy link

报告一下使用表,使用了该端口的情况,第2个端口可以访问,第3个端口被封自己有设置的天表,只有IP,被配置的端口后修改了,白关了,让任何IP都可以访问连接该端口,现在已经没有出问题了,现在已经使用了20天。

昨天刚说今天就封端口...,我是用新的这个 Add XTLS RPRX's Vision (#1235) ,是不是之前那个版本更安全,虽然要频繁刷新。。。

@yuhan6665
Copy link
Member Author

@lanlandezei 你报告的情况我猜测可能是运气?如果有条件的话推荐换一个 IP,把 geoip geosite cn 路由到黑洞再试试,还是测新版 1.6.2

@lanlandezei
Copy link

@lanlandezei你报告的情况我预测可能是运气?

我怀疑可能是昨天 把新的程序下载到本地解压后,通过22 端口SFTP上传的到服务器的,然后被关注了。

@GreatMichaelLee
Copy link

目前用1.6.2发现油管(流媒体)经常卡顿停滞,google play更新软件用不了,换成上个版本就好了,但访问twitter什么的一次性连接的web又没问题,不知道什么原因。我可以肯定这跟新内核相关。

@MIBZORE
Copy link

MIBZORE commented Nov 4, 2022

google play 下载与更新不可用

@yuhan6665
Copy link
Member Author

遇到问题的同学,麻烦你们尽力把出现错误当时的客户端和服务器日志发个 issue。。

@GeorgeRudd
Copy link

google play 下载与更新不可用

ip问题 和协议无关 2dust/v2rayNG#1234 (comment)

@NinjaUmbra
Copy link

google play 下载与更新不可用

这是被送中的IP

@mclovin-2k
Copy link

mclovin-2k commented Nov 8, 2022

1.6.1 的时候,我搭建的 Reverse Proxy 还是正常的。
Server 和 Client 同时更新到 1.6.2/1.6.3 之后,Reverse Proxy 就连不上了。
将 Client 降回 1.6.1,Reverse Proxy 恢复正常。

1.6.1 Xray Client 启动的时候,可以看到最后几行 Reverse Proxy 的 Log

2022/11/08 13:35:37 [Debug] app/stats: create new counter inbound>>>inboundHttp>>>traffic>>>uplink
2022/11/08 13:35:37 [Debug] app/stats: create new counter inbound>>>inboundHttp>>>traffic>>>downlink
2022/11/08 13:35:37 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:6060
2022/11/08 13:35:37 [Debug] app/stats: create new counter inbound>>>inboundHttpRouting>>>traffic>>>uplink
2022/11/08 13:35:37 [Debug] app/stats: create new counter inbound>>>inboundHttpRouting>>>traffic>>>downlink
2022/11/08 13:35:37 [Debug] app/proxyman/inbound: creating stream worker on 0.0.0.0:6061
2022/11/08 13:35:37 [Debug] app/stats: create new counter inbound>>>inboundSocks>>>traffic>>>uplink
2022/11/08 13:35:37 [Debug] app/stats: create new counter inbound>>>inboundSocks>>>traffic>>>downlink
2022/11/08 13:35:37 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:7070
2022/11/08 13:35:37 [Debug] app/stats: create new counter inbound>>>inboundSocksRouting>>>traffic>>>uplink
2022/11/08 13:35:37 [Debug] app/stats: create new counter inbound>>>inboundSocksRouting>>>traffic>>>downlink
2022/11/08 13:35:37 [Debug] app/proxyman/inbound: creating stream worker on 0.0.0.0:7071
2022/11/08 13:35:37 [Debug] app/stats: create new counter outbound>>>outboundFreedom>>>traffic>>>uplink
2022/11/08 13:35:37 [Debug] app/stats: create new counter outbound>>>outboundFreedom>>>traffic>>>downlink
2022/11/08 13:35:37 [Debug] app/stats: create new counter outbound>>>outboundBlackhole>>>traffic>>>uplink
2022/11/08 13:35:37 [Debug] app/stats: create new counter outbound>>>outboundBlackhole>>>traffic>>>downlink
2022/11/08 13:35:37 [Debug] app/stats: create new counter outbound>>>outboundReverseProxyInterconnDefault>>>traffic>>>uplink
2022/11/08 13:35:37 [Debug] transport/internet: dialing to tcp:oc-su.*****:443
2022/11/08 13:35:37 [Debug] transport/internet: dialing to tcp:****:443
2022/11/08 13:35:37 [Debug] transport/internet: dialing to tcp:oc-sj.****:443
2022/11/08 13:35:37 [Debug] transport/internet: dialing to tcp:oc-cc.****:443
2022/11/08 13:35:37 [Debug] transport/internet: dialing to tcp:oc-tk.****:443
2022/11/08 13:35:37 [Debug] transport/internet: dialing to tcp:oc-sg.****:443
2022/11/08 13:35:37 [Info] common/mux: received request for udp:reverse.internal.v2fly.org:0
2022/11/08 13:35:38 [Info] common/mux: received request for udp:reverse.internal.v2fly.org:0
2022/11/08 13:35:38 [Info] common/mux: received request for udp:reverse.internal.v2fly.org:0
2022/11/08 13:35:38 [Info] common/mux: received request for udp:reverse.internal.v2fly.org:0
2022/11/08 13:35:39 [Info] common/mux: received request for udp:reverse.internal.v2fly.org:0
2022/11/08 13:35:41 [Info] common/mux: received request for udp:reverse.internal.v2fly.org:0

1.6.3 Xray Client 启动的时候,Reverse Proxy 的 Log 没有了。

2022/11/08 13:46:28 [Debug] app/stats: create new counter inbound>>>inboundHttp>>>traffic>>>uplink
2022/11/08 13:46:28 [Debug] app/stats: create new counter inbound>>>inboundHttp>>>traffic>>>downlink
2022/11/08 13:46:28 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:6060
2022/11/08 13:46:28 [Debug] app/stats: create new counter inbound>>>inboundHttpRouting>>>traffic>>>uplink
2022/11/08 13:46:28 [Debug] app/stats: create new counter inbound>>>inboundHttpRouting>>>traffic>>>downlink
2022/11/08 13:46:28 [Debug] app/proxyman/inbound: creating stream worker on 0.0.0.0:6061
2022/11/08 13:46:28 [Debug] app/stats: create new counter inbound>>>inboundSocks>>>traffic>>>uplink
2022/11/08 13:46:28 [Debug] app/stats: create new counter inbound>>>inboundSocks>>>traffic>>>downlink
2022/11/08 13:46:28 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:7070
2022/11/08 13:46:28 [Debug] app/stats: create new counter inbound>>>inboundSocksRouting>>>traffic>>>uplink
2022/11/08 13:46:28 [Debug] app/stats: create new counter inbound>>>inboundSocksRouting>>>traffic>>>downlink
2022/11/08 13:46:28 [Debug] app/proxyman/inbound: creating stream worker on 0.0.0.0:7071
2022/11/08 13:46:28 [Debug] app/stats: create new counter outbound>>>outboundFreedom>>>traffic>>>uplink
2022/11/08 13:46:28 [Debug] app/stats: create new counter outbound>>>outboundFreedom>>>traffic>>>downlink
2022/11/08 13:46:28 [Debug] app/stats: create new counter outbound>>>outboundBlackhole>>>traffic>>>uplink
2022/11/08 13:46:28 [Debug] app/stats: create new counter outbound>>>outboundBlackhole>>>traffic>>>downlink
2022/11/08 13:46:28 [Debug] app/stats: create new counter outbound>>>outboundReverseProxyInterconnDefault>>>traffic>>>uplink

@yuhan6665
Copy link
Member Author

@mclovin-2k 感谢反馈 这个问题有点奇怪 你配置的是 xtls 反向代理吗?类似这个https://github.com/XTLS/Xray-examples/tree/main/ReverseProxy/VLESS-TCP-XTLS-WS

@mclovin-2k
Copy link

@mclovin-2k 感谢反馈 这个问题有点奇怪 你配置的是 xtls 反向代理吗?类似这个https://github.com/XTLS/Xray-examples/tree/main/ReverseProxy/VLESS-TCP-XTLS-WS

Server: VLESS + TCP + TLS (xtls-rprx-vision) on 443,然后 fallback 到 Nginx,在 Nginx 里根据 Path 再 proxy_pass 到多个 XRay Reverse Proxy Inbounds (VLESS + WS+ TLS)。
配置有点复杂,不太好贴出来。
如果需要的话,我可以整理一份上传。

@yuhan6665
Copy link
Member Author

@mclovin-2k 感谢反馈 这个问题有点奇怪 你配置的是 xtls 反向代理吗?类似这个https://github.com/XTLS/Xray-examples/tree/main/ReverseProxy/VLESS-TCP-XTLS-WS

Server: VLESS + TCP + TLS (xtls-rprx-vision) on 443,然后 fallback 到 Nginx,在 Nginx 里根据 Path 再 proxy_pass 到多个 XRay Reverse Proxy Inbounds (VLESS + WS+ TLS)。 配置有点复杂,不太好贴出来。 如果需要的话,我可以整理一份上传。

麻烦你贴一下 可以重开一个 issue

@mclovin-2k
Copy link

@mclovin-2k 感谢反馈 这个问题有点奇怪 你配置的是 xtls 反向代理吗?类似这个https://github.com/XTLS/Xray-examples/tree/main/ReverseProxy/VLESS-TCP-XTLS-WS

Server: VLESS + TCP + TLS (xtls-rprx-vision) on 443,然后 fallback 到 Nginx,在 Nginx 里根据 Path 再 proxy_pass 到多个 XRay Reverse Proxy Inbounds (VLESS + WS+ TLS)。 配置有点复杂,不太好贴出来。 如果需要的话,我可以整理一份上传。

麻烦你贴一下 可以重开一个 issue

#1316

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.