VLESS+Reality and intermediate server configuration #4033

Open
4 tasks done
vint2k opened this issue Nov 19, 2024 · 18 comments
vint2k commented Nov 19, 2024

Integrity requirements

  • I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
  • I provided the complete config and logs, rather than just providing the truncated parts based on my own judgment.
  • I searched issues and did not find any similar issues.
  • The problem can be successfully reproduced in the latest Release

Description

When using VLESS+Reality and a configuration with an intermediate server (XRay_Client <- VLESS+Reality -> XRay_Server1 <- VLESS+Reality -> XRay_Server2), some services work very inconsistently.
For example, https://console.firebase.google.com/ refuses to load, or parts of its functionality become unavailable.

Enabling or disabling sniffing does not change the situation.

However, if the classic configuration with a single XRay server is used (XRay_Client <- VLESS+Reality -> XRay_Server2), such issues do not occur.

Reproduction Method

Create configuration: XRay_Client <- VLESS+Reality -> XRay_Server1 <- VLESS+Reality -> XRay_Server2
and go to https://console.firebase.google.com/

Client config

N/A

Server config

XRay_server1 conf

{
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "email": "client",
            "flow": "xtls-rprx-vision",
            "id": "<- UUID ->"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "realitySettings": {
          "dest": "<- dest domain:port ->",
          "maxClient": "",
          "maxTimediff": 0,
          "minClient": "",
          "privateKey": "<- private key ->",
          "serverNames": [
            "<- dest domain ->"
          ],
          "shortIds": [
            ""
          ],
          "show": true,
          "xver": 0
        },
        "security": "reality"
      },
      "tag": "inbound-443"
    }
  ],
  "outbounds": [
    {
      "tag": "xray2",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "<- dest domain/IP ->",
            "port": 443,
            "users": [
              {
                "id": "<- UUID ->",
                "flow": "xtls-rprx-vision",
                "encryption": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "publicKey": "<- public key ->",
          "fingerprint": "chrome",
          "serverName": "<- dest domain ->",
          "shortId": "",
          "spiderX": "/"
        }
      }
    }
  ]
}

XRay_server2 conf

{
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "email": "xray1",
            "flow": "xtls-rprx-vision",
            "id": "<- UUID ->"
          },
          {
            "email": "client",
            "flow": "xtls-rprx-vision",
            "id": "<- UUID ->"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "realitySettings": {
          "dest": "<- dest domain:port ->",
          "maxClient": "",
          "maxTimediff": 0,
          "minClient": "",
          "privateKey": "<- private key ->",
          "serverNames": [
            "<- dest domain ->"
          ],
          "shortIds": [
            ""
          ],
          "show": true,
          "xver": 0
        },
        "security": "reality"
      },
      "tag": "inbound-443"
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom"
    }
  ]
}

Client log

N/A

Server log

N/A

Fangliding (Member) commented Nov 20, 2024

Try setting the environment variable xray.buf.splice = disable on the server.

vint2k (Author) commented Nov 20, 2024

I added Environment="XRAY_BUF_SPLICE=false" to systemd service on the servers, but nothing changed.

vint2k (Author) commented Nov 20, 2024

Error log from XRay_Server2

2024/11/20 08:26:45 [Info] [4170149687] proxy: CopyRawConn readv
2024/11/20 08:26:45 [Info] [1200094941] proxy/vless/inbound: firstLen = 1186
2024/11/20 08:26:45 [Info] [1200094941] proxy/vless/inbound: received request for tcp:console.firebase.google.com:443
2024/11/20 08:26:45 [Info] [1200094941] app/dispatcher: default route for tcp:console.firebase.google.com:443
2024/11/20 08:26:45 [Info] [1200094941] transport/internet/tcp: dialing TCP to tcp:console.firebase.google.com:443
2024/11/20 08:26:45 [Debug] [1200094941] transport/internet: dialing to tcp:console.firebase.google.com:443
2024/11/20 08:26:45 [Info] [1200094941] proxy: Xtls Unpadding new block, content 1097 padding 160 command 0
2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsFilterTls found tls client hello! 1097
2024/11/20 08:26:45 [Info] [1200094941] proxy: Xtls Unpadding new block, content 640 padding 641 command 0
2024/11/20 08:26:45 [Info] [1200094941] proxy/freedom: connection opened to tcp:console.firebase.google.com:443, local endpoint 192.168.9.7:55678, remote endpoint 64.233.165.102:443
2024/11/20 08:26:45 [Info] [1200094941] proxy: CopyRawConn readv
2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsFilterTls found tls 1.3! 8192 TLS_AES_128_GCM_SHA256
2024/11/20 08:26:45 [Info] [1200094941] proxy: ReshapeMultiBuffer 133 8059 3623
2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsPadding 133 1016 0
2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsPadding 8059 112 0
2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsPadding 3623 209 2
2024/11/20 08:26:46 [Info] [1200094941] proxy: Xtls Unpadding new block, content 74 padding 899 command 0
2024/11/20 08:26:46 [Info] [1200094941] proxy: Xtls Unpadding new block, content 92 padding 841 command 2
2024/11/20 08:26:46 [Info] [1200094941] proxy: CopyRawConn readv
2024/11/20 08:26:46 [Info] [1200094941] app/proxyman/outbound: app/proxyman/outbound: failed to process outbound traffic > proxy/freedom: connection ends > proxy: failed to process response > read tcp 192.168.9.7:55678->64.233.165.102:443: read: connection reset by peer
2024/11/20 08:26:46 [Info] [1200094941] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer response payload > io: read/write on closed pipe
...
2024/11/20 08:30:15 [Info] [3193776322] proxy/vless/inbound: firstLen = 1186
2024/11/20 08:30:15 [Info] [3193776322] proxy/vless/inbound: received request for tcp:waa-pa.clients6.google.com:443
2024/11/20 08:30:15 [Info] [3193776322] app/dispatcher: default route for tcp:waa-pa.clients6.google.com:443
2024/11/20 08:30:15 [Info] [3193776322] transport/internet/tcp: dialing TCP to tcp:waa-pa.clients6.google.com:443
2024/11/20 08:30:15 [Debug] [3193776322] transport/internet: dialing to tcp:waa-pa.clients6.google.com:443
2024/11/20 08:30:15 [Info] [3193776322] proxy: Xtls Unpadding new block, content 1098 padding 172 command 0
2024/11/20 08:30:15 [Info] [3193776322] proxy: XtlsFilterTls found tls client hello! 1098
2024/11/20 08:30:15 [Info] [3193776322] proxy: Xtls Unpadding new block, content 809 padding 489 command 0
2024/11/20 08:30:15 [Info] [3193776322] proxy/freedom: connection opened to tcp:waa-pa.clients6.google.com:443, local endpoint 192.168.9.7:58084, remote endpoint 173.194.221.95:443
2024/11/20 08:30:15 [Info] [3193776322] proxy: CopyRawConn readv
2024/11/20 08:30:15 [Info] [3193776322] proxy: XtlsFilterTls found tls 1.3! 8192 TLS_AES_128_GCM_SHA256
2024/11/20 08:30:15 [Info] [3193776322] proxy: ReshapeMultiBuffer 133 8059 1439
2024/11/20 08:30:15 [Info] [3193776322] proxy: XtlsPadding 133 1236 0
2024/11/20 08:30:15 [Info] [3193776322] proxy: XtlsPadding 8059 112 0
2024/11/20 08:30:15 [Info] [3193776322] proxy: XtlsPadding 1439 178 2
2024/11/20 08:30:15 [Info] [3193776322] proxy: Xtls Unpadding new block, content 64 padding 1265 command 0
2024/11/20 08:30:15 [Info] [3193776322] proxy: Xtls Unpadding new block, content 545 padding 554 command 2
2024/11/20 08:30:15 [Info] [3193776322] proxy: CopyRawConn readv
2024/11/20 08:30:15 [Info] [313257240] proxy/vless/inbound: firstLen = 1186
2024/11/20 08:30:15 [Info] [313257240] proxy/vless/inbound: received request for tcp:waa-pa.clients6.google.com:443
2024/11/20 08:30:15 [Info] [313257240] app/dispatcher: default route for tcp:waa-pa.clients6.google.com:443
2024/11/20 08:30:15 [Info] [313257240] transport/internet/tcp: dialing TCP to tcp:waa-pa.clients6.google.com:443
2024/11/20 08:30:15 [Debug] [313257240] transport/internet: dialing to tcp:waa-pa.clients6.google.com:443
2024/11/20 08:30:15 [Info] [313257240] proxy: Xtls Unpadding new block, content 1098 padding 239 command 0
2024/11/20 08:30:15 [Info] [313257240] proxy: XtlsFilterTls found tls client hello! 1098
2024/11/20 08:30:15 [Info] [313257240] proxy: Xtls Unpadding new block, content 809 padding 99 command 0
2024/11/20 08:30:15 [Info] [313257240] proxy/freedom: connection opened to tcp:waa-pa.clients6.google.com:443, local endpoint 192.168.9.7:34708, remote endpoint 173.194.73.95:443
2024/11/20 08:30:15 [Info] [313257240] proxy: CopyRawConn readv
2024/11/20 08:30:15 [Info] [313257240] proxy: XtlsFilterTls found tls 1.3! 8192 TLS_AES_128_GCM_SHA256
2024/11/20 08:30:15 [Info] [313257240] proxy: ReshapeMultiBuffer 133 8059 1438
2024/11/20 08:30:15 [Info] [313257240] proxy: XtlsPadding 133 772 0
2024/11/20 08:30:15 [Info] [313257240] proxy: XtlsPadding 8059 112 0
2024/11/20 08:30:15 [Info] [313257240] proxy: XtlsPadding 1438 151 2
2024/11/20 08:30:16 [Info] [313257240] proxy: Xtls Unpadding new block, content 64 padding 1311 command 0
2024/11/20 08:30:16 [Info] [313257240] proxy: Xtls Unpadding new block, content 2576 padding 190 command 2
2024/11/20 08:30:16 [Info] [313257240] proxy: CopyRawConn readv
2024/11/20 08:30:16 [Info] [313257240] app/proxyman/outbound: app/proxyman/outbound: failed to process outbound traffic > proxy/freedom: connection ends > proxy: failed to process response > read tcp 192.168.9.7:34708->173.194.73.95:443: read: connection reset by peer
2024/11/20 08:30:16 [Info] [313257240] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer response payload > io: read/write on closed pipe
2024/11/20 08:30:17 [Info] [4067341659] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > context canceled
2024/11/20 08:30:17 [Info] [2957937547] proxy/vless/inbound: firstLen = 1186
2024/11/20 08:30:17 [Info] [2957937547] proxy/vless/inbound: received request for tcp:waa-pa.googleapis.com:443
2024/11/20 08:30:17 [Info] [2957937547] app/dispatcher: default route for tcp:waa-pa.googleapis.com:443
2024/11/20 08:30:17 [Info] [2957937547] transport/internet/tcp: dialing TCP to tcp:waa-pa.googleapis.com:443
2024/11/20 08:30:17 [Debug] [2957937547] transport/internet: dialing to tcp:waa-pa.googleapis.com:443
2024/11/20 08:30:17 [Info] [2957937547] proxy: Xtls Unpadding new block, content 1103 padding 78 command 0
2024/11/20 08:30:17 [Info] [2957937547] proxy: XtlsFilterTls found tls client hello! 1103
2024/11/20 08:30:17 [Info] [2957937547] proxy: Xtls Unpadding new block, content 799 padding 366 command 0
2024/11/20 08:30:17 [Info] [2957937547] proxy/freedom: connection opened to tcp:waa-pa.googleapis.com:443, local endpoint 192.168.9.7:33522, remote endpoint 173.194.220.95:443
2024/11/20 08:30:17 [Info] [2957937547] proxy: CopyRawConn readv
2024/11/20 08:30:17 [Info] [2957937547] proxy: XtlsFilterTls found tls 1.3! 4495 TLS_AES_128_GCM_SHA256
2024/11/20 08:30:17 [Info] [2957937547] proxy: XtlsPadding 4495 90 0
2024/11/20 08:30:17 [Info] [2957937547] proxy: Xtls Unpadding new block, content 64 padding 979 command 0
2024/11/20 08:30:17 [Info] [2957937547] proxy: XtlsPadding 62 1305 2
2024/11/20 08:30:17 [Info] [2957937547] proxy: Xtls Unpadding new block, content 2212 padding 133 command 2
2024/11/20 08:30:17 [Info] [2957937547] proxy: CopyRawConn readv
2024/11/20 08:30:18 [Info] [3673060933] proxy/vless/inbound: firstLen = 1186
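An added example, not code from the issue or from the Xray project: a small triage script that groups Xray log lines like the ones above by connection id, records the requested destination, whether the TLS 1.3 detection fired, whether Vision reached its direct-copy switch (the trailing 2 in the XtlsPadding line, which as I read Xray's Vision constants is the "padding end, direct" command), and whether the upstream reset the connection, then reports resets per destination host. The sample lines are abbreviated from the XRay_Server2 log above; the function names are mine.

```python
import re

# Xray's default log line: "YYYY/MM/DD HH:MM:SS [Level] [connection-id] module: message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>\w+)\] \[(?P<cid>\d+)\] (?P<msg>.*)$"
)

# Sample input, abbreviated from the XRay_Server2 log in the issue: three connections,
# two of which end with the upstream resetting the TCP connection.
SAMPLE_LOG = """\
2024/11/20 08:26:45 [Info] [1200094941] proxy/vless/inbound: received request for tcp:console.firebase.google.com:443
2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsFilterTls found tls client hello! 1097
2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsFilterTls found tls 1.3! 8192 TLS_AES_128_GCM_SHA256
2024/11/20 08:26:45 [Info] [1200094941] proxy: XtlsPadding 3623 209 2
2024/11/20 08:26:46 [Info] [1200094941] app/proxyman/outbound: app/proxyman/outbound: failed to process outbound traffic > proxy/freedom: connection ends > proxy: failed to process response > read tcp 192.168.9.7:55678->64.233.165.102:443: read: connection reset by peer
2024/11/20 08:30:15 [Info] [313257240] proxy/vless/inbound: received request for tcp:waa-pa.clients6.google.com:443
2024/11/20 08:30:15 [Info] [313257240] proxy: XtlsFilterTls found tls 1.3! 8192 TLS_AES_128_GCM_SHA256
2024/11/20 08:30:15 [Info] [313257240] proxy: XtlsPadding 1438 151 2
2024/11/20 08:30:16 [Info] [313257240] app/proxyman/outbound: app/proxyman/outbound: failed to process outbound traffic > proxy/freedom: connection ends > proxy: failed to process response > read tcp 192.168.9.7:34708->173.194.73.95:443: read: connection reset by peer
2024/11/20 08:30:17 [Info] [2957937547] proxy/vless/inbound: received request for tcp:waa-pa.googleapis.com:443
2024/11/20 08:30:17 [Info] [2957937547] proxy: XtlsFilterTls found tls 1.3! 4495 TLS_AES_128_GCM_SHA256
2024/11/20 08:30:17 [Info] [2957937547] proxy: XtlsPadding 62 1305 2
"""


def triage(lines):
    """Group log lines by connection id and extract the facts relevant to this issue."""
    conns = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # continuation lines from wrapped output, or non-Xray noise
        cid, msg = m.group("cid"), m.group("msg")
        c = conns.setdefault(cid, {"dest": None, "tls13": False, "direct": False, "reset": False})
        if "received request for " in msg:
            c["dest"] = msg.split("received request for ", 1)[1]
        elif "found tls 1.3!" in msg:
            c["tls13"] = True
        elif re.search(r"XtlsPadding \d+ \d+ 2$", msg):
            c["direct"] = True  # Vision switched to direct copy on this connection
        elif "connection reset by peer" in msg:
            c["reset"] = True
    return conns


def reset_rate(conns):
    """Per destination host: (connections reset by the upstream, connections seen)."""
    out = {}
    for c in conns.values():
        if c["dest"] is None:
            continue
        host = c["dest"].split(":")[1]  # "tcp:host:port" -> host (hostname destinations only)
        resets, total = out.get(host, (0, 0))
        out[host] = (resets + int(c["reset"]), total + 1)
    return out


if __name__ == "__main__":
    conns = triage(SAMPLE_LOG.splitlines())
    for cid, c in conns.items():
        print(cid, c)
    print(reset_rate(conns))
```

Run it over a full server log (`python3 triage.py < access.log` after swapping SAMPLE_LOG for stdin) to see whether the resets cluster on particular hosts or only on connections that reached the direct-copy switch; that is the quickest way to tell the Vision-on-the-inter-server-hop pattern from an unrelated upstream problem.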

RPRX (Member) commented Nov 25, 2024

@yuhan6665 take a look at this when you have time.

vint2k (Author) commented Nov 28, 2024

www.recaptcha.net also doesn't work from time to time.
Please help.

cute commented Dec 3, 2024

REALITY requires the TLS key exchange to be X25519.
The key exchange for www.recaptcha.net is X25519MLKEM768.

Protocol | TLS 1.3
Key exchange | X25519MLKEM768
Server signature | ECDSA with SHA-256
Cipher | AES_128_GCM

> www.recaptcha.net also doesn't work from time to time, please help

RPRX (Member) commented Dec 3, 2024

Seeing @cute here, I know there is hope for XHTTP in Shadowrocket (小火箭).

RPRX (Member) commented Dec 3, 2024

I thought about it, and implementing XHTTP on the client side is quite simple: packet-up isn't hard, the other two stream modes are even simpler, and only XMUX is a bit more complex.

vint2k (Author) commented Dec 3, 2024

> REALITY requires the TLS key exchange to be X25519. The key exchange for www.recaptcha.net is X25519MLKEM768.
>
> Protocol | TLS 1.3
> Key exchange | X25519MLKEM768
> Server signature | ECDSA with SHA-256
> Cipher | AES_128_GCM

But why does it work well in the single XRay server configuration?

Fangliding (Member) commented

> REALITY requires the TLS key exchange to be X25519. The key exchange for www.recaptcha.net is X25519MLKEM768.
>
> Protocol | TLS 1.3
> Key exchange | X25519MLKEM768
> Server signature | ECDSA with SHA-256
> Cipher | AES_128_GCM

> www.recaptcha.net also doesn't work from time to time, please help

The only way is to not include X25519Kyber768Draft00 in supported groups; then the peer naturally won't reply with it either. The uTLS that Xray uses hasn't added this algorithm at all, so there is no problem. If it is added later, the fingerprint version will have to be pinned.
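Fangliding's point turns on which groups the client offers in the supported_groups extension of its ClientHello: the destination can only answer with a hybrid post-quantum group if one was offered. As an added example (not code from the issue, from Xray or from uTLS), here is a minimal parser for that extension, with a constructed ClientHello builder used only to exercise it. The group code points are the values I know for them (x25519 0x001d, secp256r1 0x0017, X25519MLKEM768 0x11ec, X25519Kyber768Draft00 0x6399); the function names are mine.

```python
import struct

# TLS NamedGroup code points (IANA registry / Kyber draft) as known to me.
NAMED_GROUPS = {
    0x0017: "secp256r1",
    0x0018: "secp384r1",
    0x001d: "x25519",
    0x0100: "ffdhe2048",
    0x11ec: "X25519MLKEM768",
    0x6399: "X25519Kyber768Draft00",
}
HYBRID_PQ_GROUPS = {0x11ec, 0x6399}


def is_grease(group):
    """RFC 8701 GREASE values have the form 0x?a?a with equal high and low bytes."""
    return (group & 0x0F0F) == 0x0A0A and (group >> 8) == (group & 0xFF)


def build_client_hello(groups, server_name=b"example.com"):
    """Constructed minimal TLS ClientHello carrying the given supported_groups (test input only)."""
    random = bytes(32)
    session_id = bytes(32)
    cipher_suites = struct.pack("!HH", 0x1301, 0x1302)
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    group_bytes = b"".join(struct.pack("!H", g) for g in groups)
    group_list = struct.pack("!H", len(group_bytes)) + group_bytes
    ext_groups = struct.pack("!HH", 0x000A, len(group_list)) + group_list
    versions = b"\x02\x03\x04"  # supported_versions: one entry, TLS 1.3
    ext_versions = struct.pack("!HH", 0x002B, len(versions)) + versions
    exts = ext_sni + ext_groups + ext_versions
    body = (b"\x03\x03" + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"  # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def supported_groups(record):
    """Return the supported_groups list of a ClientHello held in one raw TLS record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                      # client_version + random
    p += 1 + body[p]                                # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]  # cipher_suites
    p += 1 + body[p]                                # compression_methods
    ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0x000A:
            n = struct.unpack("!H", data[:2])[0]
            return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return []


def pq_hybrid_offered(record):
    """Hybrid post-quantum groups the client offers; empty means the dest cannot pick one."""
    return [g for g in supported_groups(record) if g in HYBRID_PQ_GROUPS]


def describe(record):
    return ["GREASE" if is_grease(g) else NAMED_GROUPS.get(g, f"unknown(0x{g:04x})")
            for g in supported_groups(record)]


if __name__ == "__main__":
    hello = build_client_hello([0x0A0A, 0x11EC, 0x001D, 0x0017])
    print(describe(hello), pq_hybrid_offered(hello))
```

To use it on a real hello, feed the first TLS record of a captured client connection (for example exported from a pcap) to supported_groups; an empty pq_hybrid_offered result is the state Fangliding describes for the uTLS fingerprint Xray ships, and a non-empty one is what would need a pinned fingerprint version.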

cute commented Dec 6, 2024

> Seeing @cute here, I know there is hope for XHTTP in Shadowrocket (小火箭).

@RPRX

I wrote a demo and it is debugged and working now. h2/h3 feel fine, but h1 speed is a bit choppy.

RPRX (Member) commented Dec 6, 2024

> I wrote a demo and it is debugged and working now. h2/h3 feel fine, but h1 speed is a bit choppy.

Not a big deal, very few people use h1.

Separating the uplink and downlink feels much simpler than XMUX. Also, I only discovered today that the path stream-one actually uses is /yourpath/; it must end with /.

RPRX (Member) commented Dec 6, 2024

To the group chat:

> Huh? I use stream-one... and my path doesn't end with / either... 🧐 and it still works

ae62a0f#commitcomment-150004845 What it means is that you write /yourpath but what is actually used is /yourpath/; both client and server do this, so they match up.

lxhao61 commented Dec 6, 2024

Yes. My testing matches exactly what RPRX said.

vint2k (Author) commented Dec 16, 2024

The configuration Xray_Client <- VLESS+TCP+REALITY -> Xray_Server1 <- VLESS+TCP+TLS -> Xray_Server2 works well.

Waiting for a fix for REALITY.

vint2k (Author) commented Dec 22, 2024

Update:
it isn't a problem of REALITY.

To reproduce the issue you need to use "flow": "xtls-rprx-vision" between Xray_Server1 and Xray_Server2 (VLESS+TCP+TLS/REALITY).
If you use "flow": "none" there is no issue.

@RPRX
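As an added example (not code from the issue, and not Xray's own validation, which `xray run -test` does per file), a small linter that pairs XRay_server1's VLESS outbound with XRay_server2's VLESS inbound in configs shaped like the two posted in the issue body and reports the mismatches that would make the hop fail (serverName, shortId, client id, flow, security), plus an informational finding when the inter-server hop uses xtls-rprx-vision, which is the condition vint2k narrowed the resets down to in the comment above. All values are constructed placeholders; the dict builders, check_chain and the finding strings are mine.

```python
import json

# Constructed placeholders (not real keys or UUIDs), filled into configs shaped like the posted ones.
UUID_S1 = "11111111-1111-4111-8111-111111111111"   # XRay_server1's identity on XRay_server2
UUID_CLIENT = "22222222-2222-4222-8222-222222222222"
PUBKEY, PRIVKEY = "PUBKEY_PLACEHOLDER", "PRIVKEY_PLACEHOLDER"
VISION = "xtls-rprx-vision"


def reality_inbound(clients, server_names, short_ids, private_key, port=443):
    """VLESS+REALITY inbound in the shape of XRay_server2's inbound."""
    return {
        "listen": "0.0.0.0", "port": port, "protocol": "vless",
        "settings": {"clients": clients, "decryption": "none"},
        "streamSettings": {
            "network": "tcp", "security": "reality",
            "realitySettings": {"dest": "example.com:443", "privateKey": private_key,
                                "serverNames": server_names, "shortIds": short_ids, "xver": 0},
        },
        "tag": f"inbound-{port}",
    }


def reality_outbound(address, uuid, flow, server_name, short_id, public_key, port=443):
    """VLESS+REALITY outbound in the shape of XRay_server1's 'xray2' outbound."""
    return {
        "tag": "xray2", "protocol": "vless",
        "settings": {"vnext": [{"address": address, "port": port,
                                "users": [{"id": uuid, "flow": flow, "encryption": "none"}]}]},
        "streamSettings": {
            "network": "tcp", "security": "reality",
            "realitySettings": {"publicKey": public_key, "fingerprint": "chrome",
                                "serverName": server_name, "shortId": short_id, "spiderX": "/"},
        },
    }


SERVER1 = {
    "inbounds": [reality_inbound([{"email": "client", "flow": VISION, "id": UUID_CLIENT}],
                                 ["example.com"], [""], PRIVKEY)],
    "outbounds": [reality_outbound("server2.example.net", UUID_S1, VISION, "example.com", "", PUBKEY)],
}
SERVER2 = {
    "inbounds": [reality_inbound([{"email": "xray1", "flow": VISION, "id": UUID_S1}],
                                 ["example.com"], [""], PRIVKEY)],
    "outbounds": [{"tag": "direct", "protocol": "freedom"}],
}


def check_chain(server1, server2):
    """Pair each VLESS outbound of server1 with server2's VLESS inbound on the same port.
    Returns 'ERROR: ...' for settings that cannot interoperate and 'INFO: ...' for the
    vision-on-the-inter-server-hop condition identified in the issue."""
    findings = []
    outs = [o for o in server1.get("outbounds", []) if o.get("protocol") == "vless"]
    ins = [i for i in server2.get("inbounds", []) if i.get("protocol") == "vless"]
    for out in outs:
        tag = out.get("tag", "?")
        for vnext in out["settings"]["vnext"]:
            inb = next((i for i in ins if i.get("port") == vnext["port"]), None)
            if inb is None:
                findings.append(f"ERROR: {tag}: no vless inbound on server2 port {vnext['port']}")
                continue
            ss_out, ss_in = out.get("streamSettings", {}), inb.get("streamSettings", {})
            if ss_out.get("security") != ss_in.get("security"):
                findings.append(f"ERROR: {tag}: security {ss_out.get('security')!r} "
                                f"vs inbound {ss_in.get('security')!r}")
            if ss_out.get("security") == "reality" == ss_in.get("security"):
                ro, ri = ss_out["realitySettings"], ss_in["realitySettings"]
                if ro.get("serverName") not in ri.get("serverNames", []):
                    findings.append(f"ERROR: {tag}: serverName {ro.get('serverName')!r} not in inbound serverNames")
                if ro.get("shortId", "") not in ri.get("shortIds", []):
                    findings.append(f"ERROR: {tag}: shortId {ro.get('shortId', '')!r} not in inbound shortIds")
            clients = {c["id"]: c for c in inb["settings"]["clients"]}
            for user in vnext["users"]:
                client = clients.get(user["id"])
                if client is None:
                    findings.append(f"ERROR: {tag}: user {user['id']} is not a client of {inb.get('tag')}")
                    continue
                if user.get("flow", "") != client.get("flow", ""):
                    findings.append(f"ERROR: {tag}: flow {user.get('flow', '')!r} "
                                    f"vs client flow {client.get('flow', '')!r}")
                elif user.get("flow") == VISION:
                    findings.append(f"INFO: {tag}: {VISION} on the server1->server2 hop; "
                                    "the issue reports the resets only with this flow")
    return findings


def load(path):
    """Read a real Xray JSON config from disk."""
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    for line in check_chain(SERVER1, SERVER2):
        print(line)
```

Pointing it at real files is `check_chain(load("server1.json"), load("server2.json"))`; the INFO line is deliberately not an error, since vision on the hop is a valid configuration, it just marks the one setting the thread found to matter.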

RPRX (Member) commented Dec 22, 2024

> it isn't a problem of REALITY

yeah we know that

islercn commented Dec 30, 2024

I ran into this problem too. I wanted to turn the proxy into HTTPS and share it on the LAN, but it just won't connect, even though the server clearly receives the requests. Hope it can be fixed 🙏
