sing-box
TCP Brutal behavior with ShadowTLS
Operating system
Linux
System version
Ubuntu 22.04 + Kernel 5.15
Installation type
Original sing-box Command Line
If you are using a graphical client, please provide the version of the client.
No response
Version
1.9.4
Description
Thanks for your time!
I am trying to use ShadowTLS with TCP Brutal under sing-box, and I followed a common ShadowTLS configuration found on Google by detouring the ShadowTLS inbound to a Shadowsocks inbound.
Since ShadowTLS doesn't support multiplex, and hence brutal, I enabled brutal on the Shadowsocks inbound. Then I started to wonder whether brutal would be set at all, since the listening socket belongs to ShadowTLS.
Then I did a simple experiment to see the TCP_CONGESTION socket option of the ShadowTLS accepted socket by using `ss -ti`. Unsurprisingly, the socket is using the system default congestion control instead of brutal.
- sing-box shadowtls inbound machine ip 192.168.28.2
- sing-box shadowtls outbound machine ip 192.168.28.3
```
$ netstat -npta | grep sing
tcp        0      0 127.0.0.1:43081        0.0.0.0:*              LISTEN      52911/sing-box
tcp  4026984      0 192.168.28.2:47832     104.21.85.176:443      ESTABLISHED 52911/sing-box
tcp6       0      0 :::443                 :::*                   LISTEN      52911/sing-box
tcp6       0 1585560 192.168.28.2:443      192.168.28.3:58238     ESTABLISHED 52911/sing-box
```

```
# ss -ti | rg -C 1 58238
ESTAB 0 1610541 [::ffff:192.168.28.2]:https [::ffff:192.168.28.3]:58238
bbr wscale:8,7 rto:468 rtt:264.915/4.593 ato:40 mss:1448 pmtu:1500 rcvmss:989 advmss:1448 cwnd:5454 bytes_sent:53956654 bytes_retrans:1448 bytes_acked:52380865 bytes_received:2012 segs_out:37631 segs_in:1993 data_segs_out:37625 data_segs_in:8 bbr:(bw:57.9Mbps,mrtt:259.311,pacing_gain:2.88672,cwnd_gain:2.88672) send 238Mbps lastrcv:2240 pacing_rate 238Mbps delivery_rate 57.9Mbps delivered:36532 app_limited busy:9840ms rwnd_limited:4280ms(43.5%) sndbuf_limited:1104ms(11.2%) unacked:1094 retrans:0/1 dsack_dups:1 reordering:68 reord_seen:210 rcv_space:14600 rcv_ssthresh:64076 notsent:36200 minrtt:259.311
```
I also checked sockets on an inbound that is connected directly and has brutal enabled. There, `ss -ti` shows brutal correctly:
```
ss -ti | rg -C 1 brutal
ESTAB 0 0 192.168.28.3:42366 192.168.28.2:20555
brutal wscale:7,8 rto:397 rtt:196.235/12.354 ato:41 mss:1440 pmtu:1500 rcvmss:1440 advmss:1448 cwnd:3402 bytes_sent:74106 bytes_retrans:517 bytes_acked:73590 bytes_received:71910 segs_out:332 segs_in:340 data_segs_out:220 data_segs_in:193 send 200Mbps lastsnd:10735 lastrcv:10735 lastack:10509 pacing_rate 100Mbps delivery_rate 344kbps delivered:220 app_limited busy:24285ms retrans:0/1 reord_seen:29 rcv_rtt:480046 rcv_space:43864 rcv_ssthresh:168594 minrtt:185.109
```
May I ask how I can enable brutal for the sockets accepted from the ShadowTLS listen socket?
I may be able to help write some code for this feature.
Thanks a lot again.
Reproduction
Server
```json
{
  "log": {
    "level": "trace"
  },
  "inbounds": [
    {
      "type": "shadowtls",
      "listen": "::",
      "listen_port": 443,
      "tcp_fast_open": true,
      "version": 3,
      "users": [
        {
          "name": "test",
          "password": "CQqC8d+iVa4Hyw3KP0JW/Q=="
        }
      ],
      "handshake": {
        "server": "www.douyin.com",
        "server_port": 443
      },
      "strict_mode": true,
      "detour": "shadowsocks-in"
    },
    {
      "type": "shadowsocks",
      "tag": "shadowsocks-in",
      "network": "tcp",
      "method": "2022-blake3-aes-128-gcm",
      "password": "CQqC8d+iVa4Hyw3KP0JW/Q==",
      "multiplex": {
        "enabled": true,
        "padding": false,
        "brutal": {
          "enabled": true,
          "up_mbps": 200,
          "down_mbps": 200
        }
      }
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "type": "direct",
      "domain_strategy": "ipv4_only"
    },
    {
      "tag": "block",
      "type": "block"
    },
    {
      "tag": "dns-out",
      "type": "dns"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "final": "direct"
  }
}
```
Client
```json
{
  "log": {
    "level": "debug"
  },
  "inbounds": [
    {
      "type": "socks",
      "listen": "0.0.0.0",
      "listen_port": 10808,
      "sniff_timeout": "300ms",
      "tag": "socks-in"
    }
  ],
  "outbounds": [
    {
      "type": "shadowsocks",
      "tag": "shadowsocks-out",
      "detour": "shadowtls-out",
      "method": "2022-blake3-aes-128-gcm",
      "password": "CQqC8d+iVa4Hyw3KP0JW/Q==",
      "multiplex": {
        "enabled": true,
        "max_connections": 1,
        "padding": false,
        "brutal": {
          "enabled": true,
          "up_mbps": 200,
          "down_mbps": 200
        }
      }
    },
    {
      "type": "shadowtls",
      "tag": "shadowtls-out",
      "server": "192.168.28.2",
      "server_port": 443,
      "version": 3,
      "password": "CQqC8d+iVa4Hyw3KP0JW/Q==",
      "tls": {
        "enabled": true,
        "server_name": "www.douyin.com",
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        }
      }
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "rules": [
      {
        "inbound": [
          "socks-in"
        ],
        "outbound": "shadowsocks-out"
      }
    ]
  }
}
```
Logs
No response
Supporter
- [ ] I am a sponsor
Integrity requirements
- [X] I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
- [X] I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
- [X] I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
- [X] I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.