clash-rs

feat: hysteria draft

Open eauxxs opened this issue 1 year ago • 16 comments

🤔 This is a ...

  • [x] New feature

🔗 Related issue link

💡 Background and solution

📝 Changelog

☑️ Self-Check before Merge

⚠️ Please check all items below before requesting a review. ⚠️

  • [ ] Doc is updated/provided or not needed
  • [ ] Changelog is provided or not needed

eauxxs avatar Dec 16 '23 11:12 eauxxs

At present, hysteria2 can already perform TCP proxy; mainly UDP proxy, brutal congestion and port hopping have not been implemented, and port hopping may be just a small problem. In the process of implementing salamander, I encountered a very confusing problem. The obfuscation can be correctly encrypted and decrypted by both parties, and the QUIC connection can be established. But when sending h3 authentication, an error will occur. I don’t know if it’s a problem with the h3 library or the obfuscation algorithm itself or something else. I don’t know if you know more about QUIC and if you have any ideas. @ibigbug @greenhat616 @xmh0511

eauxxs avatar Dec 17 '23 13:12 eauxxs

I'm busy these days. When I have spare time, I could take a look.

greenhat616 avatar Dec 18 '23 18:12 greenhat616

> I'm busy these days. When I have spare time, I could take a look.

Thanks, salamander obfs has been fixed, it works now.

eauxxs avatar Dec 19 '23 03:12 eauxxs

Hey thank you guys.

I see that you've fixed the problem, is there anything left to be done for this PR?

ibigbug avatar Dec 25 '23 10:12 ibigbug

@eauxxs the build failed on Windows

ibigbug avatar Dec 25 '23 10:12 ibigbug

> @eauxxs the build failed on Windows

It looks like the problem is with boring-ssl. Can we remove the deps directory and use the boring crate directly? Why is it necessary?

eauxxs avatar Dec 28 '23 09:12 eauxxs

> > @eauxxs the build failed on Windows
>
> It looks like the problem is with boring-ssl. Can we remove the deps directory and use the boring crate directly? Why is it necessary?

the forked boring added aes and this https://github.com/Watfaq/clash-rs/pull/240 removes it

ibigbug avatar Dec 31 '23 16:12 ibigbug

@eauxxs Any blockers for this?

ibigbug avatar Sep 11 '24 13:09 ibigbug

@ibigbug I'm very sorry that I just saw this news now. One is the problem of my work, and the other is the congestion control algorithm of QUIC. The other aspects of the protocol have been implemented... Regarding congestion control, I can only refer to the implementation of Go, but I still don't know how to implement it. If you only use bbr, you can use it directly.

eauxxs avatar Sep 16 '24 08:09 eauxxs

No worries. Thanks for the update. I might be able to take it over when I get some time.

ibigbug avatar Sep 16 '24 17:09 ibigbug

I'm very sorry for taking so long. It's okay, I will rebase to the latest branch first. Then try to make a usable version. I like this project very much... I will give you feedback in time if I encounter any problems later.

eauxxs avatar Sep 17 '24 02:09 eauxxs

Much appreciated!

ibigbug avatar Sep 17 '24 07:09 ibigbug

I ran the hysteria2 proxy on my local Ubuntu 22.04 machine using the code from branch 6e4b2a8, and encountered an error when establishing a connection.

After capturing packets with Wireshark, I found that during the Initial connection, the Crypto frame contained handshake information, but the Extension::signature_algorithms field was empty. This caused the client to send abnormal information. After analyzing the code, I found that the issue might be with the initialization of the tls_config variable.

After modifying the supported_verify_schemes function, the handshake sent by the client became normal, but the server’s response could not be correctly parsed by the client. The error message is:

[Failed to create decryption context: Secrets are not available]

lmmqxyx404 avatar Sep 19 '24 14:09 lmmqxyx404

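@lmmqxyx404 Thanks for your review. The latest commit is currently only a rebase onto the latest branch. Because rustls, h3-quinn and quinn have been updated, the previous code no longer works either. This PR has also been updated to the latest versions of the relevant dependencies, and some methods were rewritten, but I have not had time to test it yet. If you find problems on your side, you can commit to this branch and we can work together. You could also open another branch and reuse some of this PR's code, if it is useful.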

eauxxs avatar Sep 19 '24 16:09 eauxxs

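@eauxxs I would really like to get this feature implemented, but mainly my ability is limited. I don't know which direction the changes should take, so I can only do some trivial work.

If you have any good ideas, let's discuss them here. I would appreciate any guidance.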

lmmqxyx404 avatar Sep 20 '24 04:09 lmmqxyx404

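I misunderstood the server's response. When the response of the original Go implementation of the hysteria2 server is captured, it reports the same error. This issue still needs further analysis.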

lmmqxyx404 avatar Sep 21 '24 01:09 lmmqxyx404

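@eauxxs @ibigbug I have modified the code on my side and got the hysteria2 protocol running. Overall, only two places in the code need to change.

  1. supported_verify_schemes, as already mentioned above

```rust
// Panics if the congestion state is not a DynController.
let any = session
    .congestion_state()
    .into_any()
    .downcast::<DynController>()
    .unwrap();
any.set_controller(Box::new(Burtal::new(0, session.clone())));
```

changed to

```rust
match session
    .congestion_state()
    .into_any()
    .downcast::<DynController>()
{
    Ok(any) => {
        any.set_controller(Box::new(Burtal::new(0, session.clone())));
    }
    // The downcast error carries no message, so it is not bound.
    Err(_) => {
        tracing::error!("Failed to downcast congestion controller");
    }
}
```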

lmmqxyx404 avatar Oct 12 '24 03:10 lmmqxyx404
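
The failure mode behind the change above, as an added example that is not part of the thread or the project's code: a stand-alone model of a boxed controller being downcast, where a non-matching type becomes a returned error instead of a panic from `unwrap()`. The `Controller` trait, the two structs and `install` are hypothetical stand-ins modelled only on the calls visible in the snippet.

```rust
use std::any::Any;

// Hypothetical stand-in for a congestion controller trait, modelled on the
// into_any() call in the snippet above.
trait Controller {
    fn name(&self) -> &'static str;
    fn into_any(self: Box<Self>) -> Box<dyn Any>;
}

// Hypothetical wrapper whose inner controller can be swapped at runtime.
struct DynController {
    inner: &'static str,
}

// A controller that is not the wrapper, e.g. one left in place by default.
struct Bbr;

impl Controller for DynController {
    fn name(&self) -> &'static str { self.inner }
    fn into_any(self: Box<Self>) -> Box<dyn Any> { self }
}

impl Controller for Bbr {
    fn name(&self) -> &'static str { "bbr" }
    fn into_any(self: Box<Self>) -> Box<dyn Any> { self }
}

/// Try to swap in `replacement`. A controller of the wrong concrete type is
/// reported to the caller rather than taking the process down.
fn install(state: Box<dyn Controller>, replacement: &'static str) -> Result<&'static str, String> {
    let seen = state.name();
    match state.into_any().downcast::<DynController>() {
        Ok(mut wrapper) => {
            wrapper.inner = replacement;
            Ok(wrapper.inner)
        }
        // downcast() hands back the original Box<dyn Any> on failure.
        Err(_) => Err(format!("controller '{seen}' is not a DynController")),
    }
}

fn main() {
    // Constructed inputs: one matching wrapper, one non-matching controller.
    println!("{:?}", install(Box::new(DynController { inner: "bbr" }), "brutal"));
    println!("{:?}", install(Box::new(Bbr), "brutal"));
}
```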

@eauxxs Could you take a look?

ibigbug avatar Oct 12 '24 07:10 ibigbug

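@lmmqxyx404 @ibigbug These are all minor issues. The main problem is congestion control, and another problem is port hopping. Congestion control currently needs help...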

eauxxs avatar Oct 15 '24 15:10 eauxxs

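> @lmmqxyx404 @ibigbug These are all minor issues. The main problem is congestion control, and another problem is port hopping. Congestion control currently needs help...

What exactly is the problem? Could you describe it in detail? If it is easy to solve, I have some free time lately and could try to solve it.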

lmmqxyx404 avatar Oct 16 '24 10:10 lmmqxyx404