
[Feature] SSH transport

Open HirbodBehnam opened this issue 1 year ago • 20 comments

I'm not sure why nobody has recommended this before, but isn't it possible to add an SSH transport to xray? GOST has had it for a while and its source is available here. I assume there are going to be some challenges. For example, are we going to allow SSH transport as an incoming transport? In other words, are we going to allow users to run an SSH server? Or are we going to declare a custom channel for our traffic (like GOST)? Or are we going to allow port forwarding?

For the starting point, I think we should implement either of these two:

  1. SSH server and client, using a custom channel to forward traffic. This probably makes the server vulnerable to active probing.
  2. SSH client only, with port forwarding. This might be safer, but it's harder to set up. My idea is to just forward the traffic which the protocol generates to the destination port. So a setup could be something like this:
VLESS + SSH <-> SSH Server <-> VLESS + Raw TCP

HirbodBehnam, Apr 06 '23 18:04

Some countries limit the speed of ssh.

nursery01, Apr 07 '23 02:04

> I'm not sure why nobody has recommended this before

SSH for getting over the wall is far too retro for us over here. It was popular a long time ago, then it got blocked just as reliably as VPNs did, and that is how home-grown protocols like Shadowsocks came about.

RPRX, Apr 07 '23 20:04

You can try sing-box, which supports host key verification:

```json
{
  "inbounds": [
    {
      // "type": "mixed",
      "type": "socks",
      "listen": "::",
      "listen_port": 2080
      //"tag": "socks-in"
    }
  ],
  "outbounds": [
    {
      "type": "ssh",
      "tag": "ssh-out",
      "server": "example.com",
      "server_port": 22,
      "user": "root",
      //"password": "admin",
      "private_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnI0Q/8\nFgA=\n-----END OPENSSH PRIVATE KEY-----",
      //"private_key_path": "$HOME/.ssh/id_rsa",
      "private_key_passphrase": "fuckuuntildaynight",
      "host_key": [
        "ssh-ed25519 AAAACf7 root@OpenWrt"
      ],
      "host_key_algorithms": [],
      "client_version": "SSH-2.0-OpenSSH_7.4p1"
      //... // Dial Fields
    }
  ]
}
```

heygo1345678, Apr 09 '23 01:04

The ssh `private_key` field cannot take the raw private key text pasted in directly:

```
-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEB0AAAAGAAAABB0 x+/kaulXNbURref+AC3NzaC1lZDI1NTE5AAAAIDRh 6601NH9o+Cw8AoNp6BUdDBsJQJJXDhjH9 pNMxdr/+hMBV+Rldfsf8fRXOTEyLSDFUFJBj WYPKGqx/1SYRb6PbiG/QIDiv7fG ArgK3pmIdG/ZyFWI0Q/8 FgA= -----END OPENSSH PRIVATE KEY-----
```

The newline at the end of every line has to be removed and replaced with `\n`. That is inconvenient, so I suggest commenting it out, `//"private_key": "",`, and using the path form instead: `"private_key_path": "$HOME/.ssh/id_rsa"`. On Windows the path needs double backslashes: `"private_key_path": "D:\\privateOpenssh"`.

heygo1345678, Apr 09 '23 01:04
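The two comments above turn on two details of the sing-box `ssh` outbound: the PEM newlines must become `\n` escapes (and Windows backslashes must be doubled), and the `host_key` pin is a known_hosts-style `<algorithm> <base64> [comment]` entry. The following Python helper is an added example, not code from this thread or from sing-box; it lets `json.dumps` do the escaping and parses the pin's SSH wire-format blob to check that the algorithm inside it matches the declared one. The key material is constructed and is not a real key pair.

```python
import base64
import json
import struct
# Constructed sample material, not a real key pair: the PEM body is arbitrary
# base64 and the public key blob carries 32 bytes of 0x42 as its key.
SAMPLE_PEM = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "b3BlbnNzaC1rZXktdjEAAAAAAAAAAAAA\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 BE length + data)."""
    return struct.pack(">I", len(data)) + data

SAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(b"\x42" * 32)).decode() + " root@OpenWrt"

def parse_host_key(line: str):
    """Parse '<algo> <base64> [comment]'; return (algo, blob, comment), or None
    when the entry is malformed or the blob's embedded algorithm name differs."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    algo, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(blob) < 4:
        return None
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != algo.encode("ascii"):
        return None
    # An ssh-ed25519 blob is exactly string(name) + string(32 key bytes).
    if algo == "ssh-ed25519" and len(blob) != 4 + name_len + 4 + 32:
        return None
    return algo, blob, comment

def build_ssh_outbound(server: str, user: str, pem_text: str,
                       host_key_line: str, tag: str = "ssh-out") -> str:
    """Return the JSON text of a sing-box ssh outbound. The PEM keeps its real
    newlines here; json.dumps emits the \\n escapes and doubles backslashes."""
    if parse_host_key(host_key_line) is None:
        raise ValueError("refusing to emit a config with a bad host_key pin")
    outbound = {"type": "ssh", "tag": tag, "server": server, "server_port": 22,
                "user": user, "private_key": pem_text.rstrip("\n"),
                "host_key": [host_key_line]}
    return json.dumps(outbound, indent=2)
```

Note that the truncated pin `ssh-ed25519 AAAACf7 root@OpenWrt` from the pasted config is rejected by `parse_host_key`, since its base64 does not decode to a valid blob.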

@RPRX Hold on, RPRX, I want to re-examine this question. This issue was opened by an Iranian; he mentioned ssh, but you and I answered it with the standard Chinese answer. But ssh is still usable in Iran. You could say Iran's network is in whitelist mode, and for Iranians ssh already counts as a good method.

nursery01, Apr 17 '23 13:04

SSH is not like TLS: the former may be blocked indiscriminately. If it becomes popular it will be blocked quickly, and Iranians might even lose their means of configuring servers abroad.

So I think that while other protocols still work, pushing SSH proxies into popularity in Iran is not appropriate. What do you think? @nursery01 @HirbodBehnam

RPRX, Apr 17 '23 13:04

OK, I can't argue with that reason. You are right.

nursery01, Apr 17 '23 13:04

I'm still using SSH to get over the wall, and it hasn't been blocked in half a year. Only my setup is different: my VPS is wrapped in WARP IPv6, and the VPS actively connects to the OpenSSH server on my OpenWrt.

OpenSSH supports a reverse SOCKS proxy; it doesn't support UDP, but that doesn't matter.

Several hundred GB have gone through with no trouble at all, with WARP + IPv6 + reverse proxy all helping.

Would the GFW block my home broadband port number? Or my IPv6? It's entirely DDNS, so probably only the ISP could block it; the GFW may not have considered traffic actively initiated from abroad into China.

Besides, if it detects the SSH traffic and cuts it, my VPS connects back home, reconnects when dropped, and the high port keeps changing.

Home broadband has dynamic IPv6, and if the VPS's IPv6 really got blocked, it's easy to swap.

The same trick works with Xray's reverse proxy, so this doesn't look like a problem of SSH traffic fingerprints; it's about how you cross the wall and how the GFW censors, or maybe simply that the IPv6 wall isn't high.

heygo1345678, Apr 17 '23 15:04

@heygo1345678 There were discussions of "reverse connections" a long time ago; you can search for them. It still seems to be a niche FQ method to this day, so the GFW hasn't targeted it.

Perhaps only a "forward connection" first triggers the preset chain of censorship mechanisms.

RPRX, Apr 17 '23 18:04

@RPRX Right, I've seen that. Someone on the v2fly side proposed it, so I'm not the first to play this way; I just experimented with ssh, and it indeed wasn't blocked. Back then I was fiddling with all kinds of OpenSSH tunnels including tun/tap networking, thought I'd try it in reverse, and the result was a VPN network centered on home broadband that turned out very stable, with no traffic obfuscation needed.

heygo1345678, Apr 17 '23 21:04

@heygo1345678 But this approach just slips through a gap in the GFW's mechanism, ~~you really didn't need to say it out loud~~; if many people use it, the gap will be patched quickly.

I also remember there are some methods that mess with TCP mechanics so the current GFW can't understand them. Likewise, they break as soon as they are pointed out: fine for niche use, but they can't withstand promotion.

Just like the most fun toy at present is actually https://github.com/XTLS/REALITY/pull/2#issuecomment-1455133282, ~~a pity I can't say it out loud, otherwise the toy won't be playable anymore~~

RPRX, Apr 17 '23 22:04

> I'm still using SSH to get over the wall, and it hasn't been blocked in half a year. Only my setup is different: my VPS is wrapped in WARP IPv6, and the VPS actively connects to the OpenSSH server on my OpenWrt.
>
> OpenSSH supports a reverse SOCKS proxy; it doesn't support UDP, but that doesn't matter.
>
> Several hundred GB have gone through with no trouble at all, with WARP + IPv6 + reverse proxy all helping.
>
> Would the GFW block my home broadband port number? Or my IPv6? It's entirely DDNS, so probably only the ISP could block it; the GFW may not have considered traffic actively initiated from abroad into China.
>
> Besides, if it detects the SSH traffic and cuts it, my VPS connects back home, reconnects when dropped, and the high port keeps changing.
>
> Home broadband has dynamic IPv6, and if the VPS's IPv6 really got blocked, it's easy to swap.
>
> The same trick works with Xray's reverse proxy, so this doesn't look like a problem of SSH traffic fingerprints; it's about how you cross the wall and how the GFW censors, or maybe simply that the IPv6 wall isn't high.

Large-scale use of reverse proxies can easily lead to inbound connections to home broadband being blocked. Inbound on mobile data is already blocked today. Note that this means all inbound traffic initiated from outside; return traffic for connections your own device initiated is not blocked. Changing IPs however many times won't help. Home broadband lines running web services have already been blocked; no port helps, because there are dedicated services scanning all your ports. Very likely, deploying services on home broadband in future will still require something like NAT traversal: the home broadband side first connects out to an external relay server, and traffic is then reverse-proxied back home through that connection.

simplerick-simplefun, Apr 18 '23 15:04

@simplerick-simplefun You're impressive, being targeted to that degree, like that guy from Fujian in the group who says every so often that as soon as he turns on TLS his Oracle instance gets targeted. Probably got flagged.

heygo1345678, Apr 18 '23 21:04

> @simplerick-simplefun You're impressive, being targeted to that degree, like that guy from Fujian in the group who says every so often that as soon as he turns on TLS his Oracle instance gets targeted. Probably got flagged.

This isn't me personally being targeted. Inbound on mobile data is already blocked nationwide, and home broadband web services nationwide are being full-port scanned and then blocked. I don't think blocking inbound to home broadband is far off.

simplerick-simplefun, Apr 19 '23 06:04

@simplerick-simplefun My home broadband web services are still in use, and I even set up DoH on a custom path. I have a bunch of servers too; if it were 443 that would be impossible, but they're all on non-standard ports. I also have another broadband line with a public v4 address, and it's fine as well.

heygo1345678, Apr 19 '23 06:04

> @simplerick-simplefun My home broadband web services are still in use, and I even set up DoH on a custom path. I have a bunch of servers too; if it were 443 that would be impossible, but they're all on non-standard ports. I also have another broadband line with a public v4 address, and it's fine as well.

Maybe it just differs from region to region...

simplerick-simplefun, Apr 19 '23 06:04

Adding a comment from Iran: Iran uses a mix of protocol, IP and SNI filtering. For example, after some time of using ssh to a server they will throttle it and make it hard to connect, and then the server will have its ssh blocked. On the other hand, when dealing with local servers you can even connect using WireGuard without a problem. So the protocol restrictions depend on your target IP and SNI. The point is, using ssh for traffic is only good if you are planning to pollute new IPs, which many people do, but please don't. Stick to proper protocols and keep your IP clean for as long as possible; the more IPs you burn, the harder you make it for other users in your country (many people buy a VPS and the IP is already blacklisted because some people change IP daily...).

maliohammad, Apr 29 '23 15:04

@maliohammad Your point is valuable. There are too few IPv4 addresses; is IPv6 usable in Iran?

RPRX, Apr 30 '23 00:04

@RPRX IPv6 seems to be working, but I think it is ISP dependent. I have successfully used VPNs that have IPv6 as their exit nodes before.

maliohammad, Apr 30 '23 11:04

Strongly recommend adding support for SSH protocol outbound connections.

lgs3137, Jul 24 '23 07:07