
V2Ray response to SNI detection?

Open JinYi-Tsinghua opened this issue 6 months ago • 2 comments

I've been having excessive issues in the last two weeks across China Mobile / Telecom / Unicom with my server, which utilizes websocket + Cloudflare. The issues began when I carelessly installed and ran Tor and Wireguard with default configs to foreign servers, which probably led to all my connections receiving further scrutiny.

Anyway, I'm wondering if I have to switch to XRay to mitigate the issue, or whether V2ray has its own equivalent of REALITY.

I'm reluctant to switch to XRay because I prefer not to use software on all my devices whose installation method is "run this shell script as root".

JinYi-Tsinghua avatar Jun 05 '25 04:06 JinYi-Tsinghua

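I'm not sure whether I've understood correctly. As I understand it, you originally used a reverse proxy to hide your real overseas v2ray server, but one day you accidentally connected directly to the overseas v2ray server, and now your server has been blocked (you didn't make clear what problem you ran into, so I can only guess; or perhaps you are just worried that your privacy was violated as a result). If your server really has been blocked, then all you can do is switch servers. If it's a different problem, you might as well describe the situation more clearly.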

tomandjerry27 avatar Jun 06 '25 02:06 tomandjerry27

My servers are not blocked, and even if they were, I use WS+CDN to avoid it. My connections are just under scrutiny because I carelessly made direct connections to the Tor network, so even with V2ray+WS+CDN, connections only work for several minutes at a time, and then are unavailable for several minutes.

Anyway, I am looking at NaïveProxy since it can deal with SNI issues and still work with CDN, but I think it's time that V2ray handles the SNI issues.

JinYi-Tsinghua avatar Jun 06 '25 03:06 JinYi-Tsinghua

There is a protocol that is currently being developed to deal with this issue. But it has not reached a state that would allow me to make an announcement/preview post about it:

https://github.com/xiaokangwang/v2ray-core-1/tree/dev-tlsmirror-wip6 (the last number will increase from time to time).

In the meantime I advise you to try v2ray's "issue" certificate functionality, which was originally developed as a way to MITM connections, but doesn't work too well to be fair, but I will try to write a redirection-based TLS-like protocol.

Here is an example server config:

{
    "log": {
      "error": {
        "level": "Debug",
        "type": "Console"
      },
      "access": {
        "type": "None"
      }
    },
    "outbounds": [
      {
        "protocol": "freedom"
      }
    ],
    "inbounds": [
      {
        "protocol": "vmess",
        "settings": {
          "users": [
            "*****"
          ]
        },
        "listen": "0.0.0.0",
        "port": 27443,
        "streamSettings": {
          "transport": "httpupgrade",
          "transportSettings": {
            "path": "*****"
          },
          "security":"tls",
          "securitySettings":{
            "nextProtocol":["http/1.1"],
            "certificate":[
                {
                    "usage":"AUTHORITY_ISSUE",
                    "certificateFile":"ca.crt",
                    "keyFile":"ca.key"
                }
            ]
          }
        }
      }
    ]
  }
  

xiaokangwang avatar Jun 29 '25 20:06 xiaokangwang

The protocol to work around SNI detection and active probing, named TLSMirror, is currently being developed in the primary branch, since https://github.com/v2fly/v2ray-core/pull/3437.

xiaokangwang avatar Jul 03 '25 10:07 xiaokangwang

This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Nov 01 '25 02:11 github-actions[bot]