v2ray / planning
Deprecated. Please use v2ray-core for feature requests
On Linux, a socket can be given a mark with setsockopt(SOL_SOCKET, SO_MARK); every packet the socket sends afterwards carries that mark value.
The value can then be matched in iptables/tc/ip rule.
Use case:
I have a VPN and want to add an outbound in V2Ray that uses it.
I can add a freedom outbound with its mark set to 123456.
Assuming the VPN interface is myvpn, I can run: ip route add default dev myvpn table 114514 && ip rule add fwmark 123456 table 114514
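Added example (not code from the planning repo or from v2ray-core): a Go dialer that attaches the mark from the post through the net.Dialer Control hook, reads it back from the connected socket, and tells a missing CAP_NET_ADMIN apart from other dial failures. The loopback listener in main is constructed only so the program has something to dial; the mark value 123456 is the one from the post. Linux only.

```go
//go:build linux

package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"syscall"
	"time"
)

// MarkedDialer returns a net.Dialer whose sockets carry SO_MARK = mark.
// Control runs after socket(2) and before connect(2), the only window in
// which the mark can be attached to an outbound TCP socket. SO_MARK needs
// CAP_NET_ADMIN; without it the kernel answers EPERM and the dial fails
// instead of silently leaving the socket unmarked.
func MarkedDialer(mark int) *net.Dialer {
	return &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, c syscall.RawConn) error {
			var sockErr error
			if err := c.Control(func(fd uintptr) {
				sockErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, mark)
			}); err != nil {
				return err
			}
			if sockErr != nil {
				return fmt.Errorf("set SO_MARK=%d on %s %s: %w", mark, network, address, sockErr)
			}
			return nil
		},
	}
}

// ReadMark reads SO_MARK back from an established connection, so a caller
// can verify the hook took effect before trusting the policy routing.
func ReadMark(conn net.Conn) (int, error) {
	sc, ok := conn.(syscall.Conn)
	if !ok {
		return 0, errors.New("connection does not expose a raw socket")
	}
	rc, err := sc.SyscallConn()
	if err != nil {
		return 0, err
	}
	var mark int
	var sockErr error
	if err := rc.Control(func(fd uintptr) {
		mark, sockErr = syscall.GetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK)
	}); err != nil {
		return 0, err
	}
	return mark, sockErr
}

// IsPermissionError reports whether a dial failed because CAP_NET_ADMIN is missing.
func IsPermissionError(err error) bool { return errors.Is(err, syscall.EPERM) }

func main() {
	// Constructed loopback listener: only here so the example has a peer to dial.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		fmt.Println("listen:", err)
		return
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.Close()
		}
	}()
	conn, err := MarkedDialer(123456).DialContext(context.Background(), "tcp", ln.Addr().String())
	if err != nil {
		fmt.Println("dial:", err, "missing CAP_NET_ADMIN:", IsPermissionError(err))
		return
	}
	defer conn.Close()
	mark, err := ReadMark(conn)
	fmt.Println("SO_MARK on socket:", mark, err)
}
```

With the `ip rule` / `ip route` commands from the post in place, `ip route get <destination> mark 123456` shows which device the kernel picks for marked packets and should answer with `dev myvpn`; if the process lacks CAP_NET_ADMIN the dial fails loudly here rather than falling back to the default route.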
Let's Encrypt is a great tool to establish your own PKI, but it is not as secure as a commercial CA.
Please add support for "HTTP Public Key Pinning" (RFC 7469) to avoid certain risks like MITM attacks with forged certificates.
Some websites, like weibo (overseas) and bilibili, use a CDN with the same IP/IPs.
For example:
In Hong Kong, www.bilibili.com, account.bilibili.com, space.bilibili.com, etc. resolve to 47.90.50.109.
In Shanghai Telecom, comment.bilibili.com resolves to 101.227.5.220-101.227.5.227 (= 101.227.5.220/30 + 101.227.5.224/30).
Requirement:
Support wildcard DNS (including regex rules) and multi-record (including CIDR).
As people know, V2Ray now has a very heavy single-file configuration system, located by default at /etc/v2ray/config.json. Since the config lives in a directory rather than as a single file in /etc/, maybe it is time to migrate to a multiple-file configuration system.
Personally I recommend the following options.
I. Split the current single file into fixed sections like router.json, inbound.json, outbound.json, etc., put directly into /etc/v2ray/
II. Split into conf.avail and conf.enabled, which would support symbolic links and many more features, and could better support multi-user systems.
For example, /etc/v2ray/conf.avail/ could have 10-transport.json, 20-router.json, 21-user1.json, 22-user2.json (could be inbound/outbound detours), which helps switch state and provides a more dynamic environment.
Collected previous code:
The existing DNS logic built into V2Ray core has some defects:
Here is a proposal to split the DNS logic into a standalone program.
Benefits:
Potential risk:
Some public web hosting services limit the number of concurrent connections. It would be great if several proxy requests could share a TCP connection.
V2Ray seems to be the most promising SOCKS5 proxy framework in terms of modularity. I suppose that V2Ray was designed this way according to this comment. If so, I think it is the right time to have a discussion with other main SOCKS proxy developers, i.e. Shadowsocks devs, to at least make a draft specification of how the V2Ray framework is made and decide the API for each protocol library and plugin. I make this suggestion at this moment for these reasons:
V2Ray can keep its focus on framework development, and all the protocols (including VMess, Shadowsocks and other potential protocols) will be able to keep their eyes on protocol implementation, rather than building up usable proxy tools and implementing the same features like obfs/kcp by themselves. They can simply implement libraries and let V2Ray invoke them. It would be easier to implement libvmess, libshadowsocks, libfuturesocks as proxy protocols, and libobfs, libkcp as plugins. V2Ray will be a great test bed for them.
Separating the development of the framework and the protocols/plugins would make future refinement much easier. It is also helpful for developing clients on various platforms.
If the implementations of protocols and plugins strictly follow specifications, it would be less painful in the future to adjust them in V2Ray, or even in other future frameworks.
Currently, Shadowsocks, the most widespread SOCKS proxy protocol, is in a phase of evolution, while plugins like obfs started only a short time ago. It is the best time to talk with other devs and decide how the API is made without sacrificing features and/or performance.
The following APIs will be provided:
When I use the "domainStrategy": "IPIfNonMatch" strategy, every domain is queried against the remote DNS server.
If domains fetched from the DNS server were cached, performance would be much higher.
[RFC] v2ray log auto-rotate; keeping 30 days of logs seems enough.
Do not let the log file grow without any control.
Currently, V2Ray allows an InsecureSkipVerify flag in the TLS config to be set, which forgives certificate issues. This feature is documented as "This should be used only for testing." However, with the variety of environments and CA problems present on hosts, this flag is too often abused and has created a systemic security risk.
Since V2Ray cannot show the certificate in question upon a certificate error (or it may even be impossible to know the exact reason for the error on some Android clients), users may enable this flag to solve a connectivity issue (it sometimes does, and hides the underlying issue). This can pose a significant problem for the security and invisibility of the V2Ray connection and even inflict major damage on users should they entrust V2Ray with important traffic.
To counteract this issue, I propose the following changes to V2Ray as a solution:
The reason for choosing SHA3-512 as the hash algorithm is that currently no tool can automate the process of generating such a hash, and the user must export the certificate to the filesystem before generating the hash, which is not significantly easier than copying the hash of the CA or certificate from the server. This encourages the user to discover the certificate issue and find out the underlying reason, rather than compromising their long-term interests in exchange for dangerous convenience.
When using the Blackhole outbound to block access, there's an option "type": "http" to return an HTTP 403 response. This works great for HTTP requests; the browser shows:
You don't have authorization to view this page.
HTTP ERROR 403
but it doesn't work so well for others; for example, HTTPS requests get an error like
This site can't provide a secure connection
www.google.com sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
To work around this, I had to duplicate my routing config (to blackhole) with an additional condition "port": "80", so only access to port 80 gets the HTTP 403. But although 80 is the common port for HTTP, there are HTTP servers out there using other ports.
So, is it possible to add a new routing condition that is protocol based, so it matches HTTP requests on non-80 ports as well?
Another use of this kind of routing I can think of is: when using an unsafe network like public WiFi, connect directly for HTTPS while proxying HTTP to protect privacy.
Similar to geosite:cn and geoip, V2Ray lists the corresponding entries in the external geosite.dat, but other domains or addresses must be configured in the routing module of the main config file. They have to be hard-coded there, which bloats the config file when there are many of them, and changes only take effect after a restart. I suggest a new field in the routing configuration that gives the path to a list file; the program reads the file periodically to obtain the domains or IPs in it, which reduces the size of the main config and the need to restart the application.
Code example:
"route": {
  "strategy": "rules",
  "domainStrategy": "AsIs",
  "settings": {
    "rules": [
      {
        "type": "field",
        "domainFile": "/path/to/domainlist.txt", // domain list file
        "outboundTag": "direct"
      }
    ]
  }
}
domainlist.txt
www.baidu.com
domain:google.com #V2Ray's domain-matching keywords may be used
...
Source-IP and destination-IP settings would work the same way.
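Both the earlier wildcard/CIDR request (the bilibili CDN example) and the list-file proposal above need the same thing: a parser for a plain-text rule list that understands plain hosts, `domain:` suffix entries, regex entries, CIDR blocks and single IPs, plus matchers for a destination name or address. The following Go program is an added example, not code from the planning repo or from v2ray-core; the `regexp:` prefix is an assumption chosen to parallel the `domain:` keyword, and the list contents in main are constructed from the addresses quoted in the posts.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Rule is one line of a list file; exactly one matcher field is populated.
type Rule struct {
	Raw    string
	full   string         // plain host: exact match
	suffix string         // "domain:" entry: the domain and all its subdomains
	re     *regexp.Regexp // "regexp:" entry
	cidr   *net.IPNet     // CIDR, or a single IP widened to /32 or /128
}

// ParseList reads a list file: one entry per line, '#' starts a comment.
// A bad regexp or CIDR is an error carrying its line number, so a typo in
// the file does not silently become a rule that never matches.
func ParseList(text string) ([]Rule, error) {
	var rules []Rule
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		r := Rule{Raw: line}
		switch {
		case strings.HasPrefix(line, "domain:"):
			r.suffix = strings.ToLower(strings.TrimPrefix(line, "domain:"))
		case strings.HasPrefix(line, "regexp:"):
			re, err := regexp.Compile(strings.TrimPrefix(line, "regexp:"))
			if err != nil {
				return nil, fmt.Errorf("line %d: %w", n, err)
			}
			r.re = re
		case strings.Contains(line, "/"):
			_, ipnet, err := net.ParseCIDR(line)
			if err != nil {
				return nil, fmt.Errorf("line %d: %w", n, err)
			}
			r.cidr = ipnet
		default:
			if ip := net.ParseIP(line); ip != nil {
				bits := 128
				if ip4 := ip.To4(); ip4 != nil {
					ip, bits = ip4, 32
				}
				r.cidr = &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)}
			} else {
				r.full = strings.ToLower(line)
			}
		}
		rules = append(rules, r)
	}
	return rules, sc.Err()
}

// MatchDomain returns the first rule matching host, the decision the
// routing module would take before picking an outbound tag.
func MatchDomain(rules []Rule, host string) (Rule, bool) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, r := range rules {
		switch {
		case r.full != "" && r.full == host,
			r.suffix != "" && (host == r.suffix || strings.HasSuffix(host, "."+r.suffix)),
			r.re != nil && r.re.MatchString(host):
			return r, true
		}
	}
	return Rule{}, false
}

// MatchIP returns the first CIDR rule containing ip (IPv4 or IPv6).
func MatchIP(rules []Rule, ip net.IP) (Rule, bool) {
	for _, r := range rules {
		if r.cidr != nil && r.cidr.Contains(ip) {
			return r, true
		}
	}
	return Rule{}, false
}

func main() {
	// Constructed list in the format the proposal sketches.
	const list = "www.baidu.com\ndomain:google.com # all subdomains\nregexp:^[a-z]+\\.bilibili\\.com$\n101.227.5.220/30\n47.90.50.109\n"
	rules, err := ParseList(list)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, h := range []string{"mail.google.com", "api.bilibili.com", "notgoogle.com"} {
		r, ok := MatchDomain(rules, h)
		fmt.Printf("%-18s -> %v %q\n", h, ok, r.Raw)
	}
	r, ok := MatchIP(rules, net.ParseIP("101.227.5.223"))
	fmt.Println("101.227.5.223 ->", ok, r.Raw)
}
```

Note that a `domain:` entry matches on a label boundary, so `domain:google.com` does not match `notgoogle.com`; matching on a bare suffix would let an attacker-chosen name slip into a rule meant for one domain.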
Embedded web server for serving static files (at least). This makes it easier to set up a local PAC server for browsers.
Go has its own support library for libucl-style config files.
libucl-style config files are compatible with several config formats, can handle the increasingly complex config files fairly simply, and improve the readability of the config while lowering the cost of modifying it.
At the same time, changing the config format so that its structure matches the pb definitions reduces the work needed when adding new features in the future.
[DELETED]
In the VPN scenario, the client can't use the SOCKS protocol with remote domain resolution, because all the traffic is sent as IP packets. The DNS resolution happens before SOCKS.
Due to local DNS caching and DNS poisoning, the client may already have a poisoned DNS result before connecting to the VPN. A workaround for this issue is to parse the HTTP and HTTPS headers to get the domain of the request, and use the domain instead of the IP for the proxy request.
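Both the protocol-based routing request above (match HTTP on any port) and this VPN workaround rely on the same step: look at the first bytes a client sends and recover the protocol and the name it asked for, from the HTTP Host header or the TLS server_name extension. The following Go sniffer is an added example, not code from v2ray-core; it refuses to classify an incomplete header block or a truncated ClientHello so that a router can wait for more bytes rather than guess, and BuildClientHello exists only to produce constructed sample input offline.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Sniffed is what the first client bytes reveal: the application protocol
// and the destination name the client itself asked for.
type Sniffed struct {
	Protocol string // "http" or "tls"
	Domain   string // Host header or SNI; empty when absent
}

var httpMethods = []string{"GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "CONNECT ", "PATCH ", "TRACE "}

// Sniff classifies the initial bytes of a connection; ok is false when the
// data is neither a complete HTTP header block nor a complete ClientHello.
func Sniff(b []byte) (Sniffed, bool) {
	if s, ok := sniffHTTP(b); ok {
		return s, true
	}
	return sniffTLS(b)
}

func sniffHTTP(b []byte) (Sniffed, bool) {
	s := string(b)
	method := false
	for _, m := range httpMethods {
		if strings.HasPrefix(s, m) {
			method = true
			break
		}
	}
	head, _, complete := strings.Cut(s, "\r\n\r\n")
	if !method || !complete {
		return Sniffed{}, false
	}
	lines := strings.Split(head, "\r\n")
	if p := strings.Fields(lines[0]); len(p) != 3 || !strings.HasPrefix(p[2], "HTTP/") {
		return Sniffed{}, false
	}
	out := Sniffed{Protocol: "http"}
	for _, l := range lines[1:] {
		if k, v, ok := strings.Cut(l, ":"); ok && strings.EqualFold(strings.TrimSpace(k), "Host") {
			out.Domain = hostOnly(strings.TrimSpace(v))
			break
		}
	}
	return out, true
}

// hostOnly drops an explicit port ("example.com:8080") and IPv6 brackets.
func hostOnly(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		return host
	}
	return strings.Trim(h, "[]")
}

func u16(b []byte) int { return int(b[0])<<8 | int(b[1]) }

// sniffTLS walks one handshake record holding a ClientHello and extracts the
// server_name extension (type 0). Every length is bounds-checked, so a
// malformed hello yields "not recognised" instead of a panic.
func sniffTLS(b []byte) (Sniffed, bool) {
	none := Sniffed{}
	if len(b) < 9 || b[0] != 0x16 || b[5] != 0x01 {
		return none, false
	}
	recLen := u16(b[3:])
	hsLen := int(b[6])<<16 | int(b[7])<<8 | int(b[8])
	if len(b) < 5+recLen || recLen < 4+hsLen {
		return none, false
	}
	body := b[9 : 9+hsLen]
	p := 34 // version(2) + random(32)
	if len(body) < p+1 {
		return none, false
	}
	p += 1 + int(body[p]) // session id
	if len(body) < p+2 {
		return none, false
	}
	p += 2 + u16(body[p:]) // cipher suites
	if len(body) < p+1 {
		return none, false
	}
	p += 1 + int(body[p]) // compression methods
	if len(body) < p+2 {
		return none, false
	}
	extLen := u16(body[p:])
	p += 2
	if len(body) < p+extLen {
		return none, false
	}
	ext := body[p : p+extLen]
	for len(ext) >= 4 {
		typ, l := u16(ext), u16(ext[2:])
		ext = ext[4:]
		if l > len(ext) {
			return none, false
		}
		data := ext[:l]
		ext = ext[l:]
		if typ != 0 {
			continue
		}
		// server_name: list length(2), name type(1) = host_name, name length(2), name
		if len(data) < 5 || data[2] != 0 {
			return none, false
		}
		n := u16(data[3:])
		if len(data) < 5+n {
			return none, false
		}
		return Sniffed{Protocol: "tls", Domain: string(data[5 : 5+n])}, true
	}
	return Sniffed{Protocol: "tls"}, true // TLS without SNI: protocol known, name unknown
}

// BuildClientHello makes a minimal ClientHello carrying an SNI extension.
// It exists only to produce constructed sample input for Sniff.
func BuildClientHello(sni string) []byte {
	name := []byte(sni)
	sniData := append([]byte{byte((3 + len(name)) >> 8), byte(3 + len(name)), 0, byte(len(name) >> 8), byte(len(name))}, name...)
	ext := append([]byte{0, 0, byte(len(sniData) >> 8), byte(len(sniData))}, sniData...)
	body := append([]byte{3, 3}, make([]byte, 32)...) // version + zero random
	body = append(body, 0)                             // empty session id
	body = append(body, 0, 2, 0x13, 0x01)              // one cipher suite
	body = append(body, 1, 0)                          // null compression
	body = append(body, byte(len(ext)>>8), byte(len(ext)))
	body = append(body, ext...)
	hs := append([]byte{1, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 3, 1, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}

func main() {
	// Constructed samples: an HTTP request on a non-80 port and a TLS hello.
	fmt.Println(Sniff([]byte("GET /index.html HTTP/1.1\r\nHost: example.com:8080\r\n\r\n")))
	fmt.Println(Sniff(BuildClientHello("www.google.com")))
}
```

A router that blackholes by sniffed protocol should treat "not recognised" as "keep reading" up to a small byte budget, then fall back to the port rule; classifying on a fragment is how a 403 page ends up served to a TLS client.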
What is the current state of AppImage, snap or flatpak support? I have raised a similar issue previously via v2ray/v2ray-core#704
From v2ray-core created by lbp0200 : v2ray/v2ray-core#760
Which version of V2Ray are you using? 3.0.1
What is your use case? Using V2Ray's built-in DNS routing feature
What abnormal behaviour did you see? The built-in DNS resolves tce.alicdn.com.danuoyi.alicdn.com to an overseas address
What did you expect to see? The built-in DNS should use Google DNS's EDNS feature to resolve domestic CDN domains to the nearest IP based on the client IP, https://developers.google.com/speed/public-dns/docs/dns-over-https, the edns_client_subnet parameter
Please attach your configuration (hide the server IP before submitting the issue).
Client config:
"dns": {
"servers": [
"8.8.8.8",
"8.8.4.4",
"localhost"
]
},
"routing": {
"strategy": "rules",
"settings": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"ip": [
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.0.2.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"::1/128",
"fc00::/7",
"fe80::/10"
],
"outboundTag": "direct"
},
{
"type": "chinaip",
"outboundTag": "direct"
}
]
}
}
Please attach the error log the software printed when the problem occurred. On Linux the log is usually in /var/log/v2ray/error.log.
Please attach the access log. On Linux the log is usually in /var/log/v2ray/error.log.
2017/12/04 13:10:41 [Debug]App|DNS|Server: handling response for id 58305 content: ;; opcode: QUERY, status: NOERROR, id: 58305
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;tce.alicdn.com. IN A
;; ANSWER SECTION:
tce.alicdn.com. 188 IN CNAME tce.alicdn.com.danuoyi.alicdn.com.
tce.alicdn.com.danuoyi.alicdn.com. 299 IN A 64.71.142.82
tce.alicdn.com.danuoyi.alicdn.com. 299 IN A 64.71.142.92
tce.alicdn.com.danuoyi.alicdn.com. 299 IN A 64.71.142.81
tce.alicdn.com.danuoyi.alicdn.com. 299 IN A 64.71.142.120
tce.alicdn.com.danuoyi.alicdn.com. 299 IN A 64.71.142.95
tce.alicdn.com.danuoyi.alicdn.com. 299 IN A 64.71.142.91
tce.alicdn.com.danuoyi.alicdn.com. 299 IN A 64.71.142.96
tce.alicdn.com.danuoyi.alicdn.com. 299 IN A 64.71.142.110
In the logs, access records the addresses accessed through v2. Mux, however, uses v1.mux.cool as the access address and carries the traffic for the real destinations on top of it.
If the client's outbound uses Mux, the client's access log only records v1.mux.cool:0 and cannot record the real destination addresses it carries. They can be found in the server's access log, but that is cumbersome.
So I'd like the access log to stop recording this fake address and instead have Mux log the real destination addresses to the access log internally.
If it's only a simple ladder you needn't care about time zones, but if V2Ray is used for other purposes this factor has to be considered; making clients and servers spread across the world all adapt to one time zone is a rather costly compromise.
So could an offset (the difference between local time and GMT) be added? Correcting with the offset would solve the above problem.
The following events are planned:
V2Ray is designed to be a flexible network tool for developers. However, in terms of developer friendliness it has suffered a bad reputation for being hard to master, both for users and for third-party developers.
Here, I would like to propose a new stub transport intended to reduce the difficulty of developing a transport for V2Ray and remove the need for a development commitment. The pipe transport uses the operating system's fork and/or Unix domain socket capabilities, allowing developers to experiment with new transport technology without worrying about V2Ray's internal API changes or framework, and making it easier to use V2Ray in combination with other tools. For tools that cannot integrate with V2Ray's build infrastructure and other quality-control constraints, this will make it easier to distribute third-party developers' work without lowering v2ray-core's code-base standards.
The pipe transport can work as both an inbound transport and an outbound transport.
For the inbound transport, only Unix domain socket mode is available. V2Ray will listen on a Unix domain socket and serve at that socket. It is possible to set a file mode when specifying this file. A fatal error will be raised if this file location is inaccessible to V2Ray.
For the outbound transport, two modes will be available: fork mode and Unix domain socket mode. It is always recommended to use Unix domain socket mode whenever possible. In fork mode, a command is executed and its standard input and standard output are used as a bidirectional pipe. No additional information about the host being connected is provided, but arguments for exec can be specified. Failing to exec the file is an error for V2Ray. When the process quits, the connection is considered ended. For Unix domain sockets, a Unix domain socket file is connected to whenever an outbound transmission is needed. If the connect fails, an error will be raised.
Because of the absence of Unix domain socket support in Windows environments, the pipe transport can only act as an outbound transport on Windows.
The pipe transport can be used as an easy way to configure a transport for experimenting with new technology in V2Ray without risking breaking anything or being forced to match a merge window.
The pipe transport's behaviour is consistent with proxy commands or standard domain socket practice. This will help the new transport work with as many existing Unix-style tools as possible. (V2Ray pipe should be able to work with ncat out of the box.)
This RFC has been preliminarily approved by V2Ray's maintainer.
From the current code, freedom's address selection under the UseIP option picks one at random from the DNS results, without considering which address matched the routing rule that selected the freedom outbound. So with a rule such as "if it is an IPv6 address, send it via freedom", an IPv4 packet may actually be sent via freedom.
Given that domestic universities commonly charge for IPv4 but not for IPv6, there is a need to handle the two kinds of traffic separately.
The motivation for this plan is described in more detail here: v2ray/discussion#36
Currently, different v2ray clients use various formats of the vmess:// URL scheme, which has caused a lot of confusion and incompatibility. It is suggested to provide a standard for the vmess:// URL scheme, like Shadowsocks SIP002, in order to ease the exchange of configurations and thus simplify the configuration process. Additionally, it is better to have only connection-related information in the standard, as most v2ray users will configure routing and other things on their own.
URI = "vmess://" + userInfo + "@" + host + ":" + port + ["/"] + urlParams
userInfo = websafe-base64-encode-utf8(uid ":" alterId)
If alterId = 0, it can be omitted together with its leading colon before encoding.
| name | description |
|---|---|
| network | tcp/kcp/ws |
| tcpHeader | tcp header in JSON |
| kcp* | kcp configurations |
| kcpHeaderType | kcp header type |
| wsPath | WebSocket path |
| wsHost | WebSocket host |
| wsHeaders | WebSocket headers in JSON |
| tls | 0/1, 0 for false and 1 for true |
| tlsServerName | TLS server name |
| tlsAllowInsecure | 0/1, 0 for false and 1 for true |
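An added Go implementation of the scheme as proposed above (not code from the planning repo, v2ray-core or any client): Build renders the URI with the alterId-0 omission rule, Parse is its strict inverse, and AllowsInsecureTLS surfaces the one parameter in the table that weakens security, since a shared link can silently ask the importer to skip certificate verification. The UUID and host in main are constructed sample values.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

// Endpoint carries only the connection-related fields of the proposed scheme.
type Endpoint struct {
	UUID    string
	AlterID int
	Host    string
	Port    int
	Params  url.Values // network, tls, wsPath, ... named as in the table above
}

// Build renders vmess://userInfo@host:port/?params with userInfo =
// websafe-base64(uid ":" alterId); alterId 0 is omitted with its colon.
func (e Endpoint) Build() string {
	info := e.UUID
	if e.AlterID != 0 {
		info += ":" + strconv.Itoa(e.AlterID)
	}
	u := url.URL{
		Scheme:   "vmess",
		User:     url.User(base64.RawURLEncoding.EncodeToString([]byte(info))),
		Host:     net.JoinHostPort(e.Host, strconv.Itoa(e.Port)),
		Path:     "/",
		RawQuery: e.Params.Encode(),
	}
	return u.String()
}

// Parse is the inverse of Build. It accepts padded and unpadded websafe
// base64 and rejects anything that is not a well-formed vmess:// link.
func Parse(s string) (Endpoint, error) {
	u, err := url.Parse(s)
	if err != nil {
		return Endpoint{}, err
	}
	if u.Scheme != "vmess" {
		return Endpoint{}, fmt.Errorf("scheme %q is not vmess", u.Scheme)
	}
	if u.User == nil {
		return Endpoint{}, errors.New("missing user info")
	}
	raw, err := decodeWebsafe(u.User.Username())
	if err != nil {
		return Endpoint{}, fmt.Errorf("user info: %w", err)
	}
	uuid, alter, hasAlter := strings.Cut(string(raw), ":")
	if uuid == "" {
		return Endpoint{}, errors.New("empty user id")
	}
	e := Endpoint{UUID: uuid, Params: u.Query()}
	if hasAlter {
		if e.AlterID, err = strconv.Atoi(alter); err != nil || e.AlterID < 0 {
			return Endpoint{}, fmt.Errorf("bad alterId %q", alter)
		}
	}
	host, portStr, err := net.SplitHostPort(u.Host)
	if err != nil {
		return Endpoint{}, fmt.Errorf("host: %w", err)
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return Endpoint{}, fmt.Errorf("bad port %q", portStr)
	}
	e.Host, e.Port = host, port
	return e, nil
}

// AllowsInsecureTLS flags a link that asks the importer to skip certificate
// verification; an importer should refuse it or warn loudly before use.
func (e Endpoint) AllowsInsecureTLS() bool {
	return e.Params.Get("tls") == "1" && e.Params.Get("tlsAllowInsecure") == "1"
}

func decodeWebsafe(s string) ([]byte, error) {
	if b, err := base64.RawURLEncoding.DecodeString(s); err == nil {
		return b, nil
	}
	return base64.URLEncoding.DecodeString(s)
}

func main() {
	// Constructed sample; the UUID is not a real account.
	e := Endpoint{UUID: "0f3c6e7a-1b2d-4c5e-8f9a-0b1c2d3e4f5a", AlterID: 64, Host: "proxy.example.test", Port: 443,
		Params: url.Values{"network": {"ws"}, "wsPath": {"/v2"}, "tls": {"1"}, "tlsServerName": {"proxy.example.test"}}}
	link := e.Build()
	fmt.Println(link)
	back, err := Parse(link)
	fmt.Printf("%+v %v insecure=%v\n", back, err, back.AllowsInsecureTLS())
}
```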
It would be nice to have this feature...
If we can fetch data from multiple servers, we can achieve a very high link speed through link aggregation as well as enhance link stability.
In poor network conditions, this feature can become very useful.
New versions may bring bug fixes, performance improvements and so on, but "there are always users who don't like updating". I'd like a routine that, before starting a v2ray instance, checks whether a newer v2ray version exists and, if so, performs the update.
The GitHub API can be used to fetch the latest version number.
For regions where downloads are slow, SOCKS proxy information for the v2ray updater could be added to the JSON (perhaps reusing a working inbound SOCKS proxy the user has already configured in the JSON), and the updater would download the new version through that proxy.
V2Ray will provide SDK in the following languages:
With following functionalities:
HTTP, MTProto, SOCKS, VMess and other protocols all support multi-user configuration and can count traffic per user email, but users are configured separately for each protocol. Abstracting users out and managing them centrally might fit V2Ray's positioning as a platform better.
The website needs to grow as the project grows. Requirements are:
v2ray already supports a number of APIs, but the official site describes them far too briefly and there is little about them elsewhere online. Would it be possible to do something like listening on a port, so that requesting 127.0.0.1 on that port returns all the data... just like v2rayX's "view config.json", which only needs a visit to 127.0.0.1:8070/config.json?
Currently geoip records are parsed into IP rules at startup and loaded entirely into memory, which costs a lot of memory, especially when there are many geoip rules, for example with this config:
{
"type": "field",
"ip": [
"geoip:us",
"geoip:jp",
"geoip:gb",
"geoip:de",
"geoip:kr",
"geoip:fr",
"geoip:ca",
"geoip:it",
"geoip:au",
"geoip:nl",
"geoip:ru",
"geoip:in",
"geoip:se"
],
"outboundTag": "proxy"
}
MaxMind's geoip database provides a binary data file format: http://maxmind.github.io/MaxMind-DB/ . Reading it this way is fast enough for clients and uses almost no memory, which matters a lot on mobile. Go also has open-source implementations, e.g. https://github.com/oschwald/maxminddb-golang
For illegal requests, return a fake page through a fallback, like shadowsocks does.
Even if it is only supported for connecting to a local port, it's useful.
I have read the documentation and the corresponding source code; currently, to use TLS at the transport layer you either apply for a certificate from a CA or set allowInsecure to true.
Most CAs charge for certificates; the only free one at the moment is probably Let's Encrypt, but its certificates must be renewed every three months.
Enabling allowInsecure, on the other hand, greatly reduces security: under a man-in-the-middle attack it is no better than plaintext, and the disguise purpose is defeated.
Looking at the Go documentation, tls.Config supports a custom root certificate store:
https://golang.org/pkg/crypto/tls/#Config
// RootCAs defines the set of root certificate authorities
// that clients use when verifying server certificates.
// If RootCAs is nil, TLS uses the host's root CA set.
RootCAs *x509.CertPool
Users can generate their own root certificate with a program or with the openssl tool and use it to issue a server certificate. Then they only need the client to trust the self-generated root certificate to establish a TLS connection to the server.
Attached is my own implementation as an example; I hope it helps:
https://github.com/deadblue/letsgo/tree/master/tls
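The HPKP request, the InsecureSkipVerify proposal and this post all come down to the same client-side change. The following Go program is an added example, not code from the planning repo, v2ray-core or the linked letsgo repository: it creates a private root CA, issues a server certificate with it, builds a client tls.Config that trusts only that CA via RootCAs and additionally pins the server's SubjectPublicKeyInfo hash in VerifyPeerCertificate, and exercises both configs over an in-memory pipe. The pin is SHA-256 over the SPKI, the format RFC 7469 defines, rather than the SHA3-512 over the whole certificate proposed earlier; the names used are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewCert issues a P-256 certificate for cn: self-signed when parent is nil
// (a private root when isCA is true), otherwise signed by parent.
func NewCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; a real CA uses a random serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo (RFC 7469 format).
// Pinning the key rather than the certificate survives renewals that keep the key.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ClientConfig trusts only caCert as a root and, after normal chain
// validation, requires the leaf's SPKI pin to equal pin. InsecureSkipVerify
// stays false, so a forged certificate fails before the pin is compared.
func ClientConfig(caCert *x509.Certificate, serverName, pin string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &tls.Config{
		RootCAs:    pool,
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if len(chains) == 0 || len(chains[0]) == 0 { // only reached after RootCAs verification
				return fmt.Errorf("no verified chain")
			}
			if got := SPKIPin(chains[0][0]); got != pin {
				return fmt.Errorf("SPKI pin mismatch: got %s, want %s", got, pin)
			}
			return nil
		},
	}
}

// Handshake runs a TLS handshake over an in-memory pipe and returns the
// client-side error, so the configs can be exercised without a network.
func Handshake(serverCert *x509.Certificate, serverKey *ecdsa.PrivateKey, clientCfg *tls.Config) error {
	c, s := net.Pipe()
	defer s.Close()
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
		SessionTicketsDisabled: true, // keeps the server from writing after the client is done
	}
	done := make(chan struct{})
	go func() { tls.Server(s, srvCfg).Handshake(); close(done) }()
	err := tls.Client(c, clientCfg).Handshake()
	c.Close() // unblocks the server if the client aborted mid-handshake
	<-done
	return err
}

func main() {
	ca, caKey, _ := NewCert("Example Private CA", true, nil, nil)
	leaf, leafKey, _ := NewCert("proxy.example.test", false, ca, caKey)
	fmt.Println("correct pin:", Handshake(leaf, leafKey, ClientConfig(ca, "proxy.example.test", SPKIPin(leaf))))
	fmt.Println("wrong pin:  ", Handshake(leaf, leafKey, ClientConfig(ca, "proxy.example.test", SPKIPin(ca))))
}
```

Two points a practitioner should take from this: VerifyPeerCertificate is only called after the chain verified against RootCAs, so the pin is a second factor rather than a replacement for validation, and the same hook is where the client can log the offending certificate's fingerprint on failure, which is the diagnostic the InsecureSkipVerify post says users currently lack.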
The Shadowsocks obfs plugin uses its own protocol. It would be great if V2Ray had an outbound proxy that talks to the plugin.
It would be nice if v2ray could use real-time compression like lz4 to save some bandwidth.
Currently, if the client time differs from the server time, the server will log the error as "invalid user". It would be better to separate this from a real "invalid user" error, to make it easier for debugging, as well as for writing exclusive rules for log parsers like fail2ban.
This proposal describes a method for a service provider to push server information to its clients.
In some cases the server administrator has no direct control over the clients, for example a relative's phone, or a dedicated service provider. Manually telling users to change their configuration takes too long and hinders server updates.
This proposal provides a secure way for server administrators to notify their users of server changes through automated tools.
Server A must be reachable over HTTPS and have a valid TLS certificate.
The server provides the following API:
GET /api/server/endpoint
(To be continued; no comments until it is finished)
Vultr has been banned by pixiv across the board.
Those slackers say they can't get pixiv to lift the ban.
I haven't been able to collect images from pixiv for months.
I'm dying here.
And chinadns on the router seems to have a problem where enabling it fails every few days.
Now SS is down too.
Basically there's nothing left to hope for on the router.
Shadowsocks decided to add AEAD in SIP004. Any plan to synchronize the changes?
Kitsunebi on iOS uses core and disconnects frequently; the author says memory usage is too high and hopes core can be optimized to use less memory so it suits iOS.
Some ISPs apply QoS to large UDP flows; the symptom is 100% packet loss on the client's uplink while the downlink is normal, yet ping packets still arrive normally.
So I tried running several ping processes sending at 1 ms intervals; after a dozen or so minutes I was still receiving ping replies from the server. My preliminary conclusion is that this ISP does not apply QoS to ICMP echo-reply.
To sum up the advantages of IP packets (ICMP disguise):
References:
After adding a RequestID/TraceID the log might look like the following; the benefit is that all log lines belonging to one proxy request can be filtered out of the log, which is convenient when debugging.
[Info] [b9j4bus6fpbhca5rl4u0]: Proxy|Socks: TCP Connect request to tcp:98.138.4.253:443
[Debug] [b9j4bus6fpbhca5rl4tg]: Proxy|Socks: writing back UDP response with 48 bytes
[Debug] [b9j4bus6fpbhca5rl4sg]: Proxy|Socks: writing back UDP response with 53 bytes
[Info] [b9j4bus6fpbhca5rl4u0]: App|Dispatcher: sniffed domain: analytics.query.yahoo.com
[Info] [b9j4bus6fpbhca5rl4u0]: App|Router: looking for IP for domain: analytics.query.yahoo.com
[Debug] []: App|DNS: add pending request id 54127
[Info] [b9j4bus6fpbhca5rl4u0]: App|DNS: dispatch IP lookup process to another request: [b9j4bus6fpbhca5rl4ug]
[Debug] [b9j4bus6fpbhca5rl4ug]: Transport|Internet|UDP: dispatch request to: udp:8.8.8.8:53
[Info] [b9j4bus6fpbhca5rl4ug]: Transport|Internet|UDP: establishing new connection for udp:8.8.8.8:53
[Info] [b9j4bus6fpbhca5rl4ug]: App|Dispatcher: taking detour [proxy] for [udp:8.8.8.8:53]
[Info] [b9j4bus6fpbhca5rl4ug]: App|Proxyman|Mux: dispatching request to udp:8.8.8.8:53
Since VMess doesn't seem to support multiple ports:
Could a per-user traffic statistics feature be added?
With a shared VPS billed by traffic, it's hard to work out who used how much when everyone uses one port.
Alternatively, add multi-port support, so that on Linux iptables can be used for traffic accounting.
SoftEther VPN has a unique feature called TCP connection aggregation. It mixes multiple physical TCP connections into one logical connection to increase throughput. I think v2ray should implement this feature to improve connection speed.
For now the dynamic port feature can only transfer the settings of another VMess proxy with the same stream settings. This feature can be extended to transfer proxies of any protocol and any stream settings.