From b4f9588c899ba5290eaa9deb4f5c4e56b715b852 Mon Sep 17 00:00:00 2001
From: Evgeny Nerush
Date: Thu, 9 Nov 2023 12:35:40 +0300
Subject: [PATCH] replace grpc by xtls

---
 ex.sh | 58 +++++-----
 ...lient.json => template_config_client.jsonc | 65 ++++++------
 template_config_server.json | 88 ---------------
 template_config_server.jsonc | 100 ++++++++++++++++++
 4 files changed, 163 insertions(+), 148 deletions(-)
 rename template_config_client.json => template_config_client.jsonc (54%)
 delete mode 100644 template_config_server.json
 create mode 100644 template_config_server.jsonc

diff --git a/ex.sh b/ex.sh
index 493a69e..47581e1 100755
--- a/ex.sh
+++ b/ex.sh
@@ -7,6 +7,19 @@ green='\033[0;32m'
 yellow='\033[0;33m'
 normal='\033[0m'
 
+# strip lines with comments from jsonC
+jsonc2json () {
+ if [ ! -v $1 ]
+ then
+ filename=$1
+ cat $filename | grep -v \/\/
+ else
+ echo "${red}jsonc2json: no argument is given${red}"
+ exit 1
+ fi
+}
+
+
 export PATH=$PATH:/usr/local/bin/ # for sudo user this can be not in PATH
 if command -v xray > /dev/null
 then
@@ -111,15 +124,16 @@ containing only digits 0-9 and letters a-f, for instance
 fi
 fi
 echo -e "${bold}Choose a fake site to mimic.${normal}
-It is better if it is hosted by your VPS provider
-or is in the same country. Better if it is popular.
-(1) www.yahoo.com (default)
+Better if it is: hosted by your VPS provider,
+in the same country, it is popular,
+and have only ports 80 (http) and 443 (https) open
+(can check with `nmap -T4 hostname`)
+(1) www.youtube.com (default)
 (2) www.microsoft.com
 (3) www.google.com
-(4) www.nvidia.com
-(5) www.amd.com
-(6) www.samsung.com
-(7) your variant"
+(4) www.bing.com
+(5) www.yahoo.com
+(6) your variant"
 read number
 if [ ! -v $number ]
 then
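Review bot: `jsonc2json` strips every line that contains `//` anywhere (`grep -v \/\/`), so a template value such as `"address": "https://..."` or any future end-of-line comment would be silently dropped and hand jq malformed JSON; anchoring the pattern to lines that start with a comment, `grep -v '^[[:space:]]*//' "$1"`, removes only the whole-line comments the templates actually use. The argument check `[ ! -v $1 ]` tests whether a shell variable named after the file exists, which works only by accident; `[ $# -ge 1 ]` is what is meant. The error branch resets colour with `${red}` instead of `${normal}` and uses plain `echo` where the rest of the file uses `echo -e`, and because the function is used on the left side of a pipe, its `exit 1` only ends that subshell — jq still runs on empty input; `return 1` here plus `set -o pipefail` (or a `PIPESTATUS` check) at the call sites makes the failure visible.
```shell
# strip whole-line // comments from a jsonc file (templates keep comments on their own lines)
jsonc2json () {
    if [ $# -lt 1 ] || [ ! -r "$1" ]
    then
        echo -e "${red}jsonc2json: no readable file given${normal}" >&2
        return 1
    fi
    grep -v '^[[:space:]]*//' "$1"
}
```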
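Review bot: The rewritten guidance for choosing the site to mimic omits the property REALITY actually depends on — as far as I recall the upstream REALITY README asks for a target that serves TLS 1.3 with HTTP/2 and is not fronted by a shared CDN — while the only check it suggests is to port-scan a third-party host with `nmap -T4`, which many providers treat as abuse and which says nothing about the TLS handshake. I would replace the `(can check with ...)` line with something like `(must serve TLS 1.3 + h2; check with: openssl s_client -connect host:443 -tls1_3 -alpn h2)`; please confirm the exact requirements against the REALITY documentation before changing the text. The `if`/`then` block this `echo` lives in begins before the hunk.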
@@ -131,26 +145,23 @@ or is in the same country. Better if it is popular.
 fake_site="www.google.com"
 elif [ $number -eq 4 ]
 then
- fake_site="www.nvidia.com"
+ fake_site="www.bing.com"
 elif [ $number -eq 5 ]
 then
- fake_site="www.amd.com"
+ fake_site="www.yahoo.com"
 elif [ $number -eq 6 ]
- then
- fake_site="www.samsung.com"
- elif [ $number -eq 7 ]
 then
 echo -e "type your variant:"
 read fake_site
 if [ -v $fake_site ]
 then
- fake_site="www.yahoo.com"
+ fake_site="www.youtube.com"
 fi
 else
- fake_site="www.yahoo.com"
+ fake_site="www.youtube.com"
 fi
 else
- fake_site="www.yahoo.com"
+ fake_site="www.youtube.com"
 fi
 echo -e "${green}mimic ${fake_site}${normal}"
 email="love@xray.com"
@@ -158,7 +169,7 @@ or is in the same country. Better if it is popular.
 {
 \"id\": \"${id}\",
 \"email\": \"${email}\",
- \"flow\": \"\"
+ \"flow\": \"xtls-rprx-vision\"
 }
 ]"
 serverRealitySettings=" {
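Review bot: The new default `www.youtube.com` in the "your variant" branch is applied by `if [ -v $fake_site ]`, which tests whether a shell variable named by the user's input exists rather than whether the input is empty; as far as I can tell it works for an empty answer only because `[ -v ]` with no operand is true, and an answer containing spaces makes `[` error out so the unvalidated text is kept. `fake_site` is later spliced unescaped into the jq program (`\"serverName\": \"${fake_site}\"` in the next hunk), so a stray quote or backslash breaks the generated config. Use `if [ -z "$fake_site" ]` and reject anything that is not a hostname, e.g. `[[ $fake_site =~ ^[A-Za-z0-9.-]+$ ]] || fake_site="www.youtube.com"`. The `if`/`elif` chain this hunk edits begins before the hunk.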
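Review bot: The literal `xtls-rprx-vision` is now hand-copied into three places in this script (the server `clients` entry here, the `vnext` users entry in the next hunk, and the add-user path) and must also agree with both templates; a single `flow="xtls-rprx-vision"` defined next to `email` and referenced as `\"flow\": \"${flow}\"` keeps server and client from drifting, since a mismatch only shows up as a failed connection. The `clients` JSON built here is pasted as text into the jq program in the next hunk; passing it as `jq --argjson clients "$clients" '.inbounds[].settings.clients=$clients'` would let jq validate it instead of trusting the quoting. The `clients=` assignment begins before the hunk.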
@@ -170,35 +181,32 @@ or is in the same country. Better if it is popular. \"shortIds\": [ \"${short_id}\" ] }" # make server config - cat template_config_server.json | jq ".inbounds[].settings.clients=${clients} | .inbounds[].streamSettings.realitySettings=${serverRealitySettings}" > config_server.json + jsonc2json template_config_server.jsonc | jq ".inbounds[].settings.clients=${clients} | .inbounds[].streamSettings.realitySettings=${serverRealitySettings}" > config_server.json # then make the user (not root) an owner of a file [[ $SUDO_USER ]] && chown "$SUDO_USER:$SUDO_USER" config_server.json vnext=" [ { \"address\": \"${address}\", - \"port\": 50051, + \"port\": 443, \"users\": [ { \"id\": \"${id}\", - \"alterId\": 0, \"email\": \"${email}\", - \"security\": \"auto\", \"encryption\": \"none\", - \"flow\": \"\" + \"flow\": \"xtls-rprx-vision\" } ] } ]" clientRealitySettings=" { - \"serverName\": \"${fake_site}\", \"fingerprint\": \"chrome\", + \"serverName\": \"${fake_site}\", \"show\": false, \"publicKey\": \"${public_key}\", \"shortId\": \"${short_id}\", - \"spiderX\": \"\" }" # make main client config - cat template_config_client.json | jq ".outbounds |= map(if .settings.vnext then .settings.vnext=${vnext} else . end) | .outbounds |= map(if .streamSettings.realitySettings then .streamSettings.realitySettings=${clientRealitySettings} else . end)" > config_client.json + jsonc2json template_config_client.jsonc | jq ".outbounds |= map(if .settings.vnext then .settings.vnext=${vnext} else . end) | .outbounds |= map(if .streamSettings.realitySettings then .streamSettings.realitySettings=${clientRealitySettings} else . end)" > config_client.json # then make the user (not root) an owner of a file [[ $SUDO_USER ]] && chown "$SUDO_USER:$SUDO_USER" config_client.json fi 
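Review bot: `config_server.json` now carries the REALITY `privateKey` and every client UUID, yet the new `jsonc2json ... | jq ... > config_server.json` line creates it under root's default umask (typically world-readable) and then hands it to `$SUDO_USER`; add `chmod 600 config_server.json` next to the chown, and the same for `config_client.json`, which holds the UUID and public key. Nothing checks that the pipeline succeeded: `jsonc2json` can only exit its own subshell, and a jq parse error (for instance after the comment stripper removes a template line that merely contains `//`) leaves a truncated or empty file that is then chowned as if it were valid — `set -o pipefail` at the top of the script, or `[ -s config_server.json ]` before the chown, would surface that. The `if` block containing these lines starts before the hunk.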
@@ -277,7 +285,7 @@ containing only digits 0-9 and letters a-f, for instance
 {
 \"id\": \"${id}\",
 \"email\": \"${username}@example.com\",
- \"flow\": \"\"
+ \"flow\": \"xtls-rprx-vision\"
 }
 "
 cp config_server.json config_server.json.backup
diff --git a/template_config_client.json b/template_config_client.jsonc
similarity index 54%
rename from template_config_client.json
rename to template_config_client.jsonc
index 6952ca5..2edd213 100644
--- a/template_config_client.json
+++ b/template_config_client.jsonc
@@ -1,3 +1,5 @@
+// This config is based on
+// https://github.com/XTLS/Xray-examples/blob/main/VLESS-TCP-XTLS-Vision-REALITY/REALITY.ENG.md
 {
 "log": {
 "access": "none",
@@ -5,24 +7,25 @@
 "loglevel": "warning",
 "dnsLog": false
 },
+ // client-side inbound configuration
 "inbounds": [
 {
 "tag": "socks",
 "port": 800,
 "listen": "127.0.0.1",
 "protocol": "socks",
+ // used to make transparent proxies, see https://xtls.github.io/en/config/inbound.html#sniffingobject
 "sniffing": {
 "enabled": true,
 "destOverride": [
 "http",
 "tls"
- ],
- "routeOnly": false
+ ]
 },
+ // settings of inbound `protocol` (see above)
 "settings": {
 "auth": "noauth",
- "udp": true,
- "allowTransparent": false
+ "udp": true
 }
 },
 {
@@ -30,6 +33,7 @@
 "port": 801,
 "listen": "127.0.0.1",
 "protocol": "http",
+ // used to make transparent proxies, see https://xtls.github.io/en/config/inbound.html#sniffingobject
 "sniffing": {
 "enabled": true,
 "destOverride": [
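Review bot: The new header comment should state the constraint the `.jsonc` format has in this project: `ex.sh` converts these files with `grep -v \/\/`, which deletes any line containing `//` wherever it appears, so comments must sit on their own line and no string value (URLs included) may contain `//`. I would add after the two new lines: `// NOTE: ex.sh strips every line containing "//" -- keep comments on their own line and never put "//" inside a value.` Without it the next person who writes `"port": 443, // ...` silently breaks the generated config.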
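Review bot: The comment `// used to make transparent proxies` added above `sniffing` does not describe the block it sits on: with `destOverride`, xray sniffs the HTTP Host / TLS SNI of a connection and replaces the destination with that domain so routing rules can match on names — it is not a transparent-proxy feature (that was the `allowTransparent` key this hunk removes). Suggest `// sniff HTTP Host / TLS SNI and use it as the destination so routing rules see domains, not IPs`, and the same wording for the copy added on the http inbound. Note also that `routeOnly` is dropped from the socks inbound here but, per the context in the next hunk, still present on the http inbound; the two inbounds should be kept consistent.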
@@ -38,75 +42,66 @@
 ],
 "routeOnly": false
 },
+ // settings of inbound `protocol` (see above)
 "settings": {
 "auth": "noauth",
- "udp": true,
- "allowTransparent": false
+ "udp": true
 }
 }
 ],
+ // client-side outbound configuration
 "outbounds": [
 {
 "tag": "proxy",
 "protocol": "vless",
+ // VLESS settings
 "settings": {
 "vnext": [
 {
+ // IPv4 or IPv6 address of your xray server, or its domain name
 "address": "server_address",
- "port": 50051,
+ "port": 443,
 "users": [
 {
+ // should match server side
 "id": "client_id",
- "alterId": 0,
 "email": "client_email",
- "security": "auto",
 "encryption": "none",
- "flow": ""
+ "flow": "xtls-rprx-vision"
 }
 ]
 }
 ]
 },
+ // settings of transport protocol, https://xtls.github.io/en/config/transport.html#streamsettingsobject
 "streamSettings": {
- "network": "grpc",
+ "network": "tcp",
+ // transport layer encription, xtls + fallback
 "security": "reality",
 "realitySettings": {
- "serverName": "www.yahoo.com",
+ // tls client hello fingerprint; here client appears as chrome to websites
 "fingerprint": "chrome",
+ // fake server name which client is attempting to connect in the TLS handshake
+ "serverName": "www.youtube.com",
+ // optional; if true, outputs debug information
 "show": false,
+ // paired with privateKey from server config
 "publicKey": "public_key",
- "shortId": "short_id",
- "spiderX": ""
- },
- "grpcSettings": {
- "serviceName": "",
- "multiMode": false,
- "idle_timeout": 60,
- "health_check_timeout": 20,
- "permit_without_stream": false,
- "initial_windows_size": 0
+ // user short id
+ "shortId": "short_id"
 }
- },
- "mux": {
- "enabled": false,
- "concurrency": -1
 }
 },
 {
+ // this outbound is to guide traffic to local sites not through the server
+ // but directly from the client; `tag` is just a label of oubound
 "tag": "direct",
 "protocol": "freedom",
 "settings": {}
- },
- {
- "tag": "block",
- "protocol": "blackhole",
- "settings": {
- "response": {
- "type": "http"
- }
- }
 }
 ],
+ // Forward each inbound connections to corresponding `outboundTag`. If no rules match,
+ // the traffic is sent out by the first outbound in `outbounds` section.
 "routing": {
 "domainStrategy": "AsIs",
 "rules": [
diff --git a/template_config_server.json b/template_config_server.json
deleted file mode 100644
index 4856916..0000000
--- a/template_config_server.json
+++ /dev/null
@@ -1,88 +0,0 @@
-{
- "log": {
- "access": "none",
- "error": "",
- "loglevel": "warning",
- "dnsLog": false
- },
- "routing": {
- "domainStrategy": "IPIfNonMatch",
- "rules": [
- {
- "type": "field",
- "port": "80",
- "network": "udp",
- "outboundTag": "block"
- },
- {
- "type": "field",
- "ip": [
- "geoip:private"
- ],
- "outboundTag": "block"
- }
- ]
- },
- "inbounds": [
- {
- "listen": "0.0.0.0",
- "port": 50051,
- "protocol": "vless",
- "settings": {
- "clients": [
- {
- "id": "client_id",
- "email": "client_email",
- "flow": ""
- }
- ],
- "decryption": "none"
- },
- "streamSettings": {
- "network": "grpc",
- "security": "reality",
- "realitySettings": {
- "show": false,
- "dest": "www.yahoo.com:443",
- "xver": 0,
- "serverNames": [
- "www.yahoo.com"
- ],
- "privateKey": "private_key",
- "shortIds": [
- "short_id"
- ]
- },
- "grpcSettings": {
- "serviceName": ""
- }
- },
- "sniffing": {
- "enabled": true,
- "destOverride": [
- "http",
- "tls",
- "quic"
- ]
- }
- }
- ],
- "outbounds": [
- {
- "protocol": "freedom",
- "tag": "direct"
- },
- {
- "protocol": "blackhole",
- "tag": "block"
- }
- ],
- "policy": {
- "levels": {
- "0": {
- "handshake": 2,
- "connIdle": 120
- }
- }
- }
-}
diff --git a/template_config_server.jsonc b/template_config_server.jsonc
new file mode 100644
index 0000000..8a0ca64
--- /dev/null
+++ b/template_config_server.jsonc
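Review bot: This hunk removes the `block` blackhole outbound from the client, but the `routing.rules` that follow `"rules": [` are outside the hunk; if any of them still use `"outboundTag": "block"` the config now references a tag that no longer exists, so that list needs checking in the same change. Two of the new comments would mislead the next reader: `fingerprint` shapes the TLS ClientHello the proxy sends to your own server (a uTLS imitation of Chrome) rather than making the client "appear as chrome to websites", so say `// uTLS ClientHello fingerprint used for the handshake with the xray server`; and `// transport layer encription, xtls + fallback` has a typo and conflates things — `security: "reality"` selects REALITY for the TLS layer, while `dest` forwarding is a server-side concern — so `// REALITY: TLS handshake mimics serverName; see realitySettings` is closer. The `outbounds` array begins before the hunk.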
@@ -0,0 +1,100 @@
+// This config is based on
+// https://github.com/XTLS/Xray-examples/blob/main/VLESS-TCP-XTLS-Vision-REALITY/REALITY.ENG.md
+{
+ "log": {
+ "access": "none",
+ "error": "",
+ "loglevel": "warning",
+ "dnsLog": false
+ },
+ // Forward each inbound connections to corresponding `outboundTag`. If no rules match,
+ // the traffic is sent out by the first outbound in `outbounds` section.
+ "routing": {
+ "domainStrategy": "IPIfNonMatch",
+ "rules": [
+ {
+ "type": "field",
+ "port": "80",
+ "network": "udp",
+ "outboundTag": "block"
+ },
+ {
+ "type": "field",
+ "ip": [
+ // localhost connections
+ "geoip:private"
+ ],
+ "outboundTag": "block"
+ }
+ ]
+ },
+ // server-side inbound configuration
+ "inbounds": [
+ {
+ "listen": "0.0.0.0",
+ "port": 443,
+ "protocol": "vless",
+ // VLESS settings
+ "settings": {
+ "clients": [
+ {
+ // can be generated with `xray uuid`
+ "id": "client_id",
+ // some email; appears in logs
+ "email": "client_email",
+ // Optional; if specified, clients must enable XTLS.
+ // XTLS is Xray's original technology, which doesn't encrypt TLS traffic (which is already encrypted),
+ // providing outstanding performance and no fingerprints of double-encrypted TLS.
+ // XTLS has the same security as TLS.
+ // https://xtls.github.io/en/config/transport.html#streamsettingsobject
+ "flow": "xtls-rprx-vision"
+ }
+ ],
+ "decryption": "none"
+ },
+ // settings of transport protocol, https://xtls.github.io/en/config/transport.html#streamsettingsobject
+ "streamSettings": {
+ "network": "tcp",
+ "security": "reality",
+ // REALITY fallback options; see also https://xtls.github.io/en/config/features/fallback.html
+ "realitySettings": {
+ // optional; if true, outputs debug information
+ "show": false,
+ // with failed authentication VLESS will forward traffic to this address
+ "dest": "www.youtube.com:443",
+ "xver": 0,
+ // required; list of server names which client can provide to the server during the handshake
+ "serverNames": [
+ "www.youtube.com"
+ ],
+ // required; generate with `xray x25519`; use paired publicKey in client configs
+ "privateKey": "private_key",
+ "shortIds": [
+ // required, list of shortIds available to clients, can be used to distinguish different clients
+ "short_id"
+ ]
+ }
+ },
+ // used to make transparent proxies, see https://xtls.github.io/en/config/inbound.html#sniffingobject
+ "sniffing": {
+ "enabled": true,
+ "destOverride": [
+ "http",
+ "tls",
+ "quic"
+ ]
+ }
+ }
+ ],
+ // server-side outbound configuration
+ "outbounds": [
+ {
+ "protocol": "freedom",
+ "tag": "direct"
+ },
+ {
+ "protocol": "blackhole",
+ "tag": "block"
+ }
+ ]
+}
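Review bot: The comment `// localhost connections` over `geoip:private` undersells a security rule: I believe that category covers loopback, link-local and the RFC 1918 ranges, and this rule is what stops an authenticated client from using the server as a pivot into the VPS's own network (neighbouring hosts, metadata endpoints); say `// block loopback, link-local and private (RFC 1918) ranges so clients cannot reach the server's internal network`. `// REALITY fallback options` is a misnomer as well — `dest` is where REALITY hands off handshakes that fail authentication, which is distinct from the VLESS `fallbacks` feature the linked page describes — and `// used to make transparent proxies` on `sniffing` should describe Host/SNI sniffing with `destOverride` instead. The new template also drops the `policy.levels.0` block (`handshake: 2`, `connIdle: 120`) that the deleted file had, so xray's defaults now apply; if that is intentional, one line saying so would save the next reader a diff.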