Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Transport plugin with websocket #139

Closed
madeye opened this issue Jan 7, 2019 · 29 comments
Closed

Transport plugin with websocket #139

madeye opened this issue Jan 7, 2019 · 29 comments

Comments

@madeye
Copy link
Contributor

madeye commented Jan 7, 2019

I tried https://github.com/erebe/wstunnel as a transport plugin recently. By tunneling shadowsocks traffic on websocket and accelerated by CDN, the performance looks quite good.

If anyone interested, a new plugin (written in golang is preferred) with websocket (https://github.com/gorilla/websocket) is welcome.

@Mygod
Copy link
Contributor

Mygod commented Jan 7, 2019

Hmmm, I think connection reuse would be very useful (and more realistic to actual WebSockets IMO) here, especially if considering having CDN. I took a quick look and I don't think any of these implements this feature.

@VictoriaRaymond
Copy link

Why don't you guys even take a look at V2Ray?

@madeye
Copy link
Contributor Author

madeye commented Jan 7, 2019

@VictoriaRaymond Yeah, I knew V2Ray can do this. But it makes no sense to use V2Ray as a plugin of shadowsocks. 😸

@VictoriaRaymond
Copy link

It is possible to run V2Ray in transport mode (i.e., without proxy protocol involved) as a plugin. It can tunnel for example socks <-> websocket, and can do connection reuse as suggested. I am not aware of any other existing software that provides similar functionalities.

@madeye
Copy link
Contributor Author

madeye commented Jan 8, 2019

Okay, it may be not a bad idea to employ v2ray as a transport plugin.

@VictoriaRaymond Any config example for "TCP over websocket" relay?

Tried it locally and worked as expected.

@VictoriaRaymond
Copy link

As a reference, here is a minimum config to run V2Ray as plugin, with mux enabled, and without proxy protocol.

It has the following restrictions:

  • V2Ray is not aware of environment variables defined by ss. It has to run as a standalone plugin.
  • Mux may be enabled on client for connection reuse. In this case, the dokodemo-door on server side must point traffic to v1.mux.cool.
Client config:
{
    "log": {
        // Log level, one of "debug", "info", "warning", "error", "none"
        "loglevel": "info"
      },
    "inbounds": [{
        // port for listening connections from ss
        "port": 9999,
        "listen": "127.0.0.1",
        "protocol": "dokodemo-door",
        "settings": {
            "address": "127.0.0.1",
            "network": "tcp"
        }
    }],
    "outbounds": [{
        "protocol": "freedom",
        "settings": {
            // v2ray server address
            "redirect": "<server_ip>:8888"
        },
        "streamSettings": {
            "network": "ws",
            "wsSettings": {
                // WebSocket path. Must match between client and server.
                "path": "/test",
                "headers": {
                    // Customizable headers.
                    "Host": "v2ray.com"
                }
            }
        },
        "mux": {
            // For connection reuse.
            "enabled": true
        }
    }]
}
Server config:
{
    "log": {
        // Log level, one of "debug", "info", "warning", "error", "none"
        "loglevel": "info"
      },
    "inbounds": [{
        // V2Ray server port.
        "port": 8888,
        "listen": "0.0.0.0",
        "protocol": "dokodemo-door",
        "settings": {
            // This address is required when mux is used on client.
            // dokodemo-door is not aware of mux connections by itself.
            // Change this value to 127.0.0.1 if mux is disabled.
            "address": "v1.mux.cool",
            "network": "tcp"
        },
        "streamSettings": {
            "network": "ws",
            "wsSettings": {
                // WebSocket path
                "path": "/test",
                "headers": {
                    "Host": "v2ray.com"
                }
            }
        }
    }],
    "outbounds": [{
        "protocol": "freedom",
        "settings": {
            // ss server address
            "redirect": "127.0.0.1:7777"
        }
    }]
}

@madeye
Copy link
Contributor Author

madeye commented Jan 9, 2019

Cool!

Just follow @VictoriaRaymond's config and build a SIP003 plugin here: https://github.com/madeye/v2ray-plugin

@madeye
Copy link
Contributor Author

madeye commented Jan 10, 2019

It looks weird that I saw too many open files error, though I enabled mux in the config file and verified mux works with tcpdump.

2019/01/10 01:17:04 http: Accept error: accept tcp [::]:80: accept4: too many open files; retrying in 1s

@VictoriaRaymond Any idea?

@madeye
Copy link
Contributor Author

madeye commented Jan 10, 2019

@VictoriaRaymond It looks v2ray cannot close spider or port scanner's HTTP connections correctly.

~# ss -lp -t -a | grep v2ray | wc -l
255

~# ss -lp -t -a | grep v2ray | head -n 20
ESTAB         0           0                              127.0.0.1:35672                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=235))
ESTAB         0           0                              127.0.0.1:35640                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=230))
ESTAB         0           0                              127.0.0.1:35660                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=248))
ESTAB         0           0                              127.0.0.1:34664                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=222))
ESTAB         0           0                              127.0.0.1:32822                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=135))
ESTAB         0           0                              127.0.0.1:35644                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=241))
ESTAB         0           0                              127.0.0.1:34576                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=209))
ESTAB         0           0                              127.0.0.1:35676                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=14))
ESTAB         0           0                              127.0.0.1:35680                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=224))
LISTEN        0           4096                                   *:http                                   *:*       users:(("v2ray-plugin",pid=11210,fd=3))
ESTAB         0           0                 [::ffff:139.x.x.x]:http             [::ffff:203.78.117.119]:32984   users:(("v2ray-plugin",pid=11210,fd=162))
ESTAB         0           0                 [::ffff:139.x.x.x]:http                [::ffff:37.98.34.79]:55386   users:(("v2ray-plugin",pid=11210,fd=38))
ESTAB         0           0                 [::ffff:139.x.x.x]:http              [::ffff:5.208.229.112]:53698   users:(("v2ray-plugin",pid=11210,fd=264))
ESTAB         0           0                 [::ffff:139.x.x.x]:http             [::ffff:91.133.205.152]:24163   users:(("v2ray-plugin",pid=11210,fd=140))
ESTAB         0           0                 [::ffff:139.x.x.x]:http              [::ffff:5.114.175.252]:18932   users:(("v2ray-plugin",pid=11210,fd=216))
ESTAB         0           0                 [::ffff:139.x.x.x]:http                [::ffff:46.51.88.96]:39544   users:(("v2ray-plugin",pid=11210,fd=211))
ESTAB         0           0                 [::ffff:139.x.x.x]:http            [::ffff:151.235.110.172]:50025   users:(("v2ray-plugin",pid=11210,fd=127))
ESTAB         0           0                 [::ffff:139.x.x.x]:http                [::ffff:5.124.133.9]:48279   users:(("v2ray-plugin",pid=11210,fd=115))
ESTAB         0           0                 [::ffff:139.x.x.x]:http             [::ffff:39.128.207.177]:17342   users:(("v2ray-plugin",pid=11210,fd=13))
ESTAB         0           0                 [::ffff:139.x.x.x]:http            [::ffff:188.159.242.112]:1523    users:(("v2ray-plugin",pid=11210,fd=160))

@VictoriaRaymond
Copy link

There are several timeout settings in your scenarion:

  1. Insufficient HTTP header: infinite net/http: make default configs have better timeouts golang/go#24138
  2. Complete HTTP header, but not WebSocket: connections will be closed immediately
  3. Complete WebSocket header: 8 sec until handshake is done
  4. Full WebSocket handshake: 300 seconds (connIdle) in dokodemo-door, as it doesn't have handshake phase.
  5. After upstream server closes connection: 1 second

I guess you are hitting either case 1 or 4. I will fix case 1 soon.

@madeye
Copy link
Contributor Author

madeye commented Jan 10, 2019

Yeah, it looks related to case 1. Looking forward to the fix.

@VictoriaRaymond
Copy link

Case 1 is fixed in v2ray/v2ray-core@6146366

@Mygod
Copy link
Contributor

Mygod commented Jan 10, 2019

So I guess we are officially collaborating with @v2ray now? Very cool. 🤣 I'm very excited to give the new plugin a spin, especially QUIC and TLS. I will probably do it a few days later when I get the time to do so.

Reading the docs, I'm confused by the obfuscation type in QUIC transport. Isn't QUIC transport supposed to mimic the traffic of QUIC? How does it mimic other types of traffic at the same time? Also why is there a key field in QuicObject? Isn't Diffie-Hellman (or similar key exchange protocol) used to generate a fresh key for every connection for forward security?

@VictoriaRaymond
Copy link

  1. Obfuscation is mainly for QoS. It is possible an ISP treats one kind of UDP traffic nicer than another.
  2. The extra encryption is to prevent Quic traffic being sniff'ed. The SNI attack in TLS 1.2 is still possible. Until the standard is finalized and SNI is protected by Quic protocol, this is an easy way to deal with SNI attack.

Both settings are optional btw. You may use pure Quic by leaving both settings unset.

@Mygod

This comment has been minimized.

@VictoriaRaymond

This comment has been minimized.

@Mygod

This comment has been minimized.

@VictoriaRaymond

This comment has been minimized.

@Mygod
Copy link
Contributor

Mygod commented Jan 10, 2019

Alright, sorry about having been off-topic. I hided the off-topic comments (this is a great feature) and moved the discussions (my points at least) to v2ray/discussion. Anyway, I'll check this v2ray-plugin sometime. Good work, everyone. 😅

@madeye
Copy link
Contributor Author

madeye commented Jan 11, 2019

Just add a new Android plugin here: https://github.com/madeye/v2ray-plugin-android

@madeye
Copy link
Contributor Author

madeye commented Jan 14, 2019

I think we can close this now.

@madeye madeye closed this as completed Jan 14, 2019
@Mygod
Copy link
Contributor

Mygod commented Jan 14, 2019

Can we also deprecate simple-obfs (meaning add a notice and archive simple-obfs and simple-obfs-android) as well? That code is quite an eyesore. For anyone that's interested, failover can be implemented at HTTP server side using something like proxy.

@madeye
Copy link
Contributor Author

madeye commented Jan 14, 2019

Yes, we should deprecate simple-obfs.

Maybe v2ray already do failover with some configs.

@Mygod
Copy link
Contributor

Mygod commented Jan 14, 2019

Hmmm, I don't think so.

@VictoriaRaymond
Copy link

Don't know what failover is. Assuming the plugin would tunnel traffic to another endpoint, if it is not a valid ss traffic.

V2Ray doesn't have such functionality. Instead, V2Ray relies on a Web server (caddy for example, as mentioned by @Mygod ) to filter out invalid requests.

There is a feature request for this.

@madeye
Copy link
Contributor Author

madeye commented Jan 15, 2019

Given the typical usage of this plugin is with a CDN, the failover feature is not a must-have here.

Just enable the CDN's URL overwrite feature and routing default path to some "common" website.

@Mygod
Copy link
Contributor

Mygod commented Jan 15, 2019

Well just in case my point wasn't clear, I meant to say there is no need to include failover feature in v2ray-plugin. 😅

@Mygod
Copy link
Contributor

Mygod commented Jan 15, 2019

Here's a basic example of setting it up behind caddy just in case. v2ray-plugin options:

  • fast-open;host=example.shadowsocks.org;path=/video;tls
  • fast-open;host=example.shadowsocks.org;path=/video;server
https://example.shadowsocks.org {
 root /var/www/html/
 log access.log
 tls {
  dns cloudflare
 }

 proxy /video http://localhost:1984 {
  websocket
  transparent
 }
}

Note that server operates in HTTP mode and client in TLS.

@UjuiUjuMandan
Copy link

@madeye

Yes, we should deprecate simple-obfs.

Sorry for late, but what about Session Ticket obfuscation? V2Ray never implemented it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants