tobyxdd / Hysteria
Projects that are alternatives of or similar to Hysteria
Hysteria is a set of relay & proxy utilities that are specifically optimized for harsh network environments (commonly seen in connecting to overseas servers from China). It's based on a modified version of the QUIC protocol, and can be considered a sequel to my previous (abandoned) project https://github.com/dragonite-network/dragonite-java
Quick Start
(See the advanced usage section for the exact meaning of each argument)
Proxy
Server:
./cmd_linux_amd64 proxy server -listen :36712 -cert example.crt -key example.key -obfs BlueberryFaygo
A TLS certificate (not necessarily issued by a trusted CA) is required on the server side. If you are using a self-issued certificate, use -ca to specify your own CA file on clients, or -insecure to ignore all certificate errors (not recommended)
Client:
./cmd_linux_amd64 proxy client -server example.com:36712 -socks5-addr localhost:1080 -up-mbps 10 -down-mbps 50 -obfs BlueberryFaygo
This will start a SOCKS5 proxy server on the client's localhost TCP 1080 available for use by other programs.
In addition to SOCKS5, it also supports HTTP proxy (-http-addr & -http-timeout). Both modes can be turned on simultaneously on different ports.
-up-mbps 10 -down-mbps 50 tells the server that your bandwidth is 50 Mbps down, 10 Mbps up. Properly setting the client's upload and download speeds based on your network conditions is essential for it to work at optimal performance!
Relay
Suppose you have a TCP program on your server at localhost:8080 that you want to forward.
Server:
./cmd_linux_amd64 relay server -listen :36712 -remote localhost:8080 -cert example.crt -key example.key
Client:
./cmd_linux_amd64 relay client -server example.com:36712 -listen localhost:8080 -up-mbps 10 -down-mbps 50
All connections to client's localhost TCP 8080 will pass through the relay and connect to the server's localhost:8080
Some users may attempt to forward other encrypted proxy protocols such as Shadowsocks with relay. While this totally works, it's not optimal from a performance standpoint - our protocol itself uses TLS, considering that the proxy protocols being forwarded are also encrypted, and the fact that users mainly use them for HTTPS connections nowadays, you are essentially doing triple encryption. If you need a proxy, use our proxy mode.
Comparison
Proxy Client: Guangzhou, China Mobile Broadband 100 Mbps
Proxy Server: AWS US West Oregon (us-west-2)
Advanced usage
The command line program supports loading configurations from both JSON files and arguments. Use -config to specify a JSON file. Config loaded from it can also be overwritten or extended with command line arguments.
Proxy server
| Description | JSON config field | CLI argument |
|---|---|---|
| Server listen address | listen | -listen |
| Disable UDP support | disable_udp | -disable-udp |
| Access control list | acl | -acl |
| TLS certificate file | cert | -cert |
| TLS key file | key | -key |
| Authentication file | auth | -auth |
| Max upload speed per client in Mbps | up_mbps | -up-mbps |
| Max download speed per client in Mbps | down_mbps | -down-mbps |
| Max receive window size per connection | recv_window_conn | -recv-window-conn |
| Max receive window size per client | recv_window_client | -recv-window-client |
| Max simultaneous connections allowed per client | max_conn_client | -max-conn-client |
| Obfuscation key | obfs | -obfs |
Proxy client
| Description | JSON config field | CLI argument |
|---|---|---|
| SOCKS5 listen address | socks5_addr | -socks5-addr |
| SOCKS5 connection timeout in seconds | socks5_timeout | -socks5-timeout |
| Disable SOCKS5 UDP support | socks5_disable_udp | -socks5-disable-udp |
| SOCKS5 auth username | socks5_user | -socks5-user |
| SOCKS5 auth password | socks5_password | -socks5-password |
| HTTP listen address | http_addr | -http-addr |
| HTTP connection timeout in seconds | http_timeout | -http-timeout |
| HTTP basic auth username | http_user | -http-user |
| HTTP basic auth password | http_password | -http-password |
| HTTPS certificate file | https_cert | -http-cert |
| HTTPS key file | https_key | -http-key |
| Access control list | acl | -acl |
| Server address | server | -server |
| Authentication username | username | -username |
| Authentication password | password | -password |
| Ignore TLS certificate errors | insecure | -insecure |
| Specify a trusted CA file | ca | -ca |
| Upload speed in Mbps | up_mbps | -up-mbps |
| Download speed in Mbps | down_mbps | -down-mbps |
| Max receive window size per connection | recv_window_conn | -recv-window-conn |
| Max receive window size | recv_window | -recv-window |
| Obfuscation key | obfs | -obfs |
About SOCKS5
Supports TCP (CONNECT) and UDP (ASSOCIATE) commands. BIND is not supported and is not planned to be supported.
About ACL
About proxy authentication
Proxy supports username and password authentication (sent encrypted with TLS). If the server starts with an authentication file, it will check for the existence of the corresponding username and password in this file when each user connects. A valid authentication file is a text file with a pair of username and password per line (separated by a space). Example:
admin K2MfcwyZNJy3
shady_hacker smokeweed420
This line is invalid and will be ignored
Changes to the file take effect immediately while the server is running.
About obfuscation
To prevent firewalls from potentially detecting & blocking the protocol, a simple XOR-based packet obfuscation mechanism has been built in. Note that clients and servers with different obfuscation settings are not be able to communicate at all.
Relay server
| Description | JSON config field | CLI argument |
|---|---|---|
| Server listen address | listen | -listen |
| Remote relay address | remote | -remote |
| TLS certificate file | cert | -cert |
| TLS key file | key | -key |
| Max upload speed per client in Mbps | up_mbps | -up-mbps |
| Max download speed per client in Mbps | down_mbps | -down-mbps |
| Max receive window size per connection | recv_window_conn | -recv-window-conn |
| Max receive window size per client | recv_window_client | -recv-window-client |
| Max simultaneous connections allowed per client | max_conn_client | -max-conn-client |
| Obfuscation key | obfs | -obfs |
Relay client
| Description | JSON config field | CLI argument |
|---|---|---|
| TCP listen address | listen | -listen |
| Server address | server | -server |
| Client name presented to the server | name | -name |
| Ignore TLS certificate errors | insecure | -insecure |
| Specify a trusted CA file | ca | -ca |
| Upload speed in Mbps | up_mbps | -up-mbps |
| Download speed in Mbps | down_mbps | -down-mbps |
| Max receive window size per connection | recv_window_conn | -recv-window-conn |
| Max receive window size | recv_window | -recv-window |
| Obfuscation key | obfs | -obfs |
Logs
By default, the program outputs DEBUG level, text format logs via stdout.
To change the logging level, set LOGGING_LEVEL environment variable, which supports panic, fatal, error, warn, info, debug, trace
To print JSON instead, set LOGGING_FORMATTER to json
To change the logging timestamp format, set LOGGING_TIMESTAMP_FORMAT