中文 README

Hysteria is a set of relay & proxy utilities that are specifically optimized for harsh network environments (commonly seen in connecting to overseas servers from China). It's based on a modified version of the QUIC protocol, and can be considered a sequel to my previous (abandoned) project https://github.com/dragonite-network/dragonite-java

(See the advanced usage section for the exact meaning of each argument)

Server:

./cmd_linux_amd64 proxy server -listen :36712 -cert example.crt -key example.key -obfs BlueberryFaygo

A TLS certificate (not necessarily issued by a trusted CA) is required on the server side. If you are using a self-issued certificate, use -ca to specify your own CA file on clients, or -insecure to ignore all certificate errors (not recommended)

Client:

./cmd_linux_amd64 proxy client -server example.com:36712 -socks5-addr localhost:1080 -up-mbps 10 -down-mbps 50 -obfs BlueberryFaygo

This will start a SOCKS5 proxy server on the client's localhost TCP 1080 available for use by other programs.

In addition to SOCKS5, it also supports HTTP proxy (-http-addr & -http-timeout). Both modes can be turned on simultaneously on different ports.

-up-mbps 10 -down-mbps 50 tells the server that your bandwidth is 50 Mbps down, 10 Mbps up. Properly setting the client's upload and download speeds based on your network conditions is essential for it to work at optimal performance!

Suppose you have a TCP program on your server at localhost:8080 that you want to forward.

Server:

./cmd_linux_amd64 relay server -listen :36712 -remote localhost:8080 -cert example.crt -key example.key

Client:

./cmd_linux_amd64 relay client -server example.com:36712 -listen localhost:8080 -up-mbps 10 -down-mbps 50

All connections to client's localhost TCP 8080 will pass through the relay and connect to the server's localhost:8080

Some users may attempt to forward other encrypted proxy protocols such as Shadowsocks with relay. While this totally works, it's not optimal from a performance standpoint - our protocol itself uses TLS, considering that the proxy protocols being forwarded are also encrypted, and the fact that users mainly use them for HTTPS connections nowadays, you are essentially doing triple encryption. If you need a proxy, use our proxy mode.

Proxy Client: Guangzhou, China Mobile Broadband 100 Mbps

Proxy Server: AWS US West Oregon (us-west-2)

The command line program supports loading configurations from both JSON files and arguments. Use -config to specify a JSON file. Config loaded from it can also be overwritten or extended with command line arguments.

Supports TCP (CONNECT) and UDP (ASSOCIATE) commands. BIND is not supported and is not planned to be supported.

ACL File Format

Proxy supports username and password authentication (sent encrypted with TLS). If the server starts with an authentication file, it will check for the existence of the corresponding username and password in this file when each user connects. A valid authentication file is a text file with a pair of username and password per line (separated by a space). Example:

admin K2MfcwyZNJy3
shady_hacker smokeweed420

This line is invalid and will be ignored

Changes to the file take effect immediately while the server is running.

To prevent firewalls from potentially detecting & blocking the protocol, a simple XOR-based packet obfuscation mechanism has been built in. Note that clients and servers with different obfuscation settings are not be able to communicate at all.

By default, the program outputs DEBUG level, text format logs via stdout.

To change the logging level, set LOGGING_LEVEL environment variable, which supports panic, fatal, error, warn, info, debug, trace

To print JSON instead, set LOGGING_FORMATTER to json

To change the logging timestamp format, set LOGGING_TIMESTAMP_FORMAT