Transport plugin with websocket

[madeye]

I tried https://github.com/erebe/wstunnel as a transport plugin recently. By tunneling shadowsocks traffic on websocket and accelerated by CDN, the performance looks quite good.

If anyone interested, a new plugin (written in golang is preferred) with websocket (https://github.com/gorilla/websocket) is welcome.

[Mygod]

Hmmm, I think connection reuse would be very useful (and more realistic to actual WebSockets IMO) here, especially if considering having CDN. I took a quick look and I don't think any of these implements this feature.

[VictoriaRaymond]

Why don't you guys even take a look at V2Ray?

[madeye]

@VictoriaRaymond Yeah, I knew V2Ray can do this. But it makes no sense to use V2Ray as a plugin of shadowsocks. 😸

[VictoriaRaymond]

It is possible to run V2Ray in transport mode (i.e., without proxy protocol involved) as a plugin. It can tunnel for example socks <-> websocket, and can do connection reuse as suggested. I am not aware of any other existing software that provides similar functionalities.

[madeye]

Okay, it may be not a bad idea to employ v2ray as a transport plugin.

@VictoriaRaymond Any config example for "TCP over websocket" relay?

Tried it locally and worked as expected.

[VictoriaRaymond]

As a reference, here is a minimum config to run V2Ray as plugin, with mux enabled, and without proxy protocol.

It has the following restrictions:

• V2Ray is not aware of environment variables defined by ss. It has to run as a standalone plugin.
• Mux may be enabled on client for connection reuse. In this case, the dokodemo-door on server side must point traffic to v1.mux.cool.

Client config:

{
    "log": {
        // Log level, one of "debug", "info", "warning", "error", "none"
        "loglevel": "info"
      },
    "inbounds": [{
        // port for listening connections from ss
        "port": 9999,
        "listen": "127.0.0.1",
        "protocol": "dokodemo-door",
        "settings": {
            "address": "127.0.0.1",
            "network": "tcp"
        }
    }],
    "outbounds": [{
        "protocol": "freedom",
        "settings": {
            // v2ray server address
            "redirect": "<server_ip>:8888"
        },
        "streamSettings": {
            "network": "ws",
            "wsSettings": {
                // WebSocket path. Must match between client and server.
                "path": "/test",
                "headers": {
                    // Customizable headers.
                    "Host": "v2ray.com"
                }
            }
        },
        "mux": {
            // For connection reuse.
            "enabled": true
        }
    }]
}

Server config:

{
    "log": {
        // Log level, one of "debug", "info", "warning", "error", "none"
        "loglevel": "info"
      },
    "inbounds": [{
        // V2Ray server port.
        "port": 8888,
        "listen": "0.0.0.0",
        "protocol": "dokodemo-door",
        "settings": {
            // This address is required when mux is used on client.
            // dokodemo-door is not aware of mux connections by itself.
            // Change this value to 127.0.0.1 if mux is disabled.
            "address": "v1.mux.cool",
            "network": "tcp"
        },
        "streamSettings": {
            "network": "ws",
            "wsSettings": {
                // WebSocket path
                "path": "/test",
                "headers": {
                    "Host": "v2ray.com"
                }
            }
        }
    }],
    "outbounds": [{
        "protocol": "freedom",
        "settings": {
            // ss server address
            "redirect": "127.0.0.1:7777"
        }
    }]
}

[madeye]

Cool!

Just follow @VictoriaRaymond's config and build a SIP003 plugin here: https://github.com/madeye/v2ray-plugin

[madeye]

It looks weird that I saw too many open files error, though I enabled mux in the config file and verified mux works with tcpdump.

2019/01/10 01:17:04 http: Accept error: accept tcp [::]:80: accept4: too many open files; retrying in 1s

@VictoriaRaymond Any idea?

[madeye]

@VictoriaRaymond It looks v2ray cannot close spider or port scanner's HTTP connections correctly.

~# ss -lp -t -a | grep v2ray | wc -l
255

~# ss -lp -t -a | grep v2ray | head -n 20
ESTAB         0           0                              127.0.0.1:35672                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=235))
ESTAB         0           0                              127.0.0.1:35640                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=230))
ESTAB         0           0                              127.0.0.1:35660                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=248))
ESTAB         0           0                              127.0.0.1:34664                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=222))
ESTAB         0           0                              127.0.0.1:32822                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=135))
ESTAB         0           0                              127.0.0.1:35644                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=241))
ESTAB         0           0                              127.0.0.1:34576                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=209))
ESTAB         0           0                              127.0.0.1:35676                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=14))
ESTAB         0           0                              127.0.0.1:35680                          127.0.0.1:44045   users:(("v2ray-plugin",pid=11210,fd=224))
LISTEN        0           4096                                   *:http                                   *:*       users:(("v2ray-plugin",pid=11210,fd=3))
ESTAB         0           0                 [::ffff:139.x.x.x]:http             [::ffff:203.78.117.119]:32984   users:(("v2ray-plugin",pid=11210,fd=162))
ESTAB         0           0                 [::ffff:139.x.x.x]:http                [::ffff:37.98.34.79]:55386   users:(("v2ray-plugin",pid=11210,fd=38))
ESTAB         0           0                 [::ffff:139.x.x.x]:http              [::ffff:5.208.229.112]:53698   users:(("v2ray-plugin",pid=11210,fd=264))
ESTAB         0           0                 [::ffff:139.x.x.x]:http             [::ffff:91.133.205.152]:24163   users:(("v2ray-plugin",pid=11210,fd=140))
ESTAB         0           0                 [::ffff:139.x.x.x]:http              [::ffff:5.114.175.252]:18932   users:(("v2ray-plugin",pid=11210,fd=216))
ESTAB         0           0                 [::ffff:139.x.x.x]:http                [::ffff:46.51.88.96]:39544   users:(("v2ray-plugin",pid=11210,fd=211))
ESTAB         0           0                 [::ffff:139.x.x.x]:http            [::ffff:151.235.110.172]:50025   users:(("v2ray-plugin",pid=11210,fd=127))
ESTAB         0           0                 [::ffff:139.x.x.x]:http                [::ffff:5.124.133.9]:48279   users:(("v2ray-plugin",pid=11210,fd=115))
ESTAB         0           0                 [::ffff:139.x.x.x]:http             [::ffff:39.128.207.177]:17342   users:(("v2ray-plugin",pid=11210,fd=13))
ESTAB         0           0                 [::ffff:139.x.x.x]:http            [::ffff:188.159.242.112]:1523    users:(("v2ray-plugin",pid=11210,fd=160))

[VictoriaRaymond]

There are several timeout settings in your scenarion:

1. Insufficient HTTP header: infinite net/http: make default configs have better timeouts golang/go#24138
2. Complete HTTP header, but not WebSocket: connections will be closed immediately
3. Complete WebSocket header: 8 sec until handshake is done
4. Full WebSocket handshake: 300 seconds (connIdle) in dokodemo-door, as it doesn't have handshake phase.
5. After upstream server closes connection: 1 second

I guess you are hitting either case 1 or 4. I will fix case 1 soon.

[madeye]

Yeah, it looks related to case 1. Looking forward to the fix.

[VictoriaRaymond]

Case 1 is fixed in v2ray/v2ray-core@6146366

[Mygod]

So I guess we are officially collaborating with @v2ray now? Very cool. 🤣 I'm very excited to give the new plugin a spin, especially QUIC and TLS. I will probably do it a few days later when I get the time to do so.

Reading the docs, I'm confused by the obfuscation type in QUIC transport. Isn't QUIC transport supposed to mimic the traffic of QUIC? How does it mimic other types of traffic at the same time? Also why is there a key field in QuicObject? Isn't Diffie-Hellman (or similar key exchange protocol) used to generate a fresh key for every connection for forward security?

[VictoriaRaymond]

1. Obfuscation is mainly for QoS. It is possible an ISP treats one kind of UDP traffic nicer than another.
2. The extra encryption is to prevent Quic traffic being sniff'ed. The SNI attack in TLS 1.2 is still possible. Until the standard is finalized and SNI is protected by Quic protocol, this is an easy way to deal with SNI attack.

Both settings are optional btw. You may use pure Quic by leaving both settings unset.

[Mygod]

Alright, sorry about having been off-topic. I hided the off-topic comments (this is a great feature) and moved the discussions (my points at least) to v2ray/discussion. Anyway, I'll check this v2ray-plugin sometime. Good work, everyone. 😅

[madeye]

Just add a new Android plugin here: https://github.com/madeye/v2ray-plugin-android

[madeye]

I think we can close this now.

[Mygod]

Can we also deprecate simple-obfs (meaning add a notice and archive simple-obfs and simple-obfs-android) as well? That code is quite an eyesore. For anyone that's interested, failover can be implemented at HTTP server side using something like proxy.

[madeye]

Yes, we should deprecate simple-obfs.

Maybe v2ray already do failover with some configs.

[Mygod]

Hmmm, I don't think so.

[VictoriaRaymond]

Don't know what failover is. Assuming the plugin would tunnel traffic to another endpoint, if it is not a valid ss traffic.

V2Ray doesn't have such functionality. Instead, V2Ray relies on a Web server (caddy for example, as mentioned by @Mygod ) to filter out invalid requests.

There is a feature request for this.

[madeye]

Given the typical usage of this plugin is with a CDN, the failover feature is not a must-have here.

Just enable the CDN's URL overwrite feature and routing default path to some "common" website.

[Mygod]

Well just in case my point wasn't clear, I meant to say there is no need to include failover feature in v2ray-plugin. 😅

[Mygod]

Here's a basic example of setting it up behind caddy just in case. v2ray-plugin options:

• fast-open;host=example.shadowsocks.org;path=/video;tls
• fast-open;host=example.shadowsocks.org;path=/video;server

https://example.shadowsocks.org {
 root /var/www/html/
 log access.log
 tls {
  dns cloudflare
 }

 proxy /video http://localhost:1984 {
  websocket
  transparent
 }
}

Note that server operates in HTTP mode and client in TLS.

[UjuiUjuMandan]

@madeye

Yes, we should deprecate simple-obfs.

Sorry for late, but what about Session Ticket obfuscation? V2Ray never implemented it.