
Hysteria2 in sslh-ev #478

Closed
Saleh-Mumtaz opened this issue Nov 25, 2024 · 11 comments

Comments

@Saleh-Mumtaz

Hello,
I am using the ev version as a service, with two listens defined: 443 and 443 is_udp.
I tried the UDP forward from example.cfg (regex pattern hello), anyprot, and anyprot with is_udp.
For all of them, the service status shows "UDP not supported in fork mode (yet?)" twice: once as a white line, the second time in red.
The only protocol which has the fork switch is ssh, the first protocol defined in the protocols section.
I am trying to forward Hysteria2, which is based on UDP; however, it has TLS and obfs features, and I don't understand how it implements them over UDP.

@Saleh-Mumtaz Saleh-Mumtaz changed the title UDP in sslh-ev Hysteria in sslh-ev Nov 25, 2024
@Saleh-Mumtaz Saleh-Mumtaz changed the title Hysteria in sslh-ev Hysteria2 in sslh-ev Nov 25, 2024
@Saleh-Mumtaz
Author

#466 (comment)

That said, if you're not sharing UDP 443 with another protocol, why not simply have your Web server listen on UDP 443, while sslh listens on TCP 443?

@Saleh-Mumtaz
Author

Although it solved my problem, and all services are running on 443, why does it show "UDP not supported in fork mode"? I am using ev; is this some kind of warning?

@yrutschle
Owner

The message "UDP not (yet?) supported in sslh-fork" is printed by sslh-fork, so it shouldn't be possible to see it with sslh-ev. Please report your configuration file and the command line you use to run it...

@Saleh-Mumtaz
Author

Saleh-Mumtaz commented Nov 26, 2024

My sslh-ev compile and install:

After make and then make install, I copied the sslh-ev output to the sslh location.
Service file on my own server:

[Screenshot (2024-11-25): the sslh-ev compile and install commands]

[Unit]
Description=SSL/SSH multiplexer
After=network.target
Documentation=man:sslh(8)

[Service]
User=sslh
RuntimeDirectory=sslh
ExecStart=/usr/sbin/sslh --foreground -n --config /etc/sslh.cfg
PIDFile=/run/sslh/sslh.pid
KillMode=control-group
#Hardening
PrivateTmp=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
SecureBits=noroot-locked
ProtectSystem=strict
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
MountFlags=private
NoNewPrivileges=true
PrivateDevices=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
MemoryDenyWriteExecute=true
DynamicUser=true

[Install]
WantedBy=multi-user.target

Configuration file:

timeout: 2;
pidfile: "/run/sslh/sslh.pid";
# Listen on public port 443 for incoming connections
listen:
(
    { host: "0.0.0.0"; port: "443"; }
);

# Protocol definitions
protocols:
(

    # Forward SSH traffic to the local SSH server on port 22
    { name: "ssh"; host: "127.0.0.1"; port: "22"; keepalive: true; fork: true; tfo_ok: true },

    #MTProto Proxy Fake-TLS
    { name: "tls"; host: "127.0.0.1"; port: "5443"; sni_hostnames: [ "**********.ir" ]; keepalive: true; tfo_ok: true },

    # Forward anything else to XRAY
    { name: "anyprot"; host: "127.0.0.1"; port: "4443"; }
);


Also, I wanted to know: if I move keepalive: true; tfo_ok: true to the TCP 443 listen and remove them from the protocols, would they apply to all connections on TCP 443?

@Saleh-Mumtaz
Author

@yrutschle Should I close this issue?

@yrutschle
Owner

Not unless it's solved :-)

I wanted to know: if I move keepalive: true; tfo_ok: true to the TCP 443 listen and remove them from the protocols, would they apply to all connections on TCP 443?

No. keepalive can be set for each listen protocol AND each target protocol (as shown in example.cfg). I suppose we could have a global option, but it would create empty traffic in many situations where it's not necessary, as usually you only want it when going through an annoying firewall. tfo_ok is necessarily on the client side; I am not sure what happens when using TFO on a server that does not support it, but it could be investigated.

For the rest, I am a bit confused. Literally, the "UDP not supported" string is in sslh-fork.c, and not included in my sslh-ev binary:

$ strings sslh-ev | grep "UDP" 
timed out UDP %d
received %ld UDP from %d:%s
UDP probed: %d
At least one UDP target protocol must be specified.
Out of hash space for new incoming UDP connection -- increase udp_max_connections
UDP hash size: %d
Wireguard works only with UDP
Number of concurrent UDP connections
IPPROTO_UDP
IPPROTO_UDPLITE

@Saleh-Mumtaz
Author

If it is there, and not in fork, then either I am running sslh-fork, or I compiled ev the wrong way. I explained what I did for compiling in the link I provided before.
For the first possibility, I used -V, which gave sslh-ev; for the second, only you can determine whether I did it wrong or not.
I can give you the IP, port, and user/pass of the server. I turned off sslh, but all files and system service files are available.
The server is under high load because of the public xray config.
SSH has no problem, but it's better to use it at 3 AM Iran/Tehran time, when server usage drops significantly.

@yrutschle
Owner

yrutschle commented Dec 7, 2024

The only potential flaw I see here is that, depending on $PATH, your call to sslh -V might catch a binary that is not /usr/sbin/sslh. That still would not explain the issue, as the systemd file uses the same absolute path as the cp you use to install.

I suppose you can try to investigate:

  • which sslh to check which binary is picked up
  • Something to check the state of $PATH in the systemd environment rather than your root environment (something that can trick people in crontabs)
  • Maybe also check strings /usr/sbin/sslh, and/or in the systemd file:
    ExecStart=/usr/sbin/sslh -V > /tmp/sslhver ; strings /usr/sbin/sslh >> /tmp/sslhver ; /usr/sbin/sslh --foreground -n --config /etc/sslh.cfg to check the assumptions...
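The checks above, as an added example script (not part of sslh and not from this thread's participants): it reads the executable out of `ExecStart=`, tests whether that file carries the sslh-fork UDP refusal message the maintainer quotes, and compares it with the binary your shell's `$PATH` resolves to, so that `sslh -V` in a shell and what systemd actually runs are known to be the same file. The unit path and the `$PATH` binary are passed as arguments; the fork message string and the use of `grep -a` instead of `strings` are this example's assumptions.

```shell
#!/bin/sh
# Added example (not sslh project code). Verifies which sslh variant a systemd
# unit will launch and whether it matches the binary found on $PATH.

# String the maintainer quotes from sslh-fork.c (assumption: exact text).
FORK_UDP_MSG='UDP not (yet?) supported in sslh-fork'

# Print "fork" if the binary embeds the fork-only UDP refusal, "other" if not.
# grep -a scans the binary directly so the script works without binutils.
sslh_variant() {
    [ -r "$1" ] || { echo missing; return 0; }
    if grep -aqF "$FORK_UDP_MSG" "$1"; then echo fork; else echo other; fi
}

# First token after ExecStart= in a unit file (the absolute program path).
execstart_bin() {
    sed -n 's/^ExecStart=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# 0 when both paths hold byte-identical contents, 1 otherwise.
same_binary() {
    cmp -s "$1" "$2"
}

# Full check. Returns 0 when the unit's binary is not sslh-fork and is the same
# file your shell resolves; 1 when either assumption fails; 2 on a bad unit.
check_deploy() {
    unit=$1; path_bin=$2
    bin=$(execstart_bin "$unit")
    [ -n "$bin" ] || { echo "no ExecStart= in $unit"; return 2; }
    v=$(sslh_variant "$bin")
    echo "ExecStart binary: $bin ($v)"
    echo "PATH binary:      $path_bin ($(sslh_variant "$path_bin"))"
    if [ "$v" = fork ]; then
        echo "unit runs sslh-fork: is_udp listeners will be refused"; return 1
    fi
    if ! same_binary "$bin" "$path_bin"; then
        echo "binaries differ: 'sslh -V' in your shell does not describe what systemd runs"
        return 1
    fi
    echo ok
}

# Usage: ./check-sslh.sh /etc/systemd/system/sslh.service "$(command -v sslh)"
if [ "$#" -ge 2 ]; then check_deploy "$1" "$2"; fi
```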

@Saleh-Mumtaz
Author

Found the problem: cp did not replace the sslh in /usr/sbin; sslh-ev was in /usr/local/sbin as sslh. I rm'd the sslh in /usr/sbin and cp'd the ev binary from /usr/local/sbin to it.

timeout: 2;
pidfile: "/run/sslh/sslh.pid";
# Listen on public port 443 for incoming connections
listen:
(
    { host: "0.0.0.0"; port: "4943"; },

    { host: "0.0.0.0"; is_udp: true; port: "4943"; }
);

# Protocol definitions
protocols:
(

    # Forward SSH traffic to the local SSH server on port 2789
    { name: "ssh"; host: "127.0.0.1"; port: "922"; keepalive: true; fork: true; tfo_ok: true },

    #MTProto Proxy
    { name: "tls"; host: "127.0.0.1"; port: "9443"; sni_hostnames: [ "anten.ir" ]; keepalive: true; tfo_ok: true },

    # Forward HTTPS (TLS) traffic to Xray on localhost:4443
    { name: "tls"; host: "127.0.0.1"; port: "42443"; sni_hostnames: [ "*****", "www.google.com" ]; keepalive: true; tfo_ok: true },

    # Forward anything else to XRAY
    { name: "anyprot"; host: "127.0.0.1"; is_udp: true; port: "42442"; }
);


@yrutschle
Owner

Sometimes the best of us commit the oldest mistakes in the book... :-)

@Saleh-Mumtaz
Author

Saleh-Mumtaz commented Dec 10, 2024

I know the issue is closed, and I read the docs once, but I don't remember exactly; ev is for large setups. But does ev perform better than fork in all scenarios?
