Oat_Milky


hysteria2 Protocol Server Configuration File Record

The main circumvention proxy I currently use is hysteria2, which has been running stably for over a month, and the server-side configuration file has been refined step by step as my needs changed. Overall, deploying the hysteria2 protocol on a VPS is fairly simple: there are many introductory videos about the protocol on YouTube, and the official documentation explains each part of the configuration file clearly. This article records some of my own custom configuration.

Note 1: This article mainly records additions to my current configuration file and parts of the tutorial. For detailed tutorials, search for them yourself or refer to the official configuration documentation: https://v2.hysteria.network/zh/docs/advanced/Full-Server-Config/

Note 2: The latest version of hysteria at the time of publication is 2.5.0

Basic Configuration#

# Listening port, can be modified, default is 443
listen: :443

# Self-signed certificate
tls:
  cert: /etc/hysteria/server.crt
  key: /etc/hysteria/server.key

# Acquire certificate through acme dns
acme:
  domains:
    - "*.example.com"
  email: your@email.address
  type: dns
  dns:
    name: cloudflare
    config:
      cloudflare_api_token: your token

# Authentication method
auth:
  type: password
  password: 123456 # Set authentication password, pay attention to password strength

# Disguise method
masquerade:
  type: proxy
  proxy:
    url: https://bing.com # Disguise URL
    rewriteHost: true

Either a self-signed certificate or a CA-issued certificate can serve as the server certificate, but only one of the two may appear in the configuration file. Choose the method that fits your situation and delete the other from the configuration file to complete the basic server configuration.

Self-signed method#

Generate a self-signed certificate with the following command (the <( ... ) process substitution requires bash):

openssl req -x509 -nodes -newkey ec:<(openssl ecparam -name prime256v1) -keyout /etc/hysteria/server.key -out /etc/hysteria/server.crt -subj "/CN=bing.com" -days 36500 && sudo chown hysteria /etc/hysteria/server.key && sudo chown hysteria /etc/hysteria/server.crt

Complete configuration file:

listen: :443

tls:
  cert: /etc/hysteria/server.crt
  key: /etc/hysteria/server.key

auth:
  type: password
  password: fdsgfdgfrty63

masquerade:
  type: proxy
  proxy:
    url: https://bing.com
    rewriteHost: true

CA certificate#

You can obtain a CA certificate through the ACME DNS challenge, provided you own a domain name. The DNS provider I chose is cloudflare. The complete configuration is as follows:

listen: :443

acme:
  domains:
    - "xxx.xxxxxxxx.xxx"
  email: xxxxxxxx@xxx.xxx
  type: dns
  dns:
    name: cloudflare
    config:
      cloudflare_api_token: hSxxxxxOlxxxxxxxn8U9-pxxxxxxw7

auth:
  type: password
  password: sldkjfdsnduhf

masquerade:
  type: proxy
  proxy:
    url: https://bing.com
    rewriteHost: true

How to obtain cloudflare_api_token:

  1. First log in to your personal cloudflare account
  2. Go to the personal profile page https://dash.cloudflare.com/profile
  3. Create an API token, use the Edit Zone DNS template, and obtain the API token

Outbound Rules#

Hysteria2 supports three types of outbound: direct, socks5, and http.


In general, no outbound configuration is needed. However, if your server's IP cannot reach certain websites normally, you can combine warp's socks5 proxy with the ACL function in hysteria2 to split outbound traffic between the two.

You can refer to the following content for the part in the configuration file:

outbounds:
  - name: warp
    type: socks5
    socks5:
      addr: 127.0.0.1:40000

acl:
  inline:
   - warp(geosite:google)
   - direct(all)

First, I started the warp socks5 proxy on port 40000 on the server, then declared an outbound named "warp" in the outbounds section. With that in place, adding - warp(xxxx) to the acl section, in the format described in the documentation, sends the matching traffic out through the warp proxy, while - direct(all) sends all remaining traffic out directly.

Protocol Sniffing#

This feature was added in the latest version, 2.5.0, and it solved the problem that the outbound rules in my earlier server configuration did not take effect. The reference configuration from the official documentation is as follows; you can modify the ports:

sniff:
  enable: true
  timeout: 2s
  rewriteDomain: false
  tcpPorts: 80,443,8000-9000
  udpPorts: all
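As an added example (not code from the original post or from the hysteria project), the checker below sanity-checks a server config against the constraints this article states before it is deployed: only one of tls/acme may be present, the auth password should not be weak, every ACL rule must route to a declared outbound (direct is built in), and the sniff port lists must parse. It takes the config as the nested dict that PyYAML's safe_load() would return, so the embedded sample is a constructed dict mirroring the post's YAML with placeholder secrets; the 16-character minimum is an assumed policy, since the post only says to pay attention to password strength.

```python
import re

# Constructed sample mirroring the post's CA-certificate, outbound/ACL and sniff sections.
SAMPLE_CONFIG = {
    "listen": ":443",
    "acme": {"domains": ["xxx.example.com"], "email": "user@example.com", "type": "dns",
             "dns": {"name": "cloudflare", "config": {"cloudflare_api_token": "PLACEHOLDER"}}},
    "auth": {"type": "password", "password": "sldkjfdsnduhf"},
    "masquerade": {"type": "proxy", "proxy": {"url": "https://bing.com", "rewriteHost": True}},
    "outbounds": [{"name": "warp", "type": "socks5", "socks5": {"addr": "127.0.0.1:40000"}}],
    "acl": {"inline": ["warp(geosite:google)", "direct(all)"]},
    "sniff": {"enable": True, "timeout": "2s", "rewriteDomain": False,
              "tcpPorts": "80,443,8000-9000", "udpPorts": "all"},
}

MIN_PASSWORD_LEN = 16           # assumed policy; the post only says "pay attention to strength"
BUILTIN_OUTBOUNDS = {"direct"}  # used as direct(all) in the post without being declared
ACL_RULE = re.compile(r"^(\w+)\((.+)\)$")   # name(condition), e.g. warp(geosite:google)

def port_spec_ok(spec):
    """True for 'all' or a comma-separated list of ports/ranges like 80,443,8000-9000."""
    if spec == "all":
        return True
    for item in str(spec).split(","):
        lo, _, hi = item.partition("-")
        if not lo.isdigit() or (hi and not hi.isdigit()):
            return False
        if not 1 <= int(lo) <= int(hi or lo) <= 65535:
            return False
    return True

def check_config(cfg):
    """Return a list of problems; an empty list means the config passed every check."""
    problems = []
    if ("tls" in cfg) == ("acme" in cfg):       # the post: only one certificate source at a time
        problems.append("exactly one of tls/acme must be configured")
    auth = cfg.get("auth", {})
    if auth.get("type") == "password" and len(str(auth.get("password", ""))) < MIN_PASSWORD_LEN:
        problems.append(f"auth.password is shorter than {MIN_PASSWORD_LEN} characters")
    known = BUILTIN_OUTBOUNDS | {o["name"] for o in cfg.get("outbounds", [])}
    for rule in cfg.get("acl", {}).get("inline", []):
        m = ACL_RULE.match(rule)
        if not m:
            problems.append(f"malformed ACL rule: {rule!r}")
        elif m.group(1) not in known:              # rule routes to an outbound that does not exist
            problems.append(f"ACL rule {rule!r} uses undeclared outbound {m.group(1)!r}")
    for key in ("tcpPorts", "udpPorts"):
        spec = cfg.get("sniff", {}).get(key)
        if spec is not None and not port_spec_ok(spec):
            problems.append(f"sniff.{key} has an invalid port spec: {spec!r}")
    return problems
```

Run check_config() on the loaded config; the sample above yields a single finding because its 13-character password is below the assumed minimum.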

Summary#

This is my first time writing this kind of blog post, and there are already many related tutorials, so this article is just a record and sharing of the functions I have used personally. There are still many functions that can be configured, and I will keep updating this article as new versions are released and as my own usage experience grows.
