Counter QoS Blocking & Throttling Hysteria2 Port Hopping Configuration

Updated on October 9, 2023#

  • Added IPV6 settings

UDP Throttling#

All three major mainland operators throttle UDP traffic, or at least subject it to QoS, and in some cases block it outright. I initially assumed that southern China Unicom was more lenient, but it turned out to be no different. What I ran into was outright blocking: after roughly three minutes of sustained downloading or other heavy traffic the connection was cut, and it came back a few minutes later. These restrictions are usually applied to an individual port rather than to the whole host, which is what port hopping exploits: the client keeps moving its UDP flow to a new destination port before the per-port throttle kicks in. This article shows how to set up Hysteria2 port hopping to work around operator blocking and throttling.


Setting up Hysteria 2#

For setting up the Hysteria2 node itself, see the earlier post "Hysteria2 & VLESS-gRPC-uTLS-REALITY Comparison Test"; the rest of this article assumes the server is already installed and running as the hysteria user.


Implementing Port Hopping with Iptables#

According to the Hysteria documentation, the server cannot listen on a port range, so the range notation that the client uses (host:20000-50000) cannot be used as the server's listen address. The recommended approach is iptables DNAT: a rule in the nat table's PREROUTING chain rewrites the destination port of every UDP packet in the range to the real listening port before the packet is routed to the local socket. Connection tracking remembers the translation and rewrites the replies back, so the client sees responses come from whichever port it sent to and never notices the mapping.

The walkthrough below uses my own Hysteria 2 setup: the server listens on UDP port 5353, and clients hop across ports 20000-50000, which DNAT maps back to 5353. Choose a range that no other UDP service on the server needs, because every port in it gets redirected.

Install iptables-persistent#

apt install iptables-persistent

Answer Yes to both prompts (save the current IPv4 rules, save the current IPv6 rules). The package installs the netfilter-persistent service, which restores the saved rules at boot.


IPV4 Settings#

# Flush all rules in the filter table and delete any user-defined chains
iptables -F
iptables -X
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow SSH (default 22). If sshd listens elsewhere, change this before the DROP policy below is set, or you will lock yourself out
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP / HTTPS: with the domain-name config, Hysteria answers the ACME HTTP-01 / TLS-ALPN-01 challenges on these ports
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow the Hysteria listening port (replace 5353 with your listening port)
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
# Allow the hop range 20000-50000. Strictly speaking this rule is redundant: the nat PREROUTING DNAT below rewrites the destination port to 5353 before the packet reaches INPUT, so INPUT only ever sees 5353. It is harmless and keeps the range visible in the listing
iptables -A INPUT -p udp --dport 20000:50000 -j ACCEPT
# Allow replies to connections this host initiated
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop everything else inbound (set last, once the ACCEPT rules above are in place)
iptables -P INPUT DROP
# Allow all outbound traffic
iptables -P OUTPUT ACCEPT
# List the rules (-n skips the reverse DNS lookups that otherwise make the listing slow)
iptables -nL

Note that inbound ICMP is dropped as well, so ping to the server and ICMP-based Path MTU Discovery will not work; add an ACCEPT for -p icmp before the DROP policy if you need them.

Redirect UDP packets with destination ports 20000-50000 to port 5353 on this host. This is a nat-table PREROUTING rule, so it is applied before routing and before the filter rules above; connection tracking records the translation and undoes it on the replies.

iptables -t nat -A PREROUTING -p udp --dport 20000:50000 -j DNAT --to-destination :5353
# View NAT rules with line numbers (the numbers are what -D uses to delete a rule)
iptables -t nat -nL --line-numbers


IPV6 Settings#

# Flush all rules in the IPv6 filter table and delete any user-defined chains
ip6tables -F
ip6tables -X
# Allow loopback traffic
ip6tables -A INPUT -i lo -j ACCEPT
# Allow ICMPv6. Unlike IPv4, IPv6 does not work without it: Neighbor Discovery (the IPv6 counterpart of ARP) and Path MTU Discovery are ICMPv6, so with the DROP policy below and no such rule the host loses IPv6 connectivity altogether
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# Allow SSH (default 22)
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP / HTTPS (ACME challenges when the domain-name config is used)
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow the Hysteria listening port (replace 5353 with your listening port)
ip6tables -A INPUT -p udp --dport 5353 -j ACCEPT
# Allow the hop range 20000-50000. Redundant once the DNAT below is in place, since INPUT then only sees port 5353, but harmless
ip6tables -A INPUT -p udp --dport 20000:50000 -j ACCEPT
# Allow replies to connections this host initiated
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop everything else inbound
ip6tables -P INPUT DROP
# Allow all outbound traffic
ip6tables -P OUTPUT ACCEPT
# List the rules
ip6tables -nL

Redirect UDP packets with destination ports 20000-50000 to port 5353 on this host (the IPv6 nat table needs kernel NAT support for IPv6, which every current distribution kernel has):

ip6tables -t nat -A PREROUTING -p udp --dport 20000:50000 -j DNAT --to-destination :5353
# View NAT rules with line numbers
ip6tables -t nat -nL --line-numbers
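The same rule set, generated instead of typed: this is an added example, not code from the original post or from the Hysteria project. It emits the firewall and DNAT rules for either address family in iptables-restore format, which is the format netfilter-persistent stores in /etc/iptables/rules.v4 and rules.v6, validates the result with --test before loading it, and refuses non-numeric, out-of-range or inverted ports. It deliberately departs from the rules above in four places, each explained in a comment: ICMP and ICMPv6 are allowed, the FORWARD chain is closed, conntrack state is checked before the port rules, and the hop range is not opened in INPUT because DNAT has already rewritten the destination port by the time INPUT sees the packet. The SSH port defaults to 22 and is an assumption; override it with SSH_PORT.

```shell
#!/bin/sh
# Added example; not from the original post or the Hysteria project.
# Generates the post's firewall + DNAT rule set in iptables-restore format so
# /etc/iptables/rules.v4 and rules.v6 come from three parameters instead of
# being typed rule by rule. Port numbers are the post's values when run as in
# the usage line at the bottom. Assumption: sshd listens on 22 unless the
# SSH_PORT environment variable says otherwise.

# hy_rules FAMILY LISTEN_PORT HOP_LO HOP_HI -> rule file on stdout; returns 2 on bad input
hy_rules() {
    fam=$1; listen=$2; lo=$3; hi=$4
    ssh_port=${SSH_PORT:-22}

    for p in "$listen" "$lo" "$hi" "$ssh_port"; do
        case $p in
            ''|*[!0-9]*) echo "hy_rules: port '$p' is not a number" >&2; return 2 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] ||
            { echo "hy_rules: port $p out of range" >&2; return 2; }
    done
    [ "$lo" -lt "$hi" ] || { echo "hy_rules: hop range $lo-$hi is empty" >&2; return 2; }
    case $fam in
        4) icmp=icmp ;;
        6) icmp=ipv6-icmp ;;
        *) echo "hy_rules: family must be 4 or 6" >&2; return 2 ;;
    esac

    # Lines starting with # are ignored by iptables-restore.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# State check first: the bulk of packets belong to existing flows
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP for PMTUD; for IPv6 this is mandatory (Neighbor Discovery is ICMPv6)
-A INPUT -p $icmp -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
# 80/443: ACME HTTP-01 / TLS-ALPN-01 challenges when the domain-name config is used
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Only the real listen port: DNAT has already rewritten $lo-$hi to $listen
-A INPUT -p udp --dport $listen -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport $lo:$hi -j DNAT --to-destination :$listen
COMMIT
EOF
}

# hy_apply LISTEN_PORT HOP_LO HOP_HI: validate both rule sets, load them, then
# save them where netfilter-persistent expects them. Needs root.
hy_apply() {
    t4=$(mktemp) && t6=$(mktemp) || return 1
    hy_rules 4 "$@" > "$t4" && hy_rules 6 "$@" > "$t6" &&
    iptables-restore --test "$t4" && ip6tables-restore --test "$t6" &&
    iptables-restore "$t4" && ip6tables-restore "$t6" &&
    mv "$t4" /etc/iptables/rules.v4 && mv "$t6" /etc/iptables/rules.v6
}

# Usage: sh hy-rules.sh 5353 20000 50000          (preview the IPv4 file)
#        sudo sh hy-rules.sh apply 5353 20000 50000
case $1 in
    apply) shift; hy_apply "$@" ;;
    ?*)    hy_rules 4 "$@" ;;
esac
```

Because hy_apply loads the files with iptables-restore, the whole rule set is swapped atomically: there is no moment, as with a sequence of iptables -A commands, when the policy is DROP but the SSH rule is not yet in place.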

Save iptables rules#

netfilter-persistent save

This writes the current IPv4 and IPv6 rule sets to /etc/iptables/rules.v4 and /etc/iptables/rules.v6, which netfilter-persistent reloads at boot. Run it again after every change, otherwise the change is gone at the next reboot.

If you make a mistake, the following commands remove or replace individual rules.

Delete iptables rules#

Delete one NAT rule by its line number (as shown by iptables -t nat -nL --line-numbers):

iptables -t nat -D PREROUTING <line number>

Delete all NAT rules:

iptables -t nat -F
# Flush all rules in the filter table. The chain policies are kept, so if INPUT is still DROP this leaves no ACCEPT rules at all and cuts an SSH session; set the INPUT policy to ACCEPT first when working remotely
sudo ip6tables -F

# Flush only the INPUT chain
sudo ip6tables -F INPUT

# Delete the first rule in the INPUT chain
sudo ip6tables -D INPUT 1

# Replace the first rule in the INPUT chain with a different one (-R takes the rule number followed by a full rule specification)
sudo ip6tables -R INPUT 1 <new rule spec>

There is no "disable" operation for a single rule: delete it with -D or replace it with -R. In particular, ip6tables -I INPUT 1 -j DROP does not disable the first rule; it inserts a rule ahead of everything else that drops all inbound traffic, SSH included.

Server Configuration File#

Domain Name Version#

cat << EOF > /etc/hysteria/config.yaml
listen: :5353 # Listening port (the single port the DNAT rules forward the hop range to)

# Use a CA certificate obtained via ACME. Hysteria answers the HTTP-01 / TLS-ALPN-01
# challenges itself, which is why TCP 80 and 443 are opened in the firewall above.
acme:
  domains:
    - www.igeekbb.com # Your domain; its A/AAAA record must already point at this server
  email: [email protected]

# Use a self-signed certificate instead (see the next section)
# tls:
#   cert: /etc/hysteria/server.crt
#   key: /etc/hysteria/server.key

auth:
  type: password
  password: 123456 # Replace with a long random value; anyone who knows it can use the proxy

masquerade:
  type: proxy
  proxy:
    url: https://bing.com # Site served to unauthenticated HTTP/3 clients and probes
    rewriteHost: true
EOF

Self-Signed Certificate Version without Domain Name#

Generate self-signed certificate#
# ECDSA P-256 key and certificate valid for 100 years. The CN only has to match the SNI the client is configured to send (bing.com here); the <( ) process substitution requires bash
openssl req -x509 -nodes -newkey ec:<(openssl ecparam -name prime256v1) \
  -keyout /etc/hysteria/server.key -out /etc/hysteria/server.crt \
  -subj "/CN=bing.com" -days 36500
# The service runs as the hysteria user, which must be able to read the key
sudo chown hysteria /etc/hysteria/server.key /etc/hysteria/server.crt
cat << EOF > /etc/hysteria/config.yaml
listen: :5353 # Listening port (the single port the DNAT rules forward the hop range to)

# CA certificate via ACME (not used in this version)
# acme:
#   domains:
#     - www.igeekbb.com # Your domain, needs to be resolved to the server IP first
#   email: [email protected]

# Use the self-signed certificate generated above
tls:
  cert: /etc/hysteria/server.crt
  key: /etc/hysteria/server.key

auth:
  type: password
  password: 123456 # Replace with a long random value; anyone who knows it can use the proxy

masquerade:
  type: proxy
  proxy:
    url: https://bing.com # Masquerade URL
    rewriteHost: true
EOF

No CA can vouch for this certificate, so a client has to disable chain verification to accept it. Do not stop there: also pin the certificate (Hysteria 2 clients support this via tls.pinSHA256), so the client still refuses to talk to anything other than your server.

The original post shows the corresponding PassWall client settings as a screenshot.
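The client side of the self-signed setup, as an added example that is not code from the original post or the Hysteria project: pin_sha256 computes the certificate fingerprint in the form a Hysteria 2 client pins with tls.pinSHA256 (the same value openssl x509 -noout -fingerprint -sha256 prints, computed here with coreutils only), gen_password produces a random auth password to replace 123456, and hy_client_config writes a client config that connects through the hop range 20000-50000 rather than the real listening port. Host name, SNI and ports are the post's values; the option names follow the Hysteria 2 client configuration as I understand it, and the certificate file written by write_test_pem is a constructed stand-in for exercising the fingerprint code offline, not a real certificate.

```shell
#!/bin/sh
# Added example; not from the original post or the Hysteria project.
# Client-side pieces for the self-signed server above: certificate pin,
# random password, and a client config using the port-hop range.
# Assumptions: www.igeekbb.com, bing.com and 20000-50000 are the post's values;
# option names follow the Hysteria 2 client config (server, auth,
# tls.pinSHA256, transport.udp.hopInterval).

# pin_sha256 CERT.pem -> uppercase colon-separated SHA-256 of the DER encoding
# of the first certificate in the file, i.e. what
# `openssl x509 -noout -fingerprint -sha256` prints, without needing openssl.
pin_sha256() {
    awk '/^-----BEGIN CERTIFICATE-----/ {f=1; next}
         /^-----END CERTIFICATE-----/   {exit}
         f' "$1" |
        tr -d '\r\n' | base64 -d | sha256sum | cut -c1-64 |
        tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# gen_password -> 32 base64 characters (192 bits) from the kernel CSPRNG
gen_password() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# hy_client_config HOST HOP_LO HOP_HI PASSWORD PIN -> client YAML on stdout
hy_client_config() {
    cat <<EOF
# Hysteria 2 client. The port range makes the client hop between HOP_LO-HOP_HI;
# the server's DNAT maps every port in the range to its single listen port.
server: $1:$2-$3
auth: $4
tls:
  sni: bing.com       # must match the CN of the self-signed certificate
  insecure: true      # no CA can validate a self-signed cert, so skip chain validation...
  pinSHA256: $5       # ...and accept only the exact certificate with this fingerprint
transport:
  type: udp
  udp:
    hopInterval: 30s  # how often the client moves to another port in the range
socks5:
  listen: 127.0.0.1:1080
EOF
}

# write_test_pem PATH: constructed stand-in for a certificate file, used only to
# exercise pin_sha256 offline. It is NOT a certificate: the body is base64("abc"),
# whose SHA-256 is the published test vector
# ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad.
write_test_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'YWJj' '-----END CERTIFICATE-----' > "$1"
}

# Usage: sh hy-client.sh /etc/hysteria/server.crt > client.yaml
if [ $# -ge 1 ]; then
    pin=$(pin_sha256 "$1")
    hy_client_config www.igeekbb.com 20000 50000 "$(gen_password)" "$pin"
fi
```

With insecure: true alone the client would accept any certificate a middlebox presents; the pin restores authentication by tying the connection to the one certificate you generated, and it has to be regenerated only when that certificate changes.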


The following are the steps to uninstall iptables. On Debian/Ubuntu the saved rules are loaded at boot by the netfilter-persistent service, not by a service called iptables, so that is the one to stop. Reset the default policies to ACCEPT before flushing: running iptables -F while the INPUT policy is still DROP leaves a chain with no ACCEPT rules and drops your SSH session.

Uninstall Iptables#

1. Reset the policies and flush the rules (do this first, while iptables is still installed)#

sudo iptables -P INPUT ACCEPT
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo ip6tables -P INPUT ACCEPT
sudo ip6tables -F
sudo ip6tables -X
sudo ip6tables -t nat -F

2. Stop and disable the service that reloads the rules at boot#

For Debian-based systems (iptables-persistent)#
sudo systemctl stop netfilter-persistent
sudo systemctl disable netfilter-persistent
For CentOS-based systems#
sudo systemctl stop iptables
sudo systemctl disable iptables

3. Uninstall the packages and delete the saved rule files#

For Debian-based systems#
sudo apt-get remove iptables-persistent iptables
sudo rm -r /etc/iptables/
For CentOS-based systems#
sudo yum remove iptables

References: https://github.com/TinrLin/sing-box_-tutorial/tree/main/Hysteria2
