Project V for SagerNet

Important changes

Rewritten DNS

• added DNS Over TLS and QUIC support

example:

tls://dns.google
quic://dns.adguard.com

All available DNS schemes:

tcp
tcp+local
udp
udp+local
tls
tls+local
https
https+local
quic
quic+local

• multiple DNS now share the cache.
• concurrent query support

{
  "dns": [
    {
      "address": "tls://1.0.0.1",
      "concurrency": true
    }
  ]
}

Other

• concurrency option for outbound observation

{
  "observatory": {
    "enableConcurrency": true
  }
}

• DNS sniffer

{
  "routing": {
    "rules": [
      {
        "type": "field",
        "protocol": "dns",
        "outbound": "dns-out"
      }
    ]
  }
}

• disableExpire dns option

{
  "dns": {
    "disableExpire": true
  }
}

• removed FakeDNS

FakeDNS is a bad idea, and v2ray's current implementation
causes memory leaks, whether enabled or not.

• wireguard outbound

WireGuard outbound supports proxy ping requests.

{
  "outbounds": [
    {
      "protocol": "wireguard",
      "settings": {
        "address": "engage.cloudflareclient.com",
        "localAddresses": [
          "<ipv4 address>",
          "<ipv6 address>"
        ],
        "peerPublicKey": "<public key>",
        "port": 2408,
        "preSharedKey": "<psk>",
        "privateKey": "<private key>",
        "mtu": 1500,
        "userLevel": 0
      }
    }
  ]
}

• ssh outbound

{
  "outbounds": [
    {
      "protocol": "ssh",
      "settings": {
        "address": "<your ip>",
        "port": 22,
        "user": "root",
        "password": "<password or passphrase of private key>",
        "privateKey": "<x509 private key>",
        "publicKey": "<public key to verify server>",
        "clientVersion": "SSH-2.0-OpenSSH_114514 (random if empty)",
        "hostKeyAlgorithms": [
          "ssh-ed25519",
          "any u want"
        ],
        "userLevel": 0
      }
    }
  ]
}

• add domainStrategy to outbound & preferIPv4/6 to domainStrategy

{
  "outbounds": [
    {
      "protocol": "shadowsocks",
      "settings": {
        ...
      },
      "domainStrategy": "AsIs/UseIP/UseIPv[4/6]/PreferIPv[4/6]"
    }
  ]
}

• shadowsocks AEAD 2022 ciphers

{
  "outbounds": [
    {
      "protocol": "shadowsocks",
      "settings": {
        "servers": [
          {
            "address": "127.0.0.1",
            "port": 1234,
            "method": "2022-blake3-aes-128-gcm",
            "password": "<psk>"
          }
        ]
      }
    }
  ]
}

• shadowsocks stream ciphers and xchacha-ietf-poly1305

supported cipher list:

none

2022-blake3-aes-128-gcm
2022-blake3-aes-256-gcm
2022-blake3-chacha20-poly1305

aes-128-gcm
aes-192-gcm
aes-256-gcm
chacha20-ietf-poly1305
xchacha20-ietf-poly1305

rc4
rc4-md5
aes-128-ctr
aes-192-ctr
aes-256-ctr
aes-128-cfb
aes-192-cfb
aes-256-cfb
aes-128-cfb8
aes-192-cfb8
aes-256-cfb8
aes-128-ofb
aes-192-ofb
aes-256-ofb
bf-cfb
cast5-cfb
des-cfb
idea-cfb
rc2-cfb
seed-cfb
camellia-128-cfb
camellia-192-cfb
camellia-256-cfb
camellia-128-cfb8
camellia-192-cfb8
camellia-256-cfb8
salsa20
chacha20
chacha20-ietf
xchacha20

• shadowsocks SIP003 plugin

{
  "outbounds": [
    {
      "protocol": "shadowsocks",
      "settings": {
        ...
        "plugin": "path to plugin",
        "pluginOpts": "args;args2",
        "pluginArgs": [
          "--arg1=true"
        ]
      }
    }
  ]
}

• embed v2ray-plugin for shadowsocks

{
  "outbounds": [
    {
      "protocol": "shadowsocks",
      "settings": {
        ...
        "plugin": "v2ray-plugin",
        "pluginOpts": "host=shadow.v2fly.org"
      }
    }
  ]
}

• trojan_sing outbound

high performance trojan outbound.

notice: only the origin trojan (tls) protocol is supported.

{
  "outbounds": [
    {
      "protocol": "trojan_sing",
      "settings": {
        "address": "my.address",
        "serverName": "my.domain",
        "port": 443,
        "password": "my password",
        "insecure": false
      }
    }
  ]
}

• route only sniffing option

Allows the sniffed domain to be used for routing only, 
without overriding the destination address. 
This improves the routing accuracy of AsIs, 
and provides the expected connection behavior of the client 
(not resolving the domain name again on the server side)

{
  "inbounds": [
    {
      ...
      "sniffing": {
        "destOverride": [
          "http",
          "tls",
          "quic"
        ],
        "enabled": true,
        "routeOnly": true
      },
      "tag": "socks"
    }
  ]
}

• endpoint independent mapping support (aka full cone NAT)

for protocols other than v*ess, no configuration is required.

{
  "outbounds": [
    {
      "protocol": "v[m/l]ess",
      "settings": {
        "vnext": ...,
        "packetEncoding": "[none/packet/xudp]"
        // none: disabled
        // packet: requires v2ray/v2ray-core v5.0.2+ or SagerNet/v2ray-core
        // xudp: requires XTLS/Xray-core or SagerNet/v2ray-core
      },
      "mux": {
        "enabled": true,
        "packetEncoding": "[none/packet/xudp]"
        // packetEncoding for mux
      }
    }
  ]
}

• ping proxy support

{
  "ping": {
    "protocol": "<default/unprivileged>",
    "gateway4": "<0.0.0.0>",
    "gateway6": "<::>",
    "disableIPv6": true
  }
}

protocol: udp connection with port 7.

• XTLS protocol compatibility for vless and trojan

• gRPC multi/raw mode

License

GPL v3

Credits

This repo relies on the following projects:

• v2fly/v2ray-core
• XTLS/Xray-core
• Shadowsocks-NET/v2ray-go