Finalmask: Add Realm (UDP hole punching in Hysteria v2.9.1) by LjhAUMEM · Pull Request #6137 · XTLS/Xray-core

LjhAUMEM · 2026-05-15T12:48:23Z

refer to hysteria 2.9.1

现在用的 net.DefaultResolver + http.DefaultClient，建议自建 realm 以及搭配 keepAlivePeriod 食用

"finalmask": {
  "udp": [
    {
      "type": "realm",
      "settings": {
        "url": "",
        "stunServers": [],
        "tlsConfig": {}
      }
    }
  ]
}

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "address": "127.0.0.1",
        "port": 1081
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2,
          "auth": "5783a3e7-e373-51cd-8642-c83782b807c5"
        },
        "security": "tls",
        "tlsSettings": {
          "pinnedPeerCertSha256": "f166838b984afe614cba418bf2ace575189d822e94c751428e41bb6a7b6f1465"
        },
        "finalmask": {
          "udp": [
            {
              "type": "realm",
              "settings": {
                "url": "realm://public@realm.hy2.io/57f9be7c-2810-4f5b-8cb9-260bc84d6c90",
                "stunServers": [
                  "stun.nextcloud.com:3478",
                  "global.stun.twilio.com:3478"
                ]
              }
            }
          ],
          "quicParams": {
            "keepAlivePeriod": 10
          }
        }
      }
    }
  ]
}

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      // "listen": "127.0.0.1",
      "port": 54321,
      "protocol": "hysteria",
      "settings": {
        "version": 2,
        "clients": [
          {
            "auth": "5783a3e7-e373-51cd-8642-c83782b807c5"
          }
        ]
      },
      "streamSettings": {
        "network": "hysteria",
        "hysteriaSettings": {
          "version": 2
        },
        "security": "tls",
        "tlsSettings": {
          "alpn": ["h3"],
          "certificates": [
            {
              "certificate": [
                "-----BEGIN CERTIFICATE-----",
                "MIIBnTCCAUKgAwIBAgIRAKKw0E+MG4CqeIxeCZtyfWMwCgYIKoZIzj0EAwIwJjER",
                "MA8GA1UEChMIWHJheSBJbmMxETAPBgNVBAMTCFhyYXkgSW5jMB4XDTI2MDQxMTE0",
                "NDg1OFoXDTI2MDcxMDE1NDg1OFowJjERMA8GA1UEChMIWHJheSBJbmMxETAPBgNV",
                "BAMTCFhyYXkgSW5jMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpRY9GoCoKoKx",
                "bp0xH9OQiHmBhogW7nCRh7TtGvTwfyef6DSqUl26Ql3LxTAqNsK84g6EOO5hXkgN",
                "PYRhOnYRiKNRME8wDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMB",
                "MAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29tMAoGCCqG",
                "SM49BAMCA0kAMEYCIQC81N1lTIzfSsR6K8W2C3NKaR+iqyjYGo+L2mskYVQAVQIh",
                "APeXowIRcyk1ABfptJZ1DPRcAHpJ8H3antwzwh0okJ/e",
                "-----END CERTIFICATE-----"
              ],
              "key": [
                "-----BEGIN RSA PRIVATE KEY-----",
                "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgaqqaEdlBoohy3xLT",
                "yjdJowGv8zU7NckAO8+fK1x2GqChRANCAASlFj0agKgqgrFunTEf05CIeYGGiBbu",
                "cJGHtO0a9PB/J5/oNKpSXbpCXcvFMCo2wrziDoQ47mFeSA09hGE6dhGI",
                "-----END RSA PRIVATE KEY-----"
              ]
            }
          ]
        },
        "finalmask": {
          "udp": [
            {
              "type": "realm",
              "settings": {
                "url": "realm://public@realm.hy2.io/57f9be7c-2810-4f5b-8cb9-260bc84d6c90",
                "stunServers": [
                  "stun.nextcloud.com:3478",
                  "global.stun.twilio.com:3478"
                ]
              }
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom"
    }
  ]
}

Fangliding · 2026-05-15T13:24:48Z

call的依赖似乎有点多了
以及它也许应该作为一个udpmask(?)

LjhAUMEM · 2026-05-15T13:47:58Z

call的依赖似乎有点多了

go mod 吗，~~wlynxg/anet 似乎和新版 go 不兼容~~

以及它也许应该作为一个udpmask(?)

~~没有多路复打什么洞~~

LjhAUMEM · 2026-05-15T13:52:10Z

话说写 port: 0 行为居然不是 pickport 吗

RPRX · 2026-05-17T07:54:18Z

~~没有多路复打什么洞~~

Mux 也快该修整了，有这种打洞的东西最好还是弄成通用的吧，比如 KCP、WG 也能用上，~~话说为啥非要 realm~~

LjhAUMEM · 2026-05-17T10:05:09Z

Mux 也快该修整了，有这种打洞的东西最好还是弄成通用的吧，比如 KCP、WG 也能用上

没有 mux 对于 realm 服务器是不小的负载，真弄了搞不好给 hy 公共牵线搞掉了，我还是偏向给 quic，~~后续有谁想基于这个 pr 移到 mask 我也不管了~~

话说为啥非要 realm

就作为 client 使用来说感觉还是极简的，realm 还没看过

RPRX · 2026-05-22T22:06:51Z

~~Surge 的 Ponte 危，话说我寻思 realm 这名字不是一个隧道软件的吗咋被 Hy2 夺舍了~~

按 @tobyxdd 的想法也是 UDP 通用的，最好弄成通用的吧，~~另外它迟早有需要走代理的需求，所以需要 dialerProxy~~

LjhAUMEM · 2026-05-23T11:12:51Z

行吧，~~希望 hy 公共牵线能撑住，等了这么久怎么没别的公共出来~~

移到 mask 需要点时间，准备再糊个 ech 上去

dialerProxy 现在不支持 b.UDP，对 realm 没啥作用

LjhAUMEM · 2026-05-24T09:44:42Z

应该 ready 了，安卓那个可能要在 ldflags 加个 -checklinkname=0

Fangliding · 2026-05-24T09:48:55Z

为啥这东西要 -checklinkname=0

LjhAUMEM · 2026-05-24T09:55:25Z

根据报错看的，只引用一个 stun 库带来七八个小库，有个小库使用了 go:linkname

LjhAUMEM · 2026-05-24T10:00:05Z

https://github.com/wlynxg/anet/blob/5501d401a269290292909e6cc75f105571f97cfa/interface_android.go#L164

https://github.com/wlynxg/anet/blob/5501d401a269290292909e6cc75f105571f97cfa/interface_android.go#L167

RPRX · 2026-05-28T19:47:49Z

~~所以要怎么解决~~

LjhAUMEM · 2026-05-29T03:24:42Z

~~所以要怎么解决~~

CI release 针对 Android 改 ldflags，不适合在这个 pr 改

类似

https://github.com/apernet/hysteria/blob/c3a806b5cbbb20fe72099529573da26b1a2e9f22/.github/workflows/release.yml#L54

https://github.com/apernet/hysteria/blob/c3a806b5cbbb20fe72099529573da26b1a2e9f22/hyperbole.py#L270-L275

RPRX · 2026-05-29T05:52:35Z

CI release 针对 Android 改 ldflags，不适合在这个 pr 改

就在这个 PR 一起改了吧，目前已经有一些平台特定编译参数了，你参考下

RPRX · 2026-05-29T05:54:46Z

@LjhAUMEM README 那个 Reproducible Releases 记得也加一条，加到 32-bit MIPS/MIPSLE 上面

LjhAUMEM · 2026-05-29T06:36:34Z

done

RPRX · 2026-05-29T06:44:23Z

~~你这 CGO_ENABLED=1 确定是 reproducible 的吗，跟 CI 里的指令也不一样啊~~

LjhAUMEM · 2026-05-29T06:47:21Z

~~写在上面了吧~~

Xray-core/.github/workflows/release.yml

Lines 174 to 184 in 4dcf802

    
                   if: matrix.goos == 'android' 
        
                   run: | 
        
                     wget -qO android-ndk.zip https://dl.google.com/android/repository/android-ndk-r28b-linux.zip 
        
                     unzip android-ndk.zip 
        
                     rm android-ndk.zip 
        
                     declare -A arches=( 
        
                       ["amd64"]="x86_64-linux-android24-clang" 
        
                       ["arm64"]="aarch64-linux-android24-clang" 
        
                     ) 
        
                     echo CC="$(realpath android-ndk-*/toolchains/llvm/prebuilt/linux-x86_64/bin)/${arches[${{ matrix.goarch }}]}" >> $GITHUB_ENV 
        
                     echo CGO_ENABLED=1 >> $GITHUB_ENV

RPRX · 2026-05-29T07:21:39Z

~~那没事了，指定的版本是一样的吧，不过有 CGO 的存在是否还 reproducible 有点难说~~

Fangliding · 2026-05-29T07:33:43Z

可以stub掉安卓支持不要了

RPRX · 2026-05-29T07:34:54Z

~~主要是 termux/magisk 这些需要 Android 版吧~~

Fangliding · 2026-05-29T07:37:15Z

它们用的好像反而是Linux arm

MoRanYue · 2026-05-29T16:11:53Z

（tlsConfig对象是否与tlsSettings相同呢？基本上可指定连接牵线服务器时TLS配置，诸如fingerprint、echConfig、serverName、pinnedPeerCertSha256之类。

不过，应如何决定连接牵线服务器是否使用HTTPS呢？使用realm://协议代表HTTP，realms://代表HTTPS嘛？）

tobyxdd · 2026-05-29T20:42:40Z

（tlsConfig对象是否与tlsSettings相同呢？基本上可指定连接牵线服务器时TLS配置，诸如fingerprint、echConfig、serverName、pinnedPeerCertSha256之类。

不过，应如何决定连接牵线服务器是否使用HTTPS呢？使用realm://协议代表HTTP，realms://代表HTTPS嘛？）

https://hysteria.network/docs/advanced/Realms/#realm-address

MoRanYue · 2026-05-30T01:22:30Z

（奇怪，居然不是realm://与realms://，而是realm+http://和realm://）

LjhAUMEM · 2026-05-30T03:12:45Z

tlsConfig对象是否与tlsSettings相同呢？

相同的，主要是为了蹭 ech，其他字段你也可以试试

Fixes #6137

null added 7 commits May 24, 2026 15:16

realm

986cd98

clean

179601c

client punch

20cba50

fix bug

da9bb99

better log

d6579c8

restore & move to mask

16ff93b

restore

58548c7

LjhAUMEM force-pushed the realm branch from 966686b to 34a17cd Compare May 24, 2026 07:17

LjhAUMEM marked this pull request as draft May 24, 2026 07:31

infra & fix bug

37b47b2

LjhAUMEM force-pushed the realm branch from 34a17cd to 37b47b2 Compare May 24, 2026 09:35

LjhAUMEM marked this pull request as ready for review May 24, 2026 09:47

CI & md

fafd9c6

RPRX changed the title ~~feat(quicParams): realm client/server~~ Finalmask: Add Realm (UDP hole punching, Hysteria v2.9) May 29, 2026

RPRX changed the title ~~Finalmask: Add Realm (UDP hole punching, Hysteria v2.9)~~ Finalmask: Add Realm (UDP hole punching in Hysteria v2.9.1) May 29, 2026

RPRX merged commit 3630369 into XTLS:main May 29, 2026
39 checks passed

RPRX pushed a commit that referenced this pull request May 30, 2026

Realm finalmask: Fix client punch peers (#6213)

ba53861

Fixes #6137

Conversation

LjhAUMEM commented May 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Fangliding commented May 15, 2026

Uh oh!

LjhAUMEM commented May 15, 2026

Uh oh!

LjhAUMEM commented May 15, 2026

Uh oh!

RPRX commented May 17, 2026

Uh oh!

LjhAUMEM commented May 17, 2026

Uh oh!

RPRX commented May 22, 2026

Uh oh!

LjhAUMEM commented May 23, 2026

Uh oh!

LjhAUMEM commented May 24, 2026

Uh oh!

Fangliding commented May 24, 2026

Uh oh!

LjhAUMEM commented May 24, 2026

Uh oh!

LjhAUMEM commented May 24, 2026

Uh oh!

RPRX commented May 28, 2026

Uh oh!

LjhAUMEM commented May 29, 2026

Uh oh!

RPRX commented May 29, 2026

Uh oh!

RPRX commented May 29, 2026

Uh oh!

LjhAUMEM commented May 29, 2026

Uh oh!

RPRX commented May 29, 2026

Uh oh!

LjhAUMEM commented May 29, 2026

Uh oh!

RPRX commented May 29, 2026

Uh oh!

Fangliding commented May 29, 2026

Uh oh!

RPRX commented May 29, 2026

Uh oh!

Fangliding commented May 29, 2026

Uh oh!

Uh oh!

MoRanYue commented May 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tobyxdd commented May 29, 2026

Uh oh!

MoRanYue commented May 30, 2026

Uh oh!

LjhAUMEM commented May 30, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

LjhAUMEM commented May 15, 2026 •

edited

Loading

MoRanYue commented May 29, 2026 •

edited

Loading