From dc75931858cf96d95525faa22b7ffa0cea3e7d68 Mon Sep 17 00:00:00 2001 From: "rui.zheng" Date: Wed, 25 Jan 2017 12:21:04 +0800 Subject: [PATCH] fix ss udp OTA --- README.md | 17 ++++++++++++++--- README_en.md | 16 +++++++++++++--- cmd/gost/vendor/github.com/ginuerzh/gost/ss.go | 2 +- cmd/gost/vendor/vendor.json | 6 +++--- ss.go | 7 +------ 5 files changed, 32 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 70a5a38..031eb1b 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ gost - GO Simple Tunnel * 支持标准HTTP/HTTPS/SOCKS5代理协议 * SOCKS5代理支持TLS协商加密 * Tunnel UDP over TCP -* 支持Shadowsocks协议 (OTA: 2.2+) +* 支持Shadowsocks协议 (OTA: 2.2+,UDP: 2.4+) * 支持本地/远程端口转发 (2.1+) * 支持HTTP 2.0 (2.2+) * 实验性支持QUIC (2.3+) @@ -50,7 +50,9 @@ protocol: 代理协议类型(http, socks5, shadowsocks), transport: 数据传输 > tls - HTTPS/SOCKS5代理,使用tls传输数据: tls://:443 -> ss - Shadowsocks代理,ss://aes-256-cfb:123456@:8338 +> ss - Shadowsocks代理,ss://chacha20:123456@:8338 + +> ssu - Shadowsocks UDP relay,ssu://chacha20:123456@:8338 > quic - QUIC代理,quic://:6121 @@ -291,7 +293,7 @@ gost -L=:8080 -F=socks://server_ip:1080 如果两端都是gost(如上)则数据传输会被加密(协商使用tls或tls-auth方法),否则使用标准SOCKS5进行通讯(no-auth或user/pass方法)。 -**注:** 如果transport已经支持加密(wss, tls, http2),则SOCKS5不会再使用加密方法,防止不必要的双重加密。 +**注:** 如果transport已经支持加密(wss, tls, http2, kcp),则SOCKS5不会再使用加密方法,防止不必要的双重加密。 #### Shadowsocks gost对shadowsocks的支持是基于[shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go)库。 @@ -305,6 +307,15 @@ gost -L=ss://aes-128-cfb:123456@:8338?ota=1 gost -L=:8080 -F=ss://aes-128-cfb:123456@server_ip:8338?ota=1 ``` +##### Shadowsocks UDP relay + +目前仅服务端支持UDP,且仅支持OTA模式。 + +服务端: +```bash +gost -L=ssu://aes-128-cfb:123456@:8338 +``` + #### TLS gost内置了TLS证书,如果需要使用其他TLS证书,有两种方法: * 在gost运行目录放置cert.pem(公钥)和key.pem(私钥)两个文件即可,gost会自动加载运行目录下的cert.pem和key.pem文件。 diff --git a/README_en.md b/README_en.md index 16ba00e..b7c0e7f 100644 --- a/README_en.md +++ b/README_en.md 
@@ -10,7 +10,7 @@ Features * Standard HTTP/HTTPS/SOCKS5 proxy protocols support * TLS encryption via negotiation support for SOCKS5 proxy * Tunnel UDP over TCP -* Shadowsocks protocol support (OTA: 2.2+) +* Shadowsocks protocol support (OTA: 2.2+, UDP: 2.4+) * Local/remote port forwarding (2.1+) * HTTP 2.0 support (2.2+) * Experimental QUIC support (2.3+) @@ -50,7 +50,9 @@ transport: data transmission mode (ws, wss, tls, http2, quic, kcp), may be used > tls - HTTPS/SOCKS5 over tls: tls://:443 -> ss - standard shadowsocks proxy, ss://aes-256-cfb:123456@:8338 +> ss - standard shadowsocks proxy, ss://chacha20:123456@:8338 + +> ssu - shadowsocks UDP relay,ssu://chacha20:123456@:8338 > quic - standard QUIC proxy, quic://:6121 @@ -295,7 +297,7 @@ gost -L=:8080 -F=socks://server_ip:1080 If both ends are gosts (as example above), the data transfer will be encrypted (using tls or tls-auth). Otherwise, use standard SOCKS5 for communication (no-auth or user/pass). -**NOTE:** If transport already supports encryption (wss, tls, http2), SOCKS5 will no longer use the encryption method to prevent unnecessary double encryption. +**NOTE:** If transport already supports encryption (wss, tls, http2, kcp), SOCKS5 will no longer use the encryption method to prevent unnecessary double encryption. #### Shadowsocks Support for shadowsocks is based on library [shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go). @@ -309,6 +311,14 @@ Client (The OTA mode can be enabled by the ota parameter): gost -L=:8080 -F=ss://aes-128-cfb:123456@server_ip:8338?ota=1 ``` +##### Shadowsocks UDP relay +Currently, only the server supports UDP, and only OTA mode is supported. + +Server: +```bash +gost -L=ssu://aes-128-cfb:123456@:8338 +``` + #### TLS There is built-in TLS certificate in gost, if you need to use other TLS certificate, there are two ways: * Place two files cert.pem (public key) and key.pem (private key) in the current working directory, gost will automatically load them. 
diff --git a/cmd/gost/vendor/github.com/ginuerzh/gost/ss.go b/cmd/gost/vendor/github.com/ginuerzh/gost/ss.go
index 3959ad2..37e2a0b 100644
--- a/cmd/gost/vendor/github.com/ginuerzh/gost/ss.go
+++ b/cmd/gost/vendor/github.com/ginuerzh/gost/ss.go
@@ -270,7 +270,7 @@ func (s *ShadowUdpServer) ListenAndServe() error {
 continue
 }
- if b[3]&ss.OneTimeAuthMask > 0 {
+ if b[3]&ss.OneTimeAuthMask == 0 {
 glog.V(LWARNING).Infof("[ssu] %s -> %s : client does not support OTA", addr, laddr)
 continue
 }
diff --git a/cmd/gost/vendor/vendor.json b/cmd/gost/vendor/vendor.json
index 58ba5da..c601cbc 100644
--- a/cmd/gost/vendor/vendor.json
+++ b/cmd/gost/vendor/vendor.json
@@ -21,10 +21,10 @@
 "revisionTime": "2017-01-19T05:34:58Z"
 },
 {
- "checksumSHA1": "2kMuCJwcxppxWtk9dX1WtWZMGB4=",
+ "checksumSHA1": "tzE0IZDLN5ft/BfJmSMpvWnSjJM=",
 "path": "github.com/ginuerzh/gost",
- "revision": "8861ffba01779f3a9f44b205b38d626fce71dff3",
- "revisionTime": "2017-01-24T13:01:52Z"
+ "revision": "10487dc3def07efaa603beca7b9613db999ad37a",
+ "revisionTime": "2017-01-24T13:41:57Z"
 },
 {
 "checksumSHA1": "URsJa4y/sUUw/STmbeYx9EKqaYE=",
diff --git a/ss.go b/ss.go
index 3959ad2..cf5eb47 100644
--- a/ss.go
+++ b/ss.go
@@ -270,12 +270,7 @@ func (s *ShadowUdpServer) ListenAndServe() error {
 continue
 }
- if b[3]&ss.OneTimeAuthMask > 0 {
- glog.V(LWARNING).Infof("[ssu] %s -> %s : client does not support OTA", addr, laddr)
- continue
- }
- b[3] &= ss.AddrMask
-
+ b[3] &= ss.AddrMask // remove OTA flag
 dgram, err := gosocks5.ReadUDPDatagram(bytes.NewReader(b[:n+3]))
 if err != nil {
 glog.V(LWARNING).Infof("[ssu] %s -> %s : %s", addr, laddr, err)
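Review bot: In the top-level `ss.go` hunk, the rewritten line `b[3] &= ss.AddrMask // remove OTA flag` clears the one-time-auth bit without first recording whether it was set, so as far as this hunk shows the relay neither rejects non-OTA datagrams nor knows that an OTA tag should be verified and stripped before `gosocks5.ReadUDPDatagram` parses `b[:n+3]`. That disagrees with the vendored copy in the same commit, which keeps the check and only corrects it to `== 0`, and with the README text added here saying only OTA mode is supported. If OTA is meant to be required, keep the corrected guard ahead of the mask, `if b[3]&ss.OneTimeAuthMask == 0 { glog.V(LWARNING).Infof("[ssu] %s -> %s : client does not support OTA", addr, laddr); continue }`; if both modes are now accepted, save the flag first (`ota := b[3]&ss.OneTimeAuthMask > 0`) and update the README wording. ListenAndServe starts and ends outside the hunk, so any tag verification further down, and the length check that makes `b[3]` safe to index, cannot be confirmed from here.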