Skip to content

Comments

Finalmask UDP: Support WireGuard & Shadowsocks AEAD/2022#5643

Merged
RPRX merged 3 commits intoXTLS:mainfrom
LjhAUMEM:wg-ss-mask
Feb 4, 2026
Merged

Finalmask UDP: Support WireGuard & Shadowsocks AEAD/2022#5643
RPRX merged 3 commits intoXTLS:mainfrom
LjhAUMEM:wg-ss-mask

Conversation

@LjhAUMEM
Copy link
Contributor

@LjhAUMEM LjhAUMEM commented Feb 3, 2026
edited
Loading

研究了一下搞懂了 wireguard 的配置,peer 原来填的是对端的 publickey,不过似乎解码有点问题导致只能用 hex string

然后看了一天 wireguard fullcone 决定不看了,有点看不懂

让 wireguard ss/2022 udp 出入套上 mask

wireguard 示例

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "wireguard",
      "settings": {
        "secretKey": "e033637bda4eeaed6b5ccf99da283e1003daece5ced305e8b06aa163f0320479",
        "address": ["10.1.1.1", "fd59:7153:2388:b5fd:0000:0000:1234:0001"],
        "peers": [
          {
            "publicKey": "bacc8f85656bc591995fa5c0fb5e8f23a75671f4b46851fbb53da1e859ac0331",
            "endpoint": "127.0.0.1:1081"
          }
        ],
        "noKernelTun": true
      },
      "streamSettings": {
        "finalmask": {
          "udp": [
            {
              "type": "salamander",
              "settings": {
                "password": "1234"
              }
            }
          ]
        }
      }
    }
  ]
}
{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "tag": "wg-in",
      "listen": "127.0.0.1",
      "port": 1081,
      "protocol": "wireguard",
      "settings": {
        "secretKey": "4886d27320c3eda9a9de83a2eeb85b91d6feae92aa7ca030f0d7137c2354c643",
        "peers": [
          {
            "publicKey": "cb5f25b2f3ea0040e4ddfac4ca09d52019d9f4be833db6916d7db226a9bae26c"
          }
        ]
      },
      "streamSettings": {
        "finalmask": {
          "udp": [
            {
              "type": "salamander",
              "settings": {
                "password": "1234"
              }
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom"
    }
  ]
}

@Fangliding
Copy link
Member

Fangliding commented Feb 3, 2026

这样不会和之前KCP里面套的那层mask重叠吗

@LjhAUMEM
Copy link
Contributor Author

LjhAUMEM commented Feb 3, 2026
edited
Loading

不会,这是原生 udp 传输层的 dialer,kcp 是传输层有自己的 dialer,不过监听部分是共享的

@RPRX
Copy link
Member

RPRX commented Feb 3, 2026

配置示例改成 Salamander

@RPRX
Copy link
Member

RPRX commented Feb 3, 2026

配置示例改成 Salamander

这个你测试过能用吗

@LjhAUMEM
Copy link
Contributor Author

LjhAUMEM commented Feb 3, 2026

这个你测试过能用吗

刚刚改完就出门了,之前测的没问题,我再测试下

@RPRX
Copy link
Member

RPRX commented Feb 3, 2026

test 挂了修一下

@LjhAUMEM
Copy link
Contributor Author

LjhAUMEM commented Feb 3, 2026

我再测试下

嗯,还是没问题,任一一方去掉 finalmask 都会连不上

但是发现个新的问题,目前这种套法无法与 sockopt.dialerProxy 共存,不过又伪装又 dialerProxy 也会失去伪装的意义,但是别人来 dialerProxy 它是可以的

@RPRX
Copy link
Member

RPRX commented Feb 3, 2026

但是发现个新的问题,目前这种套法无法与 sockopt.dialerProxy 共存,不过又伪装又 dialerProxy 也会失去伪装的意义,但是别人来 dialerProxy 它是可以的

这个不急

@RPRX
Copy link
Member

RPRX commented Feb 3, 2026

UDP dialer 那个 stat.Connection(conn) 删掉了会不会有问题

@RPRX
Copy link
Member

RPRX commented Feb 3, 2026

我觉得还是别删吧,包一下就包一下,省得哪里断言出问题,虽然 Xray 里 UDP 似乎没有这种东西,TCP 的比较多

@RPRX
Copy link
Member

RPRX commented Feb 4, 2026

先合了看看吧,希望别有问题

@RPRX RPRX changed the title finalmask/udp for wireguard & ss/2022 Finalmask UDP: Support WireGuard & Shadowsocks AEAD/2022 Feb 4, 2026
@RPRX RPRX merged commit 888c0d2 into XTLS:main Feb 4, 2026
39 checks passed
@LjhAUMEM
Copy link
Contributor Author

LjhAUMEM commented Feb 4, 2026

UDP dialer 那个 stat.Connection(conn) 删掉了会不会有问题

这倒不会,这么一问我有点怀疑自己了,不过想了一下还是没问题

看了下 raw 的 http header 在有 reality 的时候是跑在 reality 内层,如果要移到 finalmask 是不是应该放外层

@BrewTestBot BrewTestBot mentioned this pull request Feb 4, 2026
Merged
1 task
@RPRX
Copy link
Member

RPRX commented Feb 4, 2026

看了下 raw 的 http header 在有 reality 的时候是跑在 reality 内层,如果要移到 finalmask 是不是应该放外层

RAW 的那个 HTTP header 就先别动了吧,机场用得比较多而且 VLESS fallbacks 也用到了,finalmask 加个 header-custom 比它强

@BrewTestBot BrewTestBot mentioned this pull request Feb 6, 2026
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@LjhAUMEM @Fangliding @RPRX