XHTTP transport: New options for bypassing CDN's potential detection #5414 & Finalmask: Add XICMP, XDNS (relies on mKCP, like DNSTT), header-*, mkcp-*
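In defense of the freedom of communication, the highlights of this release are:
- XHTTP adds several new options for bypassing potential CDN detection (not yet finalized; third-party implementations are advised not to follow along yet), see #5414
- Finalmask adds XICMP, XDNS, header-*, mkcp-*; the share-link standard #716 has been updated with `fm`, `pcs`, `vcn`
- TLS: the `allowInsecure` option has been removed; use `pinnedPeerCertSha256` and `verifyPeerCertByName` instead, see 2c92339
- Further reduced the transient memory usage of Xray-core at startup #5581; for iOS/router, please test #5505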
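https://t.me/projectXtls/1464 In addition, next month we will release the XDRIVE transport layer and the XICMP mask layer. The former can carry data over services such as cloud drives and S3 stores; it does not need a public IP of your own and instead proxies through potentially whitelisted IPs,
or a service inside the country that can be reached from abroad works as well
https://t.me/projectXtls/1473 The definition is now clear: the "final mask layer" is a lowest-level "unreliable transport layer". For UDP, for example, it only disguises each packet and does not guarantee reliable delivery (that relies on the upper-layer mKCP/QUIC/WG, or the proxy protocol simply wants native UDP behaviour). On the other hand, the things placed in it are free-wheeling and not robust against detection, but may just work surprisingly well, such as the existing XICMP, XDNS, header-*, mkcp-*, Salamander. Later, TCP/TLS fragment and UDP noises will be moved over as well, all of which support sharing, along with the reportedly useful ASCII, the custom data at the start of a TCP stream that gfw-killer wants, and so on,
game disguises such as MC may also be added, and if you have a wild idea you can propose it too. There are two cases: one only adds a header, the other actually transmits data through that thing. The first will be named header-*, the second will be named X*,
too lazy to come up with names. Also, those TCP disguises can be offloaded to other programs through VLESS fallbacks
https://t.me/projectXtls/1478 If you do not care about active probing, the simplest method is actually REALITY with an arbitrary SNI: the value the server allows and the value the client fills in only need to match, without the trouble of self-signing and then pinning, and almost all clients support REALITY and sharing it,
isn't this better than self-signing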
Donation & NFTs
Collect a Project X NFT to support the development of Project X!
- Project X NFT: https://opensea.io/item/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1
- VLESS NFT: https://opensea.io/collection/vless
- REALITY NFT: https://opensea.io/item/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/2
- Related links: VLESS Post-Quantum Encryption, XHTTP: Beyond REALITY, Announcement of NFTs by Project X
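This release upgrades some dependencies and is compiled with Go 1.25.6 with inlining maxed out. It has been tagged v1.260202.0. Thanks to all contributors; see the change log below for details.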
What's Changed
- TUN inbound: Disable RACK/TLP recovery to fix connection stalls by @KiGamji in #5600
- TUN inbound: Enhance Darwin interface support by @Owersun in #5598
- Hysteria transport: Support range & random for `interval` in `udphop` as well by @LjhAUMEM in #5603
- Geodat: Reduce peak memory usage by @Meo597 in #5581
- TUN inbound: Add iOS support by @evozi-team in #5612
- VMess inbound: Optimize replay filter by @Fangliding in #5562
- README.md: Add Egern & Quantumult X to Others by @nasaboy in #5624
- Upgrade gVisor to latest version v0.0.0-20260122175437-89a5d21be8f0 by @RPRX in 9c46a2d
- TLS config: `allowInsecure` -> `pinnedPeerCertSha256`; `verifyPeerCertInNames` -> `verifyPeerCertByName` by @RPRX in 2c92339
- Commands: Print leaf cert's SHA256 in `tls ping` by @Fangliding @RPRX in #5628
- MPH domain matcher: Support building & using cache directly (instead of building from geosite.dat when Xray starts) by @hossinasaadi in #5505
- XHTTP transport: New options for bypassing CDN's potential detection by @paqx @Fangliding in #5414
- Finalmask: Add XDNS (relies on mKCP, like DNSTT), header-*, mkcp-* by @LjhAUMEM in #5560
- XHTTP transport: Fix "auto" mode with REALITY by @paqx in #5638
- Finalmask: Add XICMP (relies on mKCP/QUIC or WireGuard) by @LjhAUMEM in #5633
New Contributors
- @KiGamji made their first contribution in #5600
- @evozi-team made their first contribution in #5612
- @nasaboy made their first contribution in #5624
- @paqx made their first contribution in #5414
Full Changelog: v26.1.23...v26.2.2

