Finalmask, mKCP, Hysteria, XHTTP, REALITY, TLS ECH, WireGuard, VLESS Reverse Proxy, HTTP headers' browser masquerading, Others
本次重点更新内容过多
- 从双重标准到“大新闻”:浅谈代理协议设计与实现上的一些本质问题与优先级区别
- XTLS/BBS#21 (comment)
- BlancVPN 正式成为赞助方之一,
依旧面向俄罗斯人,这家默默赞助几个月了,还赞助了些其它开源项目
Finalmask
- 新增 header-custom (TCP & UDP)、Sudoku (TCP & UDP),拷贝了 Direct/Freedom 出站的 fragment (TCP)、noise (UDP),最终的自定义流量外观拥有了更多可能,且均支持通过
fm参数分享,基于 Xray-core 的 GUI 应尽快更新 Finalmask(类似 XHTTP extra) - 支持了 dialer-proxy,补上了 XHTTP/3,加上一众 TCP 协议/传输层,至此 Xray 产生的所有代理流量均能被 Finalmask
- 修复了 XICMP、XDNS 潜在的 panic,XDNS 相较于 DNSTT/Slipstream 可以通过更多 DNS,且支持代理 UDP
mKCP
- 修复了 ACKs 可能超出 MTU 限制的问题,使 XDNS 更加稳定
- 将 TTI 限制由 10~100 毫秒改为了 10~5000 毫秒
- #716 分享链接标准新增
mtu、tti两项,还是为了 XDNS
Hysteria
- 新增 Hysteria 2 入站与传输层,
至此 Xray 支持了完整的 Hysteria 2,甚至 Finalmask 不只有 Salamander - 注意若要使用端口跳跃,入站应当只监听一个端口,并使用 iptables 转发其它端口的流量
- 将
congestion、brutalUp、brutalDown、udpHop等 QUIC 参数移到了 Finalmask 的quicParams
XHTTP
- XHTTP/3 拥塞控制改为默认 BBR ,同样支持通过 Finalmask 的
quicParams设置 "force-brutal"、udpHop等 - 修复了上个版本新增 obfuscations 所引入的一些问题,比如 broken Browser Dialer,以及一些增强
- 优化了一些代码与内存占用,
测测 iOS
REALITY
- 基于前段时间的经验,非 443 端口、“偷苹果”极易导致服务器 IP 被封锁,故对这两个行为输出警告信息
- 服务端启动时对 target 的 maxUselessRecords 进行四档自动探测并应用于自身,默认 32
- 其它一些修复,比如修复了服务端进入双向拷贝状态后,服务端与 target 间可能未及时关闭连接的问题
TLS ECH
- 避免了 WSS & HUS 的 outer ALPN 仍为 http/1.1,
虽然这一行为与浏览器不同但 ALPN http/1.1 会被重点关照所以 - 修改了
echForceQuery的默认值为 "full",即默认只允许以 ECH 发起连接 - 顺便升级了 uTLS 库更新了新版 Firefox、Safari 指纹,支持 X25519MLKEM768,就像 Chrome
WireGuard
- 支持了 UDP FullCone,提醒一下结合 Finalmask 后它拥有比其它 WireGuard 变种更强大的伪装能力
- 修复了出站 multi-peer 不可用的问题
- 修复了入站潜在的路由问题
VLESS Reverse Proxy
- VLESS 出站的
reverse(实际上是一个入站)添加完整的sniffing配置项与功能支持 - VLESS 入站建立新的反向 mux 连接(可能同时新建出站)后立即检查 burstObservatory
HTTP headers' browser masquerading
- 上个版本加的“Xray-core HTTP 请求的 User-Agent 均由 Go 改为动态 Chrome”扩展到了更多 headers
- XHTTP、WS、HU、gRPC 传输层可设置
headersUser-Agent来指定 "chrome"/"firefox"/"edge"
Others
- 该版本升级了一些依赖,并使用 Go 1.26.1 拉满 inline 编译,已 tag v1.260327.0
- 其它一些改进与修复,感谢所有贡献者,详见下方完整 change log
Sponsors
Donation & NFTs
Collect a Project X NFT to support the development of Project X!
- TRX(Tron)/USDT/USDC:
TNrDh5VSfwd4RPrwsohr6poyNTfFefNYan - TON:
UQApeV-u2gm43aC1uP76xAC1m6vCylstaN1gpfBmre_5IyTH - BTC:
1JpqcziZZuqv3QQJhZGNGBVdCBrGgkL6cT - XMR:
4ABHQZ3yJZkBnLoqiKvb3f8eqUnX4iMPb6wdant5ZLGQELctcerceSGEfJnoCk6nnyRZm73wrwSgvZ2WmjYLng6R7sR67nq - SOL/USDT/USDC:
3x5NuXHzB5APG6vRinPZcsUv5ukWUY1tBGRSJiEJWtZa - ETH/USDT/USDC:
0xDc3Fe44F0f25D13CACb1C4896CD0D321df3146Ee - Project X NFT: https://opensea.io/item/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1
- VLESS NFT: https://opensea.io/collection/vless
- REALITY NFT: https://opensea.io/item/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/2
- Related links: VLESS Post-Quantum Encryption, XHTTP: Beyond REALITY, Announcement of NFTs by Project X
What's Changed
- Build: Remove Windows ARM 32-bit build by @KobeArthurScofield in #4584
- Chore: Migrate to Go 1.26 by @Fangliding in #5680
- core/core.go: Replace "Custom" with vcs info if available by @Fangliding in #5665
- HTTPUpgrade server: Fix certain stuck in Handle() by @Fangliding in #5661
- Proxy: Add Hysteria 2 inbound & transport (supports listening port range, Salamander finalmask) by @LjhAUMEM in #5679
- gRPC client: Strip "grpc-go/version" suffix from User-Agent header by @RPRX in #5689
- README.md: Add NetProxy-Magisk to Magisk & Android Clients by @Fanju6 @RPRX in #5708
- README.md: Add GenyConnect to Windows & Linux & Android Clients by @thecompez in #5713
- README.md: Add XrayFA to Android Clients by @Q7DF1 in #5715
- VLESS config: Remove "with no flow" warning for now by @M03ED in #5671
- VLESS Encryption: Check 17
17000 -> Check 1716640 by @OneMiny in #5698 - Routing: Add
webhooktorulesby @kastov in #5722 - API: Fix Online Map by @kastov in #5732
- XHTTP transport: Bugfixes for obfuscations by @26X23 in #5720
- XHTTP transport: Add "bbr" (default) and "force-brutal" congestion control for H3 by @Katze-942 in #5711
- mKCP config: Check TTI 10
100 -> Check TTI 105000 by @patterniha @Fangliding in #5755 - mKCP transport: Make sure ACKs are limited within MTU by @LjhAUMEM in #5773
- Finalmask: Add header-custom (TCP & UDP), fragment (TCP), noise (UDP); Support dialer-proxy, XHTTP/3; Fix XDNS, XICMP potential panic by @LjhAUMEM in #5657
- Finalmask: Add Sudoku (TCP & UDP) by @saba-futai in #5685
- Update github.com/apernet/quic-go to 20260217092621 by @LjhAUMEM in #5782
- Hysteria & XHTTP/3: Unified Finalmask's
quicParamsto setcongestion,brutalUp,brutalDown,udpHop(ports&interval), etc. by @LjhAUMEM in #5772 - TLS ECH: Avoid outer ALPN http/1.1 for WSS & HUS; Change
echForceQuery's default value to "full"; Update github.com/refraction-networking/utls to 20260301010127; Add irrelevant tests for uTLS-REALITY by @Fangliding in #5725 - TUN inbound: Generate deterministic GUID on Windows by @Fangliding in #5811
- API: Fix potential nil pointer dereference in executeAddRules() by @WASDetchan @Fangliding in #5749
- REALITY config: Fix client's ·shortId· length check by @OfficialKatana in #5738
- Commands:
x25519outputs "Password" -> "Password (PublicKey)" by @matthew-abg @RPRX in #5759 - Finalmask: Refactor header conns to avoid multiple-copy; Add
randRangeto "header-custom" (TCP & UDP) by @LjhAUMEM in #5812 - VLESS Reverse Proxy: Check burstObservatory immediately after inbound adds new reverse-mux to reverse-outbound by @Fangliding @RPRX in #5752
- Xray-core: More robust browser header masquerading (chrome, firefox, edge) by @PoneyClairDeLune in #5802
- XHTTP transport: Some optimizations by @Fangliding @ozeranskii @rufsieus in #5803
- REALITY config: Print Warning when user is choosing apple/icloud as the target or listening on non-443 ports by @RPRX in 157e65b
- README.md: Add BlancVPN to Sponsors by @RPRX in e0ab00f
- Update github.com/xtls/reality to 20260322125925 by @RPRX in 2320416
- README.md: Add INCY to iOS & macOS Clients by @JustYay in #5832
- README.md: Add CELERITY to Web Panel by @ClickDevTech in #5834
- WireGuard: Implement UDP FullCone NAT by @LjhAUMEM @RPRX in #5833
- XTLS Vision: Defer Splice handoff until write completes by @HeXis-YS in #5737
- OpenBSD: Disable readV by @Fangliding in #5786
- WireGuard outbound: Fix multi-peer's readQueue issue by @RPRX in #5554
- VLESS Reverse Proxy: Add
sniffingto outbound'sreverse(which is actually an inbound) by @RPRX in #5837 - Loopback outbound: Fix potential nil InboundFromContext by @Fangliding in #5836
- Finalmask: Add
randRangeto "noise" (UDP), as the same as "header-custom"'s (TCP & UDP) by @LjhAUMEM in #5850 - WireGuard inbound: Fix multi-peer; Fix potential routing issue by @LjhAUMEM in #5843
New Contributors
- @Fanju6 made their first contribution in #5708
- @thecompez made their first contribution in #5713
- @Q7DF1 made their first contribution in #5715
- @OneMiny made their first contribution in #5698
- @26X23 made their first contribution in #5720
- @Katze-942 made their first contribution in #5711
- @saba-futai made their first contribution in #5685
- @WASDetchan made their first contribution in #5749
- @OfficialKatana made their first contribution in #5738
- @matthew-abg made their first contribution in #5759
- @JustYay made their first contribution in #5832
- @ClickDevTech made their first contribution in #5834
- @HeXis-YS made their first contribution in #5737
Full Changelog: v26.2.6...v26.3.27