From 8d044232af34f82adbd36dbca4c29d5009d700f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= Date: Fri, 9 Sep 2022 15:40:35 +0800 Subject: [PATCH] Update documentation --- constant/version.go | 2 +- docs/changelog.md | 43 +++++++++++++++++++++ docs/configuration/inbound/tun.md | 19 ++++++--- docs/configuration/inbound/tun.zh.md | 15 ++++--- docs/configuration/outbound/wireguard.md | 12 ++++++ docs/configuration/outbound/wireguard.zh.md | 12 ++++++ docs/configuration/route/index.md | 13 ++++++- docs/configuration/route/index.zh.md | 13 ++++++- docs/configuration/shared/dial.md | 15 +++++-- docs/configuration/shared/dial.zh.md | 14 +++++++ docs/configuration/shared/listen.md | 27 +++++++++---- docs/configuration/shared/listen.zh.md | 29 ++++++++++---- 12 files changed, 180 insertions(+), 34 deletions(-) diff --git a/constant/version.go b/constant/version.go index f90a74f3d0..594d8c1228 100644 --- a/constant/version.go +++ b/constant/version.go @@ -1,6 +1,6 @@ package constant var ( - Version = "1.0.1" + Version = "1.1-beta1" Commit = "" ) diff --git a/docs/changelog.md b/docs/changelog.md index 525026878f..a6937bff9d 100644 --- a/docs/changelog.md +++ b/docs/changelog.md 
@@ -1,3 +1,46 @@ +#### 1.1-beta1 + +* Add support for use with android VPNService **1** +* Add tun support for WireGuard outbound **2** +* Add system tun stack **3** +* Add comment filter for config **4** +* Add option for allow optional proxy protocol header +* Add half close for smux +* Set UDP DF by default **5** +* Set default tun mtu to 9000 +* Update gVisor to 20220905.0 + +*1*: + +In previous versions, Android VPN would not work with tun enabled. + +The usage of tun over VPN and VPN over tun is now supported, see [Tun Inbound](/configuration/inbound/tun#auto_route). + +*2*: + +In previous releases, WireGuard outbound support was backed by the lower performance gVisor virtual interface. + +It achieves the same performance as wireguard-go by providing automatic system interface support. + +*3*: + +It does not depend on gVisor and has better performance in some cases. + +It is less compatible and may not be available in some environments. + +*4*: + +Annotated json configuration files are now supported. + +*5*: + +UDP fragmentation is now blocked by default. + +Including shadowsocks-libev, shadowsocks-rust and quic-go all disable segmentation by default. + +See [Dial Fields](/configuration/shared/dial#udp_fragment) +and [Listen Fields](/configuration/shared/listen#udp_fragment). + #### 1.0.1 * Fix match 4in6 address in ip_cidr diff --git a/docs/configuration/inbound/tun.md b/docs/configuration/inbound/tun.md index 8d7666f72f..76074aa1c5 100644 --- a/docs/configuration/inbound/tun.md +++ b/docs/configuration/inbound/tun.md @@ -12,7 +12,7 @@ "interface_name": "tun0", "inet4_address": "172.19.0.1/30", "inet6_address": "fdfe:dcba:9876::1/128", - "mtu": 1500, + "mtu": 9000, "auto_route": true, "strict_route": true, "endpoint_independent_nat": false, 
@@ -80,6 +80,10 @@ Set the default route to the Tun. To avoid traffic loopback, set `route.auto_detect_interface` or `route.default_interface` or `outbound.bind_interface` +!!! note "Use with Android VPN" + + By default, VPN takes precedence over tun. To make tun go through VPN, enable `route.override_android_vpn`. + #### strict_route Enforce strict routing rules in Linux when `auto_route` is enabled: @@ -92,6 +96,10 @@ not be accessible by others. #### endpoint_independent_nat +!!! info "" + + This item is only available on the gvisor stack, other stacks are endpoint-independent NAT by default. + Enable endpoint-independent NAT. Performance may degrade slightly, so it is not recommended to enable on when it is not needed. @@ -104,10 +112,11 @@ UDP NAT expiration time in seconds, default is 300 (5 minutes). TCP/IP stack. -| Stack | Upstream | Status | -|------------------|-----------------------------------------------------------------------|-------------------| -| gVisor (default) | [google/gvisor](https://github.com/google/gvisor) | recommended | -| LWIP | [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | upstream archived | +| Stack | Description | Status | +|------------------|--------------------------------------------------------------------------------|-------------------| +| gVisor (default) | Based on [google/gvisor](https://github.com/google/gvisor) | recommended | + | system | Less compatibility and sometimes better performance. | recommended | +| LWIP | Based on [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | upstream archived | !!! warning "" diff --git a/docs/configuration/inbound/tun.zh.md b/docs/configuration/inbound/tun.zh.md index b85b345060..7e5491ae96 100644 --- a/docs/configuration/inbound/tun.zh.md +++ b/docs/configuration/inbound/tun.zh.md 
@@ -12,7 +12,7 @@ "interface_name": "tun0", "inet4_address": "172.19.0.1/30", "inet6_address": "fdfe:dcba:9876::1/128", - "mtu": 1500, + "mtu": 9000, "auto_route": true, "strict_route": true, "endpoint_independent_nat": false, @@ -80,6 +80,10 @@ tun 接口的 IPv6 前缀。 为避免流量环回,请设置 `route.auto_detect_interface` 或 `route.default_interface` 或 `outbound.bind_interface`。 +!!! note "与 Android VPN 一起使用" + + VPN 默认优先于 tun。要使 tun 经过 VPN,启用 `route.override_android_vpn`。 + #### strict_route 在 Linux 中启用 `auto_route` 时执行严格的路由规则。 @@ -103,10 +107,11 @@ UDP NAT 过期时间,以秒为单位,默认为 300(5 分钟)。 TCP/IP 栈。 -| 栈 | 上游 | 状态 | -|------------------|-----------------------------------------------------------------------|-------| -| gVisor (default) | [google/gvisor](https://github.com/google/gvisor) | 推荐 | -| LWIP | [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | 上游已存档 | +| 栈 | 描述 | 状态 | +|------------------|--------------------------------------------------------------------------|-------| +| gVisor (default) | 基于 [google/gvisor](https://github.com/google/gvisor) | 推荐 | +| system | 兼容性较差,有时性能更好。 | 推荐 | +| LWIP | 基于 [eycorsican/go-tun2socks](https://github.com/eycorsican/go-tun2socks) | 上游已存档 | !!! warning "" diff --git a/docs/configuration/outbound/wireguard.md b/docs/configuration/outbound/wireguard.md index bdba7bc93a..ca6abf589d 100644 --- a/docs/configuration/outbound/wireguard.md +++ b/docs/configuration/outbound/wireguard.md @@ -7,6 +7,8 @@ "server": "127.0.0.1", "server_port": 1080, + "system_interface": false, + "interface_name": "wg0", "local_address": [ "10.0.0.2/32" ], @@ -38,6 +40,16 @@ The server address. The server port. +#### system_interface + +Use system tun support. + +Requires privileges and cannot conflict with system interfaces. + +#### interface_name + +Custom device name when `system_interface` enabled. + #### local_address ==Required== 
diff --git a/docs/configuration/outbound/wireguard.zh.md b/docs/configuration/outbound/wireguard.zh.md index f98ce75f48..e7b0c62792 100644 --- a/docs/configuration/outbound/wireguard.zh.md +++ b/docs/configuration/outbound/wireguard.zh.md @@ -7,6 +7,8 @@ "server": "127.0.0.1", "server_port": 1080, + "system_interface": false, + "interface_name": "wg0", "local_address": [ "10.0.0.2/32" ], @@ -38,6 +40,16 @@ 服务器端口。 +#### system_interface + +使用系统 tun 支持。 + +需要特权且不能与系统接口冲突。 + +#### interface_name + +启用 `system_interface` 时的自定义设备名称。 + #### local_address ==必填== diff --git a/docs/configuration/route/index.md b/docs/configuration/route/index.md index 0b541c76f7..7440f2bbc3 100644 --- a/docs/configuration/route/index.md +++ b/docs/configuration/route/index.md @@ -10,6 +10,7 @@ "rules": [], "final": "", "auto_detect_interface": false, + "override_android_vpn": false, "default_interface": "en0", "default_mark": 233 } @@ -34,17 +35,25 @@ Default outbound tag. the first outbound will be used if empty. Only supported on Linux, Windows and macOS. -Bind outbound connections to the default NIC by default to prevent routing loops under Tun. +Bind outbound connections to the default NIC by default to prevent routing loops under tun. Takes no effect if `outbound.bind_interface` is set. +#### override_android_vpn + +!!! error "" + + Only supported on Android. + +Accept Android VPN as upstream NIC when `auto_detect_interface` enabled. + #### default_interface !!! error "" Only supported on Linux, Windows and macOS. -Bind outbound connections to the specified NIC by default to prevent routing loops under Tun. +Bind outbound connections to the specified NIC by default to prevent routing loops under tun. Takes no effect if `auto_detect_interface` is set. diff --git a/docs/configuration/route/index.zh.md b/docs/configuration/route/index.zh.md index 443186a606..e0bbe9173a 100644 --- a/docs/configuration/route/index.zh.md +++ b/docs/configuration/route/index.zh.md 
@@ -10,6 +10,7 @@ "rules": [], "final": "", "auto_detect_interface": false, + "override_android_vpn": false, "default_interface": "en0", "default_mark": 233 } @@ -34,17 +35,25 @@ 仅支持 Linux、Windows 和 macOS。 -默认将出站连接绑定到默认网卡,以防止在 Tun 下出现路由环路。 +默认将出站连接绑定到默认网卡,以防止在 tun 下出现路由环路。 如果设置了 `outbound.bind_interface` 设置,则不生效。 +#### override_android_vpn + +!!! error "" + + 仅支持 Android。 + +启用 `auto_detect_interface` 时接受 Android VPN 作为上游网卡。 + #### default_interface !!! error "" 仅支持 Linux、Windows 和 macOS。 -默认将出站连接绑定到指定网卡,以防止在 Tun 下出现路由环路。 +默认将出站连接绑定到指定网卡,以防止在 tun 下出现路由环路。 如果设置了 `auto_detect_interface` 设置,则不生效。 diff --git a/docs/configuration/shared/dial.md b/docs/configuration/shared/dial.md index 45cb3e072e..2794ffd3b7 100644 --- a/docs/configuration/shared/dial.md +++ b/docs/configuration/shared/dial.md @@ -9,6 +9,7 @@ "reuse_addr": false, "connect_timeout": "5s", "tcp_fast_open": false, + "udp_fragment": false, "domain_strategy": "prefer_ipv6", "fallback_delay": "300ms" } @@ -16,9 +17,9 @@ ### Fields -| Field | Available Context | -|-----------------------------------------------------------------------------------|-------------------| -| `bind_interface` /`bind_address` /`routing_mark` /`reuse_addr` /`connect_timeout` | `detour` not set | +| Field | Available Context | +|---------------------------------------------------------------------------------------------------------------------|-------------------| +| `bind_interface` /`bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open`/ `udp_fragment` /`connect_timeout` | `detour` not set | #### detour @@ -44,6 +45,14 @@ Set netfilter routing mark. Reuse listener address. +#### tcp_fast_open + +Enable TCP Fast Open. + +#### udp_fragment + +Enable UDP fragmentation. + #### connect_timeout Connect timeout, in golang's Duration format. diff --git a/docs/configuration/shared/dial.zh.md b/docs/configuration/shared/dial.zh.md index b150164c66..6bb19a0d94 100644 --- a/docs/configuration/shared/dial.zh.md 
+++ b/docs/configuration/shared/dial.zh.md @@ -9,6 +9,7 @@ "reuse_addr": false, "connect_timeout": "5s", "tcp_fast_open": false, + "udp_fragment": false, "domain_strategy": "prefer_ipv6", "fallback_delay": "300ms" } @@ -16,6 +17,11 @@ ### 字段 +| 字段 | 可用上下文 | +|---------------------------------------------------------------------------------------------------------------------|--------------| +| `bind_interface` /`bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open`/ `udp_fragment` /`connect_timeout` | `detour` 未设置 | + + #### detour 上游出站的标签。 @@ -42,6 +48,14 @@ 重用监听地址。 +#### tcp_fast_open + +启用 TCP Fast Open。 + +#### udp_fragment + +启用 UDP 分段。 + #### connect_timeout 连接超时,采用 golang 的 Duration 格式。 diff --git a/docs/configuration/shared/listen.md b/docs/configuration/shared/listen.md index 67ac75f859..85d3e3675d 100644 --- a/docs/configuration/shared/listen.md +++ b/docs/configuration/shared/listen.md 
@@ -5,24 +5,27 @@ "listen": "::", "listen_port": 5353, "tcp_fast_open": false, + "udp_fragment": false, "sniff": false, "sniff_override_destination": false, "domain_strategy": "prefer_ipv6", "udp_timeout": 300, "proxy_protocol": false, + "proxy_protocol_accept_no_header": false, "detour": "another-in" } ``` ### Fields -| Field | Available Context | -|------------------|-------------------------------------------------------------------| -| `listen` | Needs to listen on TCP or UDP. | -| `listen_port` | Needs to listen on TCP or UDP. | -| `tcp_fast_open` | Needs to listen on TCP. | -| `udp_timeout` | Needs to assemble UDP connections, currently Tun and Shadowsocks. | -| `proxy_protocol` | Needs to listen on TCP. | +| Field | Available Context | +|-----------------------------------|-------------------------------------------------------------------| +| `listen` | Needs to listen on TCP or UDP. | +| `listen_port` | Needs to listen on TCP or UDP. | +| `tcp_fast_open` | Needs to listen on TCP. | +| `udp_timeout` | Needs to assemble UDP connections, currently Tun and Shadowsocks. | +| `proxy_protocol` | Needs to listen on TCP. | +| `proxy_protocol_accept_no_header` | When `proxy_protocol` enabled | #### listen @@ -36,7 +39,11 @@ Listen port. #### tcp_fast_open -Enable tcp fast open for listener. +Enable TCP Fast Open. + +#### udp_fragment + +Enable UDP fragmentation. #### sniff @@ -66,6 +73,10 @@ UDP NAT expiration time in seconds, default is 300 (5 minutes). Parse [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header. +#### proxy_protocol_accept_no_header + +Accept connections without Proxy Protocol header. + #### detour If set, connections will be forwarded to the specified inbound. diff --git a/docs/configuration/shared/listen.zh.md b/docs/configuration/shared/listen.zh.md index bf8a9638a7..46b97bef81 100644 --- a/docs/configuration/shared/listen.zh.md +++ b/docs/configuration/shared/listen.zh.md 
@@ -5,21 +5,26 @@ "listen": "::", "listen_port": 5353, "tcp_fast_open": false, + "udp_fragment": false, "sniff": false, "sniff_override_destination": false, "domain_strategy": "prefer_ipv6", "udp_timeout": 300, + "proxy_protocol": false, + "proxy_protocol_accept_no_header": false, "detour": "another-in" } ``` -| 字段 | 可用上下文 | -|------------------|-------------------------------------| -| `listen` | 需要监听 TCP 或 UDP。 | -| `listen_port` | 需要监听 TCP 或 UDP。 | -| `tcp_fast_open` | 需要监听 TCP。 | -| `udp_timeout` | 需要组装 UDP 连接, 当前为 Tun 和 Shadowsocks。 | -| `proxy_protocol` | 需要监听 TCP。 | + +| 字段 | 可用上下文 | +|-----------------------------------|-------------------------------------| +| `listen` | 需要监听 TCP 或 UDP。 | +| `listen_port` | 需要监听 TCP 或 UDP。 | +| `tcp_fast_open` | 需要监听 TCP。 | +| `udp_timeout` | 需要组装 UDP 连接, 当前为 Tun 和 Shadowsocks。 | +| `proxy_protocol` | 需要监听 TCP。 | +| `proxy_protocol_accept_no_header` | `proxy_protocol` 启用时 | ### 字段 @@ -35,7 +40,11 @@ #### tcp_fast_open -为监听器启用 TCP 快速打开。 +启用 TCP Fast Open。 + +#### udp_fragment + +启用 UDP 分段。 #### sniff @@ -65,6 +74,10 @@ UDP NAT 过期时间,以秒为单位,默认为 300(5 分钟)。 解析连接头中的 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。 +#### proxy_protocol_accept_no_header + +接受没有代理协议标头的连接。 + #### detour 如果设置,连接将被转发到指定的入站。
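
Review bot: In constant/version.go the `Version` constant changes from "1.0.1" to "1.1-beta1", but the subject line only says "Update documentation". Mention the version bump in the commit message or move it to its own commit, so that a release-affecting change is visible when someone audits or bisects the release history.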
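
Review bot: In docs/changelog.md, note *5*, the line "Including shadowsocks-libev, shadowsocks-rust and quic-go all disable segmentation by default." is a sentence fragment and switches from "fragmentation" to "segmentation" for the same thing. This entry announces a changed default, so state it directly: DF is now set on UDP by default, as those three projects already do, and `udp_fragment` is the option that restores the old behaviour. Note *2* has a related problem: "It achieves the same performance as wireguard-go" has no antecedent. Name the new system interface mode as the subject.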
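
Review bot: The `endpoint_independent_nat` info block added in docs/configuration/inbound/tun.md has no counterpart in tun.zh.md, which only receives the mtu, Android VPN and stack table hunks. Add the translated admonition there as well. In the English text, "gvisor" should be spelled "gVisor" as in the stack table, and the comma splice reads better as two sentences: "This item is only available on the gVisor stack. Other stacks use endpoint-independent NAT by default."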
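
Review bot: In the stack table of docs/configuration/inbound/tun.md, the new `system` row is written as `+ | system |` with a space before the first pipe, unlike the gVisor and LWIP rows and unlike the same row in tun.zh.md. Drop the leading space so the table source is consistent. The row is also given the status "recommended" while its own description is "Less compatibility and sometimes better performance."; a status or description that tells the reader when to prefer it over the default would be more useful.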
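
Review bot: In docs/configuration/outbound/wireguard.md (and the .zh.md copy), the `system_interface` text "Requires privileges and cannot conflict with system interfaces." does not say which privileges are needed or what happens on a name conflict. Since this option makes the process create a real system interface, document the required privilege per platform and the failure behaviour. Also state what device name is used when `interface_name` is left empty; the example shows "wg0" but the field description gives no default.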
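
Review bot: In docs/configuration/route/index.md, the new `override_android_vpn` section is marked "Only supported on Android." and takes effect "when `auto_detect_interface` enabled", but the context lines just above it, which describe binding to the default NIC, still read "Only supported on Linux, Windows and macOS.". As written, the prerequisite option is documented as unavailable on the only platform where the new option works. Update that platform note in both index.md and index.zh.md, or explain how the two options combine on Android.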
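
Review bot: In docs/configuration/shared/dial.md, the new `udp_fragment` entry says only "Enable UDP fragmentation.", which does not tell the reader that the default (`false` in the example) means DF is set, as the changelog in this same patch announces. State the default and the effect of leaving it off. In the rewritten table cell the separators are inconsistent (`/ `tcp_fast_open`/ `udp_fragment` /`), and the new sections are inserted before `connect_timeout` although the JSON example lists `connect_timeout` first.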
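
Review bot: In the Fields table of docs/configuration/shared/listen.md, `udp_fragment` is added to the JSON example and gets its own section further down, but there is no row for it in the "Available Context" table, while `proxy_protocol_accept_no_header` does get one. Add a row such as "Needs to listen on UDP." The new row's text "When `proxy_protocol` enabled" also lacks the trailing period the other rows have.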
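
Review bot: The `proxy_protocol_accept_no_header` section in docs/configuration/shared/listen.md is a single line, "Accept connections without Proxy Protocol header.", for an option that relaxes a trust boundary. The Proxy Protocol specification linked from the `proxy_protocol` entry tells receivers not to guess whether the header is present, so that one port is not shared between proxied and direct clients. Document that this option departs from that, what source address is recorded for a connection that arrives without a header, and that the listener should still be reachable only from peers trusted to supply the header. The same applies to listen.zh.md.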
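
Review bot: In docs/configuration/shared/listen.zh.md, the rewritten table still sits above the "### 字段" heading, whereas listen.md places it under "### Fields" and the dial.zh.md hunk in this patch adds its table under the heading. Move the table below the heading while it is being touched. As in the English file, it has no `udp_fragment` row.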