A Short Note on Using Hysteria to Get Over the Wall

Every few years the wall gets a little better; as the saying goes, when the Way rises a foot, the devil rises ten. My self-hosted xray service has been unstable lately, and tests show heavy packet loss. In the mtr output, the hop at 101.95.209.65 loses as much as 93% of packets, which leaves the server's public IP address nearly unusable.

In the Middle East, Israel has Palestine under siege, and Gaza is the largest open-air prison in the world today. Few realize that mainland China can be regarded as an internet prison, without doubt the largest in the world. Palestinians dig tunnels to bring in supplies; Chinese netizens climb over the wall to bring in information. Six of one, half a dozen of the other.

You cannot change the external environment, you can only change yourself.

Shadowrocket on iOS supports the Hysteria2 protocol. After browsing the official website, two features stood out.

    1. ⚡ Fast as lightning

Through its modified QUIC transport, Hysteria can provide unparalleled performance even in the most unstable, packet-loss-prone network environments.

Isn't this a timely rain? 😊 Song Gongming acts on Heaven's behalf...

    2. ✊ Anti-blocking ability

The protocol is designed to disguise itself as standard HTTP/3 traffic, making it hard to distinguish and block by either man-in-the-middle inspection or active probing.

Personally, I think resisting detection is extremely important. When facing an adversary, routine counter-reconnaissance keeps losses to a minimum!

This article uses the simplest deployment method, to keep things worry-free.

Server

Install or upgrade to the latest version:

bash <(curl -fsSL https://get.hy2.sh/)

Personally, I suggest you take a look at what the script at https://get.hy2.sh/ contains before running it. Be careful in case a Trojan horse has been planted (the social climate is bad; everyone looks like a spy 😅). I looked it over during installation and found no problems.

  • Configuration file

Just look at my example:

root@tokyo:~# cat /etc/hysteria/config.yaml
listen: :443

tls:
  cert: /data/tls/certificates/acme-v02.api.letsencrypt.org-directory/stock.mephisto.cc/stock.mephisto.cc.crt
  key: /data/tls/certificates/acme-v02.api.letsencrypt.org-directory/stock.mephisto.cc/stock.mephisto.cc.key

auth:
  type: password
  password: set_your_passwd_at_here

masquerade:
  type: proxy
  proxy:
    url: https://mephisto.cc
    rewriteHost: true

For the certificate, I directly reused the one for my website https://stock.mephisto.cc, which Caddy obtained automatically.

The password needs no explanation.

For masquerading, I chose to imitate this website: https://mephisto.cc.

If you don’t understand configuration, it is recommended to read the official documentation first.

The automatic installation script above sets up systemd on Linux for you. If you hit a certificate read error, the permissions are most likely wrong.

In the unit below, User and Group are root because my certificate is also owned by root. Readers can change the user to suit their own setup, as long as it can read the certificate.

root@tokyo:~# cat /etc/systemd/system/hysteria-server.service
[Unit]
Description=Hysteria Server Service (config.yaml)
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/hysteria server --config /etc/hysteria/config.yaml
WorkingDirectory=~
User=root
Group=root
Environment=HYSTERIA_LOG_LEVEL=info
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
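The certificate-permission problem described above can be checked before the service is started. The following shell script is an added example, not part of the original post or of the Hysteria project: it reads User= from the unit file, pulls the cert: and key: paths out of config.yaml, and applies the ordinary owner/group/other read bits for that user. It deliberately does not special-case root, because the unit limits the capability bounding set to the CAP_NET_* capabilities, so even a User=root service has no CAP_DAC_OVERRIDE and must pass the same mode check. The unit file, config and TLS files it uses in the demo are constructed in a temporary directory; it assumes GNU stat on Linux and does not check traverse bits on parent directories.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check that the systemd
# service user can read the TLS cert and key referenced by the Hysteria config.
# Assumes GNU coreutils (stat -c) on Linux.

# Print the User= value of a unit file; systemd defaults to root when it is absent.
unit_user() {
  u=$(sed -n 's/^User=//p' "$1" | tail -n 1)
  printf '%s\n' "${u:-root}"
}

# Print the cert: and key: values from the tls: section of config.yaml, one per line.
tls_paths() {
  sed -n -e 's/^[[:space:]]*cert:[[:space:]]*//p' \
         -e 's/^[[:space:]]*key:[[:space:]]*//p' "$1"
}

# can_read_as USER FILE: exit 0 if USER can read FILE under plain owner/group/other
# permission bits, 1 if not, 2 if the user or file does not exist.
# uid 0 is treated like any other uid on purpose: the unit above limits the
# capability bounding set to CAP_NET_*, so root has no CAP_DAC_OVERRIDE there.
can_read_as() {
  user=$1 file=$2
  uid=$(id -u "$user" 2>/dev/null) || return 2
  gids=" $(id -G "$user") "
  info=$(stat -c '%u %g %A' "$file" 2>/dev/null) || return 2
  set -- $info
  owner=$1 group=$2 perms=$3          # perms looks like -rw-r-----
  if [ "$uid" = "$owner" ]; then
    pos=2                              # owner read bit
  else
    case "$gids" in
      *" $group "*) pos=5 ;;           # group read bit
      *)            pos=8 ;;           # other read bit
    esac
  fi
  [ "$(printf '%s' "$perms" | cut -c"$pos")" = r ]
}

# check_cert_access UNIT CONFIG: report each TLS file and fail if any is unreadable.
check_cert_access() {
  user=$(unit_user "$1")
  rc=0
  for f in $(tls_paths "$2"); do
    if can_read_as "$user" "$f"; then
      echo "ok:   $user can read $f"
    else
      echo "FAIL: $user cannot read $f (fix owner/mode, or change User= in the unit)"
      rc=1
    fi
  done
  return $rc
}

# demo: constructed unit, config, a world-readable cert and a 0600 key owned by us.
demo() {
  d=$(mktemp -d)
  printf 'listen: :443\ntls:\n  cert: %s/srv.crt\n  key: %s/srv.key\n' "$d" "$d" > "$d/config.yaml"
  printf '[Service]\nUser=%s\n' "$(id -un)" > "$d/unit.service"
  : > "$d/srv.crt"; chmod 644 "$d/srv.crt"
  : > "$d/srv.key"; chmod 600 "$d/srv.key"
  check_cert_access "$d/unit.service" "$d/config.yaml"; rc=$?
  rm -rf "$d"
  return $rc
}

demo
```

On a real host, call `check_cert_access /etc/systemd/system/hysteria-server.service /etc/hysteria/config.yaml` instead of `demo`. A FAIL line points at the same condition the text describes: the key is typically mode 600 and owned by whoever ran the ACME client, so either chown it or run hysteria as that user.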

Also, hysteria has two run modes, server and client. To run it as a client on Linux, remember to change the mode argument in the startup command to client.

After starting, you will find hysteria listening on UDP port 443 (how to stop caddy from also listening on UDP 443 is covered in the section below):

root@tokyo:~# ss -lnp | grep :443
udp UNCONN 0 0 *:443 *:* users:(("hysteria",pid=14103,fd=3))
tcp LISTEN 0 4096 *:443 *:* users:(("caddy",pid=14008,fd=7))

Client

I mainly browse Twitter and YouTube on my iPhone and iPad, so a simple setup in Shadowrocket is enough.

As shown in the screenshot below:

[Image: Shadowrocket configuration screenshot]

I have to say it is simpler than xray.

Real-world test

In my own testing the results are good: accessing Google services from the phone is a little faster than with xray. Readers who don't believe it can try it themselves.

Hysteria coexisting with an existing site

Before this tutorial, this site was already running on caddy. Recent versions of caddy have supported HTTP/3 for a long time, which means caddy listens on UDP port 443 by default.

That creates a port conflict. If you want the two to coexist and your situation is similar, consider this solution.

Just turn off HTTP/3 support in the Caddyfile global options (leave h3 out of protocols).

The part that matters is the servers block (acme_dns and storage are irrelevant to this article).

{
  acme_dns cloudflare your_cf_token
  storage file_system /data/tls
  servers :443 {
    protocols h1 h2 h2c
  }
}

This way caddy2 only listens on TCP port 443, and the two no longer conflict.
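To verify the result rather than trust it, here is an added shell example (not from the original post, nor from the Caddy or Hysteria projects). It parses `ss -lnp` output into proto/port/process triples and flags a UDP port held by more than one process, and it checks that a Caddyfile's global servers block carries a protocols line without h3 (no protocols line means Caddy's default, which includes h3). The ss sample is the two lines from this post plus one constructed clashing line; the two Caddyfiles are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post): detect a udp/443 clash between
# caddy and hysteria, and confirm the Caddyfile disables h3. Needs only awk.

# listeners: read `ss -lnp` output on stdin, print "proto port process" per socket.
listeners() {
  awk '$5 ~ /:[0-9]+$/ {
    port = $5; sub(/.*:/, "", port)
    name = "?"
    if (match($NF, /\("[^"]+"/)) name = substr($NF, RSTART + 2, RLENGTH - 3)
    print $1, port, name
  }'
}

# udp_port_ok PORT: reads ss output on stdin; exit 0 when at most one distinct
# process holds udp/PORT, 1 when two or more do (a port conflict).
udp_port_ok() {
  n=$(listeners | awk -v p="$1" '$1 == "udp" && $2 == p { print $3 }' | sort -u | wc -l | tr -d ' ')
  [ "$n" -le 1 ]
}

# caddy_h3_disabled CADDYFILE: exit 0 only if the global `servers` block has a
# `protocols` line and that line omits h3. A missing protocols line means the
# Caddy default (which includes h3), so that counts as not disabled.
caddy_h3_disabled() {
  awk '
    /^[[:space:]]*servers/ { inblk = 1 }
    inblk && /^[[:space:]]*protocols/ {
      found = 1
      for (i = 2; i <= NF; i++) if ($i == "h3") h3 = 1
    }
    inblk && /^[[:space:]]*}/ { inblk = 0 }
    END { if (found && !h3) exit 0; exit 1 }
  ' "$1"
}

# Sample ss output: the two lines from this post (hysteria on udp, caddy on tcp).
SS_OK='udp UNCONN 0 0 *:443 *:* users:(("hysteria",pid=14103,fd=3))
tcp LISTEN 0 4096 *:443 *:* users:(("caddy",pid=14008,fd=7))'

# Constructed sample of the clash: caddy still has h3 on, so both bind udp/443.
SS_CLASH="$SS_OK
udp UNCONN 0 0 *:443 *:* users:((\"caddy\",pid=14008,fd=9))"

# Constructed Caddyfile global options without and with h3.
CADDY_NO_H3='{
  servers :443 {
    protocols h1 h2 h2c
  }
}'
CADDY_H3='{
  servers :443 {
    protocols h1 h2 h3
  }
}'

# demo: run both checks on the samples; exit 0 if they behave as expected.
demo() {
  printf '%s\n' "$SS_OK" | udp_port_ok 443 || return 1
  printf '%s\n' "$SS_CLASH" | udp_port_ok 443 && return 1
  tmp=$(mktemp)
  printf '%s\n' "$CADDY_NO_H3" > "$tmp"; caddy_h3_disabled "$tmp" || { rm -f "$tmp"; return 1; }
  printf '%s\n' "$CADDY_H3" > "$tmp";    caddy_h3_disabled "$tmp" && { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  echo "checks behave as expected"
}

demo
```

On the server itself, run `ss -lnp | udp_port_ok 443 && caddy_h3_disabled /etc/caddy/Caddyfile` after reloading caddy; if the first check fails, the listeners function will show which two processes hold the port.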

My site is static and sits behind Cloudflare, which provides HTTP/3 at its edge; this does not affect requests back to the origin.

If you'd rather not do this, you can change the hysteria server to listen on 8443 or another port, or use some other more sensible method.

For now this meets my needs. I don't want to fuss over it too much; after being locked up for so long, one gets tired.

Finally, if the IP gets blocked outright, we will have to begin a Long March and make a strategic shift. No need to head for northern Shaanxi; we just change the IP. It is much like the late emperor's guerrilla warfare: if you can't win, run away 😅.

Lastmod: Thursday, October 26, 2023
