Stream
{
"transport":"tcp",
"transportSettings":{},
"security":"none",
"securitySettings":{}
}
transport: name of<transport>
transportSettings: settings of<transport>
security: name of<security>
It has to be one of supported Security Protocol.
securitySettings: settings of<security>
socketSettings: SocketConfigObject
Supported Streams
TLS
- Name:
tls - Type: Security Protocol
- ID:
security.tls
serverName: string
The server name indication domain name for TLS connection.
nextProtocol: [string]
The ALPN for TLS connections.
disableSystemRoot: true | false
Whether system level Certificate Authority Store should be trusted.
pinnedPeerCertificateChainSha256: [string]
Pinned Peer Certificate Chain SHA256 Hash. Should be represented in base64 format.
You can generate this value with ./v2ray tls certChainHash --cert <cert.pem> (v5.18.0+)
allowInsecureIfPinnedPeerCertificate: bool
This option allow TLS certificate verification to be turned off if the pinnedPeerCertificateChainSha256 is set. If pinnedPeerCertificateChainSha256 is not set, this option is ignored.
certificate: [CertificateObject]
CertificateObject
usage: string
The purpose of the certificate.
"ENCIPHERMENT": The certificate is used for TLS authentication and encryption."AUTHORITY_VERIFY": The certificate is used to verify the remote TLS certificate. When using this option, the current certificate must be a CA certificate."AUTHORITY_VERIFY_CLIENT": : The certificate is used to verify the remote TLS client certificate. When using this option, the current certificate must be a CA certificate."AUTHORITY_ISSUE": The certificate is used to issue other certificates. When using this option, the current certificate must be a CA certificate.
Certificate: string
The Certificate file in PEM format.
Key: string
The Certificate private key file in PEM format.
certificateFile: string
The path for the Certificate file.
keyFile: string
The path for the Certificate private key file.
uTLS
- Name:
utls - Type: Security Protocol
- ID:
security.utls
uTLS is a fork of TLS aimed at trying to imitate the client hello fingerprint of popular TLS implementation to hide the client identity of a Go language program. (v5.2.0+)
It is only supports client mode and in certain transports. If you use it in a context where it is not supported, the process will crash.
uTLS is supported in the following transports:
- TCP
- WebSocket
When you are using uTLS in some transport, the APLN will be overridden for its correct function. It may be a slightly different fingerprint than specified.
tlsConfig: TLSConfig
The Embedded TLS Setting for uTLS connections. Only some of its field are effective.
Supported Fields:
- Certificate Authority Settings (allowInsecure is ignored)
imitate: string
The TLS client fingerprint to use for the uTLS connection.
randomizedrandomizedalpnrandomizednoalpnfirefox_autofirefox_55firefox_56firefox_63firefox_65firefox_99firefox_102firefox_105chrome_autochrome_58chrome_62chrome_70chrome_72chrome_83chrome_87chrome_96chrome_100chrome_102ios_autoios_11_1ios_12_1ios_13ios_14android_11_okhttpedge_autoedge_85edge_106safari_autosafari_16_0360_auto360_7_5360_11_0qq_autoqq_11_1
noSNI: bool
Do not send Server Name Indication in the client hello. This may result in failed connection.
forceAlpn: "TRANSPORT_PREFERENCE_TAKE_PRIORITY" | "NO_ALPN" | "UTLS_PRESET"
Controls data source for Application-Layer Protocol Negotiation (ALPN) extension. You can use this setting to make connect resemble the imitated program better. In correct setting will result in connection failure. (v5.3.0+)
TRANSPORT_PREFERENCE_TAKE_PRIORITY: Default value. If user have set an ALPN at TLS setting, use that. Otherwise the default from transport will be used.NO_ALPN: Do not send ALPN TLS extension.UTLS_PRESET: Use value from uTLS template.
SocketConfigObject
{
"mark": 0,
"tcpFastOpen": false,
"tcpFastOpenQueueLength": 4096,
"tproxy": "off",
"tcpKeepAliveInterval": 0,
"bindToDevice": "eth0",
"mptcp": false
}
mark: number
An integer. When its value is non-zero, mark SO_MARK on the outbound connection.
- Only applicable to Linux systems.
- Requires CAP_NET_ADMIN permission.
tcpFastOpen: true | false
Whether to enable TCP Fast Open. When its value is true, TFO is forcibly turned on; when its value is false, TFO is forcibly turned off; when this item does not exist, the system default setting is used. Can be used for inbound and outbound connections.
- Only available in the following versions (or later versions) of the operating system:
- Windows 10 (1604)
- Mac OS 10.11 / iOS 9
- Linux 3.16: The system is turned on by default and no configuration is required.
- FreeBSD 10.3
tcpFastOpenQueueLength: number
TCP Fast Open queue length for inbound connections. Default value is 4096. Only available in Linux.
tproxy: "redirect" | "tproxy" | "off"
Whether to enable transparent proxy (only for Linux).
"redirect": Transparent proxy using Redirect mode. Only TCP/IPv4 and UDP connections are supported."tproxy": Use TProxy mode transparent proxy. Supports TCP and UDP connections."off": Turn off the transparent proxy.
Transparent proxy requires Root or CAP_NET_ADMIN authority.
TIP
When followRedirect is specified in Dokodemo-door and sockopt.tproxy is empty, the value of sockopt.tproxy will be set to "redirect".
tcpKeepAliveInterval: number
The interval in seconds between sending TCP keep-alive packets (only for Linux).
0 means keep the default value.
bindToDevice: string
Bind the connection to the specified network device (Linux: v5.0.6+, Windows/Darwin: v5.2.0+).
mptcp: true | false
Whether to enable Multipath TCP (only for Linux).
true: MPTCP is turned on. If the host on the other side doesn't support MPTCP, MPTCP will fall back to using TCP.false: MPTCP is turned off.
When this item does not exist, the system default setting is used. Can be used for inbound and outbound connections.