computerscot.github.io

WireGuard through Hysteria2

September 15, 2023

In this post you pass a WireGuard connection through a Hysteria2 tunnel. This disguises the WireGuard connection as HTTP/3.

Hysteria2 uses a custom version of the QUIC (Quick UDP Internet Connections) protocol to deliver unparalleled performance over unreliable or lossy networks. The protocol is designed to masquerade as standard HTTP/3 traffic, making it difficult to detect and block without widespread collateral damage. Hysteria2 is almost a complete rewrite of the original Hysteria, with a new protocol and new features. Version 2 documentation is at https://v2.hysteria.network. Hysteria2 is not compatible with the original Hysteria, so users must choose either version 1 or version 2 for both client and server.

Is Hysteria just brute-force sending every packet several times over?

Linux server

You will need a server, a domain name, and a DNS A record for the hostname (or an AAAA record if the server is reached over IPv6). Our example domain name will be example.com, and our example hostname will be vps6.example.com.

Open ports tcp/80, tcp/443, and udp/443 in the server firewall. Note that Hysteria uses UDP.

Calculate your WireGuard AllowedIPs for the client side using the calculator at https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator. The initial value of Allowed IPs should be 0.0.0.0/0, ::/0. The Disallowed IPs should be YOUR.SERVER.IP.ADDRESS, so that the Hysteria client's own traffic to the server is not itself routed into the WireGuard tunnel. Press Calculate to get your AllowedIPs. You'll feed it into the script in a moment.

Update server:

apt update && apt upgrade -y

Install WireGuard using the script from https://github.com/angristan/wireguard-install:

curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh

When prompted:

Example:

IPv4 or IPv6 public address: YOUR.SERVER.IP.ADDRESS
Public interface: ens3
WireGuard interface name: wg0
Server WireGuard IPv4: 10.66.66.1
Server WireGuard IPv6: fd42:42:42::1
Server WireGuard port [1-65535]: 51820
First DNS resolver to use for the clients: 1.1.1.1
Second DNS resolver to use for the clients (optional): 1.0.0.1

WireGuard uses a parameter called AllowedIPs to determine what is routed over the VPN.
Allowed IPs list for generated clients (leave default to route everything): 0.0.0.0/1, 128.0.0.0/3, ... etc., ::/0

Okay, that was all I needed. We are ready to setup your WireGuard server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...

Give your first client a name. For example:

Client name: windows
Client WireGuard IPv4: 10.66.66.2
Client WireGuard IPv6: fd42:42:42::2

The script completes and informs you that your client configuration file is in /root/wg0-client-windows.conf (in our example).

The WireGuard install script opens port udp/51820 in iptables. If you want to conceal your server, close this port by manually editing /etc/wireguard/wg0.conf. Remove the PostUp and PostDown lines for udp/51820.

Reboot the server.

Install Hysteria on the server using the script provided by the Hysteria developers:

bash <(curl -fsSL https://get.hy2.sh)

The systemd service file is created in /etc/systemd/system/hysteria-server.service. Optionally set the log level by adding the following line to the [Service] section of that file:

Environment=HYSTERIA_LOG_LEVEL=debug

If you make this change, then after saving the file also do:

systemctl daemon-reload

Edit the server configuration file at /etc/hysteria/config.yaml using an editor such as vi or nano. Specify your server hostname, your email, and your password. Optionally you can also change the masquerade URL. See the Hysteria version 2 documentation.

# listen: :443

acme:
  domains:
    - vps6.example.com
  email: cscot@example.com

auth:
  type: password
  password: JHMd94CcfsDpAYqFRW8hSNT3

masquerade:
  type: proxy
  proxy:
    url: https://news.ycombinator.com/
    rewriteHost: true

Start your Hysteria server with:

systemctl start hysteria-server

Configure Hysteria to start on system boot with:

systemctl enable hysteria-server

Check the status of the service:

systemctl status hysteria-server

You can view the server log at any time with:

journalctl -u hysteria-server

Exit SSH session with server:

exit

Windows client

Download the latest Hysteria for Windows from https://github.com/apernet/hysteria/releases. The file you want for most Windows PCs will be hysteria-windows-amd64.exe.

Create a configuration file config.yaml in the same directory as hysteria-windows-amd64.exe. Make it match your server configuration and your other requirements. For example:

server: vps6.example.com:443

auth: JHMd94CcfsDpAYqFRW8hSNT3

bandwidth:
  up: 10 mbps
  down: 20 mbps

socks5:
  listen: 127.0.0.1:10808

http:
  listen: 127.0.0.1:10809

udpForwarding:
  - listen: 127.0.0.1:51820
    remote: 127.0.0.1:51820
    timeout: 20s

See the Hysteria version 2 documentation for details of the client configuration.

Open a Command Prompt window and change to your Downloads directory, where the program and its configuration file are. Optionally set the log level to debug:

set HYSTERIA_LOG_LEVEL=debug

Start the program with the configuration file config.yaml:

.\hysteria-windows-amd64.exe

Leave the Command Prompt window open with Hysteria running in it.

In PowerShell, securely download the generated client configuration file from the server, e.g.:

scp root@vps6.example.com:/root/wg0-client-windows.conf Downloads

Edit Downloads\wg0-client-windows.conf. Change the Endpoint from YOUR.SERVER.IP.ADDRESS:51820 to be 127.0.0.1 port 51820:

Endpoint = 127.0.0.1:51820

Save the file.
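The two edits that turn the generated file into a client for this setup are the Endpoint change above and the AllowedIPs exclusion from the "Linux server" section. The following script is an added example, not part of the original post or of the WireGuard or Hysteria projects: it computes the same AllowedIPs list the procustodibus calculator produces (every block of 0.0.0.0/0 and ::/0 except the server host), rewrites the Endpoint to the Hysteria forwarder on 127.0.0.1:51820, and audits the result. The sample configuration, the key placeholders and the server address 203.0.113.10 are constructed values; the sample deliberately keeps the route-everything default so the audit can show why it matters: with the server inside AllowedIPs, the QUIC packets that carry the tunnel would themselves be routed into wg0 and the link would never come up.

```python
import ipaddress
import re

# Constructed sample in the shape the angristan install script writes.
# Keys are placeholders; 203.0.113.10 is an example VPS address, not the
# post's real server. AllowedIPs is left at the route-everything default
# on purpose so the audit below catches it.
SAMPLE_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 1.1.1.1,1.0.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0,::/0
"""

SERVER_IP = "203.0.113.10"          # example value (see above)
LOCAL_ENDPOINT = "127.0.0.1:51820"  # the Hysteria client's udpForwarding listener


def allowed_ips_excluding(server_ip, allowed=("0.0.0.0/0", "::/0")):
    """Same arithmetic as the AllowedIPs calculator: keep every block of the
    allowed ranges except the single host that must stay outside the tunnel."""
    server = ipaddress.ip_network(server_ip)  # a bare address becomes a /32 or /128
    blocks = []
    for cidr in allowed:
        net = ipaddress.ip_network(cidr)
        if net.version == server.version and server.subnet_of(net):
            # Split the range into the largest blocks that avoid the server host.
            blocks.extend(sorted(net.address_exclude(server)))
        else:
            blocks.append(net)
    return [str(b) for b in blocks]


def allowed_ips_cover(allowed_ips, address):
    """True if any AllowedIPs entry would send traffic for `address` into wg0."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(c.strip())
               for c in allowed_ips if c.strip())


def _get(conf, key):
    """Value of a `Key = value` line in the INI-style WireGuard config."""
    m = re.search(rf"^\s*{key}\s*=\s*(.+?)\s*$", conf, re.MULTILINE)
    return m.group(1) if m else None


def _set(conf, key, value):
    """Replace the value of the first `Key = value` line, keeping its spacing."""
    return re.sub(rf"^(\s*{key}\s*=\s*).*$", lambda m: m.group(1) + value,
                  conf, count=1, flags=re.MULTILINE)


def audit(conf, server_ip):
    """The two properties to confirm before importing the tunnel."""
    endpoint = _get(conf, "Endpoint") or ""
    allowed = (_get(conf, "AllowedIPs") or "").split(",")
    return {
        "endpoint_is_local_forwarder": endpoint == LOCAL_ENDPOINT,
        "server_routed_into_tunnel": allowed_ips_cover(allowed, server_ip),
    }


def rewrite(conf, server_ip, local_endpoint=LOCAL_ENDPOINT):
    """Point the peer at the Hysteria forwarder and, if the existing
    AllowedIPs would swallow the Hysteria server's own traffic, carve
    the server host out of it."""
    conf = _set(conf, "Endpoint", local_endpoint)
    allowed = [c.strip() for c in (_get(conf, "AllowedIPs") or "").split(",") if c.strip()]
    if allowed_ips_cover(allowed, server_ip):
        conf = _set(conf, "AllowedIPs", ", ".join(allowed_ips_excluding(server_ip, allowed)))
    return conf


if __name__ == "__main__":
    print("before:", audit(SAMPLE_CONF, SERVER_IP))
    fixed = rewrite(SAMPLE_CONF, SERVER_IP)
    print("after: ", audit(fixed, SERVER_IP))
    print(fixed)
```

To use it on a real file, read Downloads\wg0-client-windows.conf into `conf`, call `rewrite(conf, "YOUR.SERVER.IP.ADDRESS")`, and write the result back; `audit` on the result should report the endpoint as local and the server as not routed into the tunnel before you import it into the WireGuard client.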

If you have not already done so, install the WireGuard client from https://www.wireguard.com/install.

Import the tunnel defined in your revised client configuration file Downloads\wg0-client-windows.conf.

**Uncheck the block untunneled traffic (kill-switch) check box.** With the Endpoint now pointing at 127.0.0.1, the kill-switch would block the Hysteria client's own UDP traffic to the server on port 443, and the tunnel could never come up.

Activate the tunnel.