A Stable & Secure Tunnel based on KCP with N:M multiplexing and FEC. Available for ARM, MIPS, 386 and AMD64。KCPプロトコルに基づく安全なトンネル。KCP 프로토콜을 기반으로 하는 보안 터널입니다。

Overview

kcptun

Release Powered MIT licensed Build Status Go Report Card Downloads Docker

kcptun

Disclaimer: kcptun maintains a single website — github.com/xtaci/kcptun. Any websites other than github.com/xtaci/kcptun are not endorsed by xtaci.

Requirements

Target Minimum Recommended
System aix darwin dragonfly freebsd linux netbsd openbsd solaris windows linux
Memory >20MB >32MB
CPU ANY amd64 with AES-NI & AVX2

QuickStart

Increase the number of open files on your server, as:

ulimit -n 65535, or write it in ~/.bashrc.

Suggested sysctl.conf parameters for better handling of UDP packets:

net.core.rmem_max=26214400 // BDP - bandwidth delay product
net.core.rmem_default=26214400
net.core.wmem_max=26214400
net.core.wmem_default=26214400
net.core.netdev_max_backlog=2048 // proportional to -rcvwnd

You can also increase the per-socket buffer by adding parameter(default 4MB):

-sockbuf 16777217

for slow processors, increasing this buffer is CRITICAL to receive packets properly.

Download a corresponding one from precompiled Releases.

KCP Client: ./client_darwin_amd64 -r "KCP_SERVER_IP:4000" -l ":8388" -mode fast3 -nocomp -autoexpire 900 -sockbuf 16777217 -dscp 46
KCP Server: ./server_linux_amd64 -t "TARGET_IP:8388" -l ":4000" -mode fast3 -nocomp -sockbuf 16777217 -dscp 46

The above commands will establish port forwarding channel for 8388/tcp as:

Application -> KCP Client(8388/tcp) -> KCP Server(4000/udp) -> Target Server(8388/tcp)

which tunnels the original connection:

Application -> Target Server(8388/tcp)

Build from source

$ git clone https://github.com/xtaci/kcptun.git
$ cd kcptun
$ ./build-release.sh
$ cd build

All precompiled releases are genereated from build-release.sh script.

Performance

fast.com

bandwidth

flame

Practical bandwidth graph with parameters: -mode fast3 -ds 10 -ps 3

Basic Tuning Guide

Improving Thoughput

Q: I have a high speed network link, how to reach the maximum bandwidth?

A: Increase -rcvwnd on KCP Client and -sndwnd on KCP Server simultaneously & gradually, the mininum one decides the maximum transfer rate of the link, as wnd * mtu / rtt; Then try downloading something and to see if it meets your requirements. (mtu is adjustable by -mtu)

Improving Latency

Q: I'm using kcptun for game, I don't want any lag happening.

A: Lag means packet loss for most of the time, lags can be improved by changing -mode.

eg: -mode fast3

Aggresiveness/Responsiveness on retransmission for embeded modes are:

fast3 > fast2 > fast > normal > default

HOLB

Since streams are multiplexed into a single physical channel, head of line blocking may appear under certain circumstances, by increasing -smuxbuf to a larger value (default 4MB) may mitigate this problem, obviously this will costs more memory.

For versions >= v20190924, you can switch to smux version 2, smux v2 has options to limit per-stream memory usage, now set -smuxver 2 to enable smux v2, and adjust -streambuf to limit per-stream memory usage, eg: -streambuf 2097152 can limit per-stream memory usage to 2MB. By limiting stream buffer on the receiver side, a back-pressure will be conducted to the sender and limits reading, and finally prevent source from sending too much data to occupy every bits of buffer along the link. (Setting -smuxver MUST be IDENTICAL on both side, default is 1. )

Slow Devices

kcptun made use of ReedSolomon-Codes to recover lost packets, which requires massive amount of computation, a low-end ARM device cannot satisfy kcptun well. To unleash the full potential of kcptun, a multi-core x86 homeserver CPU like AMD Opteron is recommended. If you insist on running under some ARM routers, you'd better turn off FEC and use salsa20 as the encryption method.

Expert Tuning Guide

Overview

params

Usage

➜  ~ ./client_linux_amd64 -h
NAME:
   kcptun - client(with SMUX)

USAGE:
   client_linux_amd64 [global options] command [command options] [arguments...]

VERSION:
   20190924

COMMANDS:
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --localaddr value, -l value      local listen address (default: ":12948")
   --remoteaddr value, -r value     kcp server address (default: "vps:29900")
   --key value                      pre-shared secret between client and server (default: "it's a secrect") [$KCPTUN_KEY]
   --crypt value                    aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, sm4, none (default: "aes")
   --mode value                     profiles: fast3, fast2, fast, normal, manual (default: "fast")
   --conn value                     set num of UDP connections to server (default: 1)
   --autoexpire value               set auto expiration time(in seconds) for a single UDP connection, 0 to disable (default: 0)
   --scavengettl value              set how long an expired connection can live (in seconds) (default: 600)
   --mtu value                      set maximum transmission unit for UDP packets (default: 1350)
   --sndwnd value                   set send window size(num of packets) (default: 128)
   --rcvwnd value                   set receive window size(num of packets) (default: 512)
   --datashard value, --ds value    set reed-solomon erasure coding - datashard (default: 10)
   --parityshard value, --ps value  set reed-solomon erasure coding - parityshard (default: 3)
   --dscp value                     set DSCP(6bit) (default: 0)
   --nocomp                         disable compression
   --sockbuf value                  per-socket buffer in bytes (default: 4194304)
   --smuxver value                  specify smux version, available 1,2 (default: 1)
   --smuxbuf value                  the overall de-mux buffer in bytes (default: 4194304)
   --streambuf value                per stream receive buffer in bytes, smux v2+ (default: 2097152)
   --keepalive value                seconds between heartbeats (default: 10)
   --snmplog value                  collect snmp to file, aware of timeformat in golang, like: ./snmp-20060102.log
   --snmpperiod value               snmp collect period, in seconds (default: 60)
   --log value                      specify a log file to output, default goes to stderr
   --quiet                          to suppress the 'stream open/close' messages
   --tcp                            to emulate a TCP connection(linux)
   -c value                         config from json file, which will override the command from shell
   --help, -h                       show help
   --version, -v                    print the version
   
➜  ~ ./server_linux_amd64 -h
NAME:
   kcptun - server(with SMUX)

USAGE:
   server_linux_amd64 [global options] command [command options] [arguments...]

VERSION:
   20190924

COMMANDS:
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --listen value, -l value         kcp server listen address (default: ":29900")
   --target value, -t value         target server address, or path/to/unix_socket (default: "127.0.0.1:12948")
   --key value                      pre-shared secret between client and server (default: "it's a secrect") [$KCPTUN_KEY]
   --crypt value                    aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, sm4, none (default: "aes")
   --mode value                     profiles: fast3, fast2, fast, normal, manual (default: "fast")
   --mtu value                      set maximum transmission unit for UDP packets (default: 1350)
   --sndwnd value                   set send window size(num of packets) (default: 1024)
   --rcvwnd value                   set receive window size(num of packets) (default: 1024)
   --datashard value, --ds value    set reed-solomon erasure coding - datashard (default: 10)
   --parityshard value, --ps value  set reed-solomon erasure coding - parityshard (default: 3)
   --dscp value                     set DSCP(6bit) (default: 0)
   --nocomp                         disable compression
   --sockbuf value                  per-socket buffer in bytes (default: 4194304)
   --smuxver value                  specify smux version, available 1,2 (default: 1)
   --smuxbuf value                  the overall de-mux buffer in bytes (default: 4194304)
   --streambuf value                per stream receive buffer in bytes, smux v2+ (default: 2097152)
   --keepalive value                seconds between heartbeats (default: 10)
   --snmplog value                  collect snmp to file, aware of timeformat in golang, like: ./snmp-20060102.log
   --snmpperiod value               snmp collect period, in seconds (default: 60)
   --pprof                          start profiling server on :6060
   --log value                      specify a log file to output, default goes to stderr
   --quiet                          to suppress the 'stream open/close' messages
   --tcp                            to emulate a TCP connection(linux)
   -c value                         config from json file, which will override the command from shell
   --help, -h                       show help
   --version, -v                    print the version

Forward Error Correction

In coding theory, the Reed–Solomon code belongs to the class of non-binary cyclic error-correcting codes. The Reed–Solomon code is based on univariate polynomials over finite fields.

It is able to detect and correct multiple symbol errors. By adding t check symbols to the data, a Reed–Solomon code can detect any combination of up to t erroneous symbols, or correct up to ⌊t/2⌋ symbols. As an erasure code, it can correct up to t known erasures, or it can detect and correct combinations of errors and erasures. Furthermore, Reed–Solomon codes are suitable as multiple-burst bit-error correcting codes, since a sequence of b + 1 consecutive bit errors can affect at most two symbols of size b. The choice of t is up to the designer of the code, and may be selected within wide limits.

FED

DSCP

Differentiated services or DiffServ is a computer networking architecture that specifies a simple, scalable and coarse-grained mechanism for classifying and managing network traffic and providing quality of service (QoS) on modern IP networks. DiffServ can, for example, be used to provide low-latency to critical network traffic such as voice or streaming media while providing simple best-effort service to non-critical services such as web traffic or file transfers.

DiffServ uses a 6-bit differentiated services code point (DSCP) in the 8-bit differentiated services field (DS field) in the IP header for packet classification purposes. The DS field and ECN field replace the outdated IPv4 TOS field.

setting each side with -dscp value, Here are some Commonly used DSCP values.

Cryptanalysis

kcptun is shipped with builtin packet encryption powered by various block encryption algorithms and works in Cipher Feedback Mode, for each packet to be sent, the encryption process will start from encrypting a nonce from the system entropy, so encryption to same plaintexts never leads to a same ciphertexts thereafter.

The contents of the packets are completely anonymous with encryption, including the headers(FEC,KCP), checksums and contents. Note that, no matter which encryption method you choose on you upper layer, if you disable encryption by specifying -crypt none to kcptun, the transmit will be insecure somehow, since the header is PLAINTEXT to everyone it would be susceptible to header tampering, such as jamming the sliding window size, round-trip time, FEC property and checksums. aes-128 is suggested for minimal encryption since modern CPUs are shipped with AES-NI instructions and performs even better than salsa20(check the table below).

Other possible attacks to kcptun includes: a) traffic analysis, dataflow on specific websites may have pattern while interchanging data, but this type of eavesdropping has been mitigated by adapting smux to mix data streams so as to introduce noises, perfect solution to this has not appeared yet, theroretically by shuffling/mixing messages on larger scale network may mitigate this problem. b) replay attack, since the asymmetrical encryption has not been introduced into kcptun for some reason, capturing the packets and replay them on a different machine is possible, (notice: hijacking the session and decrypting the contents is still impossible), so upper layers should contain a asymmetrical encryption system to guarantee the authenticity of each message(to process message exactly once), such as HTTPS/OpenSSL/LibreSSL, only by signing the requests with private keys can eliminate this type of attack.

Important:

  1. -crypt and -key must be the same on both KCP Client & KCP Server.
  2. -crypt xor is also insecure and vulnerable to known-plaintext attack, do not use this unless you know what you are doing. (cryptanalysis note: any type of counter mode is insecure in packet encryption due to the shorten of counter period and leads to iv/nonce collision)

Benchmarks for crypto algorithms supported by kcptun:

BenchmarkSM4-4                 	   50000	     32087 ns/op	  93.49 MB/s	       0 B/op	       0 allocs/op
BenchmarkAES128-4              	  500000	      3274 ns/op	 916.15 MB/s	       0 B/op	       0 allocs/op
BenchmarkAES192-4              	  500000	      3587 ns/op	 836.34 MB/s	       0 B/op	       0 allocs/op
BenchmarkAES256-4              	  300000	      3828 ns/op	 783.60 MB/s	       0 B/op	       0 allocs/op
BenchmarkTEA-4                 	  100000	     15359 ns/op	 195.32 MB/s	       0 B/op	       0 allocs/op
BenchmarkXOR-4                 	20000000	        90.2 ns/op	33249.02 MB/s	       0 B/op	       0 allocs/op
BenchmarkBlowfish-4            	   50000	     26885 ns/op	 111.58 MB/s	       0 B/op	       0 allocs/op
BenchmarkNone-4                	30000000	        45.8 ns/op	65557.11 MB/s	       0 B/op	       0 allocs/op
BenchmarkCast5-4               	   50000	     34370 ns/op	  87.29 MB/s	       0 B/op	       0 allocs/op
Benchmark3DES-4                	   10000	    117893 ns/op	  25.45 MB/s	       0 B/op	       0 allocs/op
BenchmarkTwofish-4             	   50000	     33477 ns/op	  89.61 MB/s	       0 B/op	       0 allocs/op
BenchmarkXTEA-4                	   30000	     45825 ns/op	  65.47 MB/s	       0 B/op	       0 allocs/op
BenchmarkSalsa20-4             	  500000	      3282 ns/op	 913.90 MB/s	       0 B/op	       0 allocs/op

Benchmark result from openssl

$ openssl speed -evp aes-128-cfb
Doing aes-128-cfb for 3s on 16 size blocks: 157794127 aes-128-cfb's in 2.98s
Doing aes-128-cfb for 3s on 64 size blocks: 39614018 aes-128-cfb's in 2.98s
Doing aes-128-cfb for 3s on 256 size blocks: 9971090 aes-128-cfb's in 2.99s
Doing aes-128-cfb for 3s on 1024 size blocks: 2510877 aes-128-cfb's in 2.99s
Doing aes-128-cfb for 3s on 8192 size blocks: 310865 aes-128-cfb's in 2.98s
OpenSSL 1.0.2p  14 Aug 2018
built on: reproducible build, date unspecified
options:bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang -I. -I.. -I../include  -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cfb     847216.79k   850770.86k   853712.05k   859912.39k   854565.80k

The encrytion performance in kcptun is as fast as in openssl library(if not faster).

Memory Control

Routers, mobile devices are susceptible to memory consumption; by setting GOGC environment(eg: GOGC=20) will make the garbage collector to recycle faster. Reference: https://blog.golang.org/go15gc

Primary memory allocation are done from a global buffer pool xmit.Buf, in kcp-go, when we need to allocate some bytes, we can get from that pool, and a fixed-capacity 1500 bytes(mtuLimit) will be returned, the rx queue, tx queue and fec queue all receive bytes from there, and they will return the bytes to the pool after using to prevent unnecessary zer0ing of bytes. The pool mechanism maintained a high watermark for slice objects, these in-flight objects from the pool will survive from the perodical garbage collection, meanwhile the pool kept the ability to return the memory to runtime if in idle, -sndwnd,-rcvwnd,-ds, -ps, these parameters affect this high watermark, the larger the value, the bigger the memory consumption will be.

-smuxbuf also affects the maximum memory consumption, this parameter maintains a subtle balance between concurrency and resource, you can increase this value(default 4MB) to boost concurrency if you have many clients to serve and you get a powerful server at the same time, and also you can decrease this value to serve only 1 or 2 clients and hope this program can run under some embeded SoC system with limited memory and only you can access. (Notice that the -smuxbuf value is not proprotional to concurrency, you need to test.)

Compression

kcptun has builtin snappy algorithms for compressing streams:

Snappy is a compression/decompression library. It does not aim for maximum compression, or compatibility with any other compression library; instead, it aims for very high speeds and reasonable compression. For instance, compared to the fastest mode of zlib, Snappy is an order of magnitude faster for most inputs, but the resulting compressed files are anywhere from 20% to 100% bigger.

Reference: http://google.github.io/snappy/

Compression may save bandwidth for PLAINTEXT data, it's quite useful for specific scenarios as cross-datacenter replications, by compressing the redologs in dbms or kafka-like message queues and then transfer the data streams across the continent can be much faster.

Compression is enabled by default, you can disable it by setting -nocomp on BOTH KCP Client & KCP Server MUST be IDENTICAL.

SNMP

type Snmp struct {
    BytesSent        uint64 // bytes sent from upper level
    BytesReceived    uint64 // bytes received to upper level
    MaxConn          uint64 // max number of connections ever reached
    ActiveOpens      uint64 // accumulated active open connections
    PassiveOpens     uint64 // accumulated passive open connections
    CurrEstab        uint64 // current number of established connections
    InErrs           uint64 // UDP read errors reported from net.PacketConn
    InCsumErrors     uint64 // checksum errors from CRC32
    KCPInErrors      uint64 // packet iput errors reported from KCP
    InPkts           uint64 // incoming packets count
    OutPkts          uint64 // outgoing packets count
    InSegs           uint64 // incoming KCP segments
    OutSegs          uint64 // outgoing KCP segments
    InBytes          uint64 // UDP bytes received
    OutBytes         uint64 // UDP bytes sent
    RetransSegs      uint64 // accmulated retransmited segments
    FastRetransSegs  uint64 // accmulated fast retransmitted segments
    EarlyRetransSegs uint64 // accmulated early retransmitted segments
    LostSegs         uint64 // number of segs infered as lost
    RepeatSegs       uint64 // number of segs duplicated
    FECRecovered     uint64 // correct packets recovered from FEC
    FECErrs          uint64 // incorrect packets recovered from FEC
    FECParityShards  uint64 // FEC segments received
    FECShortShards   uint64 // number of data shards that's not enough for recovery
}

Sending a SIGUSR1 signal to KCP Client or KCP Server will dump SNMP information to console, just like /proc/net/snmp. You can use this information to do fine-grained tuning.

Manual Control

https://github.com/skywind3000/kcp/blob/master/README.en.md#protocol-configuration

-mode manual -nodelay 1 -interval 20 -resend 2 -nc 1

Low-level KCP configuration can be altered by using manual mode like above, make sure you really UNDERSTAND what these means before doing ANY manual settings.

Identical Parmeters

These parameters MUST be IDENTICAL on BOTH side:

  1. -key
  2. -crypt
  3. -nocomp
  4. -smuxver

References

  1. https://github.com/skywind3000/kcp -- KCP - A Fast and Reliable ARQ Protocol.
  2. https://github.com/xtaci/kcp-go/ -- A Production-Grade Reliable-UDP Library for golang
  3. https://github.com/klauspost/reedsolomon -- Reed-Solomon Erasure Coding in Go.
  4. https://en.wikipedia.org/wiki/Differentiated_services -- DSCP.
  5. http://google.github.io/snappy/ -- A fast compressor/decompressor.
  6. https://www.backblaze.com/blog/reed-solomon/ -- Reed-Solomon Explained.
  7. http://www.qualcomm.cn/products/raptorq -- RaptorQ Forward Error Correction Scheme for Object Delivery.
  8. https://en.wikipedia.org/wiki/PBKDF2 -- Key stretching.
  9. http://blog.appcanary.com/2016/encrypt-or-compress.html -- Should you encrypt or compress first?
  10. https://github.com/hashicorp/yamux -- Connection multiplexing library.
  11. https://tools.ietf.org/html/rfc6937 -- Proportional Rate Reduction for TCP.
  12. https://tools.ietf.org/html/rfc5827 -- Early Retransmit for TCP and Stream Control Transmission Protocol (SCTP).
  13. http://http2.github.io/ -- What is HTTP/2?
  14. http://www.lartc.org/ -- Linux Advanced Routing & Traffic Control
  15. https://en.wikipedia.org/wiki/Noisy-channel_coding_theorem -- Noisy channel coding theorem
  16. https://zhuanlan.zhihu.com/p/53849089 -- kcptun开发小记

(注意:我没有任何社交网站的账号,请小心骗子。)

Comments
  • CPU & MEM & BPS

    CPU & MEM & BPS

    请看截图,LAN1口接的是一台kcptun中转的本地服务器,用的是20160808 linux arm的kcptun版本。

    蓝色uplink流量是远端的VPS发往本地kcptun中转服务器的UDP流量,橙色download的流量是kcptun解包还原后发往客户端的实际数据流量。两者波动基本同步,这是合理的。

    请教一下作者,这种波动是正常的吗?是否可以通过优化kcptun的参数,平滑波动? 另外本地收到的UDP流量和解包后的实际流量,差不多是2:1的关系。kcptun本身的系统开销应该没有这么大吧?那这是不是代表本地收到的UDP包中有将近一半的包是重复的的或者错误的?谢谢!

    kcptun

    opened by bettermanbao 98
  • BufferBloat?RepeatSegs?

    BufferBloat?RepeatSegs?

    BufferBloat 问题, RepeatSegs/InSegs 过高,可以在此讨论。 BufferBloat相关资料:

    • https://en.wikipedia.org/wiki/Bufferbloat
    • http://blog.csdn.net/dog250/article/details/52879457
    • http://blog.csdn.net/dog250/article/details/52830576
    • http://blog.csdn.net/dog250/article/details/54171687
    • http://blog.csdn.net/dog250/article/details/54424751
    • http://anagranroberts.blogspot.jp/2011/07/bufferbloat-impact-on-response-time.html
    opened by xtaci 96
  • FEC问题讨论贴

    FEC问题讨论贴

    1. 下载文件speedtest基本上下载2-3MB之后就会断开。
    2. 视频有时断有时不断,另外视频的status里面显示的connection speed也不正常,我只有10mbps的宽带,但是他能飙到60多k。
    3. 在视频播放视频的同时打开其他网站会很困难。

    我之前用的版本印象中没有出现过以上问题,应该是 https://github.com/xtaci/kcptun/commit/a79537f9c6d959a107d1646fe338dff4d8bfd0dc 这个版本。

    mode fast2 mtu 1464 mtu试过默认也没用 sndwnd和rcvwnd都是默认,服务端和客户端的版本、参数都是一样的 另外我是配合ss-libev一起用

    下载断开时服务端的错误信息

    2016/05/21 09:38:31 [ERR] yamux: Failed to read header: broken pipe
    2016/05/21 09:38:31 broken pipe
    2016/05/21 09:38:31 stream closed
    2016/05/21 09:38:33 i/o timeout
    

    下载断开时客户端的错误信息

    2016/05/21 09:39:00 [ERR] yamux: keepalive failed: i/o deadline reached
    2016/05/21 09:39:01 [ERR] yamux: Failed to read stream data: broken pipe
    2016/05/21 09:39:01 [WARN] yamux: failed to send go away: session shutdown
    
    enhancement 
    opened by ghost 94
  • 近两个月kcptun非常不稳定

    近两个月kcptun非常不稳定

    以前我都是长年ss+kcptun, 包括下载和youtube, 近期发现常掉线后升级过几次, 直到最近, 已经沦落到不可用的地步, 为此特地在网上搜索配置经验, 更改参数, 都无效

    表现在好好的网站就打不开了, 下载的话启动半分钟就掉线了, 然后我就是不断地ctrl+c, 再重连(当然放任它不管也会自己在某个时候又连回去) 目前用kcptun下载已经废了, 只能切回ss, 那个下载速度啊....

    由于已经升级过几次, 具体版本可不考了, 现在用的是5/15版

    P.S. 打字这当口, 又断了

    配置和日志如下:

    server:

    key:  xxx
    crypt:  aes-192
    mode:  manual
    mtu:  1400
    sndwnd:  128
    rcvwnd:  1024
    datashard:  30
    parityshard:  15
    dscp:  46
    nocomp:  false
    quiet:  false
    interval:  20
    resend:  2
    nc:  1
    acknodelay:  false
    sockbuf:  4194304
    keepalive:  10
    

    client:

    "nocomp" : false,
    "key" : "xxx",
    "crypt" : "aes-192",
    "conn" : 1,
    "quiet" : true,
    "mode": "manual",
    "mtu": 1400,
    "sndwnd": 1024,
    "rcvwnd": 1024,
    "datashard": 30,
    "parityshard": 15,
    "dscp": 46,
    "acknodelay": false,
    "nodelay": 0,
    "interval": 20,
    "resend": 2,
    "nc": 1,
    "sockbuf": 4194304,
    "keepalive": 10,
    "autoexpire": -1
    

    client启动后的日志永远如下:

    2019/06/12 15:34:54 connection: 0.0.0.0:64480 -> my_server:port
    2019/06/12 15:35:33 session marked as expired <nil>
    2019/06/12 15:35:33 connection: 0.0.0.0:59008 -> my_server:port
    2019/06/12 15:35:33 session normally closed <nil>
    2019/06/12 15:36:33 session marked as expired <nil>
    2019/06/12 15:36:33 connection: 0.0.0.0:63213 -> my_server:port
    2019/06/12 15:36:33 session normally closed <nil>
    2019/06/12 15:37:33 session marked as expired <nil>
    2019/06/12 15:37:33 connection: 0.0.0.0:63982 -> my_server:port
    2019/06/12 15:37:33 session normally closed <nil>
    2019/06/12 15:38:33 session marked as expired <nil>
    2019/06/12 15:38:33 connection: 0.0.0.0:60969 -> my_server:port
    2019/06/12 15:38:33 session normally closed <nil>
    2019/06/12 15:39:33 session marked as expired <nil>
    2019/06/12 15:39:33 connection: 0.0.0.0:62457 -> my_server:port
    2019/06/12 15:39:33 session normally closed <nil>
    2019/06/12 15:41:06 session marked as expired <nil>
    2019/06/12 15:41:06 connection: 0.0.0.0:55234 -> my_server:port
    2019/06/12 15:41:06 session normally closed <nil>
    2019/06/12 15:42:06 session marked as expired <nil>
    2019/06/12 15:42:06 connection: 0.0.0.0:58081 -> my_server:port
    2019/06/12 15:42:06 session normally closed <nil>
    
    opened by walkerwzy 72
  • 参数组合分享贴

    参数组合分享贴

    { "localaddr": "127.0.0.1:1080", "remoteaddr": "SERVERIP:4000", "key": "x", "crypt": "aes-128", "mode": "manual", "conn": 1, "autoexpire": 300, "mtu": 1400, "sndwnd": 128, "rcvwnd": 1024, "datashard": 30, "parityshard": 15, "dscp": 46, "nocomp": true, "acknodelay": false, "nodelay": 0, "interval": 20, "resend": 2, "nc": 1, "sockbuf": 4194304, "keepalive": 10, "log": "/var/log/kcptun.log" }

    { "listen": ":4000", "target": "127.0.0.1:1080", "key": "x", "crypt": "aes-128", "mode": "manual", "mtu": 1400, "sndwnd": 1024, "rcvwnd": 1024, "datashard": 30, "parityshard": 15, "dscp": 46, "nocomp": true, "acknodelay": false, "nodelay": 0, "interval": 20, "resend": 2, "nc": 1, "sockbuf": 4194304, "keepalive": 10 }

    特点: 30/15的fec比例,33%以下的丢包率可以基本还原

    PARAMS 
    opened by xtaci 70
  • 手动参数设定探讨

    手动参数设定探讨

    策略1: 通过超时重传+快速重传,响应速度优先(最大化响应时间): -mode manual -nodelay 1 -resend 2 -nc 1 -interval 20

    策略2: 仅仅通过超时重传, 带宽效率优先(有效载比优先)。 -mode manual -nodelay 1 -resend 0 -nc 1 -interval 40 或 -mode manual -nodelay 0 -resend 0 -nc 1 -interval 20

    策略3: 尽可能通过FEC纠删,最大化传输速度(推荐): -mode fast -datashard 5 -parityshard 5

    question FAQ DSCP MTU PARAMS 
    opened by xtaci 70
  • Kcp用着用着偶尔就会断开{伪解决方案}

    Kcp用着用着偶尔就会断开{伪解决方案}

    VPS:搬瓦工 OS :Debian 7.0 x86_64 客户端版本=服务器版本 :0922 ssr版本:3.7.4.1 问题描述:最近这几天当我打开KCP和SS配合翻墙观看youtube视频时,开始没有什么问题,网速也很快,但是过了大概十分钟左右后,突然就不能翻墙了,此时我切换ss直连vps, 经测试连接没有问题。在这种无法使用kcp的情况下,经过大概半小时 我再测试使用kcp配合翻墙,发现又可以使用了。请问这是为什么呢? PS: 我在网上查询相关问题时 有不少人遇到和我类似的问题,有人说是isp封锁了UDP端口 (不知道对错)

    谢谢您的帮助,感激不尽 (客户端参数未调整,只是用的ssr版本的shadowsocks,把UDP over TCP 勾选后(见楼下图),经过我接近三个小时的youtube视频播放测试,之前的视频播放一段时间就断开现象没有遇到,之后的几天,该问题也没有遇到。所以我认为这应该算是一个解决方案吧。逃) update:最近我的ssr即使打开 UDP over TCP 也是会看一会视频就断开 过几天试试降低MTU值

    ISP 
    opened by feizhenzhuang 57
  • server端没响应

    server端没响应

    ubuntu12.04 64bit,0922的版本 使用最简单方式运行 服务端:./server_linux_amd64 -t "127.0.0.1:443" -l : -mode fast2 客户端:./client_windows_amd64 -l :2100 -r x.x.x.x:2219 -mode fast2 ,其他参数默认,检查过两边一致。 服务端防火墙2219打开,客户端ss监听127.0.0.1:2100,还是没法上网 客户端出现 “λ .\client_windows_amd64.exe -l :2100 -r x.x.x.x:2219 -mode fast2 2016/09/30 23:01:06 version: 20160922 2016/09/30 23:01:06 listening on: [::]:2100 2016/09/30 23:01:06 encryption: aes 2016/09/30 23:01:06 nodelay parameters: 1 20 2 1 2016/09/30 23:01:06 remote address: 52.192.229.192:2219 2016/09/30 23:01:06 sndwnd: 128 rcvwnd: 1024 2016/09/30 23:01:06 compression: true 2016/09/30 23:01:06 mtu: 1350 2016/09/30 23:01:06 datashard: 10 parityshard: 3 2016/09/30 23:01:06 acknodelay: false 2016/09/30 23:01:06 dscp: 0 2016/09/30 23:01:06 sockbuf: 4194304 2016/09/30 23:01:06 keepalive: 10 2016/09/30 23:01:06 conn: 1 2016/09/30 22:56:18 stream opened 2016/09/30 22:56:19 stream opened 2016/09/30 22:56:20 stream opened 2016/09/30 22:56:21 stream opened 2016/09/30 22:56:30 session scavenged 2016/09/30 22:56:46 stream opened 2016/09/30 22:56:48 stream closed 2016/09/30 22:56:48 stream closed 2016/09/30 22:56:48 stream closed ” 服务端没反应 0 14:53:23 version: 20160922 2016/09/30 14:53:23 listening on: [::]:2219 2016/09/30 14:53:23 target: 127.0.0.1:443 2016/09/30 14:53:23 encryption: aes 2016/09/30 14:53:23 nodelay parameters: 1 20 2 1 2016/09/30 14:53:23 sndwnd: 1024 rcvwnd: 1024 2016/09/30 14:53:23 compression: true 2016/09/30 14:53:23 mtu: 1350 2016/09/30 14:53:23 datashard: 10 parityshard: 3 2016/09/30 14:53:23 acknodelay: false 2016/09/30 14:53:23 dscp: 0 2016/09/30 14:53:23 sockbuf: 4194304 2016/09/30 14:53:23 keepalive: 10

    另外,git clone 后运行build_realse.sh,生成一些空的tar.gz压缩文件

    opened by wvyan 57
  • 关闭FEC后,内存使用大幅降低。

    关闭FEC后,内存使用大幅降低。

    刚才抽空试了一些参数组合,偶尔发现FEC才是内存大量占用的元凶。

    先说明一下我这边的的情况:

    1. 魔都电信100M宽带,每天上午直连国外网站速度还行,下午开始到晚上访问国外网站速度很慢。
    2. kcptun部署在MT7620 + 64M内存的路由器上配合SS透明代理使用,使用的是20161105版kcptun。
    3. VPS是sentris的,流量一大就会被封。测试下来rcvwnd和sndwnd设置128长时间运行不会被封。

    参数如下,速度可以稳定在2.5Mbps以上,youtube 720p非常流畅,1080p基本流畅。 因为我这边电信不同时段的丢包率差别很大,所以尝试把FEC关了,用fast2模式。FEC固定的带宽开销在丢包率低的情况下比较浪费带宽。不容让丢失的包直接用fast2的快速重传找回,这样动态带宽利用率更高。因为本身window只是128,所以带宽很宝贵。

    于是关闭FEC后,发现原先64M内存的路由器看一段时间视频后,可用内存必定会降到1-2M之间,现在可用内存永远维持在14M以上。CPU使用率也略微降低,但传输速度仍维持原水平。

    "crypt": "salsa20",
    "mode": "fast2",
    "autoexpire": 300,
    "sndwnd": 128,
    "rcvwnd": 128,
    "datashard": 0,
    "parityshard": 0,
    "dscp": 46,
    "nocomp": true,
    

    所以为题来了,开FEC后的大量内存占用是正常情况吗?

    BTW, 下面这组加密耗时的评估源码能否提供下?我想看看在MIPS平台下运行的结果,谢谢!

    BenchmarkAES128-4 200000 11182 ns/op BenchmarkAES192-4 200000 12699 ns/op BenchmarkAES256-4 100000 13757 ns/op BenchmarkTEA-4 50000 26441 ns/op BenchmarkSimpleXOR-4 3000000 441 ns/op BenchmarkBlowfish-4 30000 48036 ns/op BenchmarkNone-4 20000000 106 ns/op BenchmarkCast5-4 20000 60222 ns/op BenchmarkTripleDES-4 2000 878759 ns/op BenchmarkTwofish-4 20000 68501 ns/op BenchmarkXTEA-4 20000 77417 ns/op BenchmarkSalsa20-4 300000 4998 ns/op

    MEM 
    opened by bettermanbao 54
  • kcptun windows客户端配置管理

    kcptun windows客户端配置管理

    闲来无事,写了一个windows下的kcptun客户端配置管理程序,界面如下: kcptun

    这个程序不需要在控制台中手工输入命令行,所有的命令行参数都转为界面配置,并保存在附带的xml文件中;可同时运行管理多个kcptun客户端,点击左侧节点,与节点对应的kcptun客户端控制台输出直接显示在界面上。

    用法:首先需要指定kcptun的windows客户端路径(32位或64位,可拖动文件到界面),添加一个客户端,输入正确的基础参数(本地侦听端口、服务器IP地址或域名及端口),如果需要,可以点选参数名称前的复选框,输入自定义参数,输入的参数会自动写入xml文件,最后点击“启动”即可。点击窗口的最小化或关闭按钮,程序会退到托盘栏处;在托盘栏上的图标右键,点击“退出”可彻底关闭本程序;如果在程序退出时有已启动的kcptun客户端,则在退出前自动关闭kcptun客户端。

    说明:点击“程序开机自启”,会在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run下写入启动项“KCPTun 客户端配置管理工具”,由于程序没有请求UAC,所以在win7或win10下需要以系统管理员身份运行( 只是这个写注册表需要系统管理员权限,平常情况下并不需要管理员权限)。

    请在这里下载最新的kcptun客户端配置管理软件

    2016-09-27 1.0.12版 1.UAC提权; 2.加入自动重连功能。 —————————————————————————————————————————————

    2016-09-16 1.0.11版 1.加入从JSON参数文件导入功能; 2.减小exe文件体积; 3.界面细节调整。 —————————————————————————————————————————————

    2016-09-08 1.0.10版 1.修复导出到JSON文件内容错误的bug; 2.界面细节调整。 —————————————————————————————————————————————

    2016-09-07 1.09版 1.修复v1.08版本号称已经修复的bug:sweat:; 2.界面细节调整。 —————————————————————————————————————————————

    2016-09-05 1.08版 1.修复KCPTun Client进程异常退出后,界面上依旧显示进程为启动状态的bug; 2.界面细节调整。 ————————————————————————————————————————————— 2016-09-04 1.07版 1.支持-c参数; 2.客户端列表加入右键支持,可进行启动、停止、复制、删除、导出到JSON操作; 3.启动时如果exe路径下没有参数文件,会新建空白配参xml文件; 4.界面细节调整。 —————————————————————————————————————————————

    2016-09-01 1.06版 1.鼠标悬停提示修改为参数的默认值; 2.KCPTun服务器的填写支持使用域名; 3.调整界面细节。 —————————————————————————————————————————————

    2016-08-30 1.05版 1.实现“全部启动”和“全部停止”功能(同时在右键菜单中加入这两项功能); 2.去除“启动时运行所有KCPTun客户端”选项(启动时会根据上一次退出时的状态来决定是否运行节点); 3.调整界面细节。 —————————————————————————————————————————————

    2016-08-29 1.04版 1.修复界面控制的bug。 —————————————————————————————————————————————

    2016-08-29 1.03版 1.修复修改基础参数后,节点名称不随之变动的bug。 —————————————————————————————————————————————

    2016-08-28 1.02版 1.调整界面尺寸; 2.修改部分界面控制; 3.如果某一个参数被选中,但没有填写参数值,此参数不在命令行中出现。 —————————————————————————————————————————————

    2016-08-28 1.01版 1.界面加入原始参数名称。 —————————————————————————————————————————————

    2016-08-27 1.00版 1.实现基本功能。

    GUI 
    opened by dfdragon 46
  • 近两日出现断流现象(小的MTU?)

    近两日出现断流现象(小的MTU?)

    11期间在ss-libev(服务器端监听443端口)基础上加了kcptun,放假期间一切正常,vps到拨号电信的电脑之间速度大概2mbyte/s到4mbyte/s。近两日出现一个问题,只要一段时间不使用(几分钟到十几分钟不等)就会断流,客户端有stream open/closed,服务器端没有,偶尔出现remote address或broken pipe。手机电信、联通移动网络正常,路由器重新拨号后电脑恢复。请问出现这种现象可能是什么原因?可否通过调整参数避免?

    另外服务器端和客户端正常情况下stream open/close是否每次配对出现?

    版本为161009,两端参数: .\client_windows_amd64.exe --localaddr 127.0.0.1:8388 --remoteaddr VPS:554 --key PASSKEY --crypt aes --mode normal --conn 1 --autoexpire 0 --mtu 1350 --sndwnd 128 --rcvwnd 1024 --datashard 10 --parityshard 3 --dscp 0

    /kcptun/server_linux_amd64 --listen 0.0.0.0:554 --target 127.0.0.1:443 --key PASSKEY --crypt aes --mode normal --mtu 1350 --sndwnd 1024 --rcvwnd 1024 --datashard 10 --parityshard 3 --dscp 0

    ISP MTU 
    opened by peakvision 42
  • Connection terminate from client to server

    Connection terminate from client to server

    After some minutes (5-10) with keepalive setting 30 sec we have a many service UDP packets in the traffic and stoped communication between client and server. The traffic in the attached image https://ibb.co/B6Gf8jh Before termination we got some ICMP packet with Destination unreachable message.

    opened by ITmining 1
  • 默认就是加密传输的吗?

    默认就是加密传输的吗?

    首页的用法是不是加密传输了? 电信能不能看到我们的数据内容?

    KCP Client: ./client_darwin_amd64 -r "KCP_SERVER_IP:4000" -l ":8388" -mode fast3 -nocomp -autoexpire 900 -sockbuf 16777217 -dscp 46 KCP Server: ./server_linux_amd64 -t "TARGET_IP:8388" -l ":4000" -mode fast3 -nocomp -sockbuf 16777217 -dscp 46

    opened by viponedream 1
  • 如何设置参数以承载大流量?

    如何设置参数以承载大流量?

    网络环境: LA机房 1000M上下行,用脚本实测speedtest到LA测速点可以达到800+M,到国内华东地区可以到300-500M 本地中国电信1000M 下行,30M上行,speedtest实测可以满速 ping值140-180之间,丢包率10%左右

     Node Name        Upload Speed      Download Speed      Latency
     Speedtest.net    835.34 Mbps       813.86 Mbps         0.47 ms
     Los Angeles, US  836.33 Mbps       745.76 Mbps         0.91 ms
     Dallas, US       815.17 Mbps       88.43 Mbps          28.96 ms
     Montreal, CA     749.69 Mbps       351.87 Mbps         68.01 ms
     Paris, FR        597.86 Mbps       251.41 Mbps         141.26 ms
     Amsterdam, NL    559.64 Mbps       125.67 Mbps         142.29 ms
     Shanghai, CN     471.90 Mbps       291.49 Mbps         172.21 ms
     Nanjing, CN      501.38 Mbps       256.98 Mbps         153.30 ms
     Guangzhou, CN    13.30 Mbps        90.20 Mbps          175.36 ms
     Hongkong, CN     525.32 Mbps       590.96 Mbps         155.85 ms
     Seoul, KR        511.75 Mbps       333.88 Mbps         126.42 ms
     Singapore, SG    496.31 Mbps       17.35 Mbps          161.50 ms
     Tokyo, JP        743.58 Mbps       124.24 Mbps         99.12 ms
    

    科学上网工具配置:1)ss+kcptun 2)xray + xtls kcptun配置:

    {
      "localaddr": ":8080",
      "remoteaddr": remote,
      "key": pass,
      "crypt": "xor",
      "mode": "fast2",
      "mtu": 1450,
      "sndwnd": 512,
      "rcvwnd": 4096,
      "datashard": 40,
      "parityshard": 10,
      "dscp": 46,
      "nocomp": true,
      "tcp": false
    }
    

    ss加密方式选用chacha20-ietf-poly1305

    测试结果(fast.com 和speedtest.net) 1)ss+kcptun 根据网络拥堵情况在 60-160Mbps之间 2)xray + xtls 根据网络拥堵情况在 40-350M+bps之间

    总体上看ss+kcptun克服网络拥堵能力较强,但是最大流量比xray+xtls显著要小很多,并且在跑到160Mbps是单核vps的cpu已经跑满,主要由kcptun的线程占用

    请问有没有什么调整方法可以让ss+kcptun承载更大的流量?

    opened by szhangcn 7
  • how to speed up download from a web server using kcptune?

    how to speed up download from a web server using kcptune?

    Hi,

    I am getting 2.1 MB/s at kcptun same as normal download without kcptun on port 80. but when I use python3 simple http server python3 -m http.server on port 8000, download rate drops to 500 KB/s at kcptun. I am not sure what is going on.

    Server(From Aliyun):

    OS: Ubuntu 20.04.3 LTS
    kcptun :  20210922
    web server: apache2
    

    Client

    OS: windows 10 Version 21H2  ( Build 19044.1645)
    kcptun :  20210922
    

    kcptun configs for python server (port 8000):

    in client:

    client_windows_amd64.exe -r "<server-ip>:30000" -l ":8000" -mode fast3 -nocomp -autoexpire 900 -sockbuf 16777217 -dscp 46

    in server

    ./server_linux_amd64 -t "127.0.0.1:8000" -l ":30000" -mode fast3 -nocomp -sockbuf 16777217 -dscp 46

    kcptun configs for apache2 web server (port 80):

    in client:

    client_windows_amd64.exe -r "<server-ip>:30000" -l ":80" -mode fast3 -nocomp -autoexpire 900 -sockbuf 16777217 -dscp 46

    in server

    ./server_linux_amd64 -t "127.0.0.1:80" -l ":30000" -mode fast3 -nocomp -sockbuf 16777217 -dscp 46

    Any help would be appreciated.

    opened by FRSiL3nT 0
Releases(v20220628)
Owner
xtaci
自心取自心,非幻成幻法。
xtaci
A Crypto-Secure, Production-Grade Reliable-UDP Library for golang with FEC

Introduction kcp-go is a Production-Grade Reliable-UDP library for golang. This library intents to provide a smooth, resilient, ordered, error-checked

xtaci 3.4k Sep 22, 2022
GO Simple Tunnel - a simple tunnel written in golang

GO Simple Tunnel GO语言实现的安全隧道 English README !!!V3版本已经可用,欢迎抢先体验!!! 特性 多端口监听 可设置转发代理,支持多级转发(代理链) 支持标准HTTP/HTTPS/HTTP2/SOCKS4(A)/SOCKS5代理协议 Web代理支持探测防御 支

ginuerzh 9.7k Sep 26, 2022
wire protocol for multiplexing connections or streams into a single connection, based on a subset of the SSH Connection Protocol

qmux qmux is a wire protocol for multiplexing connections or streams into a single connection. It is based on the SSH Connection Protocol, which is th

Jeff Lindsay 191 Sep 25, 2022
Go network programming framework, supports multiplexing, synchronous and asynchronous IO mode, modular design, and provides flexible custom interfaces

Go network programming framework, supports multiplexing, synchronous and asynchronous IO mode, modular design, and provides flexible custom interfaces。The key is the transport layer, application layer protocol has nothing to do

rick.wu 10 Jun 27, 2022
network multiplexing and framing protocol for RPC

TChannel Network multiplexing and framing protocol for RPC Read the Docs Languages: Node.js, Python, Go, Java Questions: Open a Github issue Uber's OS

Uber Open Source 1.2k Sep 4, 2022
Golang connection multiplexing library

Yamux Yamux (Yet another Multiplexer) is a multiplexing library for Golang. It relies on an underlying connection to provide reliability and ordering,

HashiCorp 1.8k Sep 24, 2022
kcp is a prototype of a Kubernetes API server that is not a Kubernetes cluster - a place to create, update, and maintain Kube-like APis with controllers above or without clusters.

kcp is a minimal Kubernetes API server How minimal exactly? kcp doesn't know about Pods or Nodes, let alone Deployments, Services, LoadBalancers, etc.

Prototype of Future Kubernetes Ideas 1.6k Sep 21, 2022
Netkit - A type parameter(generics) net kit, support tcp kcp, customize packet

Netkit Netkit is a type parameter(generics) golang package Get Started Need Go i

null 1 Jan 12, 2022
A very cool and stable VCP with 0 points of failure

network A VPC written in golang. Assign internal IP addresses to servers where all traffic sent internally is encrypted. OS Building Linux go build .

null 2 Nov 8, 2021
the pluto is a gateway new time, high performance, high stable, high availability, easy to use

pluto the pluto is a gateway new time, high performance, high stable, high availability, easy to use Acknowledgments thanks nbio for providing low lev

mobus 2 Sep 19, 2021
Clash - A rule-based tunnel in Go.

Clash A rule-based tunnel in Go. Features Local HTTP/HTTPS/SOCKS server with authentication support VMess, Shadowsocks, Trojan, Snell protocol support

Dreamacro 31.2k Sep 22, 2022
A rule-based tunnel in Go with experimental features

Experimental-Clash A rule-based tunnel in Go with experimental features. Features Local HTTP/HTTPS/SOCKS server with authentication support VMess, Sha

Clash .NET 126 Sep 15, 2022
A deployable proxy server and tunnel written in go

Tunnelify Tunnelify is a deployable proxy server and tunnel written in go Installing | Quickstart | Configuration Installing Direct download You can i

Kofo Okesola 31 Sep 9, 2022
Gogrok is a self hosted, easy to use alternative to ngrok. It uses SSH as a base protocol, using channels and existing functionality to tunnel requests to an endpoint.

gogrok A simple, easy to use ngrok alternative (self hosted!) The server and client can also be easily embedded into your applications, see the 'serve

Tyler Stuyfzand 5 Jun 15, 2022
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH.

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

Jaime Pillora 7.8k Sep 19, 2022
Toy gRPC Tunnel over CloudFlare (Proof of Concept)

gun You know what it means. Guide Server Go to your domain in CloudFlare. In "Network" tab, turn on gRPC.

Qv2ray Workgroup 143 Sep 20, 2022
Simple HTTP tunnel using SSH remote port forwarding

Simple HTTP tunnel using SSH remote port forwarding

Skye L. 21 Aug 8, 2022
Cloud Native Tunnel

inlets is a Cloud Native Tunnel written in Go Expose your local endpoints to the Internet or within a remote network, without touching firewalls. Foll

inlets 8.4k Jan 4, 2022
An anonymous, encrypted Point-to-Point (Layer 3) tunnel between two peers.

NKN-Link An anonymous, encrypted Point-to-Point (Layer 3) tunnel between two peers. NKN-Link Table of Contents Preface Description Install Setup Run P

HAH! Sun 7 Apr 6, 2022