chika0801/Xray-examples

Question about `UDP` block rule.

hawshemi opened this issue · 6 comments

I noticed this rule in some Xray example configs, mainly on gRPC and H2 with Reality configurations.
Can you explain why this rule exists?

        "rules": [
            {
                "type": "field",
                "port": "443",
                "network": "udp",
                "outboundTag": "block"
            },

What it does is block you from connecting to the sites you visit without using the QUIC protocol to connect.

The VLESS protocol in Xray, which has a number of configuration parameters actively blocking UDP port 443, is designed to not use QUIC (HTTP3) to connect to websites.

The specific reason for this is, simply put, that using a QUIC connection for access, the request itself is then proxied and is not very fast.

You can refer to https://v2.hysteria.network/docs/misc/About-HTTP3/ for an explanation.

If you use VISION flow control, the parameter "flow": "xtls-rprx-vision" blocks UDP443 by default.

If you use the parameter

        "mux": {
            "enabled": true,
            "concurrency": -1,
            "xudpConcurrency": 16,
            "xudpProxyUDP443": "reject"
        }

it also blocks UDP443.

I added this paragraph on the server side in the gRPC/HTTP2 example, because VISION flow control is not used (not supported) in this combination.

Of course you would say that QUIC doesn't necessarily have to use UDP443, it could be another port. So UDP443 blocks it and is a rough example.
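An added example, not part of the original thread or the repository's code: a simplified Python model of Xray's first-match routing, showing what the rule above does to UDP/443 compared with TCP/443. The catch-all `direct` rule, the `default` fallback and the helper names are assumptions made for illustration, and only the `port` and `network` matchers are modelled.

```python
import json

# Constructed sample: the rule from the thread, followed by a hypothetical
# catch-all rule that sends all remaining traffic to a "direct" outbound.
SAMPLE_CONFIG = json.loads("""
{
  "routing": {
    "rules": [
      {"type": "field", "port": "443", "network": "udp", "outboundTag": "block"},
      {"type": "field", "network": "tcp,udp", "outboundTag": "direct"}
    ]
  }
}
""")

def port_matches(spec, port):
    """Match Xray port syntax: "443", "1000-2000", or a comma-separated mix."""
    for part in str(spec).split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def route(config, network, port, default="direct"):
    """Return the outboundTag of the first rule matching (network, port).

    Simplified model: rules that use any other matcher (domain, ip,
    inboundTag, ...) are skipped; `default` is an assumed fallback tag.
    """
    for rule in config.get("routing", {}).get("rules", []):
        if set(rule) - {"type", "port", "network", "outboundTag"}:
            continue
        networks = [n.strip() for n in rule.get("network", "tcp,udp").split(",")]
        if network not in networks:
            continue
        if "port" in rule and not port_matches(rule["port"], port):
            continue
        return rule["outboundTag"]
    return default

def quic_blocked(config):
    """True when UDP/443, the usual QUIC (HTTP3) port, is routed to "block"."""
    return route(config, "udp", 443) == "block"
```

In this model UDP on any other port, for example 8443, still reaches `direct`, which is the roughness the answer above points out.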

So in short, it's for speed reasons?
What happens if I delete that rule and start using it?

> So in short, it's for speed reasons?

yes

> What happens if I delete that rule and start using it?

Let's say you're now using the gRPC/HTTP2 configuration combo protocol, and you remove it from the server-side configuration after restarting the server-side Xray to make sure it takes effect.

You can visit YouTube, press F12 and look at the certificates in the security tab; there should be one that shows the type as QUIC. Or go to https://quic.nginx.org/ and check that QUIC should be through.

PS: The advance is that your client, for example, is Windows and you used sing-box in TUN mode and did the transparent proxy correctly.

Of course you have to work out how to save the client. HTTP/socks proxies usually can't proxy UDP, so QUIC is not working either.

PSPS: For example, if your client directly accesses the QUIC website without opening the proxy programme (environment), QUIC should work.

Thanks.
And there are no downsides to that?

Do you mean there is a downside to using QUIC and being proxied when you ask? If that's what's being asked, there's not much downside. (It's just that watching videos on YouTube displays a bit slower.)

Yep. Thanks.