feat: support vless encryption

Author: wwqgtxx

adapter/outbound/vless.go

@@ -3,10 +3,14 @@ package outbound
 import (
 	"context"
 	"crypto/tls"
+	"encoding/base64"
+	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"strconv"
+	"strings"
+	"time"
 
 	"github.com/metacubex/mihomo/common/convert"
 	N "github.com/metacubex/mihomo/common/net"
@@ -19,6 +23,7 @@ import (
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/gun"
 	"github.com/metacubex/mihomo/transport/vless"
+	"github.com/metacubex/mihomo/transport/vless/encryption"
 	"github.com/metacubex/mihomo/transport/vmess"
 
 	vmessSing "github.com/metacubex/sing-vmess"
@@ -31,6 +36,8 @@ type Vless struct {
 	client *vless.Client
 	option *VlessOption
 
+	encryption *encryption.ClientInstance
+
 	// for gun mux
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
@@ -53,6 +60,7 @@ type VlessOption struct {
 	PacketAddr        bool              `proxy:"packet-addr,omitempty"`
 	XUDP              bool              `proxy:"xudp,omitempty"`
 	PacketEncoding    string            `proxy:"packet-encoding,omitempty"`
+	Encryption        string            `proxy:"encryption,omitempty"`
 	Network           string            `proxy:"network,omitempty"`
 	ECHOpts           ECHOptions        `proxy:"ech-opts,omitempty"`
 	RealityOpts       RealityOptions    `proxy:"reality-opts,omitempty"`
@@ -164,6 +172,12 @@ func (v *Vless) streamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
+	if v.encryption != nil {
+		c, err = v.encryption.Handshake(c)
+		if err != nil {
+			return
+		}
+	}
 	if metadata.NetWork == C.UDP {
 		if v.option.PacketAddr {
 			metadata = &C.Metadata{
@@ -442,6 +456,36 @@ func NewVless(option VlessOption) (*Vless, error) {
 		option: &option,
 	}
 
+	if s := strings.Split(option.Encryption, "-mlkem768client-"); len(s) == 2 {
+		var minutes uint32
+		if s[0] != "1rtt" {
+			t := strings.TrimSuffix(s[0], "min")
+			if t == s[0] {
+				return nil, fmt.Errorf("invaild vless encryption value: %s", option.Encryption)
+			}
+			i, err := strconv.Atoi(t)
+			if err != nil {
+				return nil, fmt.Errorf("invaild vless encryption value: %s", option.Encryption)
+			}
+			minutes = uint32(i)
+		}
+		b, err := base64.RawURLEncoding.DecodeString(s[1])
+		if err != nil {
+			return nil, fmt.Errorf("invaild vless encryption value: %s", option.Encryption)
+		}
+		if len(b) == 1184 {
+			v.encryption = &encryption.ClientInstance{}
+			if err := v.encryption.Init(b, time.Duration(minutes)*time.Minute); err != nil {
+				return nil, fmt.Errorf("failed to use mlkem768seed: %w", err)
+			}
+		} else {
+			return nil, fmt.Errorf("invaild vless encryption value: %s", option.Encryption)
+		}
+		if option.Flow != "" {
+			return nil, errors.New(`VLESS users: "encryption" doesn't support "flow" yet`)
+		}
+	}
+
 	v.realityConfig, err = v.option.RealityOpts.Parse()
 	if err != nil {
 		return nil, err

component/generater/cmd.go

@@ -5,13 +5,14 @@ import (
 	"fmt"
 
 	"github.com/metacubex/mihomo/component/ech"
+	"github.com/metacubex/mihomo/transport/vless/encryption"
 
 	"github.com/gofrs/uuid/v5"
 )
 
 func Main(args []string) {
 	if len(args) < 1 {
-		panic("Using: generate uuid/reality-keypair/wg-keypair/ech-keypair")
+		panic("Using: generate uuid/reality-keypair/wg-keypair/ech-keypair/vless-mlkem768")
 	}
 	switch args[0] {
 	case "uuid":
@@ -45,5 +46,16 @@ func Main(args []string) {
 		}
 		fmt.Println("Config:", configBase64)
 		fmt.Println("Key:", keyPem)
+	case "vless-mlkem768":
+		var seed string
+		if len(args) > 1 {
+			seed = args[1]
+		}
+		seedBase64, pubBase64, err := encryption.GenMLKEM768(seed)
+		if err != nil {
+			panic(err)
+		}
+		fmt.Println("Seed: " + seedBase64)
+		fmt.Println("Client: " + pubBase64)
 	}
 }

docs/config.yaml

@@ -632,6 +632,16 @@ proxies: # socks5
     # fingerprint: xxxx
     # skip-cert-verify: true
 
+  - name: "vless-encryption"
+    type: vless
+    server: server
+    port: 443
+    uuid: uuid
+    network: tcp
+    encryption: "8min-mlkem768client-bas64RawURLEncoding" # 复用八分钟后协商新的 sharedKey，需小于服务端的值
+    tls: false #可以不开启tls
+    udp: true
+
   - name: "vless-reality-vision"
     type: vless
     server: server
@@ -1336,6 +1346,7 @@ listeners:
         flow: xtls-rprx-vision
     # ws-path: "/" # 如果不为空则开启 websocket 传输层
     # grpc-service-name: "GunService" # 如果不为空则开启 grpc 传输层
+    # decryption: "10min-mlkem768seed-bas64RawURLEncoding" # 同时允许 1-RTT 模式与十分钟复用的 0-RTT 模式
     # 下面两项如果填写则开启 tls（需要同时填写）
     # certificate: ./server.crt
     # private-key: ./server.key
@@ -1364,7 +1375,7 @@ listeners:
         after-bytes: 0 # 传输指定字节后开始限速
         bytes-per-sec: 0 # 基准速率（字节/秒）
         burst-bytes-per-sec: 0 # 突发速率（字节/秒），大于 bytesPerSec 时生效
-    ### 注意，对于vless listener, 至少需要填写 “certificate和private-key” 或 “reality-config” 的其中一项 ###
+    ### 注意，对于vless listener, 至少需要填写 “certificate和private-key” 或 “reality-config” 或 “decryption” 的其中一项 ###
 
   - name: anytls-in-1
     type: anytls

go.mod

@@ -35,7 +35,7 @@ require (
 	github.com/metacubex/sing-wireguard v0.0.0-20250503063753-2dc62acc626f
 	github.com/metacubex/smux v0.0.0-20250503055512-501391591dee
 	github.com/metacubex/tfo-go v0.0.0-20250516165257-e29c16ae41d4
-	github.com/metacubex/utls v1.8.0
+	github.com/metacubex/utls v1.8.1-0.20250810142204-d0e55ab2e852
 	github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181
 	github.com/miekg/dns v1.1.63 // lastest version compatible with golang1.20
 	github.com/mroth/weightedrand/v2 v2.1.0

go.sum

@@ -141,6 +141,8 @@ github.com/metacubex/tfo-go v0.0.0-20250516165257-e29c16ae41d4 h1:j1VRTiC9JLR4nU
 github.com/metacubex/tfo-go v0.0.0-20250516165257-e29c16ae41d4/go.mod h1:l9oLnLoEXyGZ5RVLsh7QCC5XsouTUyKk4F2nLm2DHLw=
 github.com/metacubex/utls v1.8.0 h1:mSYi6FMnmc5riARl5UZDmWVy710z+P5b7xuGW0lV9ac=
 github.com/metacubex/utls v1.8.0/go.mod h1:FdjYzVfCtgtna19hX0ER1Xsa5uJInwdQ4IcaaI98lEQ=
+github.com/metacubex/utls v1.8.1-0.20250810142204-d0e55ab2e852 h1:MLHUGmASNH7/AeoGmSrVM2RutRZAqIDSbQWBp0P7ItE=
+github.com/metacubex/utls v1.8.1-0.20250810142204-d0e55ab2e852/go.mod h1:FdjYzVfCtgtna19hX0ER1Xsa5uJInwdQ4IcaaI98lEQ=
 github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181 h1:hJLQviGySBuaynlCwf/oYgIxbVbGRUIKZCxdya9YrbQ=
 github.com/metacubex/wireguard-go v0.0.0-20240922131502-c182e7471181/go.mod h1:phewKljNYiTVT31Gcif8RiCKnTUOgVWFJjccqYM8s+Y=
 github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=

listener/config/vless.go

@@ -17,6 +17,7 @@ type VlessServer struct {
 	Enable          bool
 	Listen          string
 	Users           []VlessUser
+	Decryption      string
 	WsPath          string
 	GrpcServiceName string
 	Certificate     string

listener/inbound/vless.go

@@ -12,6 +12,7 @@ import (
 type VlessOption struct {
 	BaseOption
 	Users           []VlessUser   `inbound:"users"`
+	Decryption      string        `inbound:"decryption,omitempty"`
 	WsPath          string        `inbound:"ws-path,omitempty"`
 	GrpcServiceName string        `inbound:"grpc-service-name,omitempty"`
 	Certificate     string        `inbound:"certificate,omitempty"`
@@ -58,6 +59,7 @@ func NewVless(options *VlessOption) (*Vless, error) {
 			Enable:          true,
 			Listen:          base.RawAddress(),
 			Users:           users,
+			Decryption:      options.Decryption,
 			WsPath:          options.WsPath,
 			GrpcServiceName: options.GrpcServiceName,
 			Certificate:     options.Certificate,

listener/inbound/vless_test.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/listener/inbound"
+	"github.com/metacubex/mihomo/transport/vless/encryption"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -87,6 +88,21 @@ func TestInboundVless_TLS(t *testing.T) {
 	})
 }
 
+func TestInboundVless_Encryption(t *testing.T) {
+	seedBase64, pubBase64, err := encryption.GenMLKEM768("")
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+	inboundOptions := inbound.VlessOption{
+		Decryption: "10min-mlkem768seed-" + seedBase64,
+	}
+	outboundOptions := outbound.VlessOption{
+		Encryption: "8min-mlkem768client-" + pubBase64,
+	}
+	testInboundVless(t, inboundOptions, outboundOptions)
+}
+
 func TestInboundVless_Wss1(t *testing.T) {
 	inboundOptions := inbound.VlessOption{
 		Certificate: tlsCertificate,

listener/sing_vless/server.go

@@ -2,11 +2,15 @@ package sing_vless
 
 import (
 	"context"
+	"encoding/base64"
 	"errors"
+	"fmt"
 	"net"
 	"net/http"
 	"reflect"
+	"strconv"
 	"strings"
+	"time"
 	"unsafe"
 
 	"github.com/metacubex/mihomo/adapter/inbound"
@@ -19,6 +23,7 @@ import (
 	"github.com/metacubex/mihomo/listener/sing"
 	"github.com/metacubex/mihomo/log"
 	"github.com/metacubex/mihomo/transport/gun"
+	"github.com/metacubex/mihomo/transport/vless/encryption"
 	mihomoVMess "github.com/metacubex/mihomo/transport/vmess"
 
 	"github.com/metacubex/sing-vmess/vless"
@@ -45,10 +50,11 @@ func init() {
 }
 
 type Listener struct {
-	closed    bool
-	config    LC.VlessServer
-	listeners []net.Listener
-	service   *vless.Service[string]
+	closed     bool
+	config     LC.VlessServer
+	listeners  []net.Listener
+	service    *vless.Service[string]
+	decryption *encryption.ServerInstance
 }
 
 func New(config LC.VlessServer, tunnel C.Tunnel, additions ...inbound.Addition) (sl *Listener, err error) {
@@ -80,7 +86,34 @@ func New(config LC.VlessServer, tunnel C.Tunnel, additions ...inbound.Addition)
 			return it.Flow
 		}))
 
-	sl = &Listener{false, config, nil, service}
+	sl = &Listener{config: config, service: service}
+
+	if s := strings.Split(config.Decryption, "-mlkem768seed-"); len(s) == 2 {
+		var minutes uint32
+		if s[0] != "1rtt" {
+			t := strings.TrimSuffix(s[0], "min")
+			if t == s[0] {
+				return nil, fmt.Errorf("invaild vless decryption value: %s", config.Decryption)
+			}
+			i, err := strconv.Atoi(t)
+			if err != nil {
+				return nil, fmt.Errorf("invaild vless decryption value: %s", config.Decryption)
+			}
+			minutes = uint32(i)
+		}
+		b, err := base64.RawURLEncoding.DecodeString(s[1])
+		if err != nil {
+			return nil, fmt.Errorf("invaild vless decryption value: %s", config.Decryption)
+		}
+		if len(b) == 64 {
+			sl.decryption = &encryption.ServerInstance{}
+			if err = sl.decryption.Init(b, time.Duration(minutes)*time.Minute); err != nil {
+				return nil, fmt.Errorf("failed to use mlkem768seed: %w", err)
+			}
+		} else {
+			return nil, fmt.Errorf("invaild vless decryption value: %s", config.Decryption)
+		}
+	}
 
 	tlsConfig := &tlsC.Config{}
 	var realityBuilder *reality.Builder
@@ -149,8 +182,8 @@ func New(config LC.VlessServer, tunnel C.Tunnel, additions ...inbound.Addition)
 			} else {
 				l = tlsC.NewListener(l, tlsConfig)
 			}
-		} else {
-			return nil, errors.New("disallow using Vless without both certificates/reality config")
+		} else if sl.decryption == nil {
+			return nil, errors.New("disallow using Vless without any certificates/reality/decryption config")
 		}
 		sl.listeners = append(sl.listeners, l)
 
@@ -201,6 +234,13 @@ func (l *Listener) AddrList() (addrList []net.Addr) {
 
 func (l *Listener) HandleConn(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) {
 	ctx := sing.WithAdditions(context.TODO(), additions...)
+	if l.decryption != nil {
+		var err error
+		conn, err = l.decryption.Handshake(conn)
+		if err != nil {
+			return
+		}
+	}
 	err := l.service.NewConnection(ctx, conn, metadata.Metadata{
 		Protocol: "vless",
 		Source:   metadata.SocksaddrFromNet(conn.RemoteAddr()),