Proxies - FrankoonG/hy2scale GitHub Wiki
Proxies
HY2 SCALE exposes seven proxy / VPN protocols from a single tabbed interface. Every protocol authenticates against the same user database, and every user honours the same per-user exit_via routing.

Protocol overview
| Protocol | Default port | Auth | Native client | Requires host network |
|---|---|---|---|---|
| Hysteria 2 | 5565/udp+tcp | Shared / per-user | Hysteria 2 client | No |
| SOCKS5 | configurable (1080) | RFC 1929 user/pass | Any SOCKS5 client | No |
| HTTP | configurable (8080) | Basic auth | Any HTTP(S) proxy client | No |
| Shadowsocks | configurable (8388) | Per-user AEAD key | SS client | No |
| L2TP/IPsec | 1701+500+4500/udp | MSCHAPv2 | Built-in OS VPN | Yes (or compat mode) |
| IKEv2/IPsec | 500+4500/udp | EAP-MSCHAPv2 or PSK | Built-in OS VPN | Yes (or compat mode) |
| WireGuard | 51820/udp | Public key | WireGuard / QR-code import | No |
Hysteria 2
The core protocol. Every node runs a Hysteria 2 QUIC server on port 5565 that handles both mesh relay traffic and the web UI.
Configuration
The server listen address and TLS material are configured from the Edit Self modal on the Nodes page; the Proxies → Hysteria 2 tab only exposes the Allow User Auth switch.
- disabled (default): a single shared server password authenticates every QUIC client.
- enabled: Hysteria 2 clients authenticate with their own username / password. Each user's traffic follows their assigned exit route, and traffic accounting is per-user.
SOCKS5
A standard SOCKS5 proxy with RFC 1929 username/password auth.
| Field | Description |
|---|---|
| Listen | bind address (e.g. 0.0.0.0:1080) |
| Enabled | toggle on/off |
| TLS cert | optional; wraps SOCKS5 in TLS (SOCKS5-over-TLS) |
- IPv4, IPv6, and hostname targets are all supported.
- Active connections are visible in the Active Devices panel on the Users page.
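The SOCKS5 handshake described above, method selection followed by RFC 1929 username/password sub-negotiation, as an added example in Go (the language of the Hysteria 2 and wireguard-go stack this page describes); this is illustrative code, not hy2scale's own, and the `socksUsers` map is a constructed stand-in for the shared user database. It shows the two points a server must get right: never selecting the no-auth method 0x00, and bounds-checking every length field in the client's auth request before indexing.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// socksUsers is a constructed stand-in for the shared HY2 SCALE user database (assumption).
var socksUsers = map[string]string{
	"alice": "correct horse battery staple",
}

const (
	socksVersion       = 0x05
	methodNoAuth       = 0x00
	methodUserPass     = 0x02 // RFC 1929
	methodNoAcceptable = 0xFF
	authVersion        = 0x01
	authSuccess        = 0x00
	authFailure        = 0x01
)

// NegotiateMethod parses the client greeting (VER NMETHODS METHODS...) and picks
// the method. Only username/password (0x02) is ever selected: offering 0x00
// would let any client skip authentication entirely.
func NegotiateMethod(greeting []byte) ([]byte, error) {
	if len(greeting) < 2 || greeting[0] != socksVersion {
		return nil, errors.New("not a SOCKS5 greeting")
	}
	n := int(greeting[1])
	if len(greeting) != 2+n {
		return nil, errors.New("greeting length does not match NMETHODS")
	}
	for _, m := range greeting[2:] {
		if m == methodUserPass {
			return []byte{socksVersion, methodUserPass}, nil
		}
	}
	// RFC 1928: 0xFF tells the client none of its methods are acceptable; it must close.
	return []byte{socksVersion, methodNoAcceptable}, nil
}

// EncodeAuthRequest builds the RFC 1929 sub-negotiation request a client sends
// after method 0x02 is chosen: VER(0x01) ULEN UNAME PLEN PASSWD.
func EncodeAuthRequest(user, pass string) ([]byte, error) {
	if len(user) < 1 || len(user) > 255 || len(pass) < 1 || len(pass) > 255 {
		return nil, errors.New("username and password must be 1..255 bytes")
	}
	req := []byte{authVersion, byte(len(user))}
	req = append(req, user...)
	req = append(req, byte(len(pass)))
	req = append(req, pass...)
	return req, nil
}

// ParseAuthRequest decodes the request, checking each length field before
// indexing so a truncated or oversized message cannot cause an out-of-range read.
func ParseAuthRequest(msg []byte) (user, pass string, err error) {
	if len(msg) < 2 || msg[0] != authVersion {
		return "", "", errors.New("bad auth version or truncated request")
	}
	ulen := int(msg[1])
	if len(msg) < 2+ulen+1 {
		return "", "", errors.New("truncated username")
	}
	user = string(msg[2 : 2+ulen])
	plen := int(msg[2+ulen])
	if len(msg) != 3+ulen+plen {
		return "", "", errors.New("password length does not match PLEN")
	}
	pass = string(msg[3+ulen:])
	return user, pass, nil
}

// Authenticate is the server side: it returns the RFC 1929 reply VER STATUS,
// where any non-zero STATUS means failure and the server closes the connection.
func Authenticate(msg []byte) []byte {
	user, pass, err := ParseAuthRequest(msg)
	if err != nil {
		return []byte{authVersion, authFailure}
	}
	expected, known := socksUsers[user]
	// Constant-time comparison so reply timing does not leak how many
	// leading bytes of the password were right.
	if known && subtle.ConstantTimeCompare([]byte(expected), []byte(pass)) == 1 {
		return []byte{authVersion, authSuccess}
	}
	return []byte{authVersion, authFailure}
}

func main() {
	reply, _ := NegotiateMethod([]byte{socksVersion, 2, methodNoAuth, methodUserPass})
	fmt.Printf("method reply: % x\n", reply)
	req, _ := EncodeAuthRequest("alice", "correct horse battery staple")
	fmt.Printf("auth reply: % x\n", Authenticate(req))
}
```

A client that offers only 0x00 gets 0xFF back and must disconnect; one that offers 0x02 proceeds to the credential exchange, and the reply's second byte is 0x00 only when the name and password match the user store.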
HTTP
A combined HTTP forward proxy and CONNECT tunnel, both authenticated via HTTP Basic.
| Field | Description |
|---|---|
| Listen | bind address (e.g. 0.0.0.0:8080) |
| Enabled | toggle on/off |
| TLS cert | optional; turns the listener into HTTPS-proxy-over-TLS |
Any client that speaks HTTP proxy (browsers, curl, every major OS) authenticates as an HY2 SCALE user; its requests are then forwarded through that user's exit route.
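The Basic-auth gate in front of a forward proxy / CONNECT tunnel, as an added Go example that is not hy2scale's own code. The `proxyUsers` map is a constructed stand-in for the shared user database, and the forward callback in `main` only reports what it would do; the real implementation would open the tunnel through the user's exit route. The points it shows: credentials arrive in `Proxy-Authorization` (not `Authorization`, which belongs to the origin), an unauthenticated request gets 407 with a `Proxy-Authenticate` challenge (clients only send credentials after seeing one), and the credential header is stripped before anything is forwarded upstream.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// proxyUsers is a constructed stand-in for the shared HY2 SCALE user database (assumption).
var proxyUsers = map[string]string{
	"alice": "s3cret-pass",
}

// BasicCredential renders the value a client puts in Proxy-Authorization.
func BasicCredential(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// ProxyUser validates "Proxy-Authorization: Basic base64(user:pass)" and returns
// the authenticated username. The origin's own Authorization header is left alone.
func ProxyUser(r *http.Request) (string, bool) {
	h := r.Header.Get("Proxy-Authorization")
	if len(h) < 6 || !strings.EqualFold(h[:6], "Basic ") {
		return "", false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(h[6:]))
	if err != nil {
		return "", false
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok {
		return "", false
	}
	expected, known := proxyUsers[user]
	if !known || subtle.ConstantTimeCompare([]byte(expected), []byte(pass)) != 1 {
		return "", false
	}
	return user, true
}

// AuthGate wraps the forwarding handler. Unauthenticated requests get 407 plus
// a Proxy-Authenticate challenge; authenticated ones proceed with the
// Proxy-Authorization header removed so it is never forwarded upstream.
func AuthGate(forward func(w http.ResponseWriter, r *http.Request, user string)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user, ok := ProxyUser(r)
		if !ok {
			w.Header().Set("Proxy-Authenticate", `Basic realm="hy2scale"`)
			http.Error(w, "proxy authentication required", http.StatusProxyAuthRequired)
			return
		}
		r.Header.Del("Proxy-Authorization")
		forward(w, r, user)
	}
}

// Target returns what the proxy would connect to: the authority of a CONNECT
// request, or the host of an absolute-form URL in a plain forward-proxy request.
func Target(r *http.Request) string {
	if r.Method == http.MethodConnect {
		return r.Host
	}
	return r.URL.Host
}

func main() {
	// The forward callback here only reports the decision; a real one would
	// open the tunnel through the user's exit_via route (assumption).
	h := AuthGate(func(w http.ResponseWriter, r *http.Request, user string) {
		w.Header().Set("X-Proxy-User", user)
		fmt.Fprintf(w, "would forward %s %s for user %s\n", r.Method, Target(r), user)
	})
	fmt.Println("listening on 127.0.0.1:8080")
	if err := http.ListenAndServe("127.0.0.1:8080", h); err != nil {
		fmt.Println(err)
	}
}
```

Run it and point curl at it with `-x http://127.0.0.1:8080 -U alice:s3cret-pass`: without `-U` the response is 407 with the challenge, with it the gate passes the request on and the upstream never sees the proxy credential.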
Shadowsocks
AEAD-encrypted Shadowsocks server. Users authenticate by successful decryption: the server tries each enabled user's key until one verifies.
| Method | Description |
|---|---|
| aes-128-gcm | AES-128 GCM |
| aes-256-gcm | AES-256 GCM |
| chacha20-ietf-poly1305 | ChaCha20-Poly1305 |
| none | unencrypted (testing only) |
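How "authenticate by successful decryption" works on the wire, as an added Go example that is not hy2scale's own code. It implements the classic Shadowsocks AEAD framing for aes-128-gcm only (ChaCha20-Poly1305 is not in Go's standard library): master key from the password via EVP_BytesToKey, a per-connection salt, the session subkey via HKDF-SHA1 with the info string "ss-subkey", and a nonce counter. The server tries each enabled user's key on just the 2-byte length chunk; a wrong key fails the GCM tag check cheaply, and the first key that verifies identifies the user. The `ssUsers` table is constructed. One caveat worth keeping in mind: the trial loop is linear in the number of enabled users, so every unauthenticated packet costs one small AEAD operation per user.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// ssUsers is a constructed user table (assumption); the real server reads the shared user DB.
var ssUsers = []struct{ Name, Password string }{
	{"alice", "alice-pass-1"},
	{"bob", "bob-pass-2"},
}

const keyLen = 16 // aes-128-gcm: 16-byte key, 16-byte salt

// evpBytesToKey derives the master key from the password the way classic
// Shadowsocks does (OpenSSL EVP_BytesToKey with MD5 and no salt).
func evpBytesToKey(password string, n int) []byte {
	var key, prev []byte
	for len(key) < n {
		h := md5.New()
		h.Write(prev)
		h.Write([]byte(password))
		prev = h.Sum(nil)
		key = append(key, prev...)
	}
	return key[:n]
}

// hkdfSHA1 is RFC 5869 HKDF with SHA-1, which Shadowsocks AEAD uses to turn
// master key + per-connection salt into the session subkey.
func hkdfSHA1(key, salt, info []byte, n int) []byte {
	ext := hmac.New(sha1.New, salt)
	ext.Write(key)
	prk := ext.Sum(nil)
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		exp := hmac.New(sha1.New, prk)
		exp.Write(t)
		exp.Write(info)
		exp.Write([]byte{i})
		t = exp.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

func sessionAEAD(password string, salt []byte) (cipher.AEAD, error) {
	sub := hkdfSHA1(evpBytesToKey(password, keyLen), salt, []byte("ss-subkey"), keyLen)
	block, err := aes.NewCipher(sub)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// incNonce advances the little-endian nonce counter; every AEAD operation on a
// stream uses the next value.
func incNonce(n []byte) {
	for i := range n {
		n[i]++
		if n[i] != 0 {
			return
		}
	}
}

// ClientHello is the client side: salt || AEAD(len) || AEAD(payload), the first
// TCP chunk a Shadowsocks client sends (in practice the payload starts with the
// SOCKS-style target address).
func ClientHello(password string, payload []byte) ([]byte, error) {
	salt := make([]byte, keyLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	lenBuf := make([]byte, 2)
	binary.BigEndian.PutUint16(lenBuf, uint16(len(payload)&0x3FFF))
	out := append([]byte{}, salt...)
	out = aead.Seal(out, nonce, lenBuf, nil)
	incNonce(nonce)
	out = aead.Seal(out, nonce, payload, nil)
	return out, nil
}

// IdentifyUser is the server side: it tries each enabled user's key on the
// length chunk only. A wrong key fails the GCM tag check; the first key that
// verifies names the user, and the payload is then decrypted with it.
func IdentifyUser(packet []byte) (string, []byte, error) {
	const tagLen = 16
	if len(packet) < keyLen+2+tagLen {
		return "", nil, errors.New("packet too short for salt and length chunk")
	}
	salt := packet[:keyLen]
	lenChunk := packet[keyLen : keyLen+2+tagLen]
	for _, u := range ssUsers {
		aead, err := sessionAEAD(u.Password, salt)
		if err != nil {
			return "", nil, err
		}
		nonce := make([]byte, aead.NonceSize())
		lenBuf, err := aead.Open(nil, nonce, lenChunk, nil)
		if err != nil {
			continue // tag mismatch: not this user's key
		}
		n := int(binary.BigEndian.Uint16(lenBuf))
		start := keyLen + 2 + tagLen
		if len(packet) < start+n+tagLen {
			return u.Name, nil, errors.New("truncated payload chunk")
		}
		incNonce(nonce)
		payload, err := aead.Open(nil, nonce, packet[start:start+n+tagLen], nil)
		if err != nil {
			return u.Name, nil, err
		}
		return u.Name, payload, nil
	}
	return "", nil, errors.New("no enabled user key decrypts this stream")
}

func main() {
	// Constructed payload: SOCKS-style address header for example.com:443.
	pkt, err := ClientHello("bob-pass-2", []byte("\x03\x0bexample.com\x01\xbb"))
	if err != nil {
		panic(err)
	}
	user, payload, err := IdentifyUser(pkt)
	fmt.Println(user, len(payload), err)
}
```

The `none` method in the table above has no tag to verify, which is why the page restricts it to testing: without AEAD there is nothing to authenticate a user against.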
Hot reload: restarts cleanly on config change; active connections are dropped.
L2TP/IPsec
L2TP/IPsec VPN using the OS built-in VPN client; no third-party app required. Requires --network host on Linux or Compat mode on iKuai / OpenWrt.
| Field | Default | Description |
|---|---|---|
| Enabled | false | toggle on/off |
| Listen port | 1701 | UDP port for L2TP |
| IP Pool | 192.168.25.1/24 | client IP range |
| PSK | (generated) | IPsec pre-shared key |
| MTU | 1280 | PPP MTU |
Architecture
```
VPN Client (iOS / macOS / Windows / Android)
  ↓ L2TP/IPsec (UDP 500 + 4500 + 1701)
strongSwan (IKEv1 IPsec) + xl2tpd
  ↓ PPP / MSCHAPv2
pppd assigns IP from pool
  ↓
Transparent proxy (iptables DNAT) → mesh exit routing
```
Each L2TP user's traffic is routed through their assigned exit_via. The PPP ip-up hook maps freshly-assigned PPP IPs back to usernames.
Client
- Enable L2TP, note the PSK.
- Create an L2TP VPN connection on your device; server = node's IP/hostname, account = HY2 SCALE username, secret/PSK = the generated value.
- Connect.
Hot reload: supported.
IKEv2/IPsec
IKEv2 VPN using strongSwan. Two auth modes:
| Mode | Auth | Certificate | Client setup |
|---|---|---|---|
| MSCHAPv2 | EAP-MSCHAPv2 + server cert | Yes (CA recommended) | Install CA cert on device |
| PSK | Pre-shared key | No | Enter PSK in VPN profile |
Configuration

| Field | Default | Description |
|---|---|---|
| Enabled | false | toggle on/off |
| Mode | psk | mschapv2 or psk |
| Local ID | (node name) | server identity (leftid) |
| Address Pool | 192.168.26.1/24 | client IP range |
| MTU | 1400 | tunnel MTU |
| Server cert | (none) | required in mschapv2 mode |
| PSK | (generated) | required in psk mode |
| PSK User Mode | false | also require user auth in PSK mode |
MSCHAPv2 (recommended)
- On the TLS page, generate or import a CA.
- Enable IKEv2 in MSCHAPv2 mode and select the CA. HY2 SCALE auto-mints a server cert from the CA whose CN/SAN matches local_id.
- Export the CA cert and install it on every client device.
- Clients authenticate with their HY2 SCALE username + password.
PSK mode
Simpler. Clients connect with just the PSK, or PSK + username when PSK User Mode is enabled.
Client (iOS / macOS)
- Install the CA cert (MSCHAPv2 only) via email / AirDrop → Settings → Profile.
- Create an IKEv2 VPN connection; server = node, remote ID = local_id, username = HY2 SCALE user.
Hot reload: supported.
WireGuard
Userspace WireGuard (wireguard-go + gvisor netstack); no kernel module required, works on every OS.

Server
| Field | Default | Description |
|---|---|---|
| Enabled | false | toggle on/off |
| Listen port | 51820 | UDP port |
| Private key | (auto-generated) | server's WireGuard private key |
| Address | 10.0.0.1/24 | server IP + subnet |
| MTU | 1420 | tunnel MTU |
Peers
WireGuard uses per-peer public-key auth instead of the shared user database. Each peer is one client device.
| Field | Description |
|---|---|
| Name | display name |
| Public key | client public key; leave blank to generate a key pair |
| Allowed IPs | client tunnel IP, typically 10.0.0.N/32 |
| Keepalive | persistent keepalive in seconds (0 = disabled) |
| Exit via | route this peer's traffic through a mesh node chain |
Key generation
Click the key button next to the Public key field to generate a fresh key pair. The public key is stored server-side; the private key is included in the downloaded client config (it is shown only once, so save it).
Client config
- Download → .conf file compatible with every WireGuard client.
- QR → QR code for mobile WireGuard apps.
The exported config contains server endpoint, DNS, allowed IPs, MTU, and the peer private key.
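The peer model in the Peers, Key generation and Client config sections above, as one added Go example that is not hy2scale's own code. Key generation uses Go's `crypto/ecdh` X25519 with RFC 7748 clamping, which is what WireGuard keys are; the server record keeps only the public key, and the generated private key appears exactly once, in the exported client config. The `Server` values (endpoint, DNS, full-tunnel `AllowedIPs = 0.0.0.0/0, ::/0` on the client side) and the rule that a peer's Allowed IPs must be a single /32 are assumptions for this example, not fields the page documents.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Peer is the server-side record: it holds the public key only, never the private key.
type Peer struct {
	Name      string
	PublicKey string // base64, as in a WireGuard config
	AllowedIP string // the client's tunnel address, e.g. 10.0.0.2/32
	Keepalive int    // PersistentKeepalive seconds, 0 = disabled
}

// Server carries what a client config needs; the values used below are constructed (assumption).
type Server struct {
	PublicKey string
	Endpoint  string // host:port the client connects to
	DNS       string
	MTU       int
	Peers     []Peer
}

// GenerateKeyPair makes a WireGuard key pair: 32 random bytes clamped per
// RFC 7748, public key = X25519(private, basepoint), both base64-encoded.
func GenerateKeyPair() (priv, pub string, err error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	raw[0] &= 248
	raw[31] &= 127
	raw[31] |= 64
	key, err := ecdh.X25519().NewPrivateKey(raw)
	if err != nil {
		return "", "", err
	}
	return base64.StdEncoding.EncodeToString(key.Bytes()),
		base64.StdEncoding.EncodeToString(key.PublicKey().Bytes()), nil
}

// PublicKeyOf recomputes the public key for a base64 private key (what `wg pubkey` does).
func PublicKeyOf(privB64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(privB64)
	if err != nil {
		return "", err
	}
	key, err := ecdh.X25519().NewPrivateKey(raw)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(key.PublicKey().Bytes()), nil
}

// AddPeer registers a peer. With an empty clientPub it generates the pair,
// stores only the public half and returns the client .conf, the one place the
// private key ever appears. With a client-supplied key nothing is exported.
// Requiring a /32 per peer is this example's rule (assumption).
func (s *Server) AddPeer(name, clientPub, allowedIP string, keepalive int) (string, error) {
	if !strings.HasSuffix(allowedIP, "/32") {
		return "", errors.New("AllowedIPs for a peer should be a single /32 host address")
	}
	priv := ""
	if clientPub == "" {
		var err error
		if priv, clientPub, err = GenerateKeyPair(); err != nil {
			return "", err
		}
	}
	s.Peers = append(s.Peers, Peer{Name: name, PublicKey: clientPub, AllowedIP: allowedIP, Keepalive: keepalive})
	if priv == "" {
		return "", nil
	}
	return s.ClientConfig(priv, allowedIP, keepalive), nil
}

// ClientConfig renders the exported client .conf (the same text a QR code would carry).
func (s *Server) ClientConfig(priv, address string, keepalive int) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = %s\nMTU = %d\n\n", priv, address, s.DNS, s.MTU)
	fmt.Fprintf(&b, "[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 0.0.0.0/0, ::/0\n", s.PublicKey, s.Endpoint)
	if keepalive > 0 {
		fmt.Fprintf(&b, "PersistentKeepalive = %d\n", keepalive)
	}
	return b.String()
}

// ServerPeerBlock renders the server-side [Peer] section. AllowedIPs here is the
// client's /32, so the server only accepts that source address from this key.
func ServerPeerBlock(p Peer) string {
	return fmt.Sprintf("# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n", p.Name, p.PublicKey, p.AllowedIP)
}

func main() {
	_, srvPub, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	s := &Server{PublicKey: srvPub, Endpoint: "node.example.invalid:51820", DNS: "1.1.1.1", MTU: 1420}
	conf, err := s.AddPeer("phone", "", "10.0.0.2/32", 25)
	if err != nil {
		panic(err)
	}
	fmt.Print(conf)
	fmt.Print(ServerPeerBlock(s.Peers[0]))
}
```

The asymmetry is the point: the client's AllowedIPs says "send everything through the tunnel", while the server's AllowedIPs for the same peer is the client's /32, which is also the source address WireGuard will accept from that key.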
Selecting and editing peers
The peer table follows the same select-then-act pattern as Nodes / Users / Rules / TLS:
- Single-click a peer row to select it β a green Edit button appears in the card actions, between Import and + Add Peer, when exactly one row is selected.
- The leading checkbox cell is the entire padded area, not just the small input; clicks on it add to multi-select.
- A click on any blank area outside the card body clears a single-row selection. Multi-select is sticky; clicks on buttons / inputs / open modals never deselect.
- With one or more peers checked, a Bulk Delete button appears next to Import.
The peer name column is still a link that opens the per-peer config / QR detail modal β clicking it doesn't toggle row selection.
Hot reload
- config change → full WireGuard restart (brief disconnection)
- peer add / remove → hot peer management, no server restart