v1.0.0

2025-04-30 17:38:41 +00:00 · 2020-11-25 19:01:53 +08:00 · 2020-11-25 19:01:53 +08:00 · c7f7c08ead
commit c7f7c08ead
parent 47d23e9972
711 changed files with 82154 additions and 2 deletions
--- a/transport/internet/quic/config.go
+++ b/transport/internet/quic/config.go
@ -0,0 +1,49 @@
+// +build !confonly
+
+package quic
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha256"
+
+	"github.com/xtls/xray-core/v1/common"
+	"github.com/xtls/xray-core/v1/common/protocol"
+	"github.com/xtls/xray-core/v1/transport/internet"
+	"golang.org/x/crypto/chacha20poly1305"
+)
+
+func getAuth(config *Config) (cipher.AEAD, error) {
+	security := config.Security.GetSecurityType()
+	if security == protocol.SecurityType_NONE {
+		return nil, nil
+	}
+
+	salted := []byte(config.Key + "xray-quic-salt")
+	key := sha256.Sum256(salted)
+
+	if security == protocol.SecurityType_AES128_GCM {
+		block, err := aes.NewCipher(key[:16])
+		common.Must(err)
+		return cipher.NewGCM(block)
+	}
+
+	if security == protocol.SecurityType_CHACHA20_POLY1305 {
+		return chacha20poly1305.New(key[:])
+	}
+
+	return nil, newError("unsupported security type")
+}
+
+func getHeader(config *Config) (internet.PacketHeader, error) {
+	if config.Header == nil {
+		return nil, nil
+	}
+
+	msg, err := config.Header.GetInstance()
+	if err != nil {
+		return nil, err
+	}
+
+	return internet.CreatePacketHeader(msg)
+}
--- a/transport/internet/quic/config.pb.go
+++ b/transport/internet/quic/config.pb.go
@ -0,0 +1,190 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.25.0
+// 	protoc        v3.14.0
+// source: transport/internet/quic/config.proto
+
+package quic
+
+import (
+	proto "github.com/golang/protobuf/proto"
+	protocol "github.com/xtls/xray-core/v1/common/protocol"
+	serial "github.com/xtls/xray-core/v1/common/serial"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// This is a compile-time assertion that a sufficiently up-to-date version
+// of the legacy proto package is being used.
+const _ = proto.ProtoPackageIsVersion4
+
+type Config struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Key      string                   `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
+	Security *protocol.SecurityConfig `protobuf:"bytes,2,opt,name=security,proto3" json:"security,omitempty"`
+	Header   *serial.TypedMessage     `protobuf:"bytes,3,opt,name=header,proto3" json:"header,omitempty"`
+}
+
+func (x *Config) Reset() {
+	*x = Config{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_transport_internet_quic_config_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Config) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Config) ProtoMessage() {}
+
+func (x *Config) ProtoReflect() protoreflect.Message {
+	mi := &file_transport_internet_quic_config_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Config.ProtoReflect.Descriptor instead.
+func (*Config) Descriptor() ([]byte, []int) {
+	return file_transport_internet_quic_config_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Config) GetKey() string {
+	if x != nil {
+		return x.Key
+	}
+	return ""
+}
+
+func (x *Config) GetSecurity() *protocol.SecurityConfig {
+	if x != nil {
+		return x.Security
+	}
+	return nil
+}
+
+func (x *Config) GetHeader() *serial.TypedMessage {
+	if x != nil {
+		return x.Header
+	}
+	return nil
+}
+
+var File_transport_internet_quic_config_proto protoreflect.FileDescriptor
+
+var file_transport_internet_quic_config_proto_rawDesc = []byte{
+	0x0a, 0x24, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65,
+	0x72, 0x6e, 0x65, 0x74, 0x2f, 0x71, 0x75, 0x69, 0x63, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1c, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61,
+	0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e,
+	0x71, 0x75, 0x69, 0x63, 0x1a, 0x21, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x73, 0x65, 0x72,
+	0x69, 0x61, 0x6c, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x64, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67,
+	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1d, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x96, 0x01, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69,
+	0x67, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
+	0x6b, 0x65, 0x79, 0x12, 0x40, 0x0a, 0x08, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x6d,
+	0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2e, 0x53, 0x65, 0x63,
+	0x75, 0x72, 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x08, 0x73, 0x65, 0x63,
+	0x75, 0x72, 0x69, 0x74, 0x79, 0x12, 0x38, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x6d,
+	0x6d, 0x6f, 0x6e, 0x2e, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x64,
+	0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x42,
+	0x79, 0x0a, 0x20, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e,
+	0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x71,
+	0x75, 0x69, 0x63, 0x50, 0x01, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f,
+	0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65,
+	0x2f, 0x76, 0x31, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e,
+	0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2f, 0x71, 0x75, 0x69, 0x63, 0xaa, 0x02, 0x1c, 0x58, 0x72,
+	0x61, 0x79, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x49, 0x6e, 0x74,
+	0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x51, 0x75, 0x69, 0x63, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x33,
+}
+
+var (
+	file_transport_internet_quic_config_proto_rawDescOnce sync.Once
+	file_transport_internet_quic_config_proto_rawDescData = file_transport_internet_quic_config_proto_rawDesc
+)
+
+func file_transport_internet_quic_config_proto_rawDescGZIP() []byte {
+	file_transport_internet_quic_config_proto_rawDescOnce.Do(func() {
+		file_transport_internet_quic_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_transport_internet_quic_config_proto_rawDescData)
+	})
+	return file_transport_internet_quic_config_proto_rawDescData
+}
+
+var file_transport_internet_quic_config_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_transport_internet_quic_config_proto_goTypes = []interface{}{
+	(*Config)(nil),                  // 0: xray.transport.internet.quic.Config
+	(*protocol.SecurityConfig)(nil), // 1: xray.common.protocol.SecurityConfig
+	(*serial.TypedMessage)(nil),     // 2: xray.common.serial.TypedMessage
+}
+var file_transport_internet_quic_config_proto_depIdxs = []int32{
+	1, // 0: xray.transport.internet.quic.Config.security:type_name -> xray.common.protocol.SecurityConfig
+	2, // 1: xray.transport.internet.quic.Config.header:type_name -> xray.common.serial.TypedMessage
+	2, // [2:2] is the sub-list for method output_type
+	2, // [2:2] is the sub-list for method input_type
+	2, // [2:2] is the sub-list for extension type_name
+	2, // [2:2] is the sub-list for extension extendee
+	0, // [0:2] is the sub-list for field type_name
+}
+
+func init() { file_transport_internet_quic_config_proto_init() }
+func file_transport_internet_quic_config_proto_init() {
+	if File_transport_internet_quic_config_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_transport_internet_quic_config_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Config); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_transport_internet_quic_config_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_transport_internet_quic_config_proto_goTypes,
+		DependencyIndexes: file_transport_internet_quic_config_proto_depIdxs,
+		MessageInfos:      file_transport_internet_quic_config_proto_msgTypes,
+	}.Build()
+	File_transport_internet_quic_config_proto = out.File
+	file_transport_internet_quic_config_proto_rawDesc = nil
+	file_transport_internet_quic_config_proto_goTypes = nil
+	file_transport_internet_quic_config_proto_depIdxs = nil
+}
--- a/transport/internet/quic/config.proto
+++ b/transport/internet/quic/config.proto
@ -0,0 +1,16 @@
+syntax = "proto3";
+
+package xray.transport.internet.quic;
+option csharp_namespace = "Xray.Transport.Internet.Quic";
+option go_package = "github.com/xtls/xray-core/v1/transport/internet/quic";
+option java_package = "com.xray.transport.internet.quic";
+option java_multiple_files = true;
+
+import "common/serial/typed_message.proto";
+import "common/protocol/headers.proto";
+
+message Config {
+  string key = 1;
+  xray.common.protocol.SecurityConfig security = 2;
+  xray.common.serial.TypedMessage header = 3;
+}
--- a/transport/internet/quic/conn.go
+++ b/transport/internet/quic/conn.go
@ -0,0 +1,187 @@
+// +build !confonly
+
+package quic
+
+import (
+	"crypto/cipher"
+	"crypto/rand"
+	"errors"
+	"time"
+
+	"github.com/lucas-clemente/quic-go"
+	"github.com/xtls/xray-core/v1/common"
+	"github.com/xtls/xray-core/v1/common/buf"
+	"github.com/xtls/xray-core/v1/common/net"
+	"github.com/xtls/xray-core/v1/transport/internet"
+)
+
+type sysConn struct {
+	conn   net.PacketConn
+	header internet.PacketHeader
+	auth   cipher.AEAD
+}
+
+func wrapSysConn(rawConn net.PacketConn, config *Config) (*sysConn, error) {
+	header, err := getHeader(config)
+	if err != nil {
+		return nil, err
+	}
+	auth, err := getAuth(config)
+	if err != nil {
+		return nil, err
+	}
+	return &sysConn{
+		conn:   rawConn,
+		header: header,
+		auth:   auth,
+	}, nil
+}
+
+var errInvalidPacket = errors.New("invalid packet")
+
+func (c *sysConn) readFromInternal(p []byte) (int, net.Addr, error) {
+	buffer := getBuffer()
+	defer putBuffer(buffer)
+
+	nBytes, addr, err := c.conn.ReadFrom(buffer)
+	if err != nil {
+		return 0, nil, err
+	}
+
+	payload := buffer[:nBytes]
+	if c.header != nil {
+		if len(payload) <= int(c.header.Size()) {
+			return 0, nil, errInvalidPacket
+		}
+		payload = payload[c.header.Size():]
+	}
+
+	if c.auth == nil {
+		n := copy(p, payload)
+		return n, addr, nil
+	}
+
+	if len(payload) <= c.auth.NonceSize() {
+		return 0, nil, errInvalidPacket
+	}
+
+	nonce := payload[:c.auth.NonceSize()]
+	payload = payload[c.auth.NonceSize():]
+
+	p, err = c.auth.Open(p[:0], nonce, payload, nil)
+	if err != nil {
+		return 0, nil, errInvalidPacket
+	}
+
+	return len(p), addr, nil
+}
+
+func (c *sysConn) ReadFrom(p []byte) (int, net.Addr, error) {
+	if c.header == nil && c.auth == nil {
+		return c.conn.ReadFrom(p)
+	}
+
+	for {
+		n, addr, err := c.readFromInternal(p)
+		if err != nil && err != errInvalidPacket {
+			return 0, nil, err
+		}
+		if err == nil {
+			return n, addr, nil
+		}
+	}
+}
+
+func (c *sysConn) WriteTo(p []byte, addr net.Addr) (int, error) {
+	if c.header == nil && c.auth == nil {
+		return c.conn.WriteTo(p, addr)
+	}
+
+	buffer := getBuffer()
+	defer putBuffer(buffer)
+
+	payload := buffer
+	n := 0
+	if c.header != nil {
+		c.header.Serialize(payload)
+		n = int(c.header.Size())
+	}
+
+	if c.auth == nil {
+		nBytes := copy(payload[n:], p)
+		n += nBytes
+	} else {
+		nounce := payload[n : n+c.auth.NonceSize()]
+		common.Must2(rand.Read(nounce))
+		n += c.auth.NonceSize()
+		pp := c.auth.Seal(payload[:n], nounce, p, nil)
+		n = len(pp)
+	}
+
+	return c.conn.WriteTo(payload[:n], addr)
+}
+
+func (c *sysConn) Close() error {
+	return c.conn.Close()
+}
+
+func (c *sysConn) LocalAddr() net.Addr {
+	return c.conn.LocalAddr()
+}
+
+func (c *sysConn) SetDeadline(t time.Time) error {
+	return c.conn.SetDeadline(t)
+}
+
+func (c *sysConn) SetReadDeadline(t time.Time) error {
+	return c.conn.SetReadDeadline(t)
+}
+
+func (c *sysConn) SetWriteDeadline(t time.Time) error {
+	return c.conn.SetWriteDeadline(t)
+}
+
+type interConn struct {
+	stream quic.Stream
+	local  net.Addr
+	remote net.Addr
+}
+
+func (c *interConn) Read(b []byte) (int, error) {
+	return c.stream.Read(b)
+}
+
+func (c *interConn) WriteMultiBuffer(mb buf.MultiBuffer) error {
+	mb = buf.Compact(mb)
+	mb, err := buf.WriteMultiBuffer(c, mb)
+	buf.ReleaseMulti(mb)
+	return err
+}
+
+func (c *interConn) Write(b []byte) (int, error) {
+	return c.stream.Write(b)
+}
+
+func (c *interConn) Close() error {
+	return c.stream.Close()
+}
+
+func (c *interConn) LocalAddr() net.Addr {
+	return c.local
+}
+
+func (c *interConn) RemoteAddr() net.Addr {
+	return c.remote
+}
+
+func (c *interConn) SetDeadline(t time.Time) error {
+	return c.stream.SetDeadline(t)
+}
+
+func (c *interConn) SetReadDeadline(t time.Time) error {
+	return c.stream.SetReadDeadline(t)
+}
+
+func (c *interConn) SetWriteDeadline(t time.Time) error {
+	return c.stream.SetWriteDeadline(t)
+}
--- a/transport/internet/quic/dialer.go
+++ b/transport/internet/quic/dialer.go
@ -0,0 +1,218 @@
+// +build !confonly
+
+package quic
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/lucas-clemente/quic-go"
+	"github.com/xtls/xray-core/v1/common"
+	"github.com/xtls/xray-core/v1/common/net"
+	"github.com/xtls/xray-core/v1/common/task"
+	"github.com/xtls/xray-core/v1/transport/internet"
+	"github.com/xtls/xray-core/v1/transport/internet/tls"
+)
+
+type sessionContext struct {
+	rawConn *sysConn
+	session quic.Session
+}
+
+var errSessionClosed = newError("session closed")
+
+func (c *sessionContext) openStream(destAddr net.Addr) (*interConn, error) {
+	if !isActive(c.session) {
+		return nil, errSessionClosed
+	}
+
+	stream, err := c.session.OpenStream()
+	if err != nil {
+		return nil, err
+	}
+
+	conn := &interConn{
+		stream: stream,
+		local:  c.session.LocalAddr(),
+		remote: destAddr,
+	}
+
+	return conn, nil
+}
+
+type clientSessions struct {
+	access   sync.Mutex
+	sessions map[net.Destination][]*sessionContext
+	cleanup  *task.Periodic
+}
+
+func isActive(s quic.Session) bool {
+	select {
+	case <-s.Context().Done():
+		return false
+	default:
+		return true
+	}
+}
+
+func removeInactiveSessions(sessions []*sessionContext) []*sessionContext {
+	activeSessions := make([]*sessionContext, 0, len(sessions))
+	for _, s := range sessions {
+		if isActive(s.session) {
+			activeSessions = append(activeSessions, s)
+			continue
+		}
+		if err := s.session.CloseWithError(0, ""); err != nil {
+			newError("failed to close session").Base(err).WriteToLog()
+		}
+		if err := s.rawConn.Close(); err != nil {
+			newError("failed to close raw connection").Base(err).WriteToLog()
+		}
+	}
+
+	if len(activeSessions) < len(sessions) {
+		return activeSessions
+	}
+
+	return sessions
+}
+
+func openStream(sessions []*sessionContext, destAddr net.Addr) *interConn {
+	for _, s := range sessions {
+		if !isActive(s.session) {
+			continue
+		}
+
+		conn, err := s.openStream(destAddr)
+		if err != nil {
+			continue
+		}
+
+		return conn
+	}
+
+	return nil
+}
+
+func (s *clientSessions) cleanSessions() error {
+	s.access.Lock()
+	defer s.access.Unlock()
+
+	if len(s.sessions) == 0 {
+		return nil
+	}
+
+	newSessionMap := make(map[net.Destination][]*sessionContext)
+
+	for dest, sessions := range s.sessions {
+		sessions = removeInactiveSessions(sessions)
+		if len(sessions) > 0 {
+			newSessionMap[dest] = sessions
+		}
+	}
+
+	s.sessions = newSessionMap
+	return nil
+}
+
+func (s *clientSessions) openConnection(destAddr net.Addr, config *Config, tlsConfig *tls.Config, sockopt *internet.SocketConfig) (internet.Connection, error) {
+	s.access.Lock()
+	defer s.access.Unlock()
+
+	if s.sessions == nil {
+		s.sessions = make(map[net.Destination][]*sessionContext)
+	}
+
+	dest := net.DestinationFromAddr(destAddr)
+
+	var sessions []*sessionContext
+	if s, found := s.sessions[dest]; found {
+		sessions = s
+	}
+
+	if true {
+		conn := openStream(sessions, destAddr)
+		if conn != nil {
+			return conn, nil
+		}
+	}
+
+	sessions = removeInactiveSessions(sessions)
+
+	rawConn, err := internet.ListenSystemPacket(context.Background(), &net.UDPAddr{
+		IP:   []byte{0, 0, 0, 0},
+		Port: 0,
+	}, sockopt)
+	if err != nil {
+		return nil, err
+	}
+
+	quicConfig := &quic.Config{
+		ConnectionIDLength: 12,
+		HandshakeTimeout:   time.Second * 8,
+		MaxIdleTimeout:     time.Second * 30,
+	}
+
+	conn, err := wrapSysConn(rawConn, config)
+	if err != nil {
+		rawConn.Close()
+		return nil, err
+	}
+
+	session, err := quic.DialContext(context.Background(), conn, destAddr, "", tlsConfig.GetTLSConfig(tls.WithDestination(dest)), quicConfig)
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+
+	context := &sessionContext{
+		session: session,
+		rawConn: conn,
+	}
+	s.sessions[dest] = append(sessions, context)
+	return context.openStream(destAddr)
+}
+
+var client clientSessions
+
+func init() {
+	client.sessions = make(map[net.Destination][]*sessionContext)
+	client.cleanup = &task.Periodic{
+		Interval: time.Minute,
+		Execute:  client.cleanSessions,
+	}
+	common.Must(client.cleanup.Start())
+}
+
+func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.MemoryStreamConfig) (internet.Connection, error) {
+	tlsConfig := tls.ConfigFromStreamSettings(streamSettings)
+	if tlsConfig == nil {
+		tlsConfig = &tls.Config{
+			ServerName:    internalDomain,
+			AllowInsecure: true,
+		}
+	}
+
+	var destAddr *net.UDPAddr
+	if dest.Address.Family().IsIP() {
+		destAddr = &net.UDPAddr{
+			IP:   dest.Address.IP(),
+			Port: int(dest.Port),
+		}
+	} else {
+		addr, err := net.ResolveUDPAddr("udp", dest.NetAddr())
+		if err != nil {
+			return nil, err
+		}
+		destAddr = addr
+	}
+
+	config := streamSettings.ProtocolSettings.(*Config)
+
+	return client.openConnection(destAddr, config, tlsConfig, streamSettings.SocketSettings)
+}
+
+func init() {
+	common.Must(internet.RegisterTransportDialer(protocolName, Dial))
+}
--- a/transport/internet/quic/errors.generated.go
+++ b/transport/internet/quic/errors.generated.go
@ -0,0 +1,9 @@
+package quic
+
+import "github.com/xtls/xray-core/v1/common/errors"
+
+type errPathObjHolder struct{}
+
+func newError(values ...interface{}) *errors.Error {
+	return errors.New(values...).WithPathObj(errPathObjHolder{})
+}
--- a/transport/internet/quic/hub.go
+++ b/transport/internet/quic/hub.go
@ -0,0 +1,140 @@
+// +build !confonly
+
+package quic
+
+import (
+	"context"
+	"time"
+
+	"github.com/lucas-clemente/quic-go"
+	"github.com/xtls/xray-core/v1/common"
+	"github.com/xtls/xray-core/v1/common/net"
+	"github.com/xtls/xray-core/v1/common/protocol/tls/cert"
+	"github.com/xtls/xray-core/v1/common/signal/done"
+	"github.com/xtls/xray-core/v1/transport/internet"
+	"github.com/xtls/xray-core/v1/transport/internet/tls"
+)
+
+// Listener is an internet.Listener that listens for TCP connections.
+type Listener struct {
+	rawConn  *sysConn
+	listener quic.Listener
+	done     *done.Instance
+	addConn  internet.ConnHandler
+}
+
+func (l *Listener) acceptStreams(session quic.Session) {
+	for {
+		stream, err := session.AcceptStream(context.Background())
+		if err != nil {
+			newError("failed to accept stream").Base(err).WriteToLog()
+			select {
+			case <-session.Context().Done():
+				return
+			case <-l.done.Wait():
+				if err := session.CloseWithError(0, ""); err != nil {
+					newError("failed to close session").Base(err).WriteToLog()
+				}
+				return
+			default:
+				time.Sleep(time.Second)
+				continue
+			}
+		}
+
+		conn := &interConn{
+			stream: stream,
+			local:  session.LocalAddr(),
+			remote: session.RemoteAddr(),
+		}
+
+		l.addConn(conn)
+	}
+}
+
+func (l *Listener) keepAccepting() {
+	for {
+		conn, err := l.listener.Accept(context.Background())
+		if err != nil {
+			newError("failed to accept QUIC sessions").Base(err).WriteToLog()
+			if l.done.Done() {
+				break
+			}
+			time.Sleep(time.Second)
+			continue
+		}
+		go l.acceptStreams(conn)
+	}
+}
+
+// Addr implements internet.Listener.Addr.
+func (l *Listener) Addr() net.Addr {
+	return l.listener.Addr()
+}
+
+// Close implements internet.Listener.Close.
+func (l *Listener) Close() error {
+	l.done.Close()
+	l.listener.Close()
+	l.rawConn.Close()
+	return nil
+}
+
+// Listen creates a new Listener based on configurations.
+func Listen(ctx context.Context, address net.Address, port net.Port, streamSettings *internet.MemoryStreamConfig, handler internet.ConnHandler) (internet.Listener, error) {
+	if address.Family().IsDomain() {
+		return nil, newError("domain address is not allows for listening quic")
+	}
+
+	tlsConfig := tls.ConfigFromStreamSettings(streamSettings)
+	if tlsConfig == nil {
+		tlsConfig = &tls.Config{
+			Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil, cert.DNSNames(internalDomain), cert.CommonName(internalDomain)))},
+		}
+	}
+
+	config := streamSettings.ProtocolSettings.(*Config)
+	rawConn, err := internet.ListenSystemPacket(context.Background(), &net.UDPAddr{
+		IP:   address.IP(),
+		Port: int(port),
+	}, streamSettings.SocketSettings)
+
+	if err != nil {
+		return nil, err
+	}
+
+	quicConfig := &quic.Config{
+		ConnectionIDLength:    12,
+		HandshakeTimeout:      time.Second * 8,
+		MaxIdleTimeout:        time.Second * 45,
+		MaxIncomingStreams:    32,
+		MaxIncomingUniStreams: -1,
+	}
+
+	conn, err := wrapSysConn(rawConn, config)
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+
+	qListener, err := quic.Listen(conn, tlsConfig.GetTLSConfig(), quicConfig)
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+
+	listener := &Listener{
+		done:     done.New(),
+		rawConn:  conn,
+		listener: qListener,
+		addConn:  handler,
+	}
+
+	go listener.keepAccepting()
+
+	return listener, nil
+}
+
+func init() {
+	common.Must(internet.RegisterTransportListener(protocolName, Listen))
+}
--- a/transport/internet/quic/pool.go
+++ b/transport/internet/quic/pool.go
@ -0,0 +1,23 @@
+// +build !confonly
+
+package quic
+
+import (
+	"sync"
+
+	"github.com/xtls/xray-core/v1/common/bytespool"
+)
+
+var pool *sync.Pool
+
+func init() {
+	pool = bytespool.GetPool(2048)
+}
+
+func getBuffer() []byte {
+	return pool.Get().([]byte)
+}
+
+func putBuffer(p []byte) {
+	pool.Put(p)
+}
--- a/transport/internet/quic/quic.go
+++ b/transport/internet/quic/quic.go
@ -0,0 +1,25 @@
+// +build !confonly
+
+package quic
+
+import (
+	"github.com/xtls/xray-core/v1/common"
+	"github.com/xtls/xray-core/v1/transport/internet"
+)
+
+//go:generate go run github.com/xtls/xray-core/v1/common/errors/errorgen
+
+// Here is some modification needs to be done before update quic vendor.
+// * use bytespool in buffer_pool.go
+// * set MaxReceivePacketSize to 1452 - 32 (16 bytes auth, 16 bytes head)
+//
+//
+
+const protocolName = "quic"
+const internalDomain = "quic.internal.example.com"
+
+func init() {
+	common.Must(internet.RegisterProtocolConfigCreator(protocolName, func() interface{} {
+		return new(Config)
+	}))
+}
--- a/transport/internet/quic/quic_test.go
+++ b/transport/internet/quic/quic_test.go
@ -0,0 +1,223 @@
+package quic_test
+
+import (
+	"context"
+	"crypto/rand"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+
+	"github.com/xtls/xray-core/v1/common"
+	"github.com/xtls/xray-core/v1/common/buf"
+	"github.com/xtls/xray-core/v1/common/net"
+	"github.com/xtls/xray-core/v1/common/protocol"
+	"github.com/xtls/xray-core/v1/common/protocol/tls/cert"
+	"github.com/xtls/xray-core/v1/common/serial"
+	"github.com/xtls/xray-core/v1/testing/servers/udp"
+	"github.com/xtls/xray-core/v1/transport/internet"
+	"github.com/xtls/xray-core/v1/transport/internet/headers/wireguard"
+	"github.com/xtls/xray-core/v1/transport/internet/quic"
+	"github.com/xtls/xray-core/v1/transport/internet/tls"
+)
+
+func TestQuicConnection(t *testing.T) {
+	port := udp.PickPort()
+
+	listener, err := quic.Listen(context.Background(), net.LocalHostIP, port, &internet.MemoryStreamConfig{
+		ProtocolName:     "quic",
+		ProtocolSettings: &quic.Config{},
+		SecurityType:     "tls",
+		SecuritySettings: &tls.Config{
+			Certificate: []*tls.Certificate{
+				tls.ParseCertificate(
+					cert.MustGenerate(nil,
+						cert.DNSNames("www.example.com"),
+					),
+				),
+			},
+		},
+	}, func(conn internet.Connection) {
+		go func() {
+			defer conn.Close()
+
+			b := buf.New()
+			defer b.Release()
+
+			for {
+				b.Clear()
+				if _, err := b.ReadFrom(conn); err != nil {
+					return
+				}
+				common.Must2(conn.Write(b.Bytes()))
+			}
+		}()
+	})
+	common.Must(err)
+
+	defer listener.Close()
+
+	time.Sleep(time.Second)
+
+	dctx := context.Background()
+	conn, err := quic.Dial(dctx, net.TCPDestination(net.LocalHostIP, port), &internet.MemoryStreamConfig{
+		ProtocolName:     "quic",
+		ProtocolSettings: &quic.Config{},
+		SecurityType:     "tls",
+		SecuritySettings: &tls.Config{
+			ServerName:    "www.example.com",
+			AllowInsecure: true,
+		},
+	})
+	common.Must(err)
+	defer conn.Close()
+
+	const N = 1024
+	b1 := make([]byte, N)
+	common.Must2(rand.Read(b1))
+	b2 := buf.New()
+
+	common.Must2(conn.Write(b1))
+
+	b2.Clear()
+	common.Must2(b2.ReadFullFrom(conn, N))
+	if r := cmp.Diff(b2.Bytes(), b1); r != "" {
+		t.Error(r)
+	}
+
+	common.Must2(conn.Write(b1))
+
+	b2.Clear()
+	common.Must2(b2.ReadFullFrom(conn, N))
+	if r := cmp.Diff(b2.Bytes(), b1); r != "" {
+		t.Error(r)
+	}
+}
+
+func TestQuicConnectionWithoutTLS(t *testing.T) {
+	port := udp.PickPort()
+
+	listener, err := quic.Listen(context.Background(), net.LocalHostIP, port, &internet.MemoryStreamConfig{
+		ProtocolName:     "quic",
+		ProtocolSettings: &quic.Config{},
+	}, func(conn internet.Connection) {
+		go func() {
+			defer conn.Close()
+
+			b := buf.New()
+			defer b.Release()
+
+			for {
+				b.Clear()
+				if _, err := b.ReadFrom(conn); err != nil {
+					return
+				}
+				common.Must2(conn.Write(b.Bytes()))
+			}
+		}()
+	})
+	common.Must(err)
+
+	defer listener.Close()
+
+	time.Sleep(time.Second)
+
+	dctx := context.Background()
+	conn, err := quic.Dial(dctx, net.TCPDestination(net.LocalHostIP, port), &internet.MemoryStreamConfig{
+		ProtocolName:     "quic",
+		ProtocolSettings: &quic.Config{},
+	})
+	common.Must(err)
+	defer conn.Close()
+
+	const N = 1024
+	b1 := make([]byte, N)
+	common.Must2(rand.Read(b1))
+	b2 := buf.New()
+
+	common.Must2(conn.Write(b1))
+
+	b2.Clear()
+	common.Must2(b2.ReadFullFrom(conn, N))
+	if r := cmp.Diff(b2.Bytes(), b1); r != "" {
+		t.Error(r)
+	}
+
+	common.Must2(conn.Write(b1))
+
+	b2.Clear()
+	common.Must2(b2.ReadFullFrom(conn, N))
+	if r := cmp.Diff(b2.Bytes(), b1); r != "" {
+		t.Error(r)
+	}
+}
+
+func TestQuicConnectionAuthHeader(t *testing.T) {
+	port := udp.PickPort()
+
+	listener, err := quic.Listen(context.Background(), net.LocalHostIP, port, &internet.MemoryStreamConfig{
+		ProtocolName: "quic",
+		ProtocolSettings: &quic.Config{
+			Header: serial.ToTypedMessage(&wireguard.WireguardConfig{}),
+			Key:    "abcd",
+			Security: &protocol.SecurityConfig{
+				Type: protocol.SecurityType_AES128_GCM,
+			},
+		},
+	}, func(conn internet.Connection) {
+		go func() {
+			defer conn.Close()
+
+			b := buf.New()
+			defer b.Release()
+
+			for {
+				b.Clear()
+				if _, err := b.ReadFrom(conn); err != nil {
+					return
+				}
+				common.Must2(conn.Write(b.Bytes()))
+			}
+		}()
+	})
+	common.Must(err)
+
+	defer listener.Close()
+
+	time.Sleep(time.Second)
+
+	dctx := context.Background()
+	conn, err := quic.Dial(dctx, net.TCPDestination(net.LocalHostIP, port), &internet.MemoryStreamConfig{
+		ProtocolName: "quic",
+		ProtocolSettings: &quic.Config{
+			Header: serial.ToTypedMessage(&wireguard.WireguardConfig{}),
+			Key:    "abcd",
+			Security: &protocol.SecurityConfig{
+				Type: protocol.SecurityType_AES128_GCM,
+			},
+		},
+	})
+	common.Must(err)
+	defer conn.Close()
+
+	const N = 1024
+	b1 := make([]byte, N)
+	common.Must2(rand.Read(b1))
+	b2 := buf.New()
+
+	common.Must2(conn.Write(b1))
+
+	b2.Clear()
+	common.Must2(b2.ReadFullFrom(conn, N))
+	if r := cmp.Diff(b2.Bytes(), b1); r != "" {
+		t.Error(r)
+	}
+
+	common.Must2(conn.Write(b1))
+
+	b2.Clear()
+	common.Must2(b2.ReadFullFrom(conn, N))
+	if r := cmp.Diff(b2.Bytes(), b1); r != "" {
+		t.Error(r)
+	}
+}