Add udp mask

EN Add udp mask

RU Add udp mask

Prettified Code!

Author: Fangliding

docs/config/transport.md

@@ -20,6 +20,9 @@
   "grpcSettings": {},
   "wsSettings": {},
   "httpupgradeSettings": {},
+  "finalmask": {
+    "udp": []
+  },
   "sockopt": {
     "mark": 0,
     "tcpMaxSeg": 1440,
@@ -102,6 +105,10 @@ Reality 是目前最安全的传输加密方案, 且外部看来流量类型和
 
 透明代理相关的具体配置。
 
+> `finalmask`: [FinalMaskObject](#finalmaskobject)
+
+FinalMask 配置，用于对流量进行通用伪装。
+
 ### TLSObject
 
 ```json
@@ -901,3 +908,110 @@ RFC-8305 中的 "First Address Family count", 默认值为 1. 它定义了对不
 > `maxConcurrentTry`: number
 
 最大并发数量，用于防止解析出的IP过多且均未成功时候核心也对这些IP产生大量连接。默认为4, 设置为0代表禁用 happyEyeballs.
+
+### FinalMaskObject
+
+FinalMask 在核心处理完包括 TLS/REALITY 在内的传输层加密后，对流量进行最后一层伪装。
+
+目前仅有 UDP 支持。
+
+```json
+{
+  "udp": [
+    {
+      "type": "header-dns",
+      "settings": {
+        "domain": "www.baidu.com"
+      }
+    }
+  ]
+}
+```
+
+> `udp`: \[ list \]
+
+一个数组，表示应用于 UDP 流量的伪装列表。多个伪装会按顺序一层层应用。
+
+settings 根据伪装类型不同，见下。
+
+> `mkcp-original`
+
+mKCP 曾经默认应用的简单混淆，你可能需要配置它来连接以前的 mKCP 服务器。无额外配置。
+
+> `mkcp-aes128gcm`
+
+对应原 mKCP 的 `seed` 功能。使用 AES-128-GCM 进行混淆。
+
+- `settings`:
+  ```json
+  {
+    "password": "your-password"
+  }
+  ```
+
+`password` 为加密密码，服务端客户端需一致。
+
+> `header-dns`
+
+对应原 mKCP 的 DNS 伪装。
+
+- `settings`:
+  ```json
+  {
+    "domain": "www.example.com"
+  }
+  ```
+
+`domain` 为用于伪装的域名。
+
+> `header-dtls`
+
+对应原 mKCP 的 DTLS 伪装。无额外配置。
+
+> `header-srtp`
+
+对应原 mKCP 的 SRTP 伪装。无额外配置。
+
+> `header-utp`
+
+对应原 mKCP 的 uTP 伪装。无额外配置。
+
+> `header-wechat`
+
+对应原 mKCP 的 WeChat Video 伪装。无额外配置。
+
+> `header-wireguard`
+
+对应原 mKCP 的 WireGuard 伪装。无额外配置。
+
+> `xdns`
+
+实验性功能，利用 DNS 查询来传输数据（类似 DNSTT）。它将执行标准的 DNS TXT 查询来传输载荷。
+
+由于技术限制，它给出的 MTU 非常小，无法使用 QUIC，建议搭配 mKCP 使用。推荐的 MTU 值：客户端 130，服务端 900。
+
+- `settings`:
+  ```json
+  {
+    "domain": "www.example.com"
+  }
+  ```
+
+`domain` 为用于查询的域名。
+
+因为执行的查询是标准的，它可以透过任何 UDP DNS 服务器进行转发，尽管效率可能十分不理想。
+
+要使用这个功能，需要服务端监听 53 端口，然后代理协议将目标指向一个 DNS 服务器（如 8.8.8.8:53），并且你拥有 `domain` 的域名，然后将其 NS 记录指向服务端。
+
+> `salamander`
+
+Salamander 混淆。（来自 Hysteria2）
+
+- `settings`:
+  ```json
+  {
+    "password": "your-password"
+  }
+  ```
+
+`password` 为混淆密码，服务端客户端需一致。

docs/config/transports/mkcp.md

@@ -20,15 +20,16 @@ mKCP 牺牲带宽来降低延迟。传输同样的内容，mKCP 一般比 TCP 
   "downlinkCapacity": 20,
   "congestion": false,
   "readBufferSize": 1,
-  "writeBufferSize": 1,
-  "header": {
-    "type": "none",
-    "domain": "example.com"
-  },
-  "seed": "Password"
+  "writeBufferSize": 1
 }
 ```
 
+::: TIP
+`header` 和 `seed` 字段已被移除，请使用 [FinalMask](../transport.md#finalmaskobject) 进行配置。
+
+并且曾经默认的 mKCP 混淆也被移除，要连接旧版服务端，需要在 FinalMask 中配置 `mkcp-original`。
+:::
+
 > `mtu`: number
 
 最大传输单元（maximum transmission unit）
@@ -91,43 +92,6 @@ mKCP 牺牲带宽来降低延迟。传输同样的内容，mKCP 一般比 TCP 
 在网速不超过 20MB/s 时，默认值 1MB 可以满足需求；超过之后，可以适当增加 `readBufferSize` 和 `writeBufferSize` 的值，然后手动平衡速度和内存的关系。
 :::
 
-> `header`: [HeaderObject](#headerobject)
-
-数据包头部伪装设置
-
-> `seed`: string
-
-可选的混淆密码，使用 AES-128-GCM 算法混淆流量数据，客户端和服务端需要保持一致。
-
-本混淆机制不能用于保证通信内容的安全，但可能可以对抗部分封锁。
-
-> 目前测试环境下开启此设置后没有出现原版未混淆版本的封端口现象
-
-### HeaderObject
-
-```json
-{
-  "type": "none",
-  "domain": "example.com"
-}
-```
-
-> `type`: string
-
-伪装类型，可选的值有：
-
-- `"none"`：默认值，不进行伪装，发送的数据是没有特征的数据包。
-- `"srtp"`：伪装成 SRTP 数据包，会被识别为视频通话数据（如 FaceTime）。
-- `"utp"`：伪装成 uTP 数据包，会被识别为 BT 下载数据。
-- `"wechat-video"`：伪装成微信视频通话的数据包。
-- `"dtls"`：伪装成 DTLS 1.2 数据包。
-- `"wireguard"`：伪装成 WireGuard 数据包。（并不是真正的 WireGuard 协议）
-- `"dns"`：某些校园网在未登录的情况下允许DNS查询，给KCP添加DNS头，把流量伪装成dns请求，可以绕过某些校园网登录。
-
-> `domain`: string
-
-配合伪装类型 `"dns"` 使用，可随便填一个域名。
-
 ## 鸣谢
 
 - [@skywind3000](https://github.com/skywind3000) 发明并实现了 KCP 协议。

docs/en/config/transport.md

@@ -20,6 +20,9 @@ Transport specifies a stable method for data transmission. Generally, both ends
   "grpcSettings": {},
   "wsSettings": {},
   "httpupgradeSettings": {},
+  "finalmask": {
+    "udp": []
+  },
   "sockopt": {
     "mark": 0,
     "tcpMaxSeg": 1440,
@@ -101,6 +104,10 @@ Hysteria configuration for the current connection. Only valid when this connecti
 
 Specific configurations related to transparent proxying.
 
+> `finalmask`: [FinalMaskObject](#finalmaskobject)
+
+FinalMask configuration, used for general traffic obfuscation.
+
 ### TLSObject
 
 ```json
@@ -888,3 +895,100 @@ E.g., waiting IP queue sorted as 46464646 (set to 1), 44664466 (set to 2).
 > `maxConcurrentTry`: number
 
 Max concurrent attempts. Prevents core from making massive connections if many IPs resolve but fail. Default 4. Set to 0 to disable happyEyeballs.
+
+### FinalMaskObject
+
+FinalMask applies a final layer of obfuscation to the traffic after the core has processed transport layer encryption, including TLS/REALITY. Currently, only UDP is supported.
+
+```json
+{
+  "udp": [
+    {
+      "type": "header-dns",
+      "settings": {
+        "domain": "[www.baidu.com](https://www.baidu.com)"
+      }
+    }
+  ]
+}
+```
+
+> `udp`: \[ list \]
+
+An array representing the list of obfuscations applied to UDP traffic. Multiple obfuscations will be applied sequentially, layer by layer. The `settings` vary depending on the obfuscation type; see below.
+
+> `mkcp-original`
+
+The simple obfuscation that was previously applied by default in mKCP. You may need to configure this to connect to legacy mKCP servers. No additional configuration required.
+
+> `mkcp-aes128gcm`
+
+Corresponds to the original mKCP `seed` feature. Uses AES-128-GCM for obfuscation.
+
+- `settings`:
+  ```json
+  {
+    "password": "your-password"
+  }
+  ```
+
+`password` is the encryption password; it must be consistent between the server and the client.
+
+> `header-dns`
+
+Corresponds to the original mKCP DNS obfuscation.
+
+- `settings`:
+  ```json
+  {
+    "domain": "[www.example.com](https://www.example.com)"
+  }
+  ```
+
+`domain` is the domain name used for obfuscation.
+
+> `header-dtls`
+
+Corresponds to the original mKCP DTLS obfuscation. No additional configuration required.
+
+> `header-srtp`
+
+Corresponds to the original mKCP SRTP obfuscation. No additional configuration required.
+
+> `header-utp`
+
+Corresponds to the original mKCP uTP obfuscation. No additional configuration required.
+
+> `header-wechat`
+
+Corresponds to the original mKCP WeChat Video obfuscation. No additional configuration required.
+
+> `header-wireguard`
+
+Corresponds to the original mKCP WireGuard obfuscation. No additional configuration required.
+
+> `xdns`
+
+Experimental feature. Utilizes DNS queries to transport data (similar to DNSTT). It performs standard DNS TXT queries to transport the payload. Due to technical limitations, the resulting MTU is very small, making it incompatible with QUIC; it is recommended to use it with mKCP. Recommended MTU values: Client 130, Server 900.
+
+- `settings`:
+  ```json
+  {
+    "domain": "[www.example.com](https://www.example.com)"
+  }
+  ```
+
+`domain` is the domain name used for queries. Since the queries performed are standard, they can be forwarded through any UDP DNS server, although efficiency may be very suboptimal. To use this feature, the server needs to listen on port 53, and the proxy protocol should direct the target to a DNS server (e.g., 8.8.8.8:53). Additionally, you must own the domain specified in `domain` and point its NS record to your server.
+
+> `salamander`
+
+Salamander obfuscation (from Hysteria2).
+
+- `settings`:
+  ```json
+  {
+    "password": "your-password"
+  }
+  ```
+
+`password` is the obfuscation password; it must be consistent between the server and the client.

docs/en/config/transports/mkcp.md

@@ -20,15 +20,16 @@ Please ensure that the firewall configuration on the host is correct.
   "downlinkCapacity": 20,
   "congestion": false,
   "readBufferSize": 1,
-  "writeBufferSize": 1,
-  "header": {
-    "type": "none",
-    "domain": "example.com"
-  },
-  "seed": "Password"
+  "writeBufferSize": 1
 }
 ```
 
+::: TIP
+The `header` and `seed` fields have been removed. Please use [FinalMask](../transport.md#finalmaskobject) for configuration.
+
+Additionally, the previously default mKCP obfuscation has also been removed. To connect to a legacy server, you need to configure `mkcp-original` in FinalMask.
+:::
+
 > `mtu`: number
 
 Maximum Transmission Unit.
@@ -91,43 +92,6 @@ When high-speed transmission is required, specifying larger `readBufferSize` and
 When the network speed does not exceed 20MB/s, the default value of 1MB can meet the demand; beyond that, you can appropriately increase the values of `readBufferSize` and `writeBufferSize`, and then manually balance the relationship between speed and memory.
 :::
 
-> `header`: [HeaderObject](#headerobject)
-
-Packet header camouflage settings.
-
-> `seed`: string
-
-Optional obfuscation password. Uses the AES-128-GCM algorithm to obfuscate traffic data. Must be consistent between the client and the server.
-
-This obfuscation mechanism cannot be used to guarantee the security of communication content, but it may help mitigate some forms of blocking.
-
-> Currently, in test environments, no port blocking phenomena have been observed after enabling this setting compared to the original unobfuscated version.
-
-### HeaderObject
-
-```json
-{
-  "type": "none",
-  "domain": "example.com"
-}
-```
-
-> `type`: string
-
-Camouflage type. Optional values are:
-
-- `"none"`: Default value. No camouflage is performed; sent data is a packet without characteristics.
-- `"srtp"`: Disguised as SRTP packets, recognized as video call data (e.g., FaceTime).
-- `"utp"`: Disguised as uTP packets, recognized as BT download data.
-- `"wechat-video"`: Disguised as WeChat video call packets.
-- `"dtls"`: Disguised as DTLS 1.2 packets.
-- `"wireguard"`: Disguised as WireGuard packets. (Not the real WireGuard protocol).
-- `"dns"`: Some campus networks allow DNS queries without logging in. Adding a DNS header to KCP allows traffic to be disguised as DNS requests, potentially bypassing login requirements on some campus networks.
-
-> `domain`: string
-
-Used with the camouflage type `"dns"`. You can fill in any domain name.
-
 ## Credits
 
 - [@skywind3000](https://github.com/skywind3000) Invented and implemented the KCP protocol.