From d4d8b43c721d8f6a5dbc18cf7375bacee73141c4 Mon Sep 17 00:00:00 2001 From: "sijie.sun" Date: Sun, 19 Apr 2026 19:05:33 +0800 Subject: [PATCH] lazy p2p --- .vitepress/config/cn.ts | 2 +- en/guide/network/configurations.md | 94 ++++++++++----------- en/guide/network/p2p-optimize.md | 126 +++++++++++++++++++++++++++-- guide/network/configurations.md | 94 ++++++++++----------- guide/network/p2p-optimize.md | 75 ++++++++++++++++- 5 files changed, 292 insertions(+), 99 deletions(-) diff --git a/.vitepress/config/cn.ts b/.vitepress/config/cn.ts index 11497ee..1d55a23 100644 --- a/.vitepress/config/cn.ts +++ b/.vitepress/config/cn.ts @@ -33,7 +33,7 @@ export const cn = defineConfig({ { text: '无 TUN 模式(免 Root 权限)', link: '/guide/network/no-root' }, { text: 'SOCKS5', link: '/guide/network/socks5' }, { text: '搭建共享节点', link: '/guide/network/host-public-server' }, - { text: '改善 P2P', link: '/guide/network/p2p-optimize' }, + { text: 'P2P 优化', link: '/guide/network/p2p-optimize' }, { text: '魔法 DNS', link: '/guide/network/magic-dns' }, { text: 'ACL', link: '/guide/config/acl' }, ] }, diff --git a/en/guide/network/configurations.md b/en/guide/network/configurations.md index 0350f04..659984a 100644 --- a/en/guide/network/configurations.md +++ b/en/guide/network/configurations.md @@ -56,52 +56,54 @@ You can use `easytier-core --help` to view all configuration options. ### Other Settings -| Parameter | Description | -| ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `--hostname` | Hostname used to identify this device [env: ET_HOSTNAME=] | -| `-m, --instance-name` | Instance name, used to identify this VPN node on the same machine [env: ET_INSTANCE_NAME=] | -| `--vpn-portal` | Define the URL of the VPN portal, allowing other VPN clients to connect. E.g.: `wg://0.0.0.0:11010/10.14.14.0/24` [env: ET_VPN_PORTAL=] | -| `--default-protocol` | Default protocol used when connecting to peer nodes [env: ET_DEFAULT_PROTOCOL=] | -| `-u, --disable-encryption` | Disable encryption for peer node communication, default is false, must be the same as peer nodes [env: ET_DISABLE_ENCRYPTION=] | -| `--encryption-algorithm` | Encryption algorithm to use, supported: '', 'xor', 'chacha20', 'aes-gcm', 'aes-gcm-256', 'openssl-aes128-gcm', 'openssl-aes256-gcm', 'openssl-chacha20' [env: ET_ENCRYPTION_ALGORITHM=] | -| `--multi-thread` | Use multi-threaded runtime, default is single-threaded [env: ET_MULTI_THREAD=] | -| `--multi-thread-count` | The number of threads to use, default is 2, only effective when multi-thread is enabled, must be greater than 2 [env: ET_MULTI_THREAD_COUNT=] | -| `--disable-ipv6` | Don't use IPv6 [env: ET_DISABLE_IPV6=] | -| `--dev-name` | Optional TUN interface name [env: ET_DEV_NAME=] | -| `--mtu` | MTU of TUN device, default is 1380 when not encrypted, 1360 when encrypted [env: ET_MTU=] | -| `--latency-first` | Latency priority mode, will try to use the lowest latency path to forward traffic, default uses shortest path [env: ET_LATENCY_FIRST=] | -| `--exit-nodes` | Exit nodes for forwarding all traffic, virtual IPv4 addresses, priority determined by list order [env: ET_EXIT_NODES=] | -| `--enable-exit-node` | Allow this node to become an exit node [env: ET_ENABLE_EXIT_NODE=] | -| `--proxy-forward-by-system` | Forward subnet proxy packets through system kernel, disable built-in NAT [env: ET_PROXY_FORWARD_BY_SYSTEM=] | -| `--no-tun` | Don't create TUN device, can use subnet proxy to access nodes [env: ET_NO_TUN=] | -| `--use-smoltcp` | Enable smoltcp stack for subnet proxy and KCP proxy [env: ET_USE_SMOLTCP=] | -| `--manual-routes` | Manually assign route CIDR, will disable subnet proxy and wireguard routes propagated from peer nodes. E.g.: `192.168.0.0/16` [env: ET_MANUAL_ROUTES=] | -| `--relay-network-whitelist` | Only forward traffic from whitelisted networks, supports wildcard strings. Multiple network names can be separated by English spaces. [env: ET_RELAY_NETWORK_WHITELIST=] | -| `--disable-p2p` | Disable P2P communication, only forward packets through nodes specified by `--peers` [env: ET_DISABLE_P2P=] | -| `--p2p-only` | Only communicate with peers that already establish p2p connection [env: ET_P2P_ONLY=] | -| `--disable-tcp-hole-punching` | Disable TCP hole punching function [env: ET_DISABLE_TCP_HOLE_PUNCHING=] | -| `--disable-udp-hole-punching` | Disable UDP hole punching function [env: ET_DISABLE_UDP_HOLE_PUNCHING=] | -| `--disable-sym-hole-punching` | If true, disable UDP NAT hole punching for symmetric NAT (NAT4), which is based on birthday attack and may be blocked by ISP [env: ET_DISABLE_SYM_HOLE_PUNCHING=] | -| `--relay-all-peer-rpc` | Forward RPC packets from all peer nodes, even if peer nodes are not in the relay network whitelist. [env: ET_RELAY_ALL_PEER_RPC=] | -| `--socks5` | Enable socks5 server, allowing socks5 clients to access virtual network. Format: ``, e.g.: `1080` [env: ET_SOCKS5=] | -| `--compression` | Compression algorithm to use, supports `none`, `zstd`. Default is `none` [env: ET_COMPRESSION=] | -| `--bind-device` | Bind the connector's socket to a physical device to avoid routing issues. [env: ET_BIND_DEVICE=] | -| `--enable-kcp-proxy` | Use KCP proxy for TCP streams, improving latency and throughput on UDP packet loss networks. [env: ET_ENABLE_KCP_PROXY=] | -| `--disable-kcp-input` | Don't allow other nodes to use KCP proxy TCP streams to this node. [env: ET_DISABLE_KCP_INPUT=] | -| `--enable-quic-proxy` | Use QUIC proxy for TCP streams, improving latency and throughput on UDP packet loss networks. [env: ET_ENABLE_QUIC_PROXY=] | -| `--disable-quic-input` | Don't allow other nodes to use QUIC proxy TCP streams to this node. [env: ET_DISABLE_QUIC_INPUT=] | -| `--quic-listen-port` | The port to listen for QUIC connections, default is 0 (random port) [env: ET_QUIC_LISTEN_PORT=] | -| `--port-forward` | Forward local ports to remote ports in virtual network. E.g.: `udp://0.0.0.0:12345/10.126.126.1:23456` [env: ET_PORT_FORWARD=] | -| `--accept-dns` | If true, enable Magic DNS. With Magic DNS, you can use domain names to access other nodes, e.g.: `.et.net` [env: ET_ACCEPT_DNS=] | -| `--tld-dns-zone` | Specify the top-level DNS zone for Magic DNS. If not provided, use the dns_server module default (et.net.). Used only when accept_dns is true. [env: ET_TLD_DNS_ZONE=] | -| `--private-mode` | If true, don't allow nodes using different network names and passwords from this network to handshake or relay through this node [env: ET_PRIVATE_MODE=] | -| `--foreign-relay-bps-limit` | Limit bandwidth for relayed traffic [env: ET_FOREIGN_RELAY_BPS_LIMIT=] | -| `--tcp-whitelist` | TCP port whitelist. Supports single ports (80) and ranges (8000-9000) [env: ET_TCP_WHITELIST=] | -| `--udp-whitelist` | UDP port whitelist. Supports single ports (53) and ranges (5000-6000) [env: ET_UDP_WHITELIST=] | -| `--disable-relay-kcp` | If true, disable relay KCP packets. Avoid consuming too many bandwidth. Default is false [env: ET_DISABLE_RELAY_KCP=] | -| `--enable-relay-foreign-network-kcp` | If true, allow relay KCP packets from foreign network. Default is false [env: ET_ENABLE_RELAY_FOREIGN_NETWORK_KCP=] | -| `--stun-servers` | Override default STUN servers; If configured but empty, STUN servers are not used [env: ET_STUN_SERVERS=] | -| `--stun-servers-v6` | Override default STUN servers, IPv6; If configured but empty, IPv6 STUN servers are not used [env: ET_STUN_SERVERS_V6=] | +| Parameter | Description | +| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `--hostname` | Hostname used to identify this device [env: ET_HOSTNAME=] | +| `-m, --instance-name` | Instance name, used to identify this VPN node on the same machine [env: ET_INSTANCE_NAME=] | +| `--vpn-portal` | Define the URL of the VPN portal, allowing other VPN clients to connect. E.g.: `wg://0.0.0.0:11010/10.14.14.0/24` [env: ET_VPN_PORTAL=] | +| `--default-protocol` | Default protocol used when connecting to peer nodes [env: ET_DEFAULT_PROTOCOL=] | +| `-u, --disable-encryption` | Disable encryption for peer node communication, default is false, must be the same as peer nodes [env: ET_DISABLE_ENCRYPTION=] | +| `--encryption-algorithm` | Encryption algorithm to use, supported: '', 'xor', 'chacha20', 'aes-gcm', 'aes-gcm-256', 'openssl-aes128-gcm', 'openssl-aes256-gcm', 'openssl-chacha20' [env: ET_ENCRYPTION_ALGORITHM=] | +| `--multi-thread` | Use multi-threaded runtime, default is single-threaded [env: ET_MULTI_THREAD=] | +| `--multi-thread-count` | The number of threads to use, default is 2, only effective when multi-thread is enabled, must be greater than 2 [env: ET_MULTI_THREAD_COUNT=] | +| `--disable-ipv6` | Don't use IPv6 [env: ET_DISABLE_IPV6=] | +| `--dev-name` | Optional TUN interface name [env: ET_DEV_NAME=] | +| `--mtu` | MTU of TUN device, default is 1380 when not encrypted, 1360 when encrypted [env: ET_MTU=] | +| `--latency-first` | Latency priority mode, will try to use the lowest latency path to forward traffic, default uses shortest path [env: ET_LATENCY_FIRST=] | +| `--exit-nodes` | Exit nodes for forwarding all traffic, virtual IPv4 addresses, priority determined by list order [env: ET_EXIT_NODES=] | +| `--enable-exit-node` | Allow this node to become an exit node [env: ET_ENABLE_EXIT_NODE=] | +| `--proxy-forward-by-system` | Forward subnet proxy packets through system kernel, disable built-in NAT [env: ET_PROXY_FORWARD_BY_SYSTEM=] | +| `--no-tun` | Don't create TUN device, can use subnet proxy to access nodes [env: ET_NO_TUN=] | +| `--use-smoltcp` | Enable smoltcp stack for subnet proxy and KCP proxy [env: ET_USE_SMOLTCP=] | +| `--manual-routes` | Manually assign route CIDR, will disable subnet proxy and wireguard routes propagated from peer nodes. E.g.: `192.168.0.0/16` [env: ET_MANUAL_ROUTES=] | +| `--relay-network-whitelist` | Only forward traffic from whitelisted networks, supports wildcard strings. Multiple network names can be separated by English spaces. [env: ET_RELAY_NETWORK_WHITELIST=] | +| `--disable-p2p` | Disable ordinary automatic P2P. The node still establishes P2P with peers marked `need-p2p`, and ordinary peers should not proactively connect to this node. See [P2P Optimization](/en/guide/network/p2p-optimize) [env: ET_DISABLE_P2P=] | +| `--p2p-only` | Only communicate with peers that already establish P2P connections. When combined with `lazy-p2p`, the first access to a peer without a direct link may need to wait until P2P is established. [env: ET_P2P_ONLY=] | +| `--lazy-p2p` | Only try to establish P2P when traffic actually needs the peer. Peers marked `need-p2p` are still connected proactively. See [P2P Optimization](/en/guide/network/p2p-optimize) [env: ET_LAZY_P2P=] | +| `--need-p2p` | Announce that other peers should proactively establish P2P connections to this node even when they enable `lazy-p2p`. When combined with `disable-p2p`, it becomes an explicit opt-in P2P mode. See [P2P Optimization](/en/guide/network/p2p-optimize) [env: ET_NEED_P2P=] | +| `--disable-tcp-hole-punching` | Disable TCP hole punching function [env: ET_DISABLE_TCP_HOLE_PUNCHING=] | +| `--disable-udp-hole-punching` | Disable UDP hole punching function [env: ET_DISABLE_UDP_HOLE_PUNCHING=] | +| `--disable-sym-hole-punching` | If true, disable UDP NAT hole punching for symmetric NAT (NAT4), which is based on birthday attack and may be blocked by ISP [env: ET_DISABLE_SYM_HOLE_PUNCHING=] | +| `--relay-all-peer-rpc` | Forward RPC packets from all peer nodes, even if peer nodes are not in the relay network whitelist. [env: ET_RELAY_ALL_PEER_RPC=] | +| `--socks5` | Enable socks5 server, allowing socks5 clients to access virtual network. Format: ``, e.g.: `1080` [env: ET_SOCKS5=] | +| `--compression` | Compression algorithm to use, supports `none`, `zstd`. Default is `none` [env: ET_COMPRESSION=] | +| `--bind-device` | Bind the connector's socket to a physical device to avoid routing issues. [env: ET_BIND_DEVICE=] | +| `--enable-kcp-proxy` | Use KCP proxy for TCP streams, improving latency and throughput on UDP packet loss networks. [env: ET_ENABLE_KCP_PROXY=] | +| `--disable-kcp-input` | Don't allow other nodes to use KCP proxy TCP streams to this node. [env: ET_DISABLE_KCP_INPUT=] | +| `--enable-quic-proxy` | Use QUIC proxy for TCP streams, improving latency and throughput on UDP packet loss networks. [env: ET_ENABLE_QUIC_PROXY=] | +| `--disable-quic-input` | Don't allow other nodes to use QUIC proxy TCP streams to this node. [env: ET_DISABLE_QUIC_INPUT=] | +| `--quic-listen-port` | The port to listen for QUIC connections, default is 0 (random port) [env: ET_QUIC_LISTEN_PORT=] | +| `--port-forward` | Forward local ports to remote ports in virtual network. E.g.: `udp://0.0.0.0:12345/10.126.126.1:23456` [env: ET_PORT_FORWARD=] | +| `--accept-dns` | If true, enable Magic DNS. With Magic DNS, you can use domain names to access other nodes, e.g.: `.et.net` [env: ET_ACCEPT_DNS=] | +| `--tld-dns-zone` | Specify the top-level DNS zone for Magic DNS. If not provided, use the dns_server module default (et.net.). Used only when accept_dns is true. [env: ET_TLD_DNS_ZONE=] | +| `--private-mode` | If true, don't allow nodes using different network names and passwords from this network to handshake or relay through this node [env: ET_PRIVATE_MODE=] | +| `--foreign-relay-bps-limit` | Limit bandwidth for relayed traffic [env: ET_FOREIGN_RELAY_BPS_LIMIT=] | +| `--tcp-whitelist` | TCP port whitelist. Supports single ports (80) and ranges (8000-9000) [env: ET_TCP_WHITELIST=] | +| `--udp-whitelist` | UDP port whitelist. Supports single ports (53) and ranges (5000-6000) [env: ET_UDP_WHITELIST=] | +| `--disable-relay-kcp` | If true, disable relay KCP packets. Avoid consuming too many bandwidth. Default is false [env: ET_DISABLE_RELAY_KCP=] | +| `--enable-relay-foreign-network-kcp` | If true, allow relay KCP packets from foreign network. Default is false [env: ET_ENABLE_RELAY_FOREIGN_NETWORK_KCP=] | +| `--stun-servers` | Override default STUN servers; If configured but empty, STUN servers are not used [env: ET_STUN_SERVERS=] | +| `--stun-servers-v6` | Override default STUN servers, IPv6; If configured but empty, IPv6 STUN servers are not used [env: ET_STUN_SERVERS_V6=] | ### Logging Settings diff --git a/en/guide/network/p2p-optimize.md b/en/guide/network/p2p-optimize.md index ed463d2..52e4179 100644 --- a/en/guide/network/p2p-optimize.md +++ b/en/guide/network/p2p-optimize.md @@ -1,21 +1,137 @@ # P2P Optimization -If you want EasyTier to establish P2P connections with other nodes more easily, you can optimize it in the following ways. +This document covers two ways to optimize the P2P experience in EasyTier: + +1. **Control P2P connection behavior**: Adjust whether nodes proactively build direct links, use on-demand hole punching, or stay quiet. +2. **Improve P2P success rate**: Configure the network environment (IPv6, NAT optimization, public port mapping, etc.) to help nodes establish direct connections more easily. + +## Control P2P Connection Behavior + +By default, EasyTier actively attempts to establish P2P direct connections with all ordinary nodes in the background. If you want to change this behavior, you can adjust it on demand with the following three parameters. + +### On-demand hole punching: `--lazy-p2p` + +By default, EasyTier actively tries to punch holes to all nodes. After enabling `--lazy-p2p`, the node no longer actively punches holes in the background. **P2P is only triggered when there is real traffic destined for the peer**. + +Actual effect: + +- In the initial stage, communication goes through relay first, and the route cost may be `2`. +- After real traffic appears, a direct connection is gradually established, and the route cost becomes `1`. + +Suitable for: + +- Networks with many nodes where not all nodes need frequent direct connections with each other. +- Reducing background hole-punching attempts and idle resource consumption. + +### Prioritize being directly connected: `--need-p2p` + +`--need-p2p` signals to other nodes "please prioritize establishing P2P with me". Even if the other side has `--lazy-p2p` enabled, it will still actively connect to this node. + +Suitable for: + +- Game servers/hosts, fixed entry nodes, or latency-sensitive endpoints. +- Scenarios where you want a direct link formed quickly instead of waiting for relay "warm-up". + +### Reduce automatic hole punching: `--disable-p2p` + +`--disable-p2p` causes this node to **opt out of ordinary automatic hole punching**: + +- No longer proactively initiates P2P attempts to ordinary nodes. +- Ordinary nodes will not proactively connect to this node either. +- However, it will still establish P2P with nodes that have `--need-p2p` enabled. +- Traffic can still continue to be forwarded via relay without impact. + +Suitable for: + +- Only wanting direct links with a few key nodes, not automatically connecting with all nodes. +- Turning P2P into an "on-demand whitelist" mode. + +### Combined usage recommendations + +| Your need | Recommended parameters | +|-----------|------------------------| +| Many nodes, want to save resources, don't mind first packet going through relay | `--lazy-p2p` | +| I am a server/host and want others to directly connect to me quickly | `--need-p2p` | +| Only want P2P with specific nodes, don't want to be bothered by ordinary nodes | `--disable-p2p` + `--need-p2p` | +| Completely quiet, only use relay, don't build any P2P | `--disable-p2p` (without `--need-p2p`) | + +### P2P direct only: `--p2p-only` + +`--p2p-only` requires all traffic to use only established P2P direct connections. If there is no P2P direct link with a node yet, traffic destined for it will be dropped directly and will not be relayed. + +Suitable for: Security-sensitive environments where all traffic must be end-to-end direct and cannot be forwarded through third-party relay nodes. + +::: warning Note +If you enable both `--lazy-p2p` and `--p2p-only`, the first attempt to reach a node without an established direct connection may fail (because `p2p-only` does not allow relay). The failure itself triggers on-demand hole punching; subsequent communication resumes after the direct link is built. Therefore, do not use this combination for highly real-time traffic. If low latency is required, enable `--need-p2p` on the destination node to establish the direct link in advance. +::: + +### Disable specific hole-punching methods + +If you find that a particular hole-punching method frequently fails or is unstable in your current network environment, you can disable it individually to avoid wasting resources on ineffective attempts. + +| Parameter | Effect | Suitable for | +|-----------|--------|--------------| +| `--disable-udp-hole-punching` | Completely disable UDP hole punching | Networks that completely block UDP (e.g., some corporate firewalls), or where UDP hole punching frequently fails | +| `--disable-tcp-hole-punching` | Completely disable TCP hole punching | Networks where TCP hole punching is unstable | +| `--disable-sym-hole-punching` | Disable UDP hole punching for symmetric NAT (NAT4) | Symmetric NAT hole punching is based on port prediction (birthday attack principle) and may be identified and blocked by ISPs in some networks. After enabling, symmetric NAT nodes will no longer attempt UDP hole punching with each other (traffic will go through relay), but symmetric NAT nodes can still punch holes with cone NAT nodes using normal logic | ## IPv6 -EasyTier supports P2P communication between nodes via IPv6. By default, EasyTier will randomly listen on an IPv6 UDP port. +EasyTier supports P2P communication between nodes via both IPv4 and IPv6. By default, EasyTier listens on both IPv4 and IPv6 addresses on each listener. -In some cases, specifying the listening IPv6 address and port may be more beneficial for P2P communication between nodes. -You can use the `-l` option to configure the IPv6 listener. For example: +As long as the listener address is `0.0.0.0`, EasyTier will automatically listen on the IPv6 address as well. This behavior can be disabled with the `--disable-ipv6` parameter. + +You can also manually configure listening on IPv6 addresses only. For example: ```sh easytier-core -l 'tcp://[::]:12345' -l 'udp://[::]:12345' ``` +If your nodes all have public IPv6 addresses and can accept inbound connections (i.e., accessible from the external network), you can establish P2P connections through the listener address plus the default listening port (11010). + +If your nodes all have public IPv6 addresses but cannot accept inbound connections (i.e., not accessible from the external network), you can use EasyTier's IPv6 hole-punching feature (version 2.3.0 and above) for P2P connections. This feature is enabled by default. + +Of course, if you can modify the public IPv6 firewall to allow inbound connections, the P2P success rate can also be greatly improved. + +If your IPv6 uses NAT66 (network address translation), you can refer to the IPv4 section. If possible, it is recommended to disable NAT66. + +## IPv4 + +If your nodes have public IPv4 addresses and can accept inbound connections (i.e., accessible from the external network), you can establish P2P connections through the listener address plus the default listening port (11010). + +If your nodes have public IPv4 addresses but cannot accept inbound connections (i.e., not accessible from the external network), you can use EasyTier's IPv4 hole-punching feature for P2P connections. This feature is enabled by default. + +If your nodes are on ordinary home broadband without a public IPv4 address, you need to modify the NAT type to improve the P2P success rate. The following situations apply (you can search online for how to modify NAT types): + +For NAT type knowledge, please refer to this article: [Explanation of Various NAT Types](https://nacldragon.top/2023/NAT-Type/) + +**NAT1 (In RFC3489: Full Cone NAT; In RFC5780: Endpoint-Independent Mapping + Endpoint-Independent Filtering)** + +For EasyTier, if your device is NAT1 type, the peer's NAT type can be NAT1, NAT2, NAT3, or NAT4 when establishing a P2P connection. + +**NAT2 (In RFC3489: Restricted Cone NAT; In RFC5780: Endpoint-Independent Mapping + Address-Dependent Filtering)** + +For EasyTier, if your device is NAT2 type, the peer's NAT type can be NAT1, NAT2, NAT3, or NAT4 when establishing a P2P connection. + +**NAT3 (In RFC3489: Port Restricted Cone NAT; In RFC5780: Endpoint-Independent Mapping + Address and Port-Dependent Filtering)** + +For EasyTier, if your device is NAT3 type, the peer's NAT type can be NAT1, NAT2, NAT3, or NAT4 when establishing a P2P connection. + +**NAT4 (In RFC3489: Symmetric NAT; In RFC5780: Address and Port-Dependent Mapping + Address and Port-Dependent Filtering)** + +For EasyTier, if your device is NAT4 type, the peer's NAT type can be NAT1, NAT2, NAT3, or NAT4 (partially). + +Note: For NAT4 type, due to certain reasons, some NAT4 devices use incrementally or decrementally allocated ports for each connection. P2P can be achieved through port prediction technology. This type of NAT4 can be referred to as NAT4E / Symmetric Incremental. + +::: warning Note +Due to certain firewall policies, commonly found in schools and companies, even if the NAT type is 1, 2, or 3, P2P connections may not be established. +Some regional ISPs may adopt policies to block P2P connections, even if the NAT type is 1, P2P connections may not be possible! +IPv6 with NAT66 enabled behaves the same as IPv4 NAT44 and also falls into the above types. +::: + ## Specify Public IP and Port -In some cases, the node has a public IP and port, but EasyTier cannot correctly identify them (e.g., NAT host). You can use the `--mapped-listeners` option to configure the public IP and port. For example: +In some cases, a node has a public IP and port, but EasyTier cannot correctly identify them (e.g., NAT host). You can use the `--mapped-listeners` option to configure the public IP and port. For example: ```sh easytier-core --mapped-listeners tcp://8.8.8.8:12345 -l tcp://0.0.0.0:11010 diff --git a/guide/network/configurations.md b/guide/network/configurations.md index 4e18867..5e2f55d 100644 --- a/guide/network/configurations.md +++ b/guide/network/configurations.md @@ -56,52 +56,54 @@ ### 其他设置 -| 参数 | 说明 | -| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `--hostname` | 用于标识此设备的主机名 [env: ET_HOSTNAME=] | -| `-m, --instance-name` | 实例名称,用于在同一台机器上标识此VPN节点 [env: ET_INSTANCE_NAME=] | -| `--vpn-portal` | 定义VPN门户的URL,允许其他VPN客户端连接。例如:`wg://0.0.0.0:11010/10.14.14.0/24` [env: ET_VPN_PORTAL=] | -| `--default-protocol` | 连接到对等节点时使用的默认协议 [env: ET_DEFAULT_PROTOCOL=] | -| `-u, --disable-encryption` | 禁用对等节点通信的加密,默认为false,必须与对等节点相同 [env: ET_DISABLE_ENCRYPTION=] | -| `--encryption-algorithm` | 要使用的加密算法,支持:''(默认aes-gcm)、'xor'、'chacha20'、'aes-gcm'、'aes-gcm-256'、'openssl-aes128-gcm'、'openssl-aes256-gcm'、'openssl-chacha20' [env: ET_ENCRYPTION_ALGORITHM=] | -| `--multi-thread` | 使用多线程运行时,默认为单线程 [env: ET_MULTI_THREAD=] | -| `--multi-thread-count` | 使用的线程数,默认为2,仅在多线程模式下有效。取值必须大于2 [env: ET_MULTI_THREAD_COUNT=] | -| `--disable-ipv6` | 不使用IPv6 [env: ET_DISABLE_IPV6=] | -| `--dev-name` | 可选的TUN接口名称 [env: ET_DEV_NAME=] | -| `--mtu` | TUN设备的MTU,默认为非加密时为1380,加密时为1360 [env: ET_MTU=] | -| `--latency-first` | 延迟优先模式,将尝试使用最低延迟路径转发流量,默认使用最短路径 [env: ET_LATENCY_FIRST=] | -| `--exit-nodes` | 转发所有流量的出口节点,虚拟IPv4地址,优先级由列表顺序决定 [env: ET_EXIT_NODES=] | -| `--enable-exit-node` | 允许此节点成为出口节点 [env: ET_ENABLE_EXIT_NODE=] | -| `--proxy-forward-by-system` | 通过系统内核转发子网代理数据包,禁用内置NAT [env: ET_PROXY_FORWARD_BY_SYSTEM=] | -| `--no-tun` | 不创建TUN设备,可以使用子网代理访问节点 [env: ET_NO_TUN=] | -| `--use-smoltcp` | 为子网代理和 KCP 代理启用smoltcp堆栈 [env: ET_USE_SMOLTCP=] | -| `--manual-routes` | 手动分配路由CIDR,将禁用子网代理和从对等节点传播的wireguard路由。例如:`192.168.0.0/16` [env: ET_MANUAL_ROUTES=] | -| `--relay-network-whitelist` | 仅转发白名单网络的流量,支持通配符字符串。多个网络名称间可以使用英文空格间隔。 [env: ET_RELAY_NETWORK_WHITELIST=] | -| `--p2p-only` | 仅与已经建立P2P连接的对等节点通信 [env: ET_P2P_ONLY=] | -| `--disable-p2p` | 禁用P2P通信,只通过`--peers`指定的节点转发数据包 [env: ET_DISABLE_P2P=] | -| `--disable-tcp-hole-punching` | 禁用TCP打洞功能 [env: ET_DISABLE_TCP_HOLE_PUNCHING=] | -| `--disable-udp-hole-punching` | 禁用UDP打洞功能 [env: ET_DISABLE_UDP_HOLE_PUNCHING=] | -| `--disable-sym-hole-punching` | 如果为true,则禁用基于生日攻击的对称NAT (NAT4) UDP 打洞功能,该打洞方式可能会被运营商封锁 [env: ET_DISABLE_SYM_HOLE_PUNCHING=] | -| `--relay-all-peer-rpc` | 转发所有对等节点的RPC数据包,即使对等节点不在转发网络白名单中。 [env: ET_RELAY_ALL_PEER_RPC=] | -| `--socks5` | 启用 socks5 服务器,允许 socks5 客户端访问虚拟网络。格式: `<端口>`,例如:`1080` [env: ET_SOCKS5=] | -| `--compression` | 要使用的压缩算法,支持 `none`、`zstd`。默认为 `none` [env: ET_COMPRESSION=] | -| `--bind-device` | 将连接器的套接字绑定到物理设备以避免路由问题。 [env: ET_BIND_DEVICE=] | -| `--enable-kcp-proxy` | 使用 KCP 代理 TCP 流,提高在 UDP 丢包网络上的延迟和吞吐量。 [env: ET_ENABLE_KCP_PROXY=] | -| `--disable-kcp-input` | 不允许其他节点使用 KCP 代理 TCP 流到此节点。 [env: ET_DISABLE_KCP_INPUT=] | -| `--enable-quic-proxy` | 使用 QUIC 代理 TCP 流,提高在 UDP 丢包网络上的延迟和吞吐量。 [env: ET_ENABLE_QUIC_PROXY=] | -| `--disable-quic-input` | 不允许其他节点使用 QUIC 代理 TCP 流到此节点。 [env: ET_DISABLE_QUIC_INPUT=] | -| `--quic-listen-port` | 监听 QUIC 连接的端口,默认值为0(随机端口)。 [env: ET_QUIC_LISTEN_PORT=] | -| `--port-forward` | 将本地端口转发到虚拟网络中的远程端口。例如:`udp://0.0.0.0:12345/10.126.126.1:23456` [env: ET_PORT_FORWARD=] | -| `--accept-dns` | 如果为true,则启用魔法DNS。使用魔法DNS,您可以使用域名访问其他节点,例如:`.et.net` [env: ET_ACCEPT_DNS=] | -| `--tld-dns-zone` | 指定魔法DNS的顶级域名区域。如果未提供,默认使用dns_server模块中的值(et.net.)。仅在accept_dns为true时使用。 [env: ET_TLD_DNS_ZONE=] | -| `--private-mode` | 如果为true,则不允许使用了与本网络不相同的网络名称和密码的节点通过本节点进行握手或中转 [env: ET_PRIVATE_MODE=] | -| `--foreign-relay-bps-limit` | 限制转发流量的带宽 [env: ET_FOREIGN_RELAY_BPS_LIMIT=] | -| `--tcp-whitelist` | TCP 端口白名单。支持单个端口(80)和范围(8000-9000) [env: ET_TCP_WHITELIST=] | -| `--udp-whitelist` | UDP 端口白名单。支持单个端口(53)和范围(5000-6000) [env: ET_UDP_WHITELIST=] | -| `--disable-relay-kcp` | 如果为true,则禁止节点转发 KCP 数据包,防止过度消耗流量。默认值为false [env: ET_DISABLE_RELAY_KCP=] | -| `--enable-relay-foreign-network-kcp` | 如果为true,则作为共享节点时也可以转发其他网络的 KCP 数据包。默认值为false(不转发) [env: ET_ENABLE_RELAY_FOREIGN_NETWORK_KCP=] | -| `--stun-servers` | 覆盖内置的默认 STUN server 列表;如果设置了但是为空,则不使用 STUN servers;如果没设置,则使用默认 STUN server 列表 [env: ET_STUN_SERVERS=] | -| `--stun-servers-v6` | 覆盖内置的默认 IPv6 STUN server 列表;如果设置了但是为空,则不使用 IPv6 STUN servers;如果没设置,则使用默认 IPv6 STUN server 列表 [env: ET_STUN_SERVERS_V6=] | +| 参数 | 说明 | +| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `--hostname` | 用于标识此设备的主机名 [env: ET_HOSTNAME=] | +| `-m, --instance-name` | 实例名称,用于在同一台机器上标识此VPN节点 [env: ET_INSTANCE_NAME=] | +| `--vpn-portal` | 定义VPN门户的URL,允许其他VPN客户端连接。例如:`wg://0.0.0.0:11010/10.14.14.0/24` [env: ET_VPN_PORTAL=] | +| `--default-protocol` | 连接到对等节点时使用的默认协议 [env: ET_DEFAULT_PROTOCOL=] | +| `-u, --disable-encryption` | 禁用对等节点通信的加密,默认为false,必须与对等节点相同 [env: ET_DISABLE_ENCRYPTION=] | +| `--encryption-algorithm` | 要使用的加密算法,支持:''(默认aes-gcm)、'xor'、'chacha20'、'aes-gcm'、'aes-gcm-256'、'openssl-aes128-gcm'、'openssl-aes256-gcm'、'openssl-chacha20' [env: ET_ENCRYPTION_ALGORITHM=] | +| `--multi-thread` | 使用多线程运行时,默认为单线程 [env: ET_MULTI_THREAD=] | +| `--multi-thread-count` | 使用的线程数,默认为2,仅在多线程模式下有效。取值必须大于2 [env: ET_MULTI_THREAD_COUNT=] | +| `--disable-ipv6` | 不使用IPv6 [env: ET_DISABLE_IPV6=] | +| `--dev-name` | 可选的TUN接口名称 [env: ET_DEV_NAME=] | +| `--mtu` | TUN设备的MTU,默认为非加密时为1380,加密时为1360 [env: ET_MTU=] | +| `--latency-first` | 延迟优先模式,将尝试使用最低延迟路径转发流量,默认使用最短路径 [env: ET_LATENCY_FIRST=] | +| `--exit-nodes` | 转发所有流量的出口节点,虚拟IPv4地址,优先级由列表顺序决定 [env: ET_EXIT_NODES=] | +| `--enable-exit-node` | 允许此节点成为出口节点 [env: ET_ENABLE_EXIT_NODE=] | +| `--proxy-forward-by-system` | 通过系统内核转发子网代理数据包,禁用内置NAT [env: ET_PROXY_FORWARD_BY_SYSTEM=] | +| `--no-tun` | 不创建TUN设备,可以使用子网代理访问节点 [env: ET_NO_TUN=] | +| `--use-smoltcp` | 为子网代理和 KCP 代理启用smoltcp堆栈 [env: ET_USE_SMOLTCP=] | +| `--manual-routes` | 手动分配路由CIDR,将禁用子网代理和从对等节点传播的wireguard路由。例如:`192.168.0.0/16` [env: ET_MANUAL_ROUTES=] | +| `--relay-network-whitelist` | 仅转发白名单网络的流量,支持通配符字符串。多个网络名称间可以使用英文空格间隔。 [env: ET_RELAY_NETWORK_WHITELIST=] | +| `--p2p-only` | 仅与已经建立P2P连接的对等节点通信。若同时启用 `lazy-p2p`,首次访问某个尚未直连的节点时,可能需要等待 P2P 建立完成后才会成功。 [env: ET_P2P_ONLY=] | +| `--lazy-p2p` | 仅在实际流量需要某个对等节点时才尝试建立 P2P;被标记为 `need-p2p` 的节点仍会主动建立连接。详见 [改善 P2P](/guide/network/p2p-optimize) [env: ET_LAZY_P2P=] | +| `--disable-p2p` | 禁用普通自动 P2P;仍会与标记为 `need-p2p` 的节点建立 P2P,且普通节点不应主动与当前节点建立 P2P。详见 [改善 P2P](/guide/network/p2p-optimize) [env: ET_DISABLE_P2P=] | +| `--need-p2p` | 声明即使其他节点启用了 `lazy-p2p`,也应主动与当前节点建立 P2P。与 `disable-p2p` 同时启用时,可用于“仅对显式需要的节点开放 P2P”的模式。详见 [改善 P2P](/guide/network/p2p-optimize) [env: ET_NEED_P2P=] | +| `--disable-tcp-hole-punching` | 禁用TCP打洞功能 [env: ET_DISABLE_TCP_HOLE_PUNCHING=] | +| `--disable-udp-hole-punching` | 禁用UDP打洞功能 [env: ET_DISABLE_UDP_HOLE_PUNCHING=] | +| `--disable-sym-hole-punching` | 如果为true,则禁用基于生日攻击的对称NAT (NAT4) UDP 打洞功能,该打洞方式可能会被运营商封锁 [env: ET_DISABLE_SYM_HOLE_PUNCHING=] | +| `--relay-all-peer-rpc` | 转发所有对等节点的RPC数据包,即使对等节点不在转发网络白名单中。 [env: ET_RELAY_ALL_PEER_RPC=] | +| `--socks5` | 启用 socks5 服务器,允许 socks5 客户端访问虚拟网络。格式: `<端口>`,例如:`1080` [env: ET_SOCKS5=] | +| `--compression` | 要使用的压缩算法,支持 `none`、`zstd`。默认为 `none` [env: ET_COMPRESSION=] | +| `--bind-device` | 将连接器的套接字绑定到物理设备以避免路由问题。 [env: ET_BIND_DEVICE=] | +| `--enable-kcp-proxy` | 使用 KCP 代理 TCP 流,提高在 UDP 丢包网络上的延迟和吞吐量。 [env: ET_ENABLE_KCP_PROXY=] | +| `--disable-kcp-input` | 不允许其他节点使用 KCP 代理 TCP 流到此节点。 [env: ET_DISABLE_KCP_INPUT=] | +| `--enable-quic-proxy` | 使用 QUIC 代理 TCP 流,提高在 UDP 丢包网络上的延迟和吞吐量。 [env: ET_ENABLE_QUIC_PROXY=] | +| `--disable-quic-input` | 不允许其他节点使用 QUIC 代理 TCP 流到此节点。 [env: ET_DISABLE_QUIC_INPUT=] | +| `--quic-listen-port` | 监听 QUIC 连接的端口,默认值为0(随机端口)。 [env: ET_QUIC_LISTEN_PORT=] | +| `--port-forward` | 将本地端口转发到虚拟网络中的远程端口。例如:`udp://0.0.0.0:12345/10.126.126.1:23456` [env: ET_PORT_FORWARD=] | +| `--accept-dns` | 如果为true,则启用魔法DNS。使用魔法DNS,您可以使用域名访问其他节点,例如:`.et.net` [env: ET_ACCEPT_DNS=] | +| `--tld-dns-zone` | 指定魔法DNS的顶级域名区域。如果未提供,默认使用dns_server模块中的值(et.net.)。仅在accept_dns为true时使用。 [env: ET_TLD_DNS_ZONE=] | +| `--private-mode` | 如果为true,则不允许使用了与本网络不相同的网络名称和密码的节点通过本节点进行握手或中转 [env: ET_PRIVATE_MODE=] | +| `--foreign-relay-bps-limit` | 限制转发流量的带宽 [env: ET_FOREIGN_RELAY_BPS_LIMIT=] | +| `--tcp-whitelist` | TCP 端口白名单。支持单个端口(80)和范围(8000-9000) [env: ET_TCP_WHITELIST=] | +| `--udp-whitelist` | UDP 端口白名单。支持单个端口(53)和范围(5000-6000) [env: ET_UDP_WHITELIST=] | +| `--disable-relay-kcp` | 如果为true,则禁止节点转发 KCP 数据包,防止过度消耗流量。默认值为false [env: ET_DISABLE_RELAY_KCP=] | +| `--enable-relay-foreign-network-kcp` | 如果为true,则作为共享节点时也可以转发其他网络的 KCP 数据包。默认值为false(不转发) [env: ET_ENABLE_RELAY_FOREIGN_NETWORK_KCP=] | +| `--stun-servers` | 覆盖内置的默认 STUN server 列表;如果设置了但是为空,则不使用 STUN servers;如果没设置,则使用默认 STUN server 列表 [env: ET_STUN_SERVERS=] | +| `--stun-servers-v6` | 覆盖内置的默认 IPv6 STUN server 列表;如果设置了但是为空,则不使用 IPv6 STUN servers;如果没设置,则使用默认 IPv6 STUN server 列表 [env: ET_STUN_SERVERS_V6=] | ### 日志设置 diff --git a/guide/network/p2p-optimize.md b/guide/network/p2p-optimize.md index 84e9a0e..eda5890 100644 --- a/guide/network/p2p-optimize.md +++ b/guide/network/p2p-optimize.md @@ -1,6 +1,79 @@ # P2P 优化 -如果您希望 EasyTier 更容易地与其他 EasyTier 节点建立 P2P 连接,可以通过以下方式进行优化。 +本文档介绍如何优化 EasyTier 的 P2P 体验,包括两部分: + +1. **控制 P2P 连接行为**:通过参数调整节点间是否主动建立直连、按需打洞或保持安静。 +2. **提升 P2P 成功率**:通过 IPv6、NAT 优化、公网端口映射等网络环境配置,让节点更容易打通直连。 + +## 控制 P2P 连接行为 + +EasyTier 默认会在后台主动尝试和所有普通节点建立 P2P 直连。如果你希望改变这个行为,可以通过以下三个参数按需调整。 + +### 按需打洞:`--lazy-p2p` + +默认情况下,EasyTier 会主动对所有节点尝试打洞。开启 `--lazy-p2p` 后,节点不再主动后台打洞,**只有当真正有流量要发往对方时,才会触发建立 P2P**。 + +实际效果: + +- 初始阶段先通过 relay 通信,路由 cost 可能是 `2`。 +- 有真实流量后,再逐步建立直连,建立完成后路由 cost 变成 `1`。 + +适合场景: + +- 网络中节点很多,但彼此之间并不都需要频繁直连。 +- 希望减少后台打洞尝试、降低空闲资源消耗。 + +### 优先被直连:`--need-p2p` + +`--need-p2p` 向其他节点表明"请优先与我建立 P2P"。即使对方开启了 `--lazy-p2p`,也会主动来连接本节点。 + +适合场景: + +- 游戏服务器/房主、固定入口节点、对延迟要求高的节点。 +- 希望尽快形成直连,而不是先走中继等待"热身"。 + +### 减少自动打洞:`--disable-p2p` + +`--disable-p2p` 会让本节点**退出普通自动打洞**: + +- 不再主动向普通节点发起 P2P 尝试。 +- 普通节点也不会主动来连接本节点。 +- 但仍然会与开启了 `--need-p2p` 的节点建立 P2P。 +- 流量可以继续通过 relay 转发,不受影响。 + +适合场景: + +- 只想和少数关键节点直连,不想和所有节点都自动建连。 +- 希望把 P2P 变成"按需白名单"模式。 + +### 组合使用建议 + +| 你的需求 | 推荐参数 | +|---------|---------| +| 节点很多,想省资源,不介意首包走中继 | `--lazy-p2p` | +| 我是服务器/房主,希望别人尽快直连我 | `--need-p2p` | +| 只想和特定节点建 P2P,不想被普通节点打扰 | `--disable-p2p` + `--need-p2p` | +| 彻底安静,只走中继,不建任何 P2P | `--disable-p2p`(不搭配 `--need-p2p`) | + +### 只走 P2P 直连:`--p2p-only` + +`--p2p-only` 要求所有流量只能通过已建立的 P2P 直连传输。如果与某个节点之间还没有 P2P 直连,发往它的流量会被直接丢弃,不会走 relay 中转。 + +适合场景:安全敏感环境,强制要求所有流量必须端到端直连,不允许经过第三方 relay 节点转发。 + +::: warning 注意 +如果同时开启 `--lazy-p2p` 和 `--p2p-only`,第一次访问尚未建立直连的节点时流量会先失败(因为 `p2p-only` 不允许走中继),失败会触发按需打洞,等直连建好后后续通信才恢复。因此不要把高实时业务和这个组合一起使用;如需低延迟,应在目标节点上开启 `--need-p2p` 提前建立直连。 +::: + +### 禁用特定打洞方式 + +如果你发现某种打洞方式在当前网络环境下频繁失败或不稳定,可以单独禁用该方式,避免无效尝试浪费资源。 + +| 参数 | 作用 | 适用场景 | +|------|------|---------| +| `--disable-udp-hole-punching` | 完全禁用 UDP 打洞 | 网络环境完全阻断 UDP(如某些企业防火墙),或 UDP 打洞频繁失败 | +| `--disable-tcp-hole-punching` | 完全禁用 TCP 打洞 | TCP 打洞在当前网络下不稳定 | +| `--disable-sym-hole-punching` | 禁用对称型 NAT (NAT4) 的 UDP 打洞 | 对称型 NAT 打洞基于端口预测(生日攻击原理),在某些网络中可能被运营商识别并阻断。开启后,对称型 NAT 节点之间不再尝试 UDP 打洞(会走 relay),但对称型 NAT 节点与锥型 NAT 节点之间仍可按普通逻辑打洞 | ## IPv6