如何在 Ubuntu 服务器上安装 Hysteria 2 和 AnyTLS 服务

y2k38

2026-05-12

anytls, hysteria

准备

安装 Hysteria 2

# 添加用户
sudo useradd hysteria

# 方式一：官方脚本
# 会自动创建配置、用户等，可执行文件也放在/usr/local/bin
bash <(curl -fsSL https://get.hy2.sh/)

# 方式二：手动安装
# 下载
curl -L https://github.com/apernet/hysteria/releases/download/app%2Fv2.9.1/hysteria-linux-amd64 -o hysteria
# 校验哈希值 0524001e171f543624124e0b61ad4db568f6113d0543d7d9f2e080f1a699c065
sha256sum hysteria
# 添加执行权限
chmod +x hysteria
# 安装到指定位置
sudo mv hysteria /usr/local/bin

安装 AnyTLS

# 添加用户
sudo useradd mihomo

# 下载mihomo
curl -LO https://github.com/MetaCubeX/mihomo/releases/download/v1.19.24/mihomo-linux-amd64-v3-v1.19.24.gz
# 校验哈希值 0c7682057121fc02c9de22b265d5c4127a82e5c2d233dbb91859215bb449d978
sha256sum mihomo-linux-amd64-v3-v1.19.24.gz
# 解压缩
gzip -d mihomo-linux-amd64-v3-v1.19.24.gz
# 重命名
mv mihomo-linux-amd64-v3-v1.19.24 mihomo
# 添加执行权限
chmod +x mihomo
# 安装到指定位置
sudo mv mihomo /usr/local/bin

安装SSL证书

主服务器

建立nginx配置文件

1	sudo vi /etc/nginx/sites-enabled/<your_domain.com>

内容，先别配置ssl，让certbot自己设置

server {
    listen 80;
    server_name <your_domain.com>;

    # 用于 Let’s Encrypt 证书验证
    location /.well-known/acme-challenge/ {
        root /var/www/folder_name;
    }

    # 其它 HTTP 请求重定向到 HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name <your_domain.com>;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}

执行certbot申请证书

1	sudo certbot --nginx -d <your_domain.com>

将证书软链接到指定目录

# 确保目录存在
sudo mkdir -p /etc/hysteria/certs
 
# 软链接到配置目录，safe_path
sudo ln -s /etc/letsencrypt/live/<your_domain.com>/fullchain.pem /etc/hysteria/certs/
sudo ln -s /etc/letsencrypt/live/<your_domain.com>/privkey.pem /etc/hysteria/certs/

# 确保目录存在
sudo mkdir -p /etc/mihomo/certs

# 软链接到配置目录，safe_path
sudo ln -s /etc/letsencrypt/live/<your_domain.com>/fullchain.pem /etc/mihomo/certs/
sudo ln -s /etc/letsencrypt/live/<your_domain.com>/privkey.pem /etc/mihomo/certs/

我们可以将主服务器申请的证书通过rsync同步到其他服务器，当然，也可以为每个服务器申请不同的证书

# 在主服务器上执行
# rsync -avzL /etc/letsencrypt/live/<your_domain.com>/ user@host:/data/certs/
rsync -avzL /etc/letsencrypt/live/<your_domain.com>/fullchain.pem user@host:/data/certs/
rsync -avzL /etc/letsencrypt/live/<your_domain.com>/privkey.pem user@host:/data/certs/

定时设置

创建一个脚本certbot_post_hook.sh

#!/bin/bash
systemctl reload nginx
rsync -avzL /etc/letsencrypt/live/<your_domain.com>/ user@host:/data/certs/ >> /var/log/certbot_rsync.log 2>&1
if [ $? -ne 0]; then
  echo "[`date '+%F %T'`] rsync failed" >> /var/log/certbot_rsync.log
fi

给脚本加执行权限

1	chmod +x certbot_post_hook.sh

测试验证

1	certbot renew --quite --post-hook "/path/to/certbot_post_hook.sh"

设置crontab

1	0 2 * * * certbot renew --quite --post-hook "/path/to/certbot_post_hook.sh"

其他服务器

# 因为要共享给多个用户，创建一个共同的组
sudo groupadd certs

sudo usermod -aG certs hysteria
sudo usermod -aG certs mihomo
# ...

# 确保目录存在
sudo mkdir -p /etc/hysteria/certs
sudo mkdir -p /etc/mihomo/certs

# 原始目录/文件设置权限
sudo chown -R root:certs /data/certs
sudo chmod 750 /data/certs
sudo chmod 640 /data/certs/*

# hysteria

# 创建软链
sudo ln -s /data/certs/fullchain.pem /etc/hysteria/certs/
sudo ln -s /data/certs/privkey.pem /etc/hysteria/certs/

# 设置目录权限
sudo chown hysteria:certs /etc/hysteria/certs
# 需要x（遍历）权限
sudo chmod 750 /etc/hysteria/certs

# 让hysteria有权限读写
sudo chown hysteria /etc/hysteria

# mihomo

# 创建软链
sudo ln -s /data/certs/fullchain.pem /etc/mihomo/certs/
sudo ln -s /data/certs/privkey.pem /etc/mihomo/certs/

# 设置目录权限
sudo chown mihomo:certs /etc/mihomo/certs
# 需要x（遍历）权限
sudo chmod 750 /etc/mihomo/certs

# 让mihomo有权限读写
sudo chown mihomo /etc/mihomo

Hysteria 2

配置

服务端

1	sudo vi /etc/hysteria/config.yaml

内容如下

trafficStats:
  listen: 127.0.0.1:10002

listen: :30002

tls:
  cert: /etc/hysteria/certs/fullchain.pem
  key: /etc/hysteria/certs/privkey.pem

auth:
  type: userpass
  userpass:
    user1: <64_character_password(openssl rand -hex 32)>

obfs:
  type: salamander
  salamander:
    password: <32_character_password(openssl rand -hex 16)>

bandwidth:
  up: 10 mbps
  down: 50 mbps

注意：iOS的stash还不支持salamander混淆方式，但是shadowrocket支持

客户端

1	hysteria2://user1:64_character_password@your_domain.com:30002/?sni=your_domain.com&insecure=0&udp=true&alpn=h3&obfs=salamander&obfs-password=32_character_password#Hy2

Systemd

创建service文件

1	sudo vi /etc/systemd/system/hysteria-server.service

内容如下

[Unit]
Description=Hysteria2 Service
After=network.target

[Service]
User=hysteria
Group=hysteria
Type=simple
ExecStart=/usr/local/bin/hysteria server -c /etc/hysteria/config.yaml
Restart=on-failure
LimitNOFILE=512000

[Install]
WantedBy=multi-user.target

启动/验证

# 启动
sudo systemctl start hysteria-server
# 验证
sudo systemctl status hysteria-server
sudo journalctl -u hysteria-server -f

# 开机启动
sudo systemctl enable hysteria-server

查看流量消耗

curl http://127.0.0.1:10002/traffic

# 输出如下
#  {"user1":{"tx":125753,"rx":1549737}}#

AnyTLS

配置

服务端

1	sudo vi /etc/mihomo/config.yaml

内容如下

mode: direct

external-controller: 127.0.0.1:10003

listeners:
  - name: anytls-in
    type: anytls
    listen: 0.0.0.0
    port: 30003

    users:
      user1: <uuidgen>

    certificate: /etc/mihomo/certs/fullchain.pem
    private-key: /etc/mihomo/certs/privkey.pem

    udp: true

客户端

1	anytls://uuid@your_domain.com:30003?security=tls&sni=your_domain.com&insecure=0&udp=true&fp=chrome#AnyTLS

Systemd

创建service文件

1	sudo vi /etc/systemd/system/mihomo-anytls.service

内容如下

[Unit]
Description=Mihomo AnyTLS Service
After=network.target

[Service]
User=mihomo
Group=mihomo
Type=simple
ExecStart=/usr/local/bin/mihomo -d /etc/mihomo
Restart=on-failure
LimitNOFILE=512000

[Install]
WantedBy=multi-user.target

启动/验证

# 启动
sudo systemctl start mihomo-anytls
# 验证
sudo systemctl status mihomo-anytls
sudo journalctl -u mihomo-anytls -f

# 开机启动
sudo systemctl enable mihomo-anytls

查看流量消耗

curl http://127.0.0.1:10003/traffic

# 输出如下
#  {"up":0,"down":0,"upTotal":582626,"downTotal":11017232}