# 1. 系统更新+安装基础依赖（openssl用于生成自签名证书）
apt update -y && apt upgrade -y
apt install -y wget curl openssl net-tools tzdata systemd-cron
# 2. 设置时区为上海（同步国内时间）
timedatectl set-timezone Asia/Shanghai
timedatectl set-ntp true
# 3. 开启TCP BBR拥塞控制（Ubuntu24.04原生支持）
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p
# 4. 优化TCP/QUIC内核参数（适配国际网络）
cat > /etc/sysctl.d/99-hy2-tls.conf << EOF
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_fastopen = 3
net.ipv4.ip_forward=1
EOF
sysctl --system
# 5. 验证BBR是否开启（输出tcp_bbr即成功）
sysctl net.ipv4.tcp_congestion_control

# 1. 创建证书专属目录
mkdir -p /usr/local/etc/hysteria/tls
# 2. 生成ECC私钥+自签名证书（屏蔽无用输出，有效期3650天）
openssl ecparam -genkey -name prime256v1 -out /usr/local/etc/hysteria/tls/server.key 2>&1 > /dev/null
openssl req -new -x509 -days 3650 -key /usr/local/etc/hysteria/tls/server.key -out /usr/local/etc/hysteria/tls/server.crt -subj "/C=US/ST=California/L=Los Angeles/O=Hy2/CN=hysteria2-server" 2>&1 > /dev/null
# 3. 验证证书生成（有server.crt/server.key输出即成功）
ls /usr/local/etc/hysteria/tls/

# 证书文件权限（防止启动失败核心问题）
# 1. 修改证书目录/文件所属用户为hysteria
chown -R hysteria:hysteria /usr/local/etc/hysteria/tls/
# 2. 设置证书权限（兼顾安全与可读取）
chmod 600 /usr/local/etc/hysteria/tls/server.key
chmod 644 /usr/local/etc/hysteria/tls/server.crt
# 3. 验证权限（输出hysteria:hysteria即成功）
ls -l /usr/local/etc/hysteria/tls/

# 官方一键安装脚本
curl -fsSL https://get.hy2.sh | bash
hysteria version                 # 验证版本
chmod +x /usr/local/bin/hysteria # 赋予执行权限（防止启动失败）

# 需要先写入Hysteria2核心配置
# Hysteria2 服务管理 + 开机自启
hysteria server --config /etc/hysteria/config.yaml --dry-run # 验证：配置合法性（无任何输出=配置正确）
systemctl daemon-reload                   # 1. 重新加载systemd配置
systemctl enable hysteria-server.service  # 2. 设置开机自启
systemctl start hysteria-server.service   # 3. 启动服务
systemctl status hysteria-server.service  # 4. 服务状态（输出active (running)即成功）
ss -ulpn | grep 443                       # 验证3：443 UDP端口监听（有hysteria进程输出即成功）

cat > /etc/hysteria/config.yaml << EOF
listen: :443
tls:
  disable: true
  cert: /usr/local/etc/hysteria/tls/server.crt
  key: /usr/local/etc/hysteria/tls/server.key
  alpn: [h3]
auth:
  type: password
  password: 密码  #注意密码需要修改
masquerade:
  type: proxy
  proxy:
    url: https://www.google.com
    rewriteHost: true
quic:
  initStreamReceiveWindow: 8388608
  maxStreamReceiveWindow: 8388608
  initConnReceiveWindow: 20971520
  maxConnReceiveWindow: 20971520
  maxIdleTimeout: 30s
  keepAlivePeriod: 10s
  disablePathMTUDiscovery: false
bandwidth:       #注意上下传速度根据服务器情况设置
  up: 50Mbps
  down: 50Mbps
cc:
  type: bbr
EOF

# 客户端核心配置（仅改server的IP）
server: "你的VPS公网IP:443"
auth: "密码"
# TLS配置（自签名证书必开insecure，sni与服务端证书CN一致）
tls:
  sni: "hysteria2-server"
  insecure: true
# 与服务端一致的参数
bandwidth:
  up: "50Mbps"
  down: "50Mbps"
cc: "bbr"
udp: true
# 本地代理端口（默认SOCKS5:1080，HTTP:8080，无需修改）
socks5:
  listen: "127.0.0.1:1080"
http:
  listen: "127.0.0.1:8080"