No public IP? No problem. Hysteria Realms punches through your NAT to let you host a Hysteria server from home, a cellular network, or even a coffee shop. Clients connect directly, peer-to-peer. No port forwarding, no relay.

• Fixed an issue where the client failed to connect to a server behind symmetric NAT, improving hole punching success rate
• The hysteria cert command now includes sniGuard: disable in its sample server config, so self-signed certs work with Realms out of the box

没有公网 IP 也没问题！Hysteria Realms 通过 NAT 打洞，让你从家宽、手机流量甚至咖啡店都能运行 Hysteria 服务端。与客户端 P2P 连接，无需配置端口转发或中转。

• 修复了一个导致服务端位于对称 NAT 后时客户端无法连接的问题，提升打洞成功率
• hysteria cert 命令现在会在示例服务端配置中包含 sniGuard: disable，让自签名证书在 Realms 模式下能正常使用

• Added Hysteria Realms: No public IP? No problem. Punches through your NAT to let you host a Hysteria server from home, a cellular network, or even a coffee shop. Clients connect directly, peer-to-peer. No port forwarding, no relay.

• 新增 Hysteria Realms：没有公网 IP 也没问题！通过 NAT 打洞，让你从家宽、手机流量甚至咖啡店都能运行 Hysteria 服务端。与客户端 P2P 连接，无需配置端口转发或中转。

This release contains important security fixes and we strongly encourage everyone to upgrade.

• Fixed a security issue where, when sniff was enabled, an attacker could craft malicious QUIC packets to cause a server OOM crash
• Fixed a compatibility issue with some older versions of nftables when server port hopping was enabled
• Fixed a potential thread safety issue in salamander obfs
• Important: Due to changes in how some QUIC handshake parameters are handled, UDP forwarding will not work when v2.8.2 clients connect to older servers (TCP is unaffected). New servers are fully compatible with both new and old clients. We strongly recommend upgrading both servers and clients.

此版本包含重要安全修复，强烈建议更新

• 修复了启用 sniff 时，攻击者可通过构造恶意 QUIC 包导致服务端 OOM 崩溃的安全问题
• 修复了服务端启用端口跳跃时，与部分旧版本 nftables 的兼容性问题
• 修复了 salamander obfs 中潜在的线程安全问题
• 重要提示：本版本由于调整了 QUIC 握手中部分参数的处理方式，v2.8.2 客户端在连接旧版本服务端时 UDP 转发将无法正常工作 (TCP 不受影响)。新版服务端则完全兼容新旧客户端。强烈建议同步升级服务端与客户端。

This release contains important fixes and we strongly encourage everyone to upgrade.

• Fixed an issue where client connections could cause the server to crash when using BBR/Reno as the congestion control algorithm
• Fixed iptables calls potentially failing due to lock contention during server port-range listening
• Added HYSTERIA_FIREWALL_BACKEND environment variable to specify the firewall backend (iptables or nftables) for server port-range listening

此版本包含重要修复，强烈建议更新

• 修复了在使用 BBR/Reno 作为拥塞控制算法时，客户端连接在一些情况下会导致服务端崩溃的问题
• 修复了服务端端口范围监听时，iptables 调用可能因为竞争条件而失败的问题
• 新增 HYSTERIA_FIREWALL_BACKEND 环境变量，用于指定服务端端口范围监听的防火墙后端 (iptables 或 nftables)

• Added configurable congestion control: select between BBR and Reno, with three BBR profiles (standard, conservative, aggressive) for fine-tuning congestion control behavior
• Added server-side UDP port range listening (Linux only): the server can now listen on a port range and automatically set up nftables/iptables redirect rules
• Added random port hopping interval: use minHopInterval/maxHopInterval for a randomized hopping pattern instead of a fixed interval
• Added xForwarded option to masquerade proxy for setting X-Forwarded-For/Host/Proto headers
• Minor BBR fixes and improvements
• Minor port hopping fixes and improvements

• 新增可配置拥塞控制：可在 BBR 和 Reno 之间选择，并提供标准、保守、激进三种 BBR 预设 (standard, conservative, aggressive) 用于精细调节拥塞控制行为
• 新增服务端 UDP 端口范围监听（仅 Linux）：服务器现在可以监听端口范围并自动设置 nftables/iptables 重定向规则
• 新增随机端口跳跃间隔：使用 minHopInterval/maxHopInterval 实现随机化跳跃模式，替代固定间隔
• 伪装代理新增 xForwarded 选项，用于设置 X-Forwarded-For/Host/Proto 头
• BBR 小幅修复和改进
• 端口跳跃小幅修复和改进

• Updated quic-go to v0.59.0, QUIC protocol level improvements
• Speed test now defaults to time-based mode, testing download and upload for 10 seconds each. Use --duration to customize. The previous size-based behavior is still available via --data-size.
• Minor code cleanup

• quic-go 更新到 v0.59.0，一些 QUIC 协议级别改进
• 测速工具现在默认使用时间模式，分别测试下载和上传各 10 秒。可通过 --duration 自定义时长。之前基于大小的模式仍可通过 --data-size 使用。
• 小幅代码清理

This release contains important fixes and we strongly encourage everyone to upgrade.

• Updated quic-go to v0.57.1
• Fixed a long-standing bug in BBR that caused the connection to send faster than the available bandwidth in some cases
• Minor performance improvements

此版本包含重要修复，强烈建议更新

• quic-go 更新到 v0.57.1
• 修复此前版本 BBR 中一直存在的一个导致连接发送速度超出实际带宽的 bug
• 小幅性能优化

This release contains important fixes and we strongly encourage everyone to upgrade.

• Fixed a server-side memory leak issue that accumulates with each client connection

此版本包含重要修复，强烈建议更新

• 修复一个会随着每个客户端连接而累积的服务端内存泄漏问题

This release contains important fixes and we strongly encourage everyone to upgrade.

• Security fix & behavior change: tls.pinSHA256 now matches only the fingerprint of the leaf certificate, instead of any certificate in the chain. This change mitigates MITM risks in cases where insecure=true by preventing 1) user accidentally pinning a CA certificate, which would allow any certificate issued by that CA to be accepted, and 2) attacker constructing a forged certificate chain by combining their own leaf certificate with the user server's certificate.
• Fix tun mode UDP packet AF corruption
• Updated quic-go to v0.54.0

此版本包含重要修复，强烈建议更新

• 安全修复与行为变更：tls.pinSHA256 现在只会匹配叶子证书的指纹，而不是整条链中任意证书。此改动在 insecure=true 的情况下避免了中间人攻击风险，特别是以下两种情况： 1) 用户错误地 pin 了 CA 证书，从而导致该 CA 签发的任何证书都能被接受；2) 攻击者伪造证书链，将自己的叶子证书与用户服务器的证书拼接使用。
• 修复 tun 模式下 UDP 包 AF 字段损坏问题
• quic-go 更新到 v0.54.0

• Added mTLS support for client certificate authentication
• Fixed a memory leak issue in tun mode
• Fixed an issue where DNS resolution failed in tun mode on Linux systems using systemd-resolved
• Fixed a bug in the ACL cache that caused rules with different ports or protocols to be applied to irrelevant connections
• Removed the license-conflicted DoH library and replaced it with an in-house implementation
• Fixed a race condition in UDP session handling

• 新增 mTLS 客户端证书验证
• 修复 tun 模式下一个内存泄漏问题
• 修复使用 systemd-resolved 的 Linux 设备上 tun 模式 DNS 解析失败的问题
• 修复一个 ACL 中协议/端口不匹配的规则被错误应用到其他连接的 bug
• 移除许可协议不兼容的 DoH 库，改为自行实现
• 修复一个 UDP session 处理的线程安全问题