Enable ECH for sing-box server and CatBox/NekoXray client


Hello everyone! CatBox added ECH options in 1.2.6, and NekoXray added them in 3.23.beta.1 (you must use the sing-box core!). But how can we use them? In this post, I will show you how to enable ECH on a sing-box server, how to add ECH DNS records in Cloudflare, and how to enable it in the client.



First, we need to generate an ECH key pair. You can use sing-box to do it:


sing-box generate ech-keypair yourdomain.com


You will get a result like this:


-----BEGIN ECH CONFIGS-----
AEX+DQBBAAAgACDXbzkvyyfz3p+hgLnHPGwP3o2G5Sg2cB7biBPpkgGofQAIAAEA
AQABAAMADnlvdXJkb21haW4uY29tAAA=
-----END ECH CONFIGS-----

-----BEGIN ECH KEYS-----
ACAX8myM7cWdKgsV9QGW+zHDN2PMu/i4clivyQbluJztVgBF/g0AQQAAIAAg1285
L8sn896foYC5xzxsD96NhuUoNnAe24gT6ZIBqH0ACAABAAEAAQADAA55b3VyZG9t
YWluLmNvbQAA
-----END ECH KEYS-----


Alright, let's edit the configuration of your sing-box server. The ECH KEYS block is the private half of the pair, so it goes only into the server configuration. Edit the TLS part of your configuration:


{
  "tls": {
    "enabled": true,
    "ech": {
      "enabled": true,
      "pq_signature_schemes_enabled": false,
      "key": [
        "-----BEGIN ECH KEYS-----",
        "ACAX8myM7cWdKgsV9QGW+zHDN2PMu/i4clivyQbluJztVgBF/g0AQQAAIAAg1285",
        "L8sn896foYC5xzxsD96NhuUoNnAe24gT6ZIBqH0ACAABAAEAAQADAA55b3VyZG9t",
        "YWluLmNvbQAA",
        "-----END ECH KEYS-----"
      ]
    }
  }
}


Good. Now you can edit the ECH configuration in the client (CatBox or NekoXray with the sing-box core):

Enable ECH and set the configuration (the ECH CONFIGS block generated above).

After that, you can try to connect to your server :)


If you want to publish the ECH configuration in your DNS records, here is an example for Cloudflare DNS:

Create an SVCB record. The name is your domain. The target is ".". The value is "ech=<your ech configuration>".

Then, in the client, you can leave the ECH configuration unset and just click the "Enabled ECH" button. Make sure your direct DNS is encrypted, or you may not get the SVCB DNS record.
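To build and sanity-check the SVCB value before publishing it, here is an added example (not part of the original post and not sing-box code). It assumes the "ech=" value is the base64 body of the ECH CONFIGS block with the BEGIN/END lines removed, as the SVCB "ech" parameter expects; the function names are hypothetical. It parses the ECHConfigList so you can confirm the public name, and it refuses an ECH KEYS block so the private key never ends up in DNS.

```python
import base64
import struct

# ECH CONFIGS block from the post (public half only; ECH KEYS stays on the server).
SAMPLE_PEM = """-----BEGIN ECH CONFIGS-----
AEX+DQBBAAAgACDXbzkvyyfz3p+hgLnHPGwP3o2G5Sg2cB7biBPpkgGofQAIAAEA
AQABAAMADnlvdXJkb21haW4uY29tAAA=
-----END ECH CONFIGS-----"""

def pem_body(pem: str) -> str:
    """Return the base64 body of an ECH CONFIGS block as a single line."""
    if "ECH KEYS" in pem:
        raise ValueError("private ECH KEYS block must not be published")
    lines = [l.strip() for l in pem.strip().splitlines() if l.strip()]
    if len(lines) < 3 or lines[0] != "-----BEGIN ECH CONFIGS-----" or lines[-1] != "-----END ECH CONFIGS-----":
        raise ValueError("not an ECH CONFIGS block")
    return "".join(lines[1:-1])

def parse_ech_config_list(raw: bytes) -> list:
    """Parse an ECHConfigList in TLS wire format (ECHConfig version 0xfe0d)."""
    (total,) = struct.unpack_from("!H", raw, 0)
    if total != len(raw) - 2:
        raise ValueError("ECHConfigList length mismatch")
    configs, pos = [], 2
    while pos < len(raw):
        version, length = struct.unpack_from("!HH", raw, pos)
        body = raw[pos + 4 : pos + 4 + length]
        pos += 4 + length
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        if version != 0xFE0D:
            continue  # skip versions this parser does not understand
        config_id, kem_id, pk_len = struct.unpack_from("!BHH", body, 0)
        off = 5 + pk_len  # skip the HPKE public key bytes
        (cs_len,) = struct.unpack_from("!H", body, off)
        suites = [struct.unpack_from("!HH", body, off + 2 + i) for i in range(0, cs_len, 4)]
        off += 2 + cs_len
        _max_len, name_len = struct.unpack_from("!BB", body, off)
        name = body[off + 2 : off + 2 + name_len].decode("ascii")
        configs.append({"config_id": config_id, "kem_id": kem_id, "public_key_len": pk_len,
                        "cipher_suites": suites, "public_name": name})
    return configs

def svcb_ech_value(pem: str) -> str:
    """Validate the block, then return the value for the SVCB record."""
    body = pem_body(pem)
    parse_ech_config_list(base64.b64decode(body, validate=True))
    return "ech=" + body
```

For the block in this post, the parsed public name is yourdomain.com with KEM 0x0020 (X25519) and a 32-byte public key.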


If you have any questions, you are welcome to create an issue on our GitHub.
