How to secure mKCP transport?

[zonescape]

From the documentation on mKCP transport:

seed: string

An optional obfuscation seed is used to obfuscate traffic data using the AES-128-GCM algorithm...

This obfuscation mechanism cannot ensure the security of the content...

It states that seed cannot ensure the security of the content but mKCP usage example doesn't contain any additional security layer over mKCP. So how to use mKCP securely? I also don't understand why the AES-128-GCM cipher called "obfuscation" in the aforementioned docs.

[chise0713]

Just use Vmess inside mKCP, it can provide a secure encryption for your connection.

[zonescape]

I read an article about Xray where VMess called "obsolete". So I think it would be better to try TLS first. Is this setup good enough?

client:

"outbounds": [
    {
        "protocol": "vless",
        "streamSettings": {
            "network": "kcp",
            "kcpSettings": {...},
            "security": "tls",
            "tlsSettings": {
                "serverName": "zonescape.proxy",
                "certificates": [
                    {
                        "certificate": [...],
                        "usage": "verify"
                    }
                ]
            }
        }
    }
]

server:

"inbounds": [
    {
        "protocol": "vless",
        "streamSettings": {
            "network": "kcp",
            "kcpSettings": {...},
            "security": "tls",
            "tlsSettings": {
                "certificates": [
                    {
                        "certificate": [...],
                        "key": [...]
                    }
                ]
            }
        }
    }
]

I use this command to generate certificate/key pair:

xray tls cert -domain zonescape.proxy -expire 87600h

[chise0713]

mKCP seems not compatible with TLS, and VMess is safe enough if you don't leak your uuid.

Edit:
I looked into the source code, mKCP is compatible with TLS, my mistake.
And if you want forward security, TLS is always a good option.

[zonescape]

I ended up with these configs. They are the same as in the examples, but with TLS. Hope it is secure enough now.

client.json

{
    "log": {
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "port": 1080,
            "listen": "127.0.0.1",
            "protocol": "socks",
            "settings": {
                "udp": true
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "{{ host }}",
                        "port": {{ port }},
                        "users": [
                            {
                                "id": "{{ uuid }}",
                                "encryption": "none"
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "kcp",
                "kcpSettings": {
                    "seed": "{{ seed }}"
                },
                "security": "tls",
                "tlsSettings": {
                    "serverName": "some.domain",
                    "certificates": [
                        {
                            "certificate": [...],
                            "usage": "verify"
                        }
                    ]
                }
            }
        }
    ]
}

server.json

{
    "log": {
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "protocol": "vless",
            "port": {{ port }}, 
            "settings": {
                "decryption":"none",
                "clients": [
                    {
                        "id": "{{ uuid }}"
                    }
                ]
            },
            "streamSettings": {
                "network": "kcp",
                "kcpSettings": {
                    "seed": "{{ seed }}"
                },
                "security": "tls",
                "tlsSettings": {
                    "certificates": [
                        {
                            "certificate": [...],
                            "key": [...]
                        }
                    ]
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom"
        }
    ]
}

Certificate/key pair is generated using this command (certificate will expire in 10 years):

xray tls cert -domain some.domain -expire 87600h