Running Hysteria 2 VPN/Proxy client as a service

Hysteria 2 is a client/server proxy application. This guide assumes you have a working server set up and will mainly focus on Sailfish “features”.

  1. Download an appropriate hysteria executable and fix its permissions:
devel-su

curl -fL -o /usr/local/bin/hysteria https://download.hysteria.network/app/latest/hysteria-linux-arm64

chown root:root /usr/local/bin/hysteria
chmod 755 /usr/local/bin/hysteria
  2. Create the Hysteria configuration file, preferably in /etc. The system might not be able to fetch files from user directories.
#devel-su

vi /etc/hysteria/config.yaml 

The config is pretty standard, but since SFOS has little to no proxy integration (in apps or the system in general), the Hysteria client must have TUN mode enabled. If you need to exclude your local network (to use Sailfish Connect), you can do it here in the ipv4Exclude and ipv6Exclude sections.

server: hysteria2://USER:PASS@example.com/

transport:
  type: udp
  udp:
    hopInterval: 30s

socks5:
  listen: 127.0.0.1:2080
  disableUDP: false

http:
  listen: 127.0.0.1:2080

tun:
  name: "hytun"
  mtu: 1500
  timeout: 5m
  address:
    ipv4: 100.100.100.101/30
    ipv6: 2001::ffff:ffff:ffff:fff1/126
  route:
    ipv4: [0.0.0.0/0]
    ipv6: ["2000::/3"]
    ipv4Exclude: [example.com_IPv4/32,192.168.0.0/16]
    ipv6Exclude: ["example.com_IPv6/128"]
  3. Finally, set up a systemd service. It will start at boot and keep the connection up.
#devel-su

systemctl edit --full --force hysteria 

Two things have to be adjusted for SFOS: due to the ancient kernel version, the ip rule “from all goto 9010” must be removed, and the main process has to be executed in the group “vpn”. Usually /dev/net/tun is owned by root:root, but in SFOS it is owned by system:vpn.



[Unit]
Description=Hysteria Client Service
Documentation=https://hysteria.network/
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/hysteria client --config /etc/hysteria/config.yaml --disable-update-check
ExecStartPost=+/bin/sleep 3
ExecStartPost=+/usr/sbin/ip rule del from all goto 9010
ExecStartPost=+/usr/sbin/ip -6 rule del from all goto 9010
WorkingDirectory=~
User=root
Group=vpn
Environment=HYSTERIA_LOG_LEVEL=info
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
NoNewPrivileges=true
Restart=always
RestartSec=4s


[Install]
WantedBy=multi-user.target

Finally, enable the hysteria service.

#devel-su

systemctl enable hysteria --now

Now Hysteria will start at boot, re-establish connection and route all traffic via your server.

Corrections and improvements are welcome.


Edit:

If you want to keep the app updated automatically you can add another post start command into the systemd unit (after other ExecStartPost commands):



ExecStartPost=+-/bin/bash -c 'rm -f /tmp/hysteria && curl --remove-on-error -sLR -z /usr/local/bin/hysteria https://download.hysteria.network/app/latest/hysteria-linux-arm64 --output /tmp/hysteria && mv -f /tmp/hysteria /usr/local/bin/hysteria && chmod 755 /usr/local/bin/hysteria && systemctl restart hysteria'

Post start is used because access to ‘hysteria.network’ might be blocked on your current internet connection.
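
The auto-update command above replaces a binary that runs as root with whatever the download returns, staged under a fixed name in /tmp. The following is an added example, not part of the original post: it stages the download in a private directory and only replaces the installed file when its SHA-256 matches a digest the operator supplies. The function names and the idea of obtaining the digest out-of-band are assumptions.

```shell
#!/bin/sh
# Added example: digest-checked replacement of the hysteria binary.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_verified SRC EXPECTED_SHA256 DEST
# Returns 0 and replaces DEST only when the staged copy matches the digest.
# Returns 1 on digest mismatch, 2 on a bad source, 3 on a filesystem error.
install_verified() {
    src=$1 expected=$2 dest=$3
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "not a regular file: $src" >&2
        return 2
    fi
    # Stage next to DEST (same filesystem) and hash the staged copy, so the
    # bytes that were checked are exactly the bytes that get installed.
    staged=$(mktemp "$dest.XXXXXX") || return 3
    if ! cp "$src" "$staged"; then rm -f "$staged"; return 3; fi
    actual=$(sha256_of "$staged")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        rm -f "$staged"
        return 1
    fi
    # rename() is atomic, so DEST is never a half-written file.
    chmod 755 "$staged" && mv -f "$staged" "$dest" || { rm -f "$staged"; return 3; }
}

# fetch_and_install URL EXPECTED_SHA256 DEST
fetch_and_install() {
    workdir=$(mktemp -d) || return 3   # private directory, unpredictable name
    rc=0
    curl -fsSL -o "$workdir/hysteria" "$1" \
        && install_verified "$workdir/hysteria" "$2" "$3" || rc=$?
    rm -rf "$workdir"
    return "$rc"
}

# Usage as root; <EXPECTED_SHA256> is a placeholder for the digest of the
# release you intend to run:
# fetch_and_install https://download.hysteria.network/app/latest/hysteria-linux-arm64 \
#     "<EXPECTED_SHA256>" /usr/local/bin/hysteria
```

Because the digest pins one release, the `latest` URL only results in an install after the new release's digest has been recorded, which turns each update into a deliberate step.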