Skip to content

A Rust implementation of Trojan with QUIC tunnel, Lite-TLS and more.

License

Notifications You must be signed in to change notification settings

3andne/trojan-oxide

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Trojan-Oxide

A Rust implementation of Trojan with QUIC tunnel, Lite-TLS and more.

Overview

  1. Full support for the original Trojan Protocol, including TCP and UDP traffic.
  2. Pure Rust implementation with no comprimise on security and speed.
    • Highly efficient Tokio-based async network io.
    • Minimized memory consumption.
    • Predictable performance with no runtime garbage collector.
    • Poll based UDP Traffic.
  3. QUIC tunnel. The stealth Trojan implementation is still undetectable in the HTTP/3 era.
  4. Lite-TLS. Avoid redundant encrpytion with TLS traffics without modifying the underlying TLS library. We do things in the Trojan way, i.e., we imitate rather than create.
  5. Zero-Copy (Linux Kernel >= 5.8 is required). With Lite-TLS enabled, we can achieve maximum efficiency on both the client and server sides. Up to 60% improvement is observed in a TCP echo server based on io-uring.

License

GPL-3

Examples

Install Rust

Please follow the instructions.

Build Trojan-Oxide From Source

git clone https://github.com/3andne/trojan-oxide.git && cd ./trojan-oxide
cargo build --release

The executable binary file is ./target/release/trojan-oxide.

Build Selected Features

You can select features according to your needs; the default configuration builds both the server and client.

Server Only
cargo build --release --features server_full
Client Only
cargo build --release --features client_full
Zero Copy Feature

This feature is disabled by default since it only works on Linux with a kernel >= 5.8. The following command will build this feature.

cargo build --release --features client_full,zio
cargo build --release --features server_full,zio

Run Server

Suppose you have a server your.website.com.

  • Your TLS certificate is in "/path/to/cert/fullchain.cert".

  • Your TLS private key is in "/path/to/key/private.key".

  • You want the server to listen on port 443, and re-direct unauthenticated traffics to 80.

  • You set password to your_password. If your password contains '$', please write it as '\$'.

Then you should start the server by:

./target/release/trojan-oxide -s -w "your_password" -k "/path/to/key/private.key" -c "/path/to/cert/fullchain.cert" -u "your.website.com" -x 443 -f 80

Note that rustls (the underlying tls library) doesn't support ECC keys as of this moment. Please Follow the instructions if you have a pair of ECC keys.

Run Client

If you have a tcp-tls trojan service on your.website.com:443 with the password your_password. You can start your client by:

./target/release/trojan-oxide -w "your_password" -u you.website.com -x 443 -m t
  • the default tunnel is TCP-TLS

    • use -m q if you want to use the QUIC tunnel
    • use -m l if you want to use the Lite-TLS tunnel
  • you can also specify your server ip by:

    ./target/release/trojan-oxide -w "your_password" -u you.website.com -d 114.51.4.191 -x 443 -m t
    
  • The default http and socks5 port is 8888 and 8889 respectively. Please specify them by -h and -5.

Run Zero Copy Endpoints

Note that this feature only works when Linux kernel >= 5.8. Please build the client/server with zio feature first.

Then start the client in Lite-TLS mode.

./target/release/trojan-oxide -w "your_password" -u you.website.com -d 114.51.4.191 -x 443 -m l

You don't need to configure the server.

Manual

./target/release/trojan-oxide --help
USAGE:
    trojan-oxide [FLAGS] [OPTIONS] --password <password> [remote-socket-addr]

FLAGS:
        --help       
            Prints help information

    -s, --server     
            whether to start as server

    -V, --version    
            Prints version information


OPTIONS:
        --ca <ca>                              
            

    -c, --cert <cert>                          
            TLS certificate in PEM format

    -m, --connection-mode <connection-mode>    
            Connetion Mode:
            
            - t (for tcp-tls)
            
            - q (for quic)
            
            - l (for lite-tls) [default: t]
    -f, --fallback-port <fallback-port>        
            port to re-direct unauthenticated connections [default: 0]

    -k, --key <key>                            
            TLS private key in PEM format

    -h, --http_port <local-http-addr>          
            client http proxy port [default: 8888]

    -5, --socks5_port <local-socks5-addr>      
            client socks5 proxy port [default: 8889]

    -l, --log-level <log-level>                
            Log level (from least to most verbose):
            
            error < warn < info < debug < trace [default: info]
    -w, --password <password>                  
            the password to authenticate connections

    -u, --server-hostname <server-hostname>    
            Server Name Indication (sni), or Hostname [default: localhost]

    -d, --server-ip <server-ip>                
            server ip address [default: ]

    -x, --server-port <server-port>            
            server proxy port [default: 443]

About

A Rust implementation of Trojan with QUIC tunnel, Lite-TLS and more.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages