Golang实现的Trojan,支持自动证书申请/多路复用/路由功能/CDN中转,多平台,无依赖。
A Trojan proxy written in golang. An unidentifiable mechanism that helps you bypass GFW.
------------------------------------------A Trojan proxy written in golang. An unidentifiable mechanism that helps you bypass GFW.
使用Golang实现的完整Trojan,和Trojan协议以及原版的配置文件格式兼容。安全,高效,轻巧,易用。
支持CDN流量中转(基于WebSocket over TLS/SSL)
支持使用ACME协议从Let's Encrypt自动申请和更新HTTPS证书,只需提供域名和邮箱。
完整配置教程参见这里。
使用方法
自动申请证书:
sudo ./trojan-go -cert request
(注意备份生成的证书和密钥,并确保其安全)
为证书续期:
sudo ./trojan-go -cert renew
关于证书申请更详细的说明
运行客户端/服务端/透明代理/中继:
./trojan-go -config 你的配置文件.json
配置文件格式和Trojan相同, 完整说明可以参考Trojan-Go的文档。
Trojan-Go支持并且兼容原版Trojan的绝大多数功能,包括
- TLS隧道传输
- 透明代理 (NAT模式,iptables设置参见这里)
- UDP代理
- 对抗GFW被动/主动检测的机制
- MySQL数据库支持
- 流量统计,用户流量配额限制
- 从数据库中的用户列表进行认证
- TCP性能方面的选项,如TCP Fast Open,端口复用等
注意, TLS 1.2密码学套件的名称在golang中有一些不同,并且不安全的TLS 1.2套件已经被弃用,直接使用包含这些套件的原版Trojan配置文件会引发一个警告,但不影响运行。
特性
移植性
运行Trojan-Go的可执行文件不依赖其他组件。你可以将编译得到的单个可执行文件在目标机器上直接执行而不需要考虑依赖的问题。你可以很方便地编译(或者交叉编译)它,然后在你的服务器,PC,树莓派,甚至路由器上部署。
易用
配置文件格式与原版兼容,但做了大幅简化,未指定的字段会被附上一个默认值。你可以更方便地部署你的服务器和客户端。下面是一个简单的例子,完整的配置文件可以参见Github pages。
服务器配置文件
server.json
{
"run_type": "server",
"local_addr": "0.0.0.0",
"local_port": 443,
"remote_addr": "127.0.0.1",
"remote_port": 80,
"password": [
"your_awesome_password"
],
"ssl": {
"cert": "your_cert.crt",
"key": "your_key.key"
}
}
客户端配置文件
client.json
{
"run_type": "client",
"local_addr": "127.0.0.1",
"local_port": 1080,
"remote_addr": "www.your_awesome_domain_name.com",
"remote_port": 443,
"password": [
"your_awesome_password"
]
}
自动证书申请
使用
sudo ./trojan-go -cert request
向Let's Encrypt申请证书
申请过程中,按照ACME协议要求,trojan-go需要和letsencrypt服务器交互,因此需要暂时占用本地443和80端口,此时请暂时关闭nginx,apache,或者trojan等服务。
Linux下,绑定80和443端口需要root权限,因此你需要使用sudo执行trojan-go才能正常证书申请流程。
如果申请成功,本目录下会得到
- server.key 服务器私钥
- server.crt 经过Let's Encrypt签名的服务器证书
- user.key 用户Email对应的私钥
- domain_info.json 域名和用户Email信息
请备份这几个文件并且妥善保管。接下来你可以将服务器私钥和证书文件名填入你的配置文件,开启你的trojan-go服务器即可。
如果证书过期了,使用
sudo ./trojan-go -cert renew
更新证书,确保上面提到的四个文件在trojan-go所在目录,运行后trojan-go将自动更新证书文件。
WebSocket
Trojan-Go支持使用TLS+Websocket承载Trojan协议,使得利用CDN进行流量中转成为可能。
服务器和客户端配置文件中同时添加
websocket选项即可启用Websocket支持,例如"websocket": {
"enabled": true,
"path": "/im_a_url_path",
"hostname": "www.your_awesome_domain_name.com"
}
服务端可以省略
hostname, 但是服务器和客户端的path必须相同。服务器开启Websocket支持后可以同时支持Websocket和一般Trojan流量,未配置Websocket选项的客户端依然可以正常使用。
由于原版Trojan并不支持Websocket,因此,虽然开启了Websocket支持的服务端可以兼容原版Trojan客户端,但是如果要使用Websocket承载流量进行CDN中转等,请确保双方都使用Trojan-Go。
多路复用
在很差的网络条件下,TLS握手可能会花费很多时间。
Trojan-Go支持多路复用(smux)。通过使一个TLS隧道连接承载多个TCP连接的方式,减少TLS握手带来的延迟,以期提升高并发情景下的性能。
启用多路复用并不会增加你测速得到的带宽,但是会加速你有大量并发请求时的网络体验,例如浏览含有大量图片的网页等。
注意,这个特性和原版Trojan不兼容,所以出于兼容性考虑,这个特性是默认关闭的。你可以通过设置mux选项中的"enabled"字段启用它。如下
"mux": {
"enabled": true
}
你只需要设置客户端的配置文件即可,服务端会自动检测是否启用多路复用并提供支持。
路由模块
Trojan-Go的客户端内建一个简单实用的路由模块用以方便实现国内直连等自定义路由功能。
路由策略有三种
- Proxy 代理。将请求通过TLS隧道进行代理,由trojan服务器和目的地址进行连接。
- Bypass 绕过。直接在本地和目的地址进行连接。
- Block 封锁。不代理请求,直接关闭连接。
要激活模块,在你的配置文件中添加router选项,并且设置enabled为true,例如
"router": {
"enabled": true,
"bypass": [
"geoip:tag1",
"geosite:tag2",
"bypass_list1.txt",
"bypass_list2.txt"
],
"block": [
"block_list.txt"
]
"proxy": [
"proxy_list.txt"
]
}
其中
bypass,block, proxy字段中填入相应的列表文件或者geo数据库tag。列表文件每行是一个域名或者IP地址段(CIDR)。geo数据库geoip和geosite为IP数据库和域名数据库。一旦匹配,则执行相应策略。
完整的选项说明参见Github Pages。
下面是一个实现国内直连的选项,它将绕过中国大陆IP地址,中国大陆域名,以及内网IP等保留的私有IP地址,直接连接远端而不通过隧道代理。
"router": {
"enabled": true,
"bypass": [
"geoip:cn",
"geoip:private",
"geosite:cn"
]
}
所需要的geoip.dat和geosite.dat已经包含在release的压缩包中。它们来自v2ray的domain-list-community和geoip。
构建
确保你的Golang版本 >= 1.13
git clone https://github.com/p4gefau1t/trojan-go.git
cd trojan-go
go build
Golang支持通过设置环境变量进行交叉编译,例如
CGO_ENABLE=0 GOOS=windows GOARCH=amd64 go build -o trojan-go.exe
以及
CGO_ENABLE=0 GOOS=linux GOARCH=arm go build -o trojan-go
致谢
Trojan-Go
Full-featured Trojan proxy written in golang, compatiable with the original Trojan protocol and config file. It's safe, efficient, lightweight and easy to use.
Supports multiplexing and traffic routing.
Supports CDN traffic transferring, based on WebSocket over TLS/SSL
Uses the ACME protocol to automatically request and renew HTTPS certificates from Let's Encrypt.
Usage
To request a certificate automatically:
./trojan-go -cert request
Don't forget to backup the .key file and .crt file.
To renew a certificate:
./trojan-go -cert renew
Run a client/server/transparent proxy/forwarder:
./trojan-go -config your_awesome_config_file.json
Trojan-Go supports most features of the original trojan, including
- TLS tunneling
- Transparent proxy (NAT mode, see here)
- UDP Relaying
- Mechanism against passive and active detection of GFW
- MySQL Database support
- Traffic statistics, quota limits for each user
- Authentication by users record in database
- TCP performance-related options, like TCP fast open, port reusing, etc.
Note that the name of the TLS 1.2 cipher suite is slightly different in golang, and some of them has been deprecated and disabled. Using the original configuration file directly will cause a warning, but it will not affect the running.
The format of the configuration file is compatible, see here.
Features
Portable
It's written in Golang, so it will be statically linked by default, which means that you can execute the compiled single executable directly on the target machine without having to consider dependencies. You can easily compile (or cross compile) it and deploy it on your server, PC, Raspberry Pi, or even a router.
Easy to use
Trojan-go's configuration file format is compatible with Trojan's, while it's being simplyfied. Unspecified fields will be filled in with a default value. You can launch your server and client much easier. Here's an example:
server.json
{
"run_type": "server",
"local_addr": "0.0.0.0",
"local_port": 443,
"remote_addr": "127.0.0.1",
"remote_port": 80,
"password": [
"your_awesome_password"
],
"ssl": {
"cert": "your_cert.crt",
"key": "your_key.key"
}
}
client.json
{
"run_type": "client",
"local_addr": "127.0.0.1",
"local_port": 1080,
"remote_addr": "www.your_awesome_domain_name.com",
"remote_port": 443,
"password": [
"your_awesome_password"
]
}
Certificate requesting
Use
` sudo ./trojan-go -cert request `
to request a certificate from Let's Encrypt.
During the process, according to ACME protocol requirements, trojan-go needs to interact with letsencrypt server, so it needs to temporarily occupy local ports 443 and 80. At this time, please temporarily close services such as nginx, apache, or trojan.
Binding port 80 and 443 under Linux requires root privileges, so you may need to use sudo to execute trojan-go for the certificate requesting.
If everything goes well, you will get
- server.key: server private key
- server.crt: server certificate signed by Let's Encrypt
- user.key: The private key corresponding to the user's email
- domain_info.json: domain name and user email information
Please back up these files and keep them in a safe place. You can fill the server private key and certificate file name into your configuration file, and start your trojan-go server.
If the certificate has expired, use
` sudo ./trojan-go -cert renew `
To renew the certificate. Make sure that the files mentioned above are in the same directory where trojan-go is located. Trojan-Go will automatically update the certificate file.
#WebSocket
Trojan-Go can use WebSocket over TLS/SSL to carry the Trojan traffic, making it possible to exploit CDN to proxy traffic.
Websocket support can be enabled by adding the "websocket" option to both server and client configuration files, for example
"websocket": {
"enabled": true,
"path": "/im_a_url_path",
"hostname": "www.your_awesome_domain_name.com"
}
The server can omit
hostname field, but the path of the server and client must be the same. After Websocket support is enabled on the server, Websocket and general Trojan traffic can be supported at the same time. Clients without Websocket options will still work.
Since the original Trojan does not support Websocket, if you want to use Websocket to carry traffic, please make sure that both endpoints use Trojan-Go.
Multiplexing
TLS handshaking may takes much time in a poor network condition. Trojan-go supports multiplexing(smux), which imporves the performance in the high-concurrency scenario by forcing one single TLS tunnel connection carries mutiple TCP connections.
Enabling multiplexing does not increase the bandwidth you get from a speed test, but it will speed up the network experience when you have a large number of concurrent requests, such as browsing web pages containing a large number of images, etc.
Note that this feature is not compatible with the original Trojan , so for compatibility reasons, this feature is turned off by default. But you can enable it by setting the "mux" field in the tcp options. as follows
"mux": {
"enabled": true
}
You only need to set up the client's configuration file, and the server will automatically detect whether to enable multiplexing.
Routing
A simple and practical routing module is built into the Trojan-Go client.
There are three routing strategies
- Proxy. The request is proxied through the TLS tunnel, and the trojan server will connect to the destination remote endpoints.
- Bypass. Local client will connect to the remote endpoints directly without using the TLS tunnel.
- Block. Close the incoming connection immediately.
To activate the module, setup the "router" option in your config file, for example:
"router": {
"enabled": true,
"bypass": [
"geoip:tag1",
"geosite:tag2",
"bypass_list1.txt",
"bypass_list2.txt"
],
"block": [
"block_list.txt"
]
"proxy": [
"proxy_list.txt"
]
}
Build
Just make sure your golang version >= 1.13
git clone https://github.com/p4gefau1t/trojan-go.git
cd trojan-go
go build
You can cross-compile it by setting up the environment vars, for example
CGO_ENABLE=0 GOOS=windows GOARCH=amd64 go build -o trojan-go.exe
or
CGO_ENABLE=0 GOOS=linux GOARCH=arm go build -o trojan-gofrom https://github.com/p4gefau1t/trojan-goTrojan server and proxy programs written in Rust.
Trojan-rs
Trojan server and proxy programs written in Rust.
- For the server mode, the protocol is compatible with original trojan except UDP Associate does not support domain address type (maybe later?) If you are not ok with that, you can use the original version, it should work perfectly with the proxy mode.
- For the proxy mode, it uses TPROXY to relay all UDP and TCP packets, and it should work with the original server in both route or local type.
How to use it
hoping@HopingPC:~/workspace/trojan-rs$ trojan --help
trojan 0.3
Hoping White
a trojan implementation using rust
USAGE:
trojan [OPTIONS] --local-addr <local-addr> --password <password> <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-i, --idle-timeout <idle-timeout> time in seconds before closing an inactive connection [default: 120]
-a, --local-addr <local-addr> listen address for server
-l, --log-file <log-file> log file path
-L, --log-level <log-level> log level, 0 for trace, 1 for debug, 2 for info, 3 for warning, 4 for error, 5
for off [default: 2]
-m, --marker <marker> set marker used by tproxy [default: 1]
-p, --password <password> passwords for negotiation
SUBCOMMANDS:
help Prints this message or the help of the given subcommand(s)
proxy run in proxy mode
server run in server mode
hoping@HopingPC:~/workspace/trojan-rs$ trojan help proxy
trojan-proxy
USAGE:
trojan proxy --hostname <hostname>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-H, --hostname <hostname> trojan server hostname
hoping@HopingPC:~/workspace/trojan-rs$ trojan help server
trojan-server
USAGE:
trojan server [OPTIONS] --cert <cert> --key <key>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-n, --alpn <alpn>... alpn protocol supported
-c, --cert <cert> certificate file path, This should contain PEM-format certificates in the
right order (the first certificate should certify KEYFILE, the last should
be a root CA
-d, --dns-cache-time <dns-cache-time> time in seconds for dns query cache [default: 300]
-k, --key <key> private key file path, This should be a RSA private key or PKCS8-encoded
private key, in PEM format.
-r, --remote-addr <remote-addr> http backend server address [default: 127.0.0.1:80]
IPTABLES settings.
A workable example as follows. lanlist and byplist is ipset which you can create by ipset command.
IMPORTANT your trojan server IP should be included in byplist or lanlist, otherwise, route loop should occur.
# Add any tproxy policy rules
ip rule add fwmark 0xff table 100
ip route add local 0.0.0.0/0 dev lo table 100
# --------------- Route Rules Begin ---------------------------
# Create a new chain for router
iptables -t mangle -N TROJAN_ROUTE
# Ignore LANs and any other addresses you'd like to bypass the proxy
iptables -t mangle -A TROJAN_ROUTE -m set --match-set lanlist dst -j RETURN
iptables -t mangle -A TROJAN_ROUTE -m set --match-set byplist dst -j RETURN
iptables -t mangle -A TROJAN_ROUTE -m set --match-set chslist dst -j RETURN
# Anything else should be redirected to shadowsocks's local port
iptables -t mangle -A TROJAN_ROUTE -p tcp -j TPROXY --on-port 60080 --on-ip 127.0.0.1 --tproxy-mark 0xff
iptables -t mangle -A TROJAN_ROUTE -p udp -j TPROXY --on-port 60080 --on-ip 127.0.0.1 --tproxy-mark 0xff
# Apply the route rules
iptables -t mangle -A PREROUTING -j TROJAN_ROUTE
# ---------------- Route Rules End -----------------------------
# ---------------- Local Rules Begin --------------------------
# Create new chain for localhost
iptables -t mangle -N TROJAN_LOCAL
# Ignore Lans and any other address you'd like to bypass the proxy
iptables -t mangle -A TROJAN_LOCAL -m set --match-set lanlist dst -j RETURN
iptables -t mangle -A TROJAN_LOCAL -m set --match-set byplist dst -j RETURN
iptables -t mangle -A TROJAN_LOCAL -m set --match-set chslist dst -j RETURN
# Ignore packets sent from trojan itself.
iptables -t mangle -A TROJAN_LOCAL -m mark --mark 0xff -j RETURN
# Mark tcp 80, 443, udp 53 to reroute.
iptables -t mangle -A TROJAN_LOCAL -p udp --dport 53 -j MARK --set-xmark 0xff
iptables -t mangle -A TROJAN_LOCAL -p tcp --dport 80 -j MARK --set-xmark 0xff
iptables -t mangle -A TROJAN_LOCAL -p tcp --dport 443 -j MARK --set-xmark 0xff
# Apply the local rules
iptables -t mangle -A OUTPUT -j TROJAN_LOCAL
# ----------------- Local Rules End --------------------------------
# Flush all the rules to effect immediately
ip route flush cache
You can get more about iptables rules in PRINCIPLE.md
----------------------------------------------
A slim client for trojan-gfw, also called TCS.
TCS
A slim cilent for Trojan-GFW.
What's TCS?
TCS(Trojan Client Slim) is a slim and easy client for Trojan-GFW.
TIPS: TCS only gives the most basic functions. If you need full-feature experience, please configure Trojan-G*W manually.
What's supported?
- Now TCS support share link! (With Igniter-TCS)
- Auto configure HTTP proxy.
- Auto save config.
- Auto generate trojan conf. (TLS1.3, H2, etc.)
- G*WList mode to bypass ***. You know what I mean.
Components
- TCS (2.2.0) GPLv3
- Privoxy (3.0.28.0) GPLv2
- Trojan-GFW (1.14.0) GPLv3
TODO
- Use Clash instead of Privoxy
- Local Port settings
- Node list
Smart GFWList updator
Screenshot(s)
One more thing
Welcome to use Telegram to communicate with us. Our group link is https://t.me/trojangfwcs
from https://github.com/KevinZonda/trojan-client-slim/tree/master
-------
轻量高效的 Trojan 代理,使用 Rust 实现.
Trojan-R
高性能的 Trojan 代理,使用 Rust 实现。为嵌入式设备或低性能机器设计。R 意为 Rust / Rapid。
Trojan-R 目前为实验性项目,仍处于重度开发中,协议、接口和配置文件格式均可能改变,请勿用于任何生产环境。
特性
极致性能
牺牲部分灵活性,采用激进的性能优化策略以极力减少不必要的开销。采用更高效的
rustls(相较 openssl)建立 TLS 隧道以提升加解密的性能表现。使用 tokio 异步运行时,允许
Trojan-R同时使用所有 CPU 核心,保证低时延和高效的吞吐能力。需要更多 benchmark 数据和更多优化
低内存占用
Rust 无 GC 机制,内存占用可被预计。简化的握手和连接流程,仅使用极少的堆内存和复制。
需要更多 benchmark 数据和更多优化
简易配置
使用 toml 格式配置,仅需数行配置即可启动完整客户端或服务器。
内存安全
使用 Rust 语言实现,可证明的内存安全性。在语法层面保证所有内存操作安全可靠。无竞争条件,无悬挂指针,无 UAF,无 Double Free。
密码学安全
使用
rustls建立 TLS 加密安全信道,过时的或不安全的密码学套件均被禁用。Trojan-R强制开启服务器证书校验以防止中间人攻击。隐蔽传输
Trojan-R使用 TLS 建立代理隧道,难以从正常 TLS 流量中被区分。支持协议回落,在遭到主动探测时将与普通 TLS 服务器表现一致。跨平台支持
Trojan-R可被交叉编译,支持 Android, Linux,Windows 和 MacOS 等操作系统,以及 x86,x86_64,armv7,aarch64 等硬件平台。
非特性
由于与项目的设计原则冲突,下列特性不计划实现
统计功能,包括 API 和数据库对接等
路由功能
用户自定义协议栈
透明代理
如果需要实现上述功能,请使用其他类似工具与 Trojan-R 组合实现。
设计原则
安全性
Trojan-R不涉及底层操作,且目前的性能瓶颈与其无关,无使用 unsafe rust 的必要。协议回落和 TLS 配置等安全敏感代码经过仔细考虑和审计,同时也欢迎更多来自开源社区的安全审计。目前
Trojan-R使用#![forbid(unsafe_code)]禁用 unsafe rust。如未来有必要使用 unsafe rust 时,必须经过严格审计和测试。使用静态分发而非动态分发
协议实现使用统一的 trait。协议嵌套使用静态分发,以保证嵌套协议栈的函数调用关系在编译时被确定,使编译器可以进行内联和更好的优化。
低内存分配
减少热点代码的内存分配,用引用替换复制,以实现更高的性能和更低的内存开销。
简洁
保持最简洁干净的实现,以保证最低的代码复杂度,尽可能少的性能开销,并增加可靠性和减少攻击面。
部署和使用
Trojan-R 使用 toml 进行配置,参考 config 文件夹下配置文件。
编译
cargo build --release交叉编译基于 cross 完成,编译前请确认已经安装 cross (cargo install cross)
make armv7-unknown-linux-musleabihf编译默认开启链接时优化,以提升性能并减小可执行文件体积,因此编译耗时可能较其他项目更长。
编译完成后可以使用 strip 去除调试符号表以减少文件体积。
from https://github.com/p4gefau1t/trojan-r
---------
