Wednesday, 6 May 2020

simple-tls

Adds a TLS 1.3 layer on top of a connection, with optional WebSocket (wss). Supports the SIP003 plugin protocol and Android. No other bells and whistles.
Possibly the simplest TLS/wss wrapper-and-camouflage plugin.

Download here: release
Features:
  • TLS 1.3 enforced
  • Supports shadowsocks plugin mode (SIP003); the client supports Android
  • Small binary (<2M)

Command-line options

|client|-->|simple-tls client|--TLS1.3-->|simple-tls server|-->|destination|

-b string
    [Host:Port] Listen address (required, except in SIP003 plugin mode)
-d string
    [Host:Port] Destination address (required, except in SIP003 plugin mode)
-wss
    Use the WebSocket Secure protocol
-path string
    WebSocket path

# Client mode
-n string
    Server name, used for certificate host name verification (required on the client)
-cca string
    Unpadded base64-encoded PEM CA certificate the client uses to verify the server.
    Usually not needed if the server's certificate is a valid (CA-issued) one;
    simple-tls then verifies it against the system certificate pool.

# Server mode
-s
    Run in server mode (required on the server)
-cert string
    [Path] Certificate in PEM format (required on the server)
-key string
    [Path] Private key in PEM format (required on the server)

# Other
-gen-cert
    [This is a helper function]: generate a certificate,
    store its key to [-key] and cert to [-cert],
    print cert in base64 format without padding characters
-cpu int
    the maximum number of CPUs that can be executing simultaneously
-fast-open
    enable tfo, only available on linux 4.11+
-t int
    timeout after sec (default 300)
Unpadded base64 encoding: if the base64 string ends with =, strip those characters.

SIP003

Supports the shadowsocks SIP003 plugin protocol. The accepted key-value pairs are the same as above.
When running in SIP003 plugin mode, the b and d parameters are set by shadowsocks automatically and must not be set again in plugin-opts.
Taking shadowsocks-libev as an example:
# TLS
ss-server -c config.json --plugin simple-tls --plugin-opts "s;key=/path/to/your/key;cert=/path/to/your/cert"
ss-local -c config.json --plugin simple-tls --plugin-opts "n=your.server.certificates.dnsname"

# WSS
ss-server -c config.json --plugin simple-tls --plugin-opts "s;wss;key=/path/to/your/key;cert=/path/to/your/cert"
ss-local -c config.json --plugin simple-tls --plugin-opts "wss;n=your.server.certificates.dnsname"

Android

A plugin for shadowsocks-android.
Supports Android 7 and above.

Tips

-gen-cert quickly generates an ECC certificate and prints the unpadded base64-encoded cert for importing on the client with -cca. The certificate's DNSName is taken from the -n parameter or generated at random. The key and cert files are written to the locations given by -key and -cert, or to the current directory ./ . For example:
simple-tls -gen-cert -n example.com
Let's Encrypt can provide a valid certificate for free.
The encryption strength of TLS 1.3 is sufficient; the encryption of the underlying layer can be weakened or disabled.
With mux disabled in v2ray-plugin (mux=0), simple-tls's wss mode and v2ray-plugin's websocket (HTTPS) mode are compatible in both directions; servers and clients can be mixed.
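The -gen-cert / -cca / -n trust path from the Tips above, as an added example in Go (assumed to be simple-tls's language; this is not the project's code): genCert stands in for -gen-cert and verifyWithCCA for the client-side check. It shows why the '=' padding must be stripped, that the pinned root rejects any other issuer, and that -n must match the certificate's DNSName.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"math/big"
	"time"
)

// genCert stands in for -gen-cert (assumed shape): self-signed ECC cert for dnsName,
// returned as unpadded base64 of its PEM, plus the raw DER the server would present.
func genCert(dnsName string) (cca string, der []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{dnsName}, // the name the client checks with -n
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return base64.RawStdEncoding.EncodeToString(pemBytes), der, nil // RawStd: no '='
}

// verifyWithCCA is the client side of -cca/-n: decode the unpadded base64 (a padded
// string is rejected, hence the note above), pin that PEM as the only trusted root,
// then check the server certificate's chain and DNS name.
func verifyWithCCA(cca, serverName string, serverDER []byte) error {
	pemBytes, err := base64.RawStdEncoding.DecodeString(cca)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(pemBytes) // nothing parsed -> empty pool -> Verify fails
	cert, err := x509.ParseCertificate(serverDER)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName})
	return err
}
```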
------

mos-tls-tunnel

mos-tls-tunnel is a command-line utility that opens a TLS tunnel between two addresses and transfers data between them. It also supports shadowsocks SIP003 and a multi-user server.

Usage

client ---> |mtt-client| ---> |mtt-server| ---> destination
Note: For the client to connect to the server, the following options must be consistent between client and server: if the server has an option, the client must have it too, and vice versa.
  • if the server has wss enabled: wss and wss-path must be consistent.
  • if the server does NOT have wss enabled: wss and mux must be consistent.

mtt-client

-b string
    [Host:Port] Bind address, e.g. '127.0.0.1:1080'
-s string
    [Host:Port] Server address

-wss
    Enable WebSocket Secure protocol
-wss-path string
    WebSocket path (default "/")
-mux
    Enable multiplex
-mux-max-stream int
    The max number of multiplexed streams in one TCP connection, 1 - 16 (default 4)
Geek options

mtt-server

-b string
    [Host:Port] or [Path](if bind-unix) Server bind address, e.g. '127.0.0.1:1080', '/run/mmt-server', '@mmt-server'
-d string
    [Host:Port] Destination address

-wss
    Enable WebSocket Secure protocol
-wss-path string
    WebSocket path (default "/")
-mux
    Enable multiplex

-cert string
    [Path] X509KeyPair cert file
-key string
    [Path] X509KeyPair key file
Geek options

mtt-mu-server

See here

Shadowsocks Plugin (SIP003)

mos-tls-tunnel supports shadowsocks SIP003. Option keys are the same as defined under Usage. You don't have to set the client and server addresses (b, d, s); shadowsocks sets those automatically.

Example Command

Below are example commands with shadowsocks-libev.
Shadowsocks over TLS
ss-server -c config.json --plugin mtt-server --plugin-opts "key=/path/to/your/key;cert=/path/to/your/cert"
ss-local -c config.json --plugin mtt-client --plugin-opts "n=your.server.hostname"
Shadowsocks over WebSocket Secure(wss)
ss-server -c config.json --plugin mtt-server --plugin-opts "wss;key=/path/to/your/key;cert=/path/to/your/cert"
ss-local -c config.json --plugin mtt-client --plugin-opts "wss;n=your.server.hostname"
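How the plugin-opts strings in the SIP003 sections above (both simple-tls's and mos-tls-tunnel's) are split into options, as an added example in Go; this is not code from either project, it follows the SIP003 format shadowsocks hands a plugin in SS_PLUGIN_OPTIONS.

```go
package main

import (
	"errors"
	"strings"
)

// parseOpts splits a SIP003 plugin-opts string into a map. Pairs are ';'-separated;
// a ';', '=' or '\' inside a key or value is escaped with a backslash; a bare key
// such as "s" or "wss" maps to "". ',' is NOT a separator, so "wss,key=/k" yields one
// key named "wss,key": this is why the commands above join options with ';' only.
func parseOpts(s string) (map[string]string, error) {
	opts := map[string]string{}
	var key, cur strings.Builder
	haveKey, escaped := false, false
	flush := func() {
		switch {
		case haveKey:
			opts[key.String()] = cur.String()
		case cur.Len() > 0:
			opts[cur.String()] = "" // flag-style key without a value
		}
		key.Reset()
		cur.Reset()
		haveKey = false
	}
	for _, c := range s {
		switch {
		case escaped:
			cur.WriteRune(c)
			escaped = false
		case c == '\\':
			escaped = true
		case c == '=' && !haveKey:
			key.WriteString(cur.String())
			cur.Reset()
			haveKey = true
		case c == ';':
			flush()
		default:
			cur.WriteRune(c)
		}
	}
	if escaped {
		return nil, errors.New("plugin-opts ends with a dangling backslash")
	}
	flush()
	return opts, nil
}
```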

Recommended Shadowsocks server and client

Android plugin

The Android plugin project is maintained here: mostunnel-android. This is a plugin of shadowsocks-android.

WebSocket Secure

mos-tls-tunnel supports the WebSocket Secure protocol (wss). WebSocket connections can be proxied by HTTP servers such as Apache, as well as by most CDNs that support WebSocket.
wss-path is used as the path of the HTTP request.

Multiplex (Experimental)

mos-tls-tunnel supports connection multiplexing (mux). It significantly reduces handshake latency, at the cost of throughput.
The client can set mux-max-stream to control the maximum number of data streams in one TCP connection. The value should be between 1 and 16.
If wss is enabled, the server can automatically detect whether the client enabled mux. You can still set mux on the server to force multiplexing if auto-detection fails.

Self Signed Certificate

On the server, if both key and cert are empty, a self-signed certificate is used, and the string from n becomes the certificate's hostname. This self-signed certificate CANNOT be verified.
On the client, if the server's certificate can't be verified, you can enable sv to skip verification. Enable this option only if you know what you are doing; use it with caution.
We recommend that you always use a valid certificate. A free and valid certificate can easily be obtained from Let's Encrypt.

mtt-server Multi-user Version (mtt-mu-server)

mtt-mu-server allows multiple users to use the wss mode of mtt-client to transfer data over the same server port (e.g. 443). Users are dispatched to their corresponding backend (dst) according to the path (wss-path) of their HTTP request.
This increases the concealment and security of the server, because a large number of ports no longer has to be exposed for different users, and if mtt-mu-server runs on port 443 it looks like a normal HTTPS server.
The API is very simple: use HTTP POST to send commands to the Controller to add or delete as many users as you want.
For more, see here.

Build from Source

In general, you need the following build dependencies:
  • golang-go
  • git
You might build mos-tls-tunnel like this:
Example

Open Source Components / Libraries


-------------------

https://github.com/Snawoot/httpierce
