GO Simple Tunnel - a simple tunnel written in golang

dns go golang http2 kcp obfs4 quic shadowsocks sni socks5 ssh tls tunnel tuntap udp

Go to file

ginuerzh 6b4a84ee6e move hosts to github.com/go-gost/hosts		2020-04-05 21:04:13 +08:00
.config	add reloader for authenticator	2019-01-09 22:36:44 +08:00
.github/workflows	rm shadowstream used in tuntap	2020-03-25 14:52:16 +08:00
cmd/gost	move hosts to github.com/go-gost/hosts	2020-04-05 21:04:13 +08:00
examples	修复 examples 中的参数错误 (#315 )	2018-11-03 11:01:48 +08:00
.dockerignore	add timeout for Connectors	2018-12-22 23:10:55 +08:00
.gitignore	fix udp forward: clear closed client info	2019-12-18 23:37:01 +08:00
.travis.yml	add more test cases for socks5	2018-12-31 20:44:20 +08:00
auth_test.go	add reloader for authenticator	2019-01-09 22:36:44 +08:00
auth.go	fix HTTP Host header	2019-06-03 16:14:49 +08:00
chain.go	move hosts to github.com/go-gost/hosts	2020-04-05 21:04:13 +08:00
client.go	fix issue #520	2020-03-18 13:39:29 +08:00
common_test.go	use new logger	2020-03-25 19:56:10 +08:00
dns.go	use new logger	2020-03-25 19:56:10 +08:00
Dockerfile	use new buffer pool	2020-03-25 19:01:21 +08:00
forward_test.go	add ssu connector	2020-02-02 15:32:49 +08:00
forward.go	use new logger	2020-03-25 19:56:10 +08:00
ftcp.go	use new logger	2020-03-25 19:56:10 +08:00
go.mod	move hosts to github.com/go-gost/hosts	2020-04-05 21:04:13 +08:00
go.sum	move hosts to github.com/go-gost/hosts	2020-04-05 21:04:13 +08:00
gost.go	use new logger	2020-03-25 19:56:10 +08:00
handler_test.go	add more test cases for socks5	2018-12-31 20:44:20 +08:00
handler.go	move hosts to github.com/go-gost/hosts	2020-04-05 21:04:13 +08:00
http2_test.go	fix http2 test	2020-01-09 11:43:35 +08:00
http2.go	fix nil bypasser	2020-04-05 20:16:06 +08:00
http_test.go	add reloader for authenticator	2019-01-09 22:36:44 +08:00
http.go	fix nil bypasser	2020-04-05 20:16:06 +08:00
kcp_test.go	fix tests	2019-06-21 21:30:48 +08:00
kcp.go	use new logger	2020-03-25 19:56:10 +08:00
LICENSE	add missing files	2017-08-04 14:26:30 +08:00
Makefile	Update Makefile (#448 )	2019-11-30 19:19:44 +08:00
mux.go	add more test cases for socks5	2018-12-31 20:44:20 +08:00
node_test.go	add stop for live reloading	2018-11-29 22:09:10 +08:00
node.go	move bypass to github.com/go-gost/bypass	2020-03-26 09:16:45 +08:00
obfs_test.go	add more test cases	2019-01-05 13:21:33 +08:00
obfs.go	use new logger	2020-03-25 19:56:10 +08:00
permissions_test.go	Change + to space to allows nice + be in the url	2017-04-10 13:25:43 +02:00
permissions.go	add test files	2017-08-13 09:30:18 +08:00
quic_test.go	fix tests	2019-06-21 21:30:48 +08:00
quic.go	use new logger	2020-03-25 19:56:10 +08:00
README_en.md	update README	2020-02-09 14:48:41 +08:00
README.md	update README	2020-02-09 14:48:41 +08:00
redirect_other.go	use new logger	2020-03-25 19:56:10 +08:00
redirect.go	use new logger	2020-03-25 19:56:10 +08:00
relay.go	use new logger	2020-03-25 19:56:10 +08:00
resolver_test.go	fix test cases	2020-02-02 15:33:26 +08:00
resolver.go	update reloader package	2020-03-26 09:31:00 +08:00
selector_test.go	add max_fails & fail_timeout options support for port forwarding	2019-06-20 10:47:58 +08:00
selector.go	add max_fails & fail_timeout options support for port forwarding	2019-06-20 10:47:58 +08:00
server.go	use new logger	2020-03-25 19:56:10 +08:00
signal_unix.go	use new logger	2020-03-25 19:56:10 +08:00
signal.go	fix compile error	2017-03-03 21:57:10 +08:00
snapcraft.yaml	add relay proxy protocol	2020-02-27 14:56:48 +08:00
sni_test.go	fix sni test	2020-01-04 16:37:36 +08:00
sni.go	fix nil bypasser	2020-04-05 20:16:06 +08:00
socks_test.go	add reloader for authenticator	2019-01-09 22:36:44 +08:00
socks.go	fix nil bypasser	2020-04-05 20:16:06 +08:00
ss_test.go	add chain.DialContext	2020-02-08 15:02:04 +08:00
ss.go	fix nil bypasser	2020-04-05 20:16:06 +08:00
ssh_test.go	fix tests	2019-06-21 21:30:48 +08:00
ssh.go	fix nil bypasser	2020-04-05 20:16:06 +08:00
tcp.go	add ssu connector	2020-02-02 15:32:49 +08:00
tls_test.go	fix tests	2019-06-21 21:30:48 +08:00
tls.go	use new logger	2020-03-25 19:56:10 +08:00
tuntap_darwin.go	use new logger	2020-03-25 19:56:10 +08:00
tuntap_linux.go	use new logger	2020-03-25 19:56:10 +08:00
tuntap_unix.go	use new logger	2020-03-25 19:56:10 +08:00
tuntap_windows.go	use new logger	2020-03-25 19:56:10 +08:00
tuntap.go	use new logger	2020-03-25 19:56:10 +08:00
udp.go	use new logger	2020-03-25 19:56:10 +08:00
ws_test.go	fix tests	2019-06-21 21:30:48 +08:00
ws.go	use new logger	2020-03-25 19:56:10 +08:00
wss_test.go	fix tests	2019-06-21 21:30:48 +08:00

README_en.md

gost - GO Simple Tunnel

A simple security tunnel written in Golang

Features

Listening on multiple ports
Multi-level forward proxy - proxy chain
Standard HTTP/HTTPS/HTTP2/SOCKS4(A)/SOCKS5 proxy protocols support
Probing resistance support for web proxy
Support multiple tunnel types
TLS encryption via negotiation support for SOCKS5 proxy
Tunnel UDP over TCP
TCP/UDP Transparent proxy
Local/remote TCP/UDP port forwarding
Shadowsocks protocol
SNI proxy
Permission control
Load balancing
Routing control
DNS resolver and proxy
TUN/TAP device

Wiki: https://docs.ginuerzh.xyz/gost/en/

Telegram group: https://t.me/gogost

Google group: https://groups.google.com/d/forum/go-gost

Installation

Binary files

https://github.com/ginuerzh/gost/releases

From source

git clone https://github.com/ginuerzh/gost.git
cd gost/cmd/gost
go build

Docker

docker pull ginuerzh/gost

Ubuntu store

sudo snap install core
sudo snap install gost

Getting started

No forward proxy

Standard HTTP/SOCKS5 proxy

gost -L=:8080

Proxy authentication

gost -L=admin:123456@localhost:8080

Multiple sets of authentication information

gost -L=localhost:8080?secrets=secrets.txt

The secrets parameter allows you to set multiple authentication information for HTTP/SOCKS5 proxies, the format is:

# username password

test001 123456
test002 12345678

Listen on multiple ports

gost -L=http2://:443 -L=socks5://:1080 -L=ss://aes-128-cfb:123456@:8338

Forward proxy

gost -L=:8080 -F=192.168.1.1:8081

Forward proxy authentication

gost -L=:8080 -F=http://admin:123456@192.168.1.1:8081

Multi-level forward proxy

gost -L=:8080 -F=quic://192.168.1.1:6121 -F=socks5+wss://192.168.1.2:1080 -F=http2://192.168.1.3:443 ... -F=a.b.c.d:NNNN

Gost forwards the request to a.b.c.d:NNNN through the proxy chain in the order set by -F, each forward proxy can be any HTTP/HTTPS/HTTP2/SOCKS4/SOCKS5/Shadowsocks type.

Local TCP port forwarding

gost -L=tcp://:2222/192.168.1.1:22 [-F=...]

The data on the local TCP port 2222 is forwarded to 192.168.1.1:22 (through the proxy chain). If the last node of the chain (the last -F parameter) is a SSH forwad tunnel, then gost will use the local port forwarding function of SSH directly:

gost -L=tcp://:2222/192.168.1.1:22 -F forward+ssh://:2222

Local UDP port forwarding

gost -L=udp://:5353/192.168.1.1:53?ttl=60 [-F=...]

The data on the local UDP port 5353 is forwarded to 192.168.1.1:53 (through the proxy chain). Each forwarding channel has a timeout period. When this time is exceeded and there is no data interaction during this time period, the channel will be closed. The timeout value can be set by the ttl parameter. The default value is 60 seconds.

NOTE: When forwarding UDP data, if there is a proxy chain, the end of the chain (the last -F parameter) must be gost SOCKS5 proxy, gost will use UDP-over-TCP to forward data.

Remote TCP port forwarding

gost -L=rtcp://:2222/192.168.1.1:22 [-F=... -F=socks5://172.24.10.1:1080]

The data on 172.24.10.1:2222 is forwarded to 192.168.1.1:22 (through the proxy chain). If the last node of the chain (the last -F parameter) is a SSH tunnel, then gost will use the remote port forwarding function of SSH directly:

gost -L=rtcp://:2222/192.168.1.1:22 -F forward+ssh://:2222

Remote UDP port forwarding

gost -L=rudp://:5353/192.168.1.1:53?ttl=60 [-F=... -F=socks5://172.24.10.1:1080]

The data on 172.24.10.1:5353 is forwarded to 192.168.1.1:53 (through the proxy chain). Each forwarding channel has a timeout period. When this time is exceeded and there is no data interaction during this time period, the channel will be closed. The timeout value can be set by the ttl parameter. The default value is 60 seconds.

NOTE: When forwarding UDP data, if there is a proxy chain, the end of the chain (the last -F parameter) must be gost SOCKS5 proxy, gost will use UDP-over-TCP to forward data.

HTTP2

Gost HTTP2 supports two modes:

As a standard HTTP2 proxy, and backwards-compatible with the HTTPS proxy.
As a transport tunnel.

Standard proxy

Server:

gost -L=http2://:443

Client:

gost -L=:8080 -F=http2://server_ip:443?ping=30

Tunnel

Server:

gost -L=h2://:443

Client:

gost -L=:8080 -F=h2://server_ip:443

QUIC

Support for QUIC is based on library quic-go.

Server:

gost -L=quic://:6121

Client:

gost -L=:8080 -F=quic://server_ip:6121

NOTE: QUIC node can only be used as the first node of the proxy chain.

KCP

Support for KCP is based on libraries kcp-go and kcptun.

Server:

gost -L=kcp://:8388

Client:

gost -L=:8080 -F=kcp://server_ip:8388

Gost will automatically load kcp.json configuration file from current working directory if exists, or you can use the parameter to specify the path to the file.

gost -L=kcp://:8388?c=/path/to/conf/file

NOTE: KCP node can only be used as the first node of the proxy chain.

SSH

Gost SSH supports two modes:

As a forward tunnel, used by local/remote TCP port forwarding.
As a transport tunnel.

Forward tunnel

Server:

gost -L=forward+ssh://:2222

Client:

gost -L=rtcp://:1222/:22 -F=forward+ssh://server_ip:2222

Transport tunnel

Server:

gost -L=ssh://:2222

Client:

gost -L=:8080 -F=ssh://server_ip:2222?ping=60

The client supports the ping parameter to enable heartbeat detection (which is disabled by default). Parameter value represents heartbeat interval seconds.

Transparent proxy

Iptables-based transparent proxy

gost -L=redirect://:12345 -F=http2://server_ip:443

obfs4

Contributed by @isofew.

Server:

gost -L=obfs4://:443

When the server is running normally, the console prints out the connection address for the client to use:

obfs4://:443/?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdVh2hpIPSKH0nklv1e4f29r7jb91VIrq4q5Jw&iat-mode=0

Client:

gost -L=:8888 -F='obfs4://server_ip:443?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdVh2hpIPSKH0nklv1e4f29r7jb91VIrq4q5Jw&iat-mode=0'

Encryption Mechanism

HTTP

For HTTP, you can use TLS to encrypt the entire communication process, the HTTPS proxy:

Server:

gost -L=http+tls://:443

Client:

gost -L=:8080 -F=http+tls://server_ip:443

HTTP2

Gost HTTP2 proxy mode only supports the use of TLS encrypted HTTP2 protocol, does not support plaintext HTTP2.

Gost HTTP2 tunnel mode supports both encryption (h2) and plaintext (h2c) modes.

SOCKS5

Gost supports the standard SOCKS5 protocol methods: no-auth (0x00) and user/pass (0x02), and extends two methods for data encryption: tls(0x80) and tls-auth(0x82).

Server:

gost -L=socks://:1080

Client:

gost -L=:8080 -F=socks://server_ip:1080

If both ends are gosts (as example above), the data transfer will be encrypted (using tls or tls-auth). Otherwise, use standard SOCKS5 for communication (no-auth or user/pass).

Shadowsocks

Support for shadowsocks is based on library shadowsocks-go.

Server:

gost -L=ss://aes-128-cfb:123456@:8338

Client:

gost -L=:8080 -F=ss://aes-128-cfb:123456@server_ip:8338

Shadowsocks UDP relay

Currently, only the server supports UDP Relay.

Server:

gost -L=ssu://aes-128-cfb:123456@:8338

TLS

There is built-in TLS certificate in gost, if you need to use other TLS certificate, there are two ways:

Place two files cert.pem (public key) and key.pem (private key) in the current working directory, gost will automatically load them.
Use the parameter to specify the path to the certificate file:

gost -L="http2://:443?cert=/path/to/my/cert/file&key=/path/to/my/key/file"

Client can specify secure parameter to perform server's certificate chain and host name verification:

gost -L=:8080 -F="http2://server_domain_name:443?secure=true"

Client can specify a CA certificate to allow for Certificate Pinning:

gost -L=:8080 -F="http2://:443?ca=ca.pem"

Certificate Pinning is contributed by @sheerun.