github.com/ginuerzh/gost (module, package)
2.12.0+incompatible
Repository: https://github.com/ginuerzh/gost.git
Documentation: pkg.go.dev

# README

GO Simple Tunnel

A secure tunnel implemented in Go


!!! V3 is now available, try it out !!!

Features

Wiki site: v2.gost.run

Telegram discussion group: https://t.me/gogost

Google group: https://groups.google.com/d/forum/go-gost

Installation

Binaries

https://github.com/ginuerzh/gost/releases

Build from source

git clone https://github.com/ginuerzh/gost.git
cd gost/cmd/gost
go build

Docker

docker run --rm ginuerzh/gost -V

Homebrew

brew install gost

Ubuntu Store (snap)

sudo snap install core
sudo snap install gost

Quick start

Without a forward proxy

  • As a standard HTTP/SOCKS5 proxy
gost -L=:8080
  • Set proxy authentication
gost -L=admin:123456@localhost:8080
  • Listen on multiple ports
gost -L=http2://:443 -L=socks5://:1080 -L=ss://aes-128-cfb:123456@:8338

With a forward proxy

gost -L=:8080 -F=192.168.1.1:8081
  • Forward proxy authentication
gost -L=:8080 -F=http://admin:123456@192.168.1.1:8081

Multi-level forward proxies (proxy chain)

gost -L=:8080 -F=quic://192.168.1.1:6121 -F=socks5+wss://192.168.1.2:1080 -F=http2://192.168.1.3:443 ... -F=a.b.c.d:NNNN

gost forwards each request through the proxy chain in the order the -F options are given and finally hands it to a.b.c.d:NNNN; every forward proxy in the chain can be any HTTP/HTTPS/HTTP2/SOCKS4/SOCKS5/Shadowsocks proxy.

Local port forwarding (TCP)

gost -L=tcp://:2222/192.168.1.1:22 [-F=...]

Forwards data arriving on local TCP port 2222 (through the proxy chain) to 192.168.1.1:22. When the end of the proxy chain (the last -F parameter) is an SSH forwarding channel, gost uses SSH local port forwarding directly:

gost -L=tcp://:2222/192.168.1.1:22 -F forward+ssh://:2222

Local port forwarding (UDP)

gost -L=udp://:5353/192.168.1.1:53?ttl=60 [-F=...]

Forwards data arriving on local UDP port 5353 (through the proxy chain) to 192.168.1.1:53. Each forwarding channel has a timeout; if the timeout elapses with no data exchanged, the channel is closed. The ttl parameter sets the timeout; the default is 60 seconds.

Note: when UDP data is forwarded through a proxy chain, the end of the chain (the last -F parameter) must be a gost SOCKS5 proxy; gost then forwards using UDP over TCP.

Remote port forwarding (TCP)

gost -L=rtcp://:2222/192.168.1.1:22 [-F=... -F=socks5://172.24.10.1:1080]

Forwards data arriving on 172.24.10.1:2222 (through the proxy chain) to 192.168.1.1:22. When the end of the proxy chain (the last -F parameter) is an SSH forwarding channel, gost uses SSH remote port forwarding directly:

gost -L=rtcp://:2222/192.168.1.1:22 -F forward+ssh://:2222

Remote port forwarding (UDP)

gost -L=rudp://:5353/192.168.1.1:53?ttl=60 [-F=... -F=socks5://172.24.10.1:1080]

Forwards data arriving on 172.24.10.1:5353 (through the proxy chain) to 192.168.1.1:53. Each forwarding channel has a timeout; if the timeout elapses with no data exchanged, the channel is closed. The ttl parameter sets the timeout; the default is 60 seconds.

Note: when UDP data is forwarded through a proxy chain, the end of the chain (the last -F parameter) must be a gost SOCKS5 proxy; gost then forwards using UDP-over-TCP.

HTTP2

gost's HTTP2 support has two modes:

  • As a standard HTTP2 proxy, backward compatible with HTTPS proxying.
  • As a tunnel carrying other protocols.

Proxy mode

Server:

gost -L=http2://:443

Client:

gost -L=:8080 -F=http2://server_ip:443

Tunnel mode

Server:

gost -L=h2://:443

Client:

gost -L=:8080 -F=h2://server_ip:443

QUIC

gost's QUIC support is based on the quic-go library.

Server:

gost -L=quic://:6121

Client:

gost -L=:8080 -F=quic://server_ip:6121

Note: QUIC mode can only be used as the first node of a proxy chain.

KCP

gost's KCP support is based on the kcp-go and kcptun libraries.

Server:

gost -L=kcp://:8388

Client:

gost -L=:8080 -F=kcp://server_ip:8388

gost automatically loads the kcp.json configuration file from the current working directory if it exists; alternatively, the configuration file path can be given explicitly with a parameter:

gost -L=kcp://:8388?c=/path/to/conf/file

Note: KCP mode can only be used as the first node of a proxy chain.

SSH

gost's SSH support has two modes:

  • As a forwarding channel, used together with local/remote TCP port forwarding.
  • As a tunnel carrying other protocols.

Forwarding mode

Server:

gost -L=forward+ssh://:2222

Client:

gost -L=rtcp://:1222/:22 -F=forward+ssh://server_ip:2222

Tunnel mode

Server:

gost -L=ssh://:2222

Client:

gost -L=:8080 -F=ssh://server_ip:2222?ping=60

The ping parameter sets the heartbeat interval in seconds. By default no heartbeat is sent.

Transparent proxy

iptables-based transparent proxy.

gost -L=redirect://:12345 -F=http2://server_ip:443

obfs4

This feature was contributed by @isofew.

Server:

gost -L=obfs4://:443

Once the server is running, it prints the connection address for clients to use on the console:

obfs4://:443/?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdVh2hpIPSKH0nklv1e4f29r7jb91VIrq4q5Jw&iat-mode=0

Client:

gost -L=:8888 -F='obfs4://server_ip:443?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdVh2hpIPSKH0nklv1e4f29r7jb91VIrq4q5Jw&iat-mode=0'

Encryption

HTTP

For HTTP, TLS can encrypt the whole session, i.e. an HTTPS proxy:

Server:

gost -L=https://:443

Client:

gost -L=:8080 -F=http+tls://server_ip:443

HTTP2

gost's HTTP2 proxy mode supports only TLS-encrypted HTTP2; plaintext HTTP2 is not supported.

gost's HTTP2 tunnel mode supports both encrypted (h2) and plaintext (h2c) transport.

SOCKS5

gost supports the standard SOCKS5 methods no-auth (0x00) and user/pass (0x02), and extends them with two more, tls (0x80) and tls-auth (0x82), for data encryption.

Server:

gost -L=socks5://:1080

Client:

gost -L=:8080 -F=socks5://server_ip:1080

If both ends are gost (as above), the data transfer is encrypted (the tls or tls-auth method is negotiated); otherwise standard SOCKS5 is used (the no-auth or user/pass method).
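The method negotiation described above, as an added example in Go that is not code from the gost project: a client greeting offering the standard and gost-extended methods, and a server-side selection. The preference order and the requireAuth flag are assumptions of this example, not gost's documented behaviour.

```go
package main

import (
	"errors"
	"fmt"
)

// SOCKS5 method identifiers. 0x00 and 0x02 are from RFC 1928; 0x80 and 0x82
// are the gost extensions named in the README (MethodTLS, MethodTLSAuth).
const (
	socksVersion       byte = 0x05
	MethodNoAuth       byte = 0x00
	MethodUserPass     byte = 0x02
	MethodTLS          byte = 0x80
	MethodTLSAuth      byte = 0x82
	MethodNoAcceptable byte = 0xFF
)

// BuildGreeting encodes the client's method-selection message: VER | NMETHODS | METHODS.
func BuildGreeting(methods ...byte) []byte {
	return append([]byte{socksVersion, byte(len(methods))}, methods...)
}

// ParseGreeting decodes a client greeting and returns the methods it offers.
func ParseGreeting(b []byte) ([]byte, error) {
	if len(b) < 2 || b[0] != socksVersion {
		return nil, errors.New("not a SOCKS5 greeting")
	}
	if n := int(b[1]); n == 0 || len(b) != 2+n {
		return nil, fmt.Errorf("NMETHODS=%d does not match %d bytes", n, len(b))
	}
	return b[2:], nil
}

// SelectMethod is the server side of the negotiation. The preference order is
// an assumption of this example: encrypted methods first, then user/pass, then
// no-auth; with requireAuth set (users configured), unauthenticated methods
// are refused. 0xFF tells the client nothing acceptable was offered.
func SelectMethod(offered []byte, requireAuth bool) byte {
	has := map[byte]bool{}
	for _, m := range offered {
		has[m] = true
	}
	switch {
	case has[MethodTLSAuth]:
		return MethodTLSAuth
	case has[MethodTLS] && !requireAuth:
		return MethodTLS
	case has[MethodUserPass]:
		return MethodUserPass
	case has[MethodNoAuth] && !requireAuth:
		return MethodNoAuth
	}
	return MethodNoAcceptable
}

func main() {
	// Constructed greetings: a gost client offers all four methods, a plain client only the RFC ones.
	for _, g := range [][]byte{BuildGreeting(MethodNoAuth, MethodUserPass, MethodTLS, MethodTLSAuth), BuildGreeting(MethodNoAuth, MethodUserPass)} {
		offered, _ := ParseGreeting(g)
		fmt.Printf("offered % x -> server reply % x\n", offered, []byte{socksVersion, SelectMethod(offered, true)})
	}
}
```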

Shadowsocks

gost's shadowsocks support is based on the shadowsocks-go library.

Server:

gost -L=ss://chacha20:123456@:8338

Client:

gost -L=:8080 -F=ss://chacha20:123456@server_ip:8338

Shadowsocks UDP relay

Currently only the server side supports UDP relay.

Server:

gost -L=ssu://chacha20:123456@:8338

TLS

gost has a built-in TLS certificate. To use a different TLS certificate, there are two ways:

  • Place cert.pem (certificate) and key.pem (private key) in gost's working directory; gost automatically loads cert.pem and key.pem from there.
  • Specify the certificate file paths with parameters:
gost -L="http2://:443?cert=/path/to/my/cert/file&key=/path/to/my/key/file"

On the client, the secure parameter enables verification of the server certificate and domain name:

gost -L=:8080 -F="http2://server_domain_name:443?secure=true"

On the client, a CA certificate can be specified for certificate pinning:

gost -L=:8080 -F="http2://:443?ca=ca.pem"

Certificate pinning was contributed by @sheerun.
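The three client settings above, as an added illustration in Go using only the standard library (not gost's own code): what a default client, a secure=true client, and a client pinned to a CA each accept. The mapping of each flag to a tls.Config and the constructed self-signed certificate are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSignedCert builds a constructed self-signed certificate for host, standing in for a gost server's cert.pem/key.pem.
func SelfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, err
}

// ClientConfig maps the README's client settings (assumed mapping) to a tls.Config: default = no verification,
// secure=true = verify chain and hostname against system roots, ca=<cert> = trust only that CA (hostname still checked).
func ClientConfig(serverName string, secure bool, ca *x509.Certificate) *tls.Config {
	cfg := &tls.Config{ServerName: serverName, InsecureSkipVerify: !secure, MinVersion: tls.VersionTLS12}
	if ca != nil {
		pool := x509.NewCertPool()
		pool.AddCert(ca)
		cfg.RootCAs = pool
		cfg.InsecureSkipVerify = false
	}
	return cfg
}

// Handshake runs a TLS handshake between an in-memory server and client; a nil error means the client accepted the cert.
func Handshake(serverCert tls.Certificate, client *tls.Config) error {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{serverCert}, SessionTicketsDisabled: true})
	go func() { _ = srv.Handshake() }()
	return tls.Client(c, client).Handshake()
}

func main() {
	cert, leaf, _ := SelfSignedCert("proxy.example")
	fmt.Println("default:", Handshake(cert, ClientConfig("proxy.example", false, nil)))
	fmt.Println("secure :", Handshake(cert, ClientConfig("proxy.example", true, nil)), "| pinned:", Handshake(cert, ClientConfig("proxy.example", true, leaf)))
}
```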

# Functions

AddrConnectOption specifies the corresponding address of the target.
AddrHandlerOption sets the Addr option of HandlerOptions.
AddrHandshakeOption specifies the server address.
AuthenticatorHandlerOption sets the Authenticator option of HandlerOptions.
AutoConnector is a Connector.
AutoHandler creates a server Handler for auto proxy server.
BlacklistHandlerOption sets the Blacklist option of HandlerOptions.
BypassHandlerOption sets the bypass option of HandlerOptions.
Can tests whether the given action and address are allowed by the whitelist and blacklist.
ChainDialOption specifies a chain used by Transporter.Dial.
ChainExchangerOption sets the chain for Exchanger.
ChainHandlerOption sets the Chain option of HandlerOptions.
ChainNameServerOption sets the chain for name server.
ChainResolverOption sets the chain for Resolver.
CIDRMatcher creates a Matcher for a specific CIDR notation IP address.
ClientObfsTLSConn creates a connection for obfs-tls client.
Connect connects to the address addr via the DefaultClient.
Dial connects to the address addr via the DefaultClient.
DNSHandler creates a Handler for DNS server.
DNSListener creates a Listener for DNS proxy server.
DomainMatcher creates a Matcher for a specific domain pattern; the pattern can be a plain domain such as 'example.com', a wildcard such as '*.example.com', or the special wildcard '.example.com'.
FailTimeoutHandlerOption sets the fail_timeout option of HandlerOptions.
FakeTCPListener creates a Listener for fake TCP server.
FakeTCPTransporter creates a Transporter that is used by fake tcp client.
ForwardConnector creates a Connector for data forward client.
GenCertificate generates a random TLS certificate.
H2CListener creates a Listener for HTTP2 h2c tunnel server.
H2CTransporter creates a Transporter that is used by HTTP2 h2c tunnel client.
H2Listener creates a Listener for HTTP2 h2 tunnel server.
H2Transporter creates a Transporter that is used by HTTP2 h2 tunnel client.
Handshake performs a handshake via the DefaultClient.
HostDialOption specifies the host used by Transporter.Dial.
HostHandlerOption sets the target host for SNI proxy.
HostHandshakeOption specifies the hostname.
HostsChainOption specifies the hosts used by Chain.Dial.
HostsHandlerOption sets the Hosts option of HandlerOptions.
HTTP2Connector creates a Connector for HTTP2 proxy client.
HTTP2Handler creates a server Handler for HTTP2 proxy server.
HTTP2Listener creates a Listener for HTTP2 proxy server.
HTTP2Transporter creates a Transporter that is used by HTTP2 h2 proxy client.
HTTPConnector creates a Connector for HTTP proxy client.
HTTPHandler creates a server Handler for HTTP proxy server.
HTTPTunnelHandlerOption sets the Tunnel mode for HTTP client used in HTTP handler.
IntervalHandshakeOption specifies the interval time used by Transporter.Handshake.
IPMatcher creates a Matcher for a specific IP address.
IPRoutesHandlerOption sets the IP routes for tun tunnel.
IPsHandlerOption sets the ip list for port forward.
IsIPv6Multicast reports whether the address addr is an IPv6 multicast address.
KCPConfigHandshakeOption specifies the KCP config used by KCP handshake.
KCPListener creates a Listener for KCP proxy server.
KCPTransporter creates a Transporter that is used by KCP proxy client.
KnockingHandlerOption adds the knocking host for probe resistance.
MaxFailsHandlerOption sets the max_fails option of HandlerOptions.
MTLSListener creates a Listener for multiplex-TLS proxy server.
MTLSTransporter creates a Transporter that is used by multiplex-TLS proxy client.
MWSListener creates a Listener for multiplex-websocket proxy server.
MWSSListener creates a Listener for multiplex-websocket secure proxy server.
MWSSTransporter creates a Transporter that is used by multiplex-websocket secure proxy client.
MWSTransporter creates a Transporter that is used by multiplex-websocket proxy client.
NewBypass creates and initializes a new Bypass using matchers as its match rules.
NewBypassPatterns creates and initializes a new Bypass using matcher patterns as its match rules.
NewChain creates a proxy chain with a list of proxy nodes.
NewDNSExchanger creates a DNS over UDP Exchanger.
NewDNSTCPExchanger creates a DNS over TCP Exchanger.
NewDoHExchanger creates a DNS over HTTPS Exchanger.
NewDoTExchanger creates a DNS over TLS Exchanger.
NewHost creates a Host.
NewHosts creates a Hosts with optional list of hosts.
NewLocalAuthenticator creates an Authenticator that authenticates clients using local credentials.
NewMatcher creates a Matcher for the given pattern.
NewNodeGroup creates a node group.
NewResolver creates a new Resolver with the given name servers and resolution timeout.
NewStrategy creates a Strategy by the name s.
NodeHandlerOption sets the server node for the server handler.
NoDelayConnectOption specifies the NoDelay option for ss.Connect.
NoTLSConnectOption specifies the SOCKS5 method without TLS.
Obfs4Init initializes the obfs client or server based on isServeNode.
Obfs4Listener creates a Listener for obfs4 server.
Obfs4Transporter creates a Transporter that is used by obfs4 client.
ObfsHTTPListener creates a Listener for HTTP obfuscating tunnel server.
ObfsHTTPTransporter creates a Transporter that is used by HTTP obfuscating tunnel client.
ObfsTLSListener creates a Listener for TLS obfuscating server.
ObfsTLSTransporter creates a Transporter that is used by the TLS obfuscating client.
ParseNode parses the node info.
ParsePermissions parses s into a Permissions.
ParsePortRange parses s into a PortRange.
ParsePortSet parses s into a PortSet.
ParseSSHAuthorizedKeysFile parses an ssh authorized_keys file.
ParseSSHKeyFile parses an ssh key file.
ParseStringSet parses s into a StringSet.
PeriodReload reloads the config configFile periodically according to the period of the Reloader r.
PreferResolverOption sets the prefer for Resolver.
ProbeResistHandlerOption adds the probe resistance for HTTP proxy.
ProxyAgentHandlerOption sets the proxy agent for http handler.
QUICConfigHandshakeOption specifies the QUIC config used by QUIC handshake.
QUICListener creates a Listener for QUIC proxy server.
QUICTransporter creates a Transporter that is used by QUIC proxy client.
RelayConnector creates a Connector for TCP/UDP data relay.
RelayHandler creates a server Handler for TCP/UDP relay server.
ResolverChainOption specifies the Resolver used by Chain.Dial.
ResolverHandlerOption sets the resolver option of HandlerOptions.
RetryChainOption specifies the number of retries used by Chain.Dial.
RetryHandlerOption sets the retry option of HandlerOptions.
RetryHandshakeOption specifies the number of retries used by Transporter.Handshake.
SelectorConnectOption specifies the SOCKS5 client selector.
ServerObfsTLSConn creates a connection for obfs-tls server.
SetLogger sets a new logger for internal log system.
ShadowConnector creates a Connector for shadowsocks proxy client.
ShadowHandler creates a server Handler for shadowsocks proxy server.
ShadowUDPConnector creates a Connector for shadowsocks UDP client.
ShadowUDPHandler creates a server Handler for shadowsocks UDP relay server.
SNIConnector creates a Connector for SNI proxy client.
SNIHandler creates a server Handler for SNI proxy server.
SOCKS4AConnector creates a Connector for SOCKS4A proxy client.
SOCKS4Connector creates a Connector for SOCKS4 proxy client.
SOCKS4Handler creates a server Handler for SOCKS4(A) proxy server.
SOCKS5BindConnector creates a connector for SOCKS5 bind.
SOCKS5Connector creates a connector for SOCKS5 proxy client.
SOCKS5Handler creates a server Handler for SOCKS5 proxy server.
Socks5MuxBindConnector creates a Connector for SOCKS5 multiplex bind client.
SOCKS5MuxBindTransporter creates a Transporter for SOCKS5 multiplex bind client.
SOCKS5UDPConnector creates a connector for SOCKS5 UDP relay.
SOCKS5UDPTunConnector creates a connector for SOCKS5 UDP-over-TCP relay.
SrcIPResolverOption sets the source IP for Resolver.
SSHConfigHandshakeOption specifies the ssh config used by SSH client handshake.
SSHDirectForwardConnector creates a Connector for SSH TCP direct port forwarding.
SSHForwardHandler creates a server Handler for SSH port forwarding server.
SSHForwardTransporter creates a Transporter that is used by SSH port forwarding server.
SSHRemoteForwardConnector creates a Connector for SSH TCP remote port forwarding.
SSHTunnelListener creates a Listener for SSH tunnel server.
SSHTunnelTransporter creates a Transporter that is used by SSH tunnel client.
StrategyHandlerOption sets the strategy option of HandlerOptions.
TapHandler creates a handler for tap tunnel.
TapListener creates a listener for tap tunnel.
TCPDirectForwardHandler creates a server Handler for TCP port forwarding server.
TCPListener creates a Listener for TCP proxy server.
TCPModeHandlerOption sets the tcp mode for tun/tap device.
TCPRedirectHandler creates a server Handler for TCP transparent server.
TCPRemoteForwardHandler creates a server Handler for TCP remote port forwarding server.
TCPRemoteForwardListener creates a Listener for TCP remote port forwarding server.
TCPTransporter creates a raw TCP client.
TimeoutChainOption specifies the timeout used by Chain.Dial.
TimeoutConnectOption specifies the timeout for connecting to target.
TimeoutDialOption specifies the timeout used by Transporter.Dial.
TimeoutExchangerOption sets the timeout for Exchanger.
TimeoutHandlerOption sets the timeout option of HandlerOptions.
TimeoutHandshakeOption specifies the timeout used by Transporter.Handshake.
TimeoutNameServerOption sets the timeout for name server.
TimeoutResolverOption sets the timeout for Resolver.
TLSConfigHandlerOption sets the TLSConfig option of HandlerOptions.
TLSConfigHandshakeOption specifies the TLS config used by Transporter.Handshake.
TLSListener creates a Listener for TLS proxy server.
TLSTransporter creates a Transporter that is used by TLS proxy client.
TTLResolverOption sets the timeout for Resolver.
TunHandler creates a handler for tun tunnel.
TunListener creates a listener for tun tunnel.
UDPDirectForwardHandler creates a server Handler for UDP port forwarding server.
UDPListener creates a Listener for UDP server.
UDPRedirectHandler creates a server Handler for UDP transparent server.
UDPRedirectListener creates a Listener for UDP transparent proxy server.
UDPRemoteForwardHandler creates a server Handler for UDP remote port forwarding server.
UDPRemoteForwardListener creates a Listener for UDP remote port forwarding server.
UDPTransporter creates a Transporter for UDP client.
UserAgentConnectOption specifies the HTTP user-agent header.
UserConnectOption specifies the user info for authentication.
UserHandshakeOption specifies the user used by Transporter.Handshake.
UsersHandlerOption sets the Users option of HandlerOptions.
VSOCKListener creates a Listener for VSOCK proxy server.
VSOCKTransporter creates a raw VSOCK client.
WhitelistHandlerOption sets the Whitelist option of HandlerOptions.
WithFilter adds a filter function to the list of filters used during the Select call.
WithStrategy sets the selector strategy.
WSListener creates a Listener for websocket proxy server.
WSOptionsHandshakeOption specifies the websocket options used by websocket handshake.
WSSListener creates a Listener for websocket secure proxy server.
WSSTransporter creates a Transporter that is used by websocket secure proxy client.
WSTransporter creates a Transporter that is used by websocket proxy client.

# Constants

RFC 4254 7.1.
CmdMuxBind is an extended SOCKS5 request CMD for multiplexing transport with the binding server.
CmdUDPTun is an extended SOCKS5 request CMD for UDP over TCP.
default options for FailFilter.
default options for FailFilter.
RFC 4254 7.2.
RFC 4254 7.2.
extended request type for ssh tunnel.
MethodMux is an extended SOCKS5 method for stream multiplexing.
MethodTLS is an extended SOCKS5 method with tls encryption support.
MethodTLSAuth is an extended SOCKS5 method with tls encryption and authentication support.
RFC 4254 7.1.
Version is the gost version.

# Variables

ConnectTimeout is the timeout for connect.
Debug is a flag that enables the debug log.
DefaultClient is a standard HTTP proxy client.
DefaultKCPConfig is the default KCP config.
DefaultMTU is the default mtu for tun/tap device.
DefaultResolverTimeout is the default timeout for name resolution.
DefaultTLSConfig is a default TLS config for internal use.
DefaultUserAgent is the default HTTP User-Agent header used by HTTP and websocket.
DialTimeout is the timeout of dial.
ErrEmptyChain is an error that implies the chain is empty.
ErrInvalidNode is an error that implies the node is invalid.
ErrNoneAvailable indicates there is no node available.
HandshakeTimeout is the timeout of handshake.
KCPSalt is the default salt for KCP cipher.
KeepAliveTime is the keep alive time period for TCP connection.
PingRetries is the number of ping retries.
PingTimeout is the timeout for pinging.
ReadTimeout is the timeout for reading.
WriteTimeout is the timeout for writing.

# Structs

Bypass is a filter for address (IP or domain).
Chain is a proxy chain that holds a list of proxy node groups.
ChainOptions holds options for Chain.
Client is a proxy client.
ConnectOptions describes the options for Connector.Connect.
DialOptions describes the options for Transporter.Dial.
DNSOptions is options for DNS Listener.
FailFilter filters the dead node.
FakeTCPListenConfig is config for fake TCP Listener.
FastestFilter filters for the fastest node.
FIFOStrategy is a strategy for node selector.
HandlerOptions describes the options for Handler.
HandshakeOptions describes the options for handshake.
Host is a static mapping from hostname to IP.
Hosts is a static table lookup for hostnames.
InvalidFilter filters the invalid node.
IPRoute is an IP routing entry.
KCPConfig describes the config for KCP.
LocalAuthenticator is an Authenticator that authenticates client by local key-value pairs.
LogLogger uses the standard log package as the logger.
NameServer is a name server.
Node is a proxy node, mainly used to construct a proxy chain.
NodeGroup is a group of nodes.
NopLogger is a dummy logger that discards the log outputs.
Permission is a rule for blacklist and whitelist.
PortRange specifies a range of ports, such as 1000-2000.
QUICConfig is the config for QUIC client and server.
RandomStrategy is a strategy for node selector.
RoundStrategy is a strategy for node selector.
SelectOptions is the options for node selection.
Server is a proxy server.
ServerOptions holds the options for Server.
SSHConfig holds the SSH tunnel server config.
TapConfig is the config for TAP device.
TempError satisfies the net.Error interface and presents itself as temporary to make sure that it gets retried by the Accept loop in server.go.
TunConfig is the config for TUN device.
UDPListenConfig is the config for UDP Listener.
WSOptions describes the options for websocket.

# Interfaces

Accepter represents a network endpoint that can accept connections from a peer.
Authenticator is an interface for user authentication.
Connector is responsible for connecting to the destination address.
Exchanger is an interface for DNS synchronous query.
Filter is used to filter a node during the selection process.
Handler is a proxy server handler.
Listener is a proxy server listener, just like a net.Listener.
Matcher is a generic pattern matcher, it gives the match result of the given pattern for specific v.
NodeSelector is a mechanism to pick nodes and mark their status.
Reloader is the interface for objects that support live reloading.
ReloadResolver is a resolver that supports live reloading.
Resolver is a name resolver for domain name.
Stoppable is the interface that indicates a Reloader can be stopped.
Strategy is a selection strategy, e.g. random or round-robin.
Transporter is responsible for handshaking with the proxy server.

# Type aliases

ChainOption allows a common way to set chain options.
ConnectOption allows a common way to set ConnectOptions.
DialOption allows a common way to set DialOptions.
ExchangerOption allows a common way to set Exchanger options.
HandlerOption allows a common way to set handler options.
HandshakeOption allows a common way to set HandshakeOptions.
NameServerOption allows a common way to set name server options.
PasswordCallbackFunc is a callback function used by SSH server.
Permissions is a set of Permission.
PortSet is a set of PortRange.
PublicKeyCallbackFunc is a callback function used by SSH server.
ResolverOption allows a common way to set Resolver options.
SelectOption is the option used when making a select call.
ServerOption allows a common way to set server options.
StringSet is a set of string.