overtls
overtls is SOCKS5 type proxy software, which realizes data transmission through TLS inside the software and supports TCP and UDP traffic forwarding at the same time.
The function is complete and the code is concise, and the core function is 1200 lines of code in total.
OverTLS
is a Rust implementation of SSRoT withoutSSR
andSS
, only retainingoT
, which is fast and stable.fun isOverTLS() : Boolean = over_tls_enable && method == "none" && obfs == "plain" && protocol == "origin"
Principle
In order to effectively deceive GFW, directly using TLS as a proxy protocol is the simplest way. TLS protocol is an encryption protocol, which is symmetric encryption, i.e. the client and server use the same key for encryption and decryption.
We can take advantage of this feature to encapsulate the encryption and decryption process on the client and server sides as a proxy service, so that encrypted TCP and UDP proxies can be performed under GFW
surveillance.
The overtls client first establishes a TLS connection with the overtls server, and then the data exchange between the overtls client and the overtls server is encrypted.
We simply agree that the overtls client accessing a unique resource uri
is considered to be a proxy, and the server will forward the packets containing this uri
to the specified destination address.
This is how our proxy is achieved.
Thus, the data exchange between the overtls server and the overtls client is encrypted, while the data exchange between the overtls server and the target server is in plaintext.
In summary, we need to prepare the following things
- A
VPS
host with a publicIP
, which must be purchased by yourself. - A
domain name
, which can be purchased or applied for free, and resolve thedomain name
to theIP
of theVPS
host. - A pair of
https
certificates/private keys, which can be purchased or applied for free at Let's Encrypt . - an http server software (such as nginx ), and provide site resources for masquerading purposes or acting as a front
reverse proxy
.
Installation
Can be compiled directly from the source code, or you can download the pre-compiled binary file from the Release page.
To compile from source code, you need to install the Rust programming language environment first, and then run the following command to compile the software.
git clone https://github.com/shadowsocksr-live/overtls.git
cd overtls
cargo build --release
Server-side one-click installation script
Before installation, please prepare a VPS
host with a public IP
and a domain name
, and resolve the domain name
to this host IP
, then run the following command and follow the prompts, if everything goes smoothly, the result will be overtls server and nginx front proxy installed on your host, and apply for a certificate.
Currently only 3 CPU
architectures of Linux
machines are supported: x86_64
, armv7
and arm64
.
sudo apt install -y wget # Debian/Ubuntu
sudo yum install -y wget # CentOS
wget https://raw.githubusercontent.com/shadowsocksr-live/overtls/master/install/overtls-install.sh
chmod +x overtls-install.sh
./overtls-install.sh
sudo systemctl start overtls
Usage
Server
overtls -r server -c config.json
Client
overtls -r client -c config.json
If you want to see log info, you can create a .env
file in current dir (pwd
) with RUST_LOG=overtls=trace
as content.
Configuration file
{
"tunnel_path": "/secret-tunnel-path/",
"server_settings": {
"certfile": "/etc/mysite_cert/fullchain.pem",
"keyfile": "/etc/mysite_cert/privkey.pem",
"forward_addr": "http://127.0.0.1:80",
"listen_host": "0.0.0.0",
"listen_port": 443
},
"client_settings": {
"server_host": "123.45.67.89",
"server_port": 443,
"server_domain": "example.com",
"listen_host": "127.0.0.1",
"listen_port": 1080
}
}
The configuration file is very simple. It is common to both server
and client
.
- When the application is running as a
server
, theserver_settings
section is valid and theclient_settings
section is ignored. - When the program is run as a
client
, theclient_settings
section is valid and theserver_settings
section is ignored.
The certfile
and keyfile
are optional, and the software will become https
protocol server after the correct pairing, and the non-flip traffic will be forwarded directly to the forward_addr
destination. If the certfile
and keyfile
are incorrectly matched or simply do not exist, you will need the help of a previous reverse proxy
such as nginx
to work.
If the forward_addr option does not exist, the default value is
http://127.0.0.1:80
, which is the port80
on which the localnginx
listens tohttp
.
Note the tunnel_path
configuration, please make sure to change it to your own unique complex string, otherwise GFW
will block you immediately.
For testing purposes, the
disable_tls
option is provided to have the ability to disableTLS
; that is, if this option exists and is true, the software will transmit traffic inplain text
; for security reasons, please do not use it on official occasions.
This example shows the configuration file of the least entry, the complete configuration file can refer to config.json.