Trojan-rs
Trojan server and proxy programs written in Rust.
- For the server mode, the protocol is compatible with original trojan except UDP Associate does not support domain address type (maybe later?) If you are not ok with that, you can use the original version, it should work perfectly with the proxy mode.
- For the proxy mode, it uses TPROXY to relay all UDP and TCP packets, and it should work with the original server in both route or local type.
How to use it
hoping@HopingPC:~/workspace/trojan-rs$ trojan --help
trojan 0.6
Hoping White
A trojan implementation using rust
USAGE:
trojan [OPTIONS] --local-addr <local-addr> --password <password> <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-a, --local-addr <local-addr> listen address for server, format like 0.0.0.0:443
-l, --log-file <log-file> log file path
-L, --log-level <log-level>
log level, 0 for trace, 1 for debug, 2 for info, 3 for warning, 4 for error, 5 for off [default: 2]
-m, --marker <marker> set marker used by tproxy [default: 1]
-p, --password <password> passwords for negotiation
-t, --tcp-idle-timeout <tcp-idle-timeout>
time in seconds before closing an inactive tcp connection [default: 600]
-u, --udp-idle-timeout <udp-idle-timeout> time in seconds before closing an inactive udp connection [default: 60]
SUBCOMMANDS:
help Prints this message or the help of the given subcommand(s)
proxy run in proxy mode
server run in server mode
hoping@HopingPC:~/workspace/trojan-rs$ trojan help proxy
trojan-proxy
run in proxy mode
USAGE:
trojan proxy [OPTIONS] --hostname <hostname>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-H, --hostname <hostname> trojan server hostname
-P, --pool-size <pool-size> pool size, 0 for disable [default: 0]
-o, --port <port> trojan server port [default: 443]
hoping@HopingPC:~/workspace/trojan-rs$ trojan help server
trojan-server
run in server mode
USAGE:
trojan server [OPTIONS] --cert <cert> --key <key>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-n, --alpn <alpn>... alpn protocol supported
-c, --cert <cert> certificate file path, This should contain PEM-format certificates in the
right order (the first certificate should certify KEYFILE, the last should
be a root CA
-d, --dns-cache-time <dns-cache-time> time in seconds for dns query cache [default: 300]
-k, --key <key> private key file path, This should be a RSA private key or PKCS8-encoded
private key, in PEM format.
-r, --remote-addr <remote-addr> http backend server address [default: 127.0.0.1:80]
IPTABLES settings.
A workable example as follows. lanlist and byplist are ipsets which you can create by ipset command.
IMPORTANT your trojan server IP should be included in byplist or lanlist, otherwise, route loop should occur.
# Add any tproxy policy rules
ip rule add fwmark 0xff table 100
ip route add local 0.0.0.0/0 dev lo table 100
# --------------- Route Rules Begin ---------------------------
# Create a new chain for router
iptables -t mangle -N TROJAN_ROUTE
# Ignore LANs and any other addresses you'd like to bypass the proxy
iptables -t mangle -A TROJAN_ROUTE -m set --match-set lanlist dst -j RETURN
iptables -t mangle -A TROJAN_ROUTE -m set --match-set byplist dst -j RETURN
iptables -t mangle -A TROJAN_ROUTE -m set --match-set chslist dst -j RETURN
# Anything else should be redirected to shadowsocks's local port
iptables -t mangle -A TROJAN_ROUTE -p tcp -j TPROXY --on-port 60080 --on-ip 127.0.0.1 --tproxy-mark 0xff
iptables -t mangle -A TROJAN_ROUTE -p udp -j TPROXY --on-port 60080 --on-ip 127.0.0.1 --tproxy-mark 0xff
# Apply the route rules
iptables -t mangle -A PREROUTING -j TROJAN_ROUTE
# ---------------- Route Rules End -----------------------------
# ---------------- Local Rules Begin --------------------------
# Create new chain for localhost
iptables -t mangle -N TROJAN_LOCAL
# Ignore Lans and any other address you'd like to bypass the proxy
iptables -t mangle -A TROJAN_LOCAL -m set --match-set lanlist dst -j RETURN
iptables -t mangle -A TROJAN_LOCAL -m set --match-set byplist dst -j RETURN
iptables -t mangle -A TROJAN_LOCAL -m set --match-set chslist dst -j RETURN
# Ignore packets sent from trojan itself.
iptables -t mangle -A TROJAN_LOCAL -m mark --mark 0xff -j RETURN
# Mark tcp 80, 443, udp 53 to reroute.
iptables -t mangle -A TROJAN_LOCAL -p udp --dport 53 -j MARK --set-xmark 0xff
iptables -t mangle -A TROJAN_LOCAL -p tcp --dport 80 -j MARK --set-xmark 0xff
iptables -t mangle -A TROJAN_LOCAL -p tcp --dport 443 -j MARK --set-xmark 0xff
# Apply the local rules
iptables -t mangle -A OUTPUT -j TROJAN_LOCAL
# ----------------- Local Rules End --------------------------------
# Flush all the rules to effect immediately
ip route flush cache
You can get more about iptables rules in PRINCIPLE.md
Windows
For Windows users, wintun mode may supply a virtual device operating on ip layer base on Wintun and Smoltcp library.
You can check trojan help wintun
for more parameter detail.
Assuming your virtual device number is 3, which can be got by route print
The following command can route all traffic to 8.8.8.8 into this device.
route ADD 8.8.8.8 MASK 255.255.255.255 0.0.0.0 METRIC 1 IF 3
You can get more about windows global proxy in WINDOWS.md
Special Thanks for
Thanks Jetbrains open source license project. Clion is a great IDE which help me a lot when developing this project.