Brook

A cross-platform programmable network tool. 一个跨平台可编程网络工具

Sponsor

❤️ Shiliew - China Optimized VPN

Table of Contents

• Brook
• Sponsor
• Getting Started 快速上手
  • Server
  • GUI Client
  • CLI Client
• Install CLI 安装命令行
  • nami
  • brook
  • joker
  • jinbe
  • tun2brook
  • via pacman
  • via brew
  • via docker
• Daemon 守护进程
• Auto Start at Boot 开机自启
• One Click Script 一键脚本
• CLI Documentation 命令行文档
• NAME
• SYNOPSIS
• GLOBAL OPTIONS
• COMMANDS
  • server
  • client
  • wsserver
  • wsclient
  • wssserver
  • wssclient
  • quicserver
  • quicclient
  • relayoverbrook
  • dnsserveroverbrook
  • tproxy
  • link
  • connect
  • relay
  • dnsserver
  • dnsclient
  • dohserver
  • dohclient
  • dhcpserver
  • socks5
  • socks5tohttp
  • pac
  • testsocks5
  • testbrook
  • echoserver
  • echoclient
  • completion
  • mdpage
    • help, h
  • manpage
  • help, h
• GUI Documentation
  • Software for which this article applies
  • Windows Proxy mode, Linux Proxy mode
  • iOS, Mac, Android, Windows TUN mode, Linux TUN mode
  • Configuration Introduction
  • Programmable
    • Introduction to incoming variables
    • in_brooklinks
    • in_dnsquery
    • in_address
    • in_httprequest
    • in_httpresponse
  • Write script
  • Debug script
  • Standalone Script Example
  • Brook Script Builder
  • Packet Capture
  • Install CA
    • iOS
    • Android
    • macOS
    • Windows
  • Apple Push Problem
• 图形客户端文档
  • 本文适用的软件
  • Windows GUI proxy 模式, Linux GUI proxy 模式
  • iOS, Mac, Android, Windows TUN 模式, Linux TUN 模式
  • 配置介绍
  • Programmable
    • 传入变量介绍
    • in_brooklinks
    • in_dnsquery
    • in_address
    • in_httprequest
    • in_httpresponse
  • 写脚本
  • 调试脚本
  • 独立脚本例子
  • 脚本生成器
  • 抓包
  • 安装 CA
    • iOS
    • Android
    • macOS
    • Windows
  • Apple 推送问题
• Diagram 图解
  • overview
  • withoutBrookProtocol
  • relayoverbrook
  • dnsserveroverbrook
  • relay
  • dnsserver
  • tproxy
  • gui
  • script
• Protocol
• Blog
• YouTube
• Telegram
• brook-mamanger
• nico
• Brook Deploy
• Pastebin
• 独立脚本例子 | Standalone Script Example
• 脚本生成器 | Brook Script Builder

Brook

A cross-platform programmable network tool. 一个跨平台可编程网络工具

Sponsor

❤️ Shiliew - China Optimized VPN

Getting Started 快速上手

Server

bash <(curl https://bash.ooo/nami.sh)

nami install brook

brook server -l :9999 -p hello

GUI Client

iOS	Android	Mac	Windows	Linux	OpenWrt

Linux: Socks5 Configurator
OpenWrt: After installation, you need to refresh the page to see the menu

• brook server: 1.2.3.4:9999 replace 1.2.3.4 with your server IP
• password: hello

CLI Client

brook client -s 1.2.3.4:9999 -p hello --socks5 127.0.0.1:1080

Install CLI 安装命令行

nami

The easy way to download anything from anywhere

bash <(curl https://bash.ooo/nami.sh)

brook

A cross-platform network tool

nami install brook

joker

Joker can turn process into daemon

nami install joker

jinbe

Auto start at boot. thanks to the cute cat

nami install jinbe

tun2brook

Proxy all traffic just one line command

nami install tun2brook

via pacman

maintained by felixonmars

pacman -S brook

via brew

brew install brook

via docker

maintained by teddysun

docker pull teddysun/brook

Daemon 守护进程

Run the brook daemon with joker

joker brook server -l :9999 -p hello

Get the last command ID

joker last

View output and error of a command

joker log ID

View running commmands

joker list

Stop a running command

joker stop ID

Auto Start at Boot 开机自启

Add one auto-start command at boot

jinbe joker brook server -l :9999 -p hello

View added commmands

jinbe list

Remove one added command

jinbe remove ID

One Click Script 一键脚本

bash <(curl https://bash.ooo/brook.sh)

CLI Documentation 命令行文档

NAME

Brook - A cross-platform programmable network tool

SYNOPSIS

Brook

[--dialWithDNSPrefer]=[value]
[--dialWithDNS]=[value]
[--dialWithIP4]=[value]
[--dialWithIP6]=[value]
[--dialWithNIC]=[value]
[--dialWithSocks5Password]=[value]
[--dialWithSocks5TCPTimeout]=[value]
[--dialWithSocks5UDPTimeout]=[value]
[--dialWithSocks5Username]=[value]
[--dialWithSocks5]=[value]
[--help|-h]
[--log]=[value]
[--pprof]=[value]
[--prometheusPath]=[value]
[--prometheus]=[value]
[--tag]=[value]
[--version|-v]

Usage:

Brook [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]

GLOBAL OPTIONS

--dialWithDNS="": When a domain name needs to be resolved, use the specified DNS. Such as 8.8.8.8:53 or https://dns.google/dns-query?address=8.8.8.8%3A443, the address is required. Note that for client-side commands, this does not affect the client passing the domain address to the server

--dialWithDNSPrefer="": This is used with the dialWithDNS parameter. Prefer A record or AAAA record. Value is A or AAAA

--dialWithIP4="": When the current machine establishes a network connection to the outside IPv4, both TCP and UDP, it is used to specify the IPv4 used

--dialWithIP6="": When the current machine establishes a network connection to the outside IPv6, both TCP and UDP, it is used to specify the IPv6 used

--dialWithNIC="": When the current machine establishes a network connection to the outside, both TCP and UDP, it is used to specify the NIC used

--dialWithSocks5="": When the current machine establishes a network connection to the outside, both TCP and UDP, with your socks5 proxy, such as 127.0.0.1:1081

--dialWithSocks5Password="": If there is

--dialWithSocks5TCPTimeout="": time (s) (default: 0)

--dialWithSocks5UDPTimeout="": time (s) (default: 60)

--dialWithSocks5Username="": If there is

--help, -h: show help

--log="": Enable log. A valid value is file path or 'console'. If you want to debug SOCKS5 lib, set env SOCKS5_DEBUG=true

--pprof="": go http pprof listen addr, such as :6060

--prometheus="": prometheus http listen addr, such as :7070. If it is transmitted on the public network, it is recommended to use it with nico

--prometheusPath="": prometheus http path, such as /xxx. If it is transmitted on the public network, a hard-to-guess value is recommended

--tag="": Tag can be used to the process, will be append into log, such as: 'key1:value1'

--version, -v: print the version

COMMANDS

server

Run as brook server, both TCP and UDP

--blockCIDR4List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr4.txt

--blockCIDR6List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr6.txt

--blockDomainList="": One domain per line, suffix match mode. https://, http:// or local file absolute path. Like: https://txthinking.github.io/bypass/example_domain.txt

--blockGeoIP="": Block IP by Geo country code, such as US

--listen, -l="": Listen address, like: ':9999'

--password, -p="": Server password

--tcpTimeout="": time (s) (default: 0)

--udpTimeout="": time (s) (default: 60)

--updateListInterval="": Update list interval, second. default 0, only read one time on start (default: 0)

client

Run as brook client, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook client <-> $ brook server <-> dst]

--http="": Where to listen for HTTP proxy connections

--password, -p="": Brook server password

--server, -s="": Brook server address, like: 1.2.3.4:9999

--socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

--socks5ServerIP="": Only if your socks5 server IP is different from listen IP

--tcpTimeout="": time (s) (default: 0)

--udpTimeout="": time (s) (default: 60)

--udpovertcp: UDP over TCP

wsserver

Run as brook wsserver, both TCP and UDP, it will start a standard http server and websocket server

--blockCIDR4List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr4.txt

--blockCIDR6List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr6.txt

--blockDomainList="": One domain per line, suffix match mode. https://, http:// or local file absolute path. Like: https://txthinking.github.io/bypass/example_domain.txt

--blockGeoIP="": Block IP by Geo country code, such as US

--listen, -l="": Listen address, like: ':80'

--password, -p="": Server password

--path="": URL path (default: /ws)

--tcpTimeout="": time (s) (default: 0)

--udpTimeout="": time (s) (default: 60)

--updateListInterval="": Update list interval, second. default 0, only read one time on start (default: 0)

--withoutBrookProtocol: The data will not be encrypted with brook protocol

wsclient

Run as brook wsclient, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook wsclient <-> $ brook wsserver <-> dst]

--address="": Specify address instead of resolving addresses from host, such as 1.2.3.4:443

--http="": Where to listen for HTTP proxy connections

--password, -p="": Brook wsserver password

--socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

--socks5ServerIP="": Only if your socks5 server IP is different from listen IP

--tcpTimeout="": time (s) (default: 0)

--udpTimeout="": time (s) (default: 60)

--withoutBrookProtocol: The data will not be encrypted with brook protocol

--wsserver, -s="": Brook wsserver address, like: ws://1.2.3.4:80, if no path then /ws will be used. Do not omit the port under any circumstances

wssserver

Run as brook wssserver, both TCP and UDP, it will start a standard https server and websocket server

--blockCIDR4List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr4.txt

--blockCIDR6List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr6.txt

--blockDomainList="": One domain per line, suffix match mode. https://, http:// or local file absolute path. Like: https://txthinking.github.io/bypass/example_domain.txt

--blockGeoIP="": Block IP by Geo country code, such as US

--cert="": The cert file absolute path for the domain, such as /path/to/cert.pem. If cert or certkey is empty, a certificate will be issued automatically

--certkey="": The cert key file absolute path for the domain, such as /path/to/certkey.pem. If cert or certkey is empty, a certificate will be issued automatically

--domainaddress="": Such as: domain.com:443. If you choose to automatically issue certificates, the domain must have been resolved to the server IP and 80 port also will be used

--password, -p="": Server password

--path="": URL path (default: /ws)

--tcpTimeout="": time (s) (default: 0)

--udpTimeout="": time (s) (default: 60)

--updateListInterval="": Update list interval, second. default 0, only read one time on start (default: 0)

--withoutBrookProtocol: The data will not be encrypted with brook protocol

wssclient

Run as brook wssclient, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook wssclient <-> $ brook wssserver <-> dst]

--address="": Specify address instead of resolving addresses from host, such as 1.2.3.4:443

--ca="": When server is brook wssserver, specify ca instead of insecure, such as /path/to/ca.pem

--http="": Where to listen for HTTP proxy connections

--insecure: Client do not verify the server's certificate chain and host name

--password, -p="": Brook wssserver password

--socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

--socks5ServerIP="": Only if your socks5 server IP is different from listen IP

--tcpTimeout="": time (s) (default: 0)

--tlsfingerprint="": When server is brook wssserver, select tls fingerprint, value can be: chrome

--udpTimeout="": time (s) (default: 60)

--withoutBrookProtocol: The data will not be encrypted with brook protocol

--wssserver, -s="": Brook wssserver address, like: wss://google.com:443, if no path then /ws will be used. Do not omit the port under any circumstances

quicserver

Run as brook quicserver, both TCP and UDP

--blockCIDR4List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr4.txt

--blockCIDR6List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr6.txt

--blockDomainList="": One domain per line, suffix match mode. https://, http:// or local file absolute path. Like: https://txthinking.github.io/bypass/example_domain.txt

--blockGeoIP="": Block IP by Geo country code, such as US

--cert="": The cert file absolute path for the domain, such as /path/to/cert.pem. If cert or certkey is empty, a certificate will be issued automatically

--certkey="": The cert key file absolute path for the domain, such as /path/to/certkey.pem. If cert or certkey is empty, a certificate will be issued automatically

--domainaddress="": Such as: domain.com:443. If you choose to automatically issue certificates, the domain must have been resolved to the server IP and 80 port also will be used

--password, -p="": Server password

--tcpTimeout="": time (s) (default: 0)

--udpTimeout="": time (s) (default: 60)

--updateListInterval="": Update list interval, second. default 0, only read one time on start (default: 0)

--withoutBrookProtocol: The data will not be encrypted with brook protocol

quicclient

Run as brook quicclient, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook quicclient <-> $ brook quicserver <-> dst]. (Note that the global dial parameter is ignored now)

--address="": Specify address instead of resolving addresses from host, such as 1.2.3.4:443

--ca="": Specify ca instead of insecure, such as /path/to/ca.pem

--http="": Where to listen for HTTP proxy connections

--insecure: Client do not verify the server's certificate chain and host name

--password, -p="": Brook quicserver password

--quicserver, -s="": Brook quicserver address, like: quic://google.com:443. Do not omit the port under any circumstances

--socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

--socks5ServerIP="": Only if your socks5 server IP is different from listen IP

--tcpTimeout="": time (s) (default: 0)

--udpTimeout="": time (s) (default: 60)

--withoutBrookProtocol: The data will not be encrypted with brook protocol

relayoverbrook

Run as relay over brook, both TCP and UDP, this means access [from address] is equal to [to address], [src <-> from address <-> $ brook server/wsserver/wssserver/quicserver <-> to address]

--address="": When server is brook wsserver or brook wssserver or brook quicserver, specify address instead of resolving addresses from host, such as 1.2.3.4:443

--ca="": When server is brook wssserver or brook quicserver, specify ca instead of insecure, such as /path/to/ca.pem

--from, -f, -l="": Listen address: like ':9999'

--insecure: When server is brook wssserver or brook quicserver, client do not verify the server's certificate chain and host name

--password, -p="": Password

--server, -s="": brook server or brook wsserver or brook wssserver or brook quicserver, like: 1.2.3.4:9999, ws://1.2.3.4:9999, wss://domain:443/ws, quic://domain.com:443

--tcpTimeout="": time (s) (default: 0)

--tlsfingerprint="": When server is brook wssserver, select tls fingerprint, value can be: chrome

--to, -t="": Address which relay to, like: 1.2.3.4:9999

--udpTimeout="": time (s) (default: 60)

--udpovertcp: When server is brook server, UDP over TCP

--withoutBrookProtocol: When server is brook wsserver or brook wssserver or brook quicserver, the data will not be encrypted with brook protocol

dnsserveroverbrook

Run as dns server over brook, both TCP and UDP, [src <-> $ brook dnserversoverbrook <-> $ brook server/wsserver/wssserver/quicserver <-> dns] or [src <-> $ brook dnsserveroverbrook <-> dnsForBypass]

--address="": When server is brook wsserver or brook wssserver or brook quicserver, specify address instead of resolving addresses from host, such as 1.2.3.4:443

--blockDomainList="": One domain per line, suffix match mode. https://, http:// or local absolute file path. Like: https://txthinking.github.io/bypass/example_domain.txt

--bypassDomainList="": One domain per line, suffix match mode. https://, http:// or local absolute file path. Like: https://txthinking.github.io/bypass/example_domain.txt

--ca="": When server is brook wssserver or brook quicserver, specify ca instead of insecure, such as /path/to/ca.pem

--disableA: Disable A query

--disableAAAA: Disable AAAA query

--dns="": DNS server for resolving domains NOT in list (default: 8.8.8.8:53)

--dnsForBypass="": DNS server for resolving domains in bypass list. Such as 223.5.5.5:53 or https://dns.alidns.com/dns-query?address=223.5.5.5:443, the address is required (default: 223.5.5.5:53)

--insecure: When server is brook wssserver or brook quicserver, client do not verify the server's certificate chain and host name

--listen, -l="": Listen address, like: 127.0.0.1:53

--password, -p="": Password

--server, -s="": brook server or brook wsserver or brook wssserver or brook quicserver, like: 1.2.3.4:9999, ws://1.2.3.4:9999, wss://domain.com:443/ws, quic://domain.com:443

--tcpTimeout="": time (s) (default: 0)

--tlsfingerprint="": When server is brook wssserver, select tls fingerprint, value can be: chrome

--udpTimeout="": time (s) (default: 60)

--udpovertcp: When server is brook server, UDP over TCP

--withoutBrookProtocol: When server is brook wsserver or brook wssserver or brook quicserver, the data will not be encrypted with brook protocol

tproxy

Run as transparent proxy, a router gateway, both TCP and UDP, only works on Linux, [src <-> $ brook tproxy <-> $ brook server/wsserver/wssserver/quicserver <-> dst]

--address="": When server is brook wsserver or brook wssserver or brook quicserver, specify address instead of resolving addresses from host, such as 1.2.3.4:443

--blockDomainList="": One domain per line, Suffix match mode. https://, http:// or local file absolute path. Like: https://txthinking.github.io/bypass/example_domain.txt

--bypassCIDR4List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr4.txt

--bypassCIDR6List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr6.txt

--bypassDomainList="": One domain per line, Suffix match mode. https://, http:// or local file absolute path. Like: https://txthinking.github.io/bypass/example_domain.txt

--bypassGeoIP="": Bypass IP by Geo country code, such as US

--ca="": When server is brook wssserver or brook quicserver, specify ca instead of insecure, such as /path/to/ca.pem

--disableA: Disable A query

--disableAAAA: Disable AAAA query

--dnsForBypass="": DNS server for resolving domains in bypass list. Such as 223.5.5.5:53 or https://dns.alidns.com/dns-query?address=223.5.5.5:443, the address is required (default: 223.5.5.5:53)

--dnsForDefault="": DNS server for resolving domains NOT in list (default: 8.8.8.8:53)

--dnsListen="": Start a DNS server, like: ':53'. MUST contain IP, like '192.168.1.1:53', if you expect your gateway to accept requests from clients to other public DNS servers at the same time

--doNotRunScripts: This will not change iptables and others if you want to do by yourself

--insecure: When server is brook wssserver or brook quicserver, client do not verify the server's certificate chain and host name

--link="": brook link. This will ignore server, password, udpovertcp, address, insecure, withoutBrookProtocol, ca

--listen, -l="": Listen address, DO NOT contain IP, just like: ':8888'. No need to operate iptables by default! (default: :8888)

--password, -p="": Password

--redirectDNS="": It is usually the value of dnsListen. If the client has set custom DNS instead of dnsListen, this parameter can be intercepted and forwarded to dnsListen. Usually you don't need to set this, only if you want to control it instead of being proxied directly as normal UDP data.

--server, -s="": brook server or brook wsserver or brook wssserver or brook quicserver, like: 1.2.3.4:9999, ws://1.2.3.4:9999, wss://domain.com:443/ws, quic://domain.com:443

--tcpTimeout="": time (s) (default: 0)

--tlsfingerprint="": When server is brook wssserver, select tls fingerprint, value can be: chrome

--udpTimeout="": time (s) (default: 60)

--udpovertcp: When server is brook server, UDP over TCP

--webListen="": Ignore all other parameters, run web UI, like: ':9999'

--withoutBrookProtocol: When server is brook wsserver or brook wssserver or brook quicserver, the data will not be encrypted with brook protocol

link

Generate brook link

--address="": When server is brook wsserver or brook wssserver or brook quicserver, specify address instead of resolving addresses from host, such as 1.2.3.4:443

--ca="": When server is brook wssserver or brook quicserver, specify ca for untrusted cert, such as /path/to/ca.pem

--insecure: When server is brook wssserver or brook quicserver, client do not verify the server's certificate chain and host name

--name="": Give this server a name

--password, -p="": Password

--server, -s="": Support brook server, brook wsserver, brook wssserver, socks5 server, brook quicserver. Like: 1.2.3.4:9999, ws://1.2.3.4:9999, wss://google.com:443/ws, socks5://1.2.3.4:1080, quic://google.com:443

--tlsfingerprint="": When server is brook wssserver, select tls fingerprint, value can be: chrome

--udpovertcp: When server is brook server, UDP over TCP

--username, -u="": Username, when server is socks5 server

--withoutBrookProtocol: When server is brook wsserver or brook wssserver or brook quicserver, the data will not be encrypted with brook protocol

connect

Run as client and connect to brook link, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook connect <-> $ brook server/wsserver/wssserver/quicserver <-> dst]

--http="": Where to listen for HTTP proxy connections

--link, -l="": brook link, you can get it via $ brook link

--socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

--socks5ServerIP="": Only if your socks5 server IP is different from listen IP

--tcpTimeout="": time (s) (default: 0)

--udpTimeout="": time (s) (default: 60)

relay

Run as standalone relay, both TCP and UDP, this means access [from address] is equal to access [to address], [src <-> from address <-> to address]

--from, -f, -l="": Listen address: like ':9999'

--tcpTimeout="": time (s) (default: 0)

--to, -t="": Address which relay to, like: 1.2.3.4:9999

--udpTimeout="": time (s) (default: 60)

dnsserver

Run as standalone dns server

--blockDomainList="": One domain per line, suffix match mode. https://, http:// or local absolute file path. Like: https://txthinking.github.io/bypass/example_domain.txt

--disableA: Disable A query

--disableAAAA: Disable AAAA query

--dns="": DNS server which forward to. Such as 8.8.8.8:53 or https://dns.google/dns-query?address=8.8.8.8%3A443, the address is required (default: 8.8.8.8:53)

--listen, -l="": Listen address, like: 127.0.0.1:53

--tcpTimeout="": time (s) (default: 0)

--udpTimeout="": time (s) (default: 60)

dnsclient

Send a dns query

--dns, -s="": DNS server, such as 8.8.8.8:53 (default: 8.8.8.8:53)

--domain, -d="": Domain

--short: Short for A/AAAA

--type, -t="": Type, such as A (default: A)

dohserver

Run as standalone doh server

--blockDomainList="": One domain per line, suffix match mode. https://, http:// or local absolute file path. Like: https://txthinking.github.io/bypass/example_domain.txt

--cert="": The cert file absolute path for the domain, such as /path/to/cert.pem. If cert or certkey is empty, a certificate will be issued automatically

--certkey="": The cert key file absolute path for the domain, such as /path/to/certkey.pem. If cert or certkey is empty, a certificate will be issued automatically

--disableA: Disable A query

--disableAAAA: Disable AAAA query

--dns="": DNS server which forward to. Such as 8.8.8.8:53 or https://dns.google/dns-query?address=8.8.8.8%3A443, the address is required (default: 8.8.8.8:53)

--domainaddress="": Such as: domain.com:443, if you want to create a https server. If you choose to automatically issue certificates, the domain must have been resolved to the server IP and 80 port also will be used

--listen="": listen address, if you want to create a http server behind nico

--path="": URL path (default: /dns-query)

--tcpTimeout="": time (s) (default: 0)

--udpTimeout="": time (s) (default: 60)

dohclient

Send a dns query

--doh, -s="": DOH server, the address is required (default: https://dns.quad9.net/dns-query?address=9.9.9.9%3A443)

--domain, -d="": Domain

--short: Short for A/AAAA

--type, -t="": Type, such as A (default: A)

dhcpserver

Run as standalone dhcp server. Note that you need to stop other dhcp servers, if there are.

--cache="": Cache file, local absolute file path, default is $HOME/.brook.dhcpserver

--count="": IP range from the start, which you want to assign to clients (default: 100)

--dnsserver="": The dns server which you want to assign to clients, such as: 192.168.1.1 or 8.8.8.8

--gateway="": The router gateway which you want to assign to clients, such as: 192.168.1.1

--interface="": Select interface on multi interface device. Linux only

--netmask="": Subnet netmask which you want to assign to clients (default: 255.255.255.0)

--serverip="": DHCP server IP, the IP of the this machine, you shoud set a static IP to this machine before doing this, such as: 192.168.1.10

--start="": Start IP which you want to assign to clients, such as: 192.168.1.100

socks5

Run as standalone standard socks5 server, both TCP and UDP

--limitUDP: The server MAY use this information to limit access to the UDP association. This usually causes connection failures in a NAT environment, where most clients are.

--listen, -l="": Socks5 server listen address, like: :1080 or 1.2.3.4:1080

--password="": Password, optional

--socks5ServerIP="": Only if your socks5 server IP is different from listen IP

--tcpTimeout="": Connection deadline time (s) (default: 0)

--udpTimeout="": Connection deadline time (s) (default: 60)

--username="": User name, optional

socks5tohttp

Convert socks5 to http proxy, [src <-> listen address(http proxy) <-> socks5 address <-> dst]

--listen, -l="": HTTP proxy which will be create: like: 127.0.0.1:8010

--socks5, -s="": Socks5 server address, like: 127.0.0.1:1080

--socks5password="": Socks5 password, optional

--socks5username="": Socks5 username, optional

--tcpTimeout="": Connection tcp timeout (s) (default: 0)

pac

Run as PAC server or save PAC to file

--bypassDomainList, -b="": One domain per line, suffix match mode. http(s):// or local absolute file path. Like: https://txthinking.github.io/bypass/example_domain.txt

--file, -f="": Save PAC to file, this will ignore listen address

--listen, -l="": Listen address, like: 127.0.0.1:1980

--proxy, -p="": Proxy, like: 'SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT' (default: SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT)

testsocks5

Test UDP and TCP of socks5 server

--dns="": DNS server for connecting (default: 8.8.8.8:53)

--domain="": Domain for query (default: http3.ooo)

--password, -p="": Socks5 password

--socks5, -s="": Like: 127.0.0.1:1080

--username, -u="": Socks5 username

-a="": The A record of domain (default: 137.184.237.95)

testbrook

Test UDP and TCP of brook server/wsserver/wssserver/quicserver. (Note that the global dial parameter is ignored now)

--dns="": DNS server for connecting (default: 8.8.8.8:53)

--domain="": Domain for query (default: http3.ooo)

--link, -l="": brook link. Get it via $ brook link

--socks5="": Temporarily listening socks5 (default: 127.0.0.1:11080)

-a="": The A record of domain (default: 137.184.237.95)

echoserver

Echo server, echo UDP and TCP address of routes

--listen, -l="": Listen address, like: ':7777'

echoclient

Connect to echoserver, echo UDP and TCP address of routes

--server, -s="": Echo server address, such as 1.2.3.4:7777

--times="": Times of interactions (default: 1)

completion

Generate shell completions

--file, -f="": Write to file (default: brook_autocomplete)

mdpage

Generate markdown page

--file, -f="": Write to file, default print to stdout

--help, -h: show help

help, h

Shows a list of commands or help for one command

manpage

Generate man.1 page

--file, -f="": Write to file, default print to stdout. You should put to /path/to/man/man1/brook.1 on linux or /usr/local/share/man/man1/brook.1 on macos

help, h

Shows a list of commands or help for one command

GUI Documentation

Software for which this article applies

• Brook
• Brook Plus
• Shiliew
• tun2brook

Windows Proxy mode, Linux Proxy mode

This mode is very simple, will create:

• Socks5 proxy: socks5://[::1]:1080 or socks5://127.0.0.1:1080
• HTTP proxy: http://[::1]:8010 or http://127.0.0.1:8010
• PAC: http://127.0.0.1:1093/proxy.pac or http://[::1]:1093/proxy.pac based on Bypass Domain list
• Intel Mac GUI, Windows GUI set PAC to system proxy。Linux GUI can work with Socks5 Configurator
• What is socks5 and http proxy? Article and Video

iOS, Mac, Android, Windows TUN mode, Linux TUN mode

The so-called Internet connection is IP to IP connection, not domain name connection. Therefore, the domain name will be resolved into IP before deciding how to connect.

Configuration Introduction

Programmable

Brook GUI will pass different global variables to the script at different times, and the script only needs to assign the processing result to the global variable out

Introduction to incoming variables

in_brooklinks

out, ignored if not of type map

in_dnsquery

out, if it is error type will be recorded in the log. Ignored if not of type map

in_address

out, if it is error type will be recorded in the log. Ignored if not of type map

in_httprequest

out, must be set to a request or response

in_httpresponse

out, must be set to a response

Write script

Tengo Language Syntax

Library

• text: regular expressions, string conversion, and manipulation

• math: mathematical constants and functions

• times: time-related functions

• rand: random functions

• fmt: formatting functions

• json: JSON functions

• enum: Enumeration functions

• hex: hex encoding and decoding functions

• base64: base64 encoding and decoding functions

• brook: brook module

  Constants
  
  * os: string, linux/darwin/windows/ios/android. If ios app run on mac, it is ios
  * iosapponmac: bool, ios app run on mac
  
  Functions
  
  * splithostport(address string) => map/error: splits a network address of the form "host:port" to { "host": "xxx", "port": "xxx" }
  * country(ip string) => string/error: get country code from ip
  * cidrcontainsip(cidr string, ip string) => bool/error: reports whether the network includes ip
  * parseurl(url string) => map/error: parses a raw url into a map, keys: scheme/host/path/rawpath/rawquery
  * parsequery(query string) => map/error: parses a raw query into a kv map
  * map2query(kv map) => string/error: convert map{string:string} into a query string
  * bytes2ints(b bytes) => array/error: convert bytes into [int]
  * ints2bytes(ints array) => bytes/error: convert [int] into bytes
  * bytescompare(a bytes, b bytes) => int/error: returns an integer comparing two bytes lexicographically. The result will be 0 if a == b, -1 if a < b, and +1 if a > b
  * bytescontains(b bytes, sub bytes) => bool/error: reports whether sub is within b
  * byteshasprefix(s bytes, prefix bytes) => bool/error: tests whether the bytes s begins with prefix
  * byteshassuffix(s bytes, suffix bytes) => bool/error: tests whether the bytes s ends with suffix
  * bytesindex(s bytes, sep bytes) => int/error: returns the index of the first instance of sep in s, or -1 if sep is not present in s
  * byteslastindex(s bytes, sep bytes) => int/error: returns the index of the last instance of sep in s, or -1 if sep is not present in s
  * bytesreplace(s bytes, old bytes, new bytes, n int) => bytes/error: returns a copy of the s with the first n non-overlapping instances of old replaced by new. If n < 0, there is no limit on the number of replacements
  * pathescape(s string) => string/error: escapes the string so it can be safely placed inside a URL path segment, replacing special characters (including /) with %XX sequences as needed
  * pathunescape(s string) => string/error: does the inverse transformation of pathescape
  * queryescape(s string) => string/error: escapes the string so it can be safely placed inside a URL query
  * queryunescape(s string) => string/error: does the inverse transformation of queryescape
  * hexdecode(s string) => bytes/error: returns the bytes represented by the hexadecimal string s
  * hexencode(s string) => string/error: returns the hexadecimal encoding of src
  

Debug script

It is recommended to use tun2brook on desktop to debug with fmt.println

Standalone Script Example

https://github.com/txthinking/bypass

Brook Script Builder

https://modules.brook.app

Packet Capture

• Brook and mitmproxy for mobile app deep packet capture
• Brook Packet Capture on All Platform
• mitmproxy helper

Install CA

https://txthinking.github.io/ca/ca.pem

iOS

https://www.youtube.com/watch?v=HSGPC2vpDGk

Android

Android has user CA and system CA, must be installed in the system CA after ROOT

macOS

nami install mad ca.txthinking
sudo mad install --ca ~/.nami/bin/ca.pem

Windows

Open GitBash

nami install mad ca.txthinking

Then open GitBash with admin

mad install --ca ~/.nami/bin/ca.pem

Note that software such as GitBash or Firefox may not read the system CA, you can use the system Edge browser to test after installation

Apple Push Problem

To receive push, Apple Server only allows Ethernet, cellular data, Wi-Fi connections. So you need to Bypass the relevant domain name and IP. Reference link

图形客户端文档

本文适用的软件

• Brook
• Brook Plus
• Shiliew
• tun2brook

Windows GUI proxy 模式, Linux GUI proxy 模式

这个模式比较简单，会创建:

• Socks5 代理: socks5://[::1]:1080 或 socks5://127.0.0.1:1080
• HTTP 代理: http://[::1]:8010 或 http://127.0.0.1:8010
• PAC: http://127.0.0.1:1093/proxy.pac 或 http://[::1]:1093/proxy.pac 基于 Bypass Domain 列表
• Windows GUI 同时会配置 PAC 到系统代理。Linux GUI 可以配合 Socks5 Configurator
• 什么是 socks5 和 http proxy? 文章 和 视频

iOS, Mac, Android, Windows TUN 模式, Linux TUN 模式

所谓的互联网连接，是 IP 连接 IP，不是连接域名。所以域名会被先解析成IP再决定怎么去连接。

配置介绍

Programmable

Brook GUI 会在不同时机向脚本传入不同的全局变量，脚本只需要将处理结果赋值到全局变量 out 即可

传入变量介绍

in_brooklinks

out, 如果不是 map 类型则会被忽略

in_dnsquery

out, 如果是 error 类型会被记录在日志。如果不是 map 类型则会被忽略

in_address

out, 如果是 error 类型会被记录在日志。如果不是 map 类型则会被忽略

in_httprequest

out, 必须设置为一个 request 或 response

in_httpresponse

out, 必须设置为一个 response

写脚本

Tengo Language Syntax

Library

• text: regular expressions, string conversion, and manipulation

• math: mathematical constants and functions

• times: time-related functions

• rand: random functions

• fmt: formatting functions

• json: JSON functions

• enum: Enumeration functions

• hex: hex encoding and decoding functions

• base64: base64 encoding and decoding functions

• brook: brook module

  Constants
  
  * os: string, linux/darwin/windows/ios/android. If ios app run on mac, it is ios
  * iosapponmac: bool, ios app run on mac
  
  Functions
  
  * splithostport(address string) => map/error: splits a network address of the form "host:port" to { "host": "xxx", "port": "xxx" }
  * country(ip string) => string/error: get country code from ip
  * cidrcontainsip(cidr string, ip string) => bool/error: reports whether the network includes ip
  * parseurl(url string) => map/error: parses a raw url into a map, keys: scheme/host/path/rawpath/rawquery
  * parsequery(query string) => map/error: parses a raw query into a kv map
  * map2query(kv map) => string/error: convert map{string:string} into a query string
  * bytes2ints(b bytes) => array/error: convert bytes into [int]
  * ints2bytes(ints array) => bytes/error: convert [int] into bytes
  * bytescompare(a bytes, b bytes) => int/error: returns an integer comparing two bytes lexicographically. The result will be 0 if a == b, -1 if a < b, and +1 if a > b
  * bytescontains(b bytes, sub bytes) => bool/error: reports whether sub is within b
  * byteshasprefix(s bytes, prefix bytes) => bool/error: tests whether the bytes s begins with prefix
  * byteshassuffix(s bytes, suffix bytes) => bool/error: tests whether the bytes s ends with suffix
  * bytesindex(s bytes, sep bytes) => int/error: returns the index of the first instance of sep in s, or -1 if sep is not present in s
  * byteslastindex(s bytes, sep bytes) => int/error: returns the index of the last instance of sep in s, or -1 if sep is not present in s
  * bytesreplace(s bytes, old bytes, new bytes, n int) => bytes/error: returns a copy of the s with the first n non-overlapping instances of old replaced by new. If n < 0, there is no limit on the number of replacements
  * pathescape(s string) => string/error: escapes the string so it can be safely placed inside a URL path segment, replacing special characters (including /) with %XX sequences as needed
  * pathunescape(s string) => string/error: does the inverse transformation of pathescape
  * queryescape(s string) => string/error: escapes the string so it can be safely placed inside a URL query
  * queryunescape(s string) => string/error: does the inverse transformation of queryescape
  * hexdecode(s string) => bytes/error: returns the bytes represented by the hexadecimal string s
  * hexencode(s string) => string/error: returns the hexadecimal encoding of src
  

调试脚本

建议使用 tun2brook 在电脑上fmt.println调试

独立脚本例子

https://github.com/txthinking/bypass

脚本生成器

https://modules.brook.app

抓包

• Brook 搭配 mitmproxy 进行手机 App 深度抓包
• Brook 全平台抓包
• 用 mitmproxy helper 抓包

安装 CA

https://txthinking.github.io/ca/ca.pem

iOS

https://www.youtube.com/watch?v=HSGPC2vpDGk

Android

Android 分系统 CA 和用户 CA，必须要 ROOT 后安装到系统 CA 里

macOS

nami install mad ca.txthinking
sudo mad install --ca ~/.nami/bin/ca.pem

Windows

打开 GitBash

nami install mad ca.txthinking

然后用管理员打开 GitBash

mad install --ca ~/.nami/bin/ca.pem

注意 GitBash 或 Firefox 等软件可能不读取系统 CA，安装后可以用系统 Edge 浏览器测试

Apple 推送问题

要接收推送，Apple Server 只允许 Ethernet, cellular data, Wi-Fi 连接. 所以你需要 Bypass 掉相关域名和 IP. 参考链接

Diagram 图解

overview

withoutBrookProtocol

relayoverbrook

dnsserveroverbrook

relay

dnsserver

tproxy

gui

script

Protocol

https://github.com/txthinking/brook/tree/master/protocol

Blog

https://www.txthinking.com/talks/

YouTube

https://www.youtube.com/txthinking

Telegram

https://t.me/s/txthinking_news

brook-mamanger

https://github.com/txthinking/brook-manager

nico

https://github.com/txthinking/nico

Brook Deploy

https://www.txthinking.com/deploy.html

Pastebin

https://paste.brook.app

独立脚本例子 | Standalone Script Example

https://github.com/txthinking/bypass

脚本生成器 | Brook Script Builder

https://modules.brook.app