Wiki site: v2.gost.run
Telegram discussion group: https://t.me/gogost
Google discussion group: https://groups.google.com/d/forum/go-gost
https://github.com/ginuerzh/gost/releases
git clone https://github.com/ginuerzh/gost.git
cd gost/cmd/gost
go build
docker run --rm ginuerzh/gost -V
brew install gost
sudo snap install core
sudo snap install gost
gost -L=:8080
gost -L=admin:123456@localhost:8080
gost -L=http2://:443 -L=socks5://:1080 -L=ss://aes-128-cfb:123456@:8338
gost -L=:8080 -F=192.168.1.1:8081
gost -L=:8080 -F=http://admin:[email protected]:8081
gost -L=:8080 -F=quic://192.168.1.1:6121 -F=socks5+wss://192.168.1.2:1080 -F=http2://192.168.1.3:443 ... -F=a.b.c.d:NNNN
gost will eventually forward the request to a.b.c.d:NNNN for processing through the proxy chain in the order set by -F. Each forwarding proxy can be any HTTP/HTTPS/HTTP2/SOCKS4/SOCKS5/Shadowsocks type proxy.
gost -L=tcp://:2222/192.168.1.1:22 [-F=...]
Forward data on local TCP port 2222 (through the proxy chain) to 192.168.1.1:22. When the end of the proxy chain (the last -F parameter) is an SSH forwarding channel type, gost will directly use the local port forwarding function of SSH:
gost -L=tcp://:2222/192.168.1.1:22 -F forward+ssh://:2222
gost -L=udp://:5353/192.168.1.1:53?ttl=60 [-F=...]
Forward data on local UDP port 5353 (through the proxy chain) to 192.168.1.1:53. Each forwarding channel has a timeout: if no data is exchanged within this period, the channel is closed. The timeout can be set through the ttl parameter, and the default value is 60 seconds.
Note: When forwarding UDP data, if there is a proxy chain, the end of the proxy chain (the last -F parameter) must be a gost SOCKS5 type proxy, and gost will use UDP-over-TCP for forwarding.
gost -L=rtcp://:2222/192.168.1.1:22 [-F=... -F=socks5://172.24.10.1:1080]
Forward the data on 172.24.10.1:2222 (through the proxy chain) to 192.168.1.1:22. When the end of the proxy chain (the last -F parameter) is an SSH forwarding channel type, gost will directly use the remote port forwarding function of SSH:
gost -L=rtcp://:2222/192.168.1.1:22 -F forward+ssh://:2222
gost -L=rudp://:5353/192.168.1.1:53?ttl=60 [-F=... -F=socks5://172.24.10.1:1080]
Forward the data on 172.24.10.1:5353 (through the proxy chain) to 192.168.1.1:53. Each forwarding channel has a timeout: if no data is exchanged within this period, the channel is closed. The timeout can be set through the ttl parameter, and the default value is 60 seconds.
Note: When forwarding UDP data, if there is a proxy chain, the end of the proxy chain (the last -F parameter) must be a GOST SOCKS5 type proxy, and gost will use UDP-over-TCP for forwarding.
gost's HTTP2 supports two modes:
Server:
gost -L=http2://:443
Client:
gost -L=:8080 -F=http2://server_ip:443
Server:
gost -L=h2://:443
Client:
gost -L=:8080 -F=h2://server_ip:443
gost's support for QUIC is based on the quic-go library.
Server:
gost -L=quic://:6121
Client:
gost -L=:8080 -F=quic://server_ip:6121
Note: QUIC mode can only be used as the first node of the proxy chain.
gost's support for KCP is based on the kcp-go and kcptun libraries.
Server:
gost -L=kcp://:8388
Client:
gost -L=:8080 -F=kcp://server_ip:8388
gost will automatically load the kcp.json (if it exists) configuration file in the current working directory, or you can manually specify the configuration file path through parameters:
gost -L=kcp://:8388?c=/path/to/conf/file
Note: KCP mode can only be used as the first node of the proxy chain.
gost's SSH supports two modes:
Server:
gost -L=forward+ssh://:2222
Client:
gost -L=rtcp://:1222/:22 -F=forward+ssh://server_ip:2222
Server:
gost -L=ssh://:2222
Client:
gost -L=:8080 -F=ssh://server_ip:2222?ping=60
You can set the heartbeat packet sending period through the ping parameter, in seconds. Heartbeat packets are not sent by default.
Transparent proxy based on iptables.
gost -L=redirect://:12345 -F=http2://server_ip:443
This feature was contributed by @isofew.
Server:
gost -L=obfs4://:443
When the server is running, the connection address will be printed on the console for the client to use:
obfs4://:443/?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdVh2hpIPSKH0nklv1e4f29r7jb91VIrq4q5Jw&iat-mode=0
Client:
gost -L=:8888 -F='obfs4://server_ip:443?cert=4UbQjIfjJEQHPOs8vs5sagrSXx1gfrDCGdVh2hpIPSKH0nklv1e4f29r7jb91VIrq4q5Jw&iat-mode=0'
For HTTP, TLS can be used to encrypt the entire communication process, that is, HTTPS proxy:
Server:
gost -L=https://:443
Client:
gost -L=:8080 -F=http+tls://server_ip:443
gost's HTTP2 proxy mode only supports the HTTP2 protocol using TLS encryption and does not support plaintext HTTP2 transmission.
gost's HTTP2 channel mode supports encryption (h2) and plaintext (h2c) modes.
gost supports the no-auth (0x00) and user/pass (0x02) methods of the standard SOCKS5 protocol, and adds two extension methods for data encryption: tls (0x80) and tls-auth (0x82).
Server:
gost -L=socks5://:1080
Client:
gost -L=:8080 -F=socks5://server_ip:1080
If both ends are gost (as above), the data transmission will be encrypted (negotiated using the tls or tls-auth method); otherwise standard SOCKS5 will be used for communication (no-auth or user/pass method).
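The method negotiation described above, as an added example (not gost's own code): a Go parser for the SOCKS5 client greeting that names each offered method and flags the two gost extension codes, which is what a packet inspector would key on. The type and function names and the sample bytes are constructed for illustration; the private-method range is from RFC 1928.

```go
package main

import (
	"errors"
	"fmt"
)

// Method codes: 0x00 and 0x02 are standard (RFC 1928); 0x80 and 0x82 are the
// gost extensions named in this README, inside RFC 1928's private range 0x80-0xFE.
var methodNames = map[byte]string{
	0x00: "no-auth",
	0x02: "user/pass",
	0x80: "tls (gost)",
	0x82: "tls-auth (gost)",
}

// Greeting is a decoded SOCKS5 method-selection request (VER, NMETHODS, METHODS).
type Greeting struct {
	Methods   []string
	GostExt   bool // client offered 0x80 or 0x82
	Plaintext bool // client offered a standard, unencrypted method
}

// ParseGreeting decodes the first client message of a SOCKS5 session.
func ParseGreeting(b []byte) (Greeting, error) {
	var g Greeting
	if len(b) < 2 || b[0] != 0x05 {
		return g, errors.New("not a SOCKS5 greeting")
	}
	n := int(b[1])
	if n == 0 || len(b) < 2+n {
		return g, errors.New("truncated or empty method list")
	}
	for _, m := range b[2 : 2+n] {
		name, ok := methodNames[m]
		if !ok {
			name = fmt.Sprintf("unknown(0x%02x)", m)
		}
		g.Methods = append(g.Methods, name)
		g.GostExt = g.GostExt || m == 0x80 || m == 0x82
		g.Plaintext = g.Plaintext || m == 0x00 || m == 0x02
	}
	return g, nil
}

func main() {
	g, err := ParseGreeting([]byte{0x05, 0x02, 0x80, 0x82}) // constructed sample bytes
	fmt.Printf("%+v err=%v\n", g, err)
}
```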
gost's support for shadowsocks is based on the shadowsocks-go library.
Server:
gost -L=ss://chacha20:123456@:8338
Client:
gost -L=:8080 -F=ss://chacha20:123456@server_ip:8338
Currently only the server supports UDP Relay.
Server:
gost -L=ssu://chacha20:123456@:8338
gost has a built-in TLS certificate. If you need to use other TLS certificates, there are two methods:
gost -L="http2://:443?cert=/path/to/my/cert/file&key=/path/to/my/key/file"
For the client, you can enable server certificate and domain name verification through the secure parameter:
gost -L=:8080 -F="http2://server_domain_name:443?secure=true"
For the client, you can specify the CA certificate for certificate pinning:
gost -L=:8080 -F="http2://:443?ca=ca.pem"
Certificate pinning feature contributed by @sheerun
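A review aid for the command lines in this README, as an added example (not part of gost): a Go function that inspects one -L or -F value and reports inline credentials and TLS forwarding nodes that set neither secure=true nor ca. It assumes, as the wording above implies, that the client does not verify the server certificate unless one of those parameters is given; the function name, scheme list and sample hosts are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// tlsSchemes lists TLS-carrying scheme parts that appear in this README.
var tlsSchemes = []string{"http2", "h2", "https", "tls", "wss"}

// AuditNode returns findings for one -L or -F value. isForward marks -F nodes,
// where the client is the side that verifies the server certificate.
// Assumption: verification is off unless secure=true or ca= is present.
func AuditNode(node string, isForward bool) []string {
	if !strings.Contains(node, "://") {
		node = "auto://" + node // placeholder scheme so net/url parses bare host:port
	}
	u, err := url.Parse(node)
	if err != nil {
		return []string{"unparseable node"}
	}
	var out []string
	if _, has := u.User.Password(); has {
		out = append(out, "credential embedded in command line")
	}
	usesTLS := false
	for _, part := range strings.Split(u.Scheme, "+") {
		for _, s := range tlsSchemes {
			usesTLS = usesTLS || part == s
		}
	}
	q := u.Query()
	if isForward && usesTLS && q.Get("secure") != "true" && q.Get("ca") == "" {
		out = append(out, "TLS node without secure=true or ca=: server certificate not verified")
	}
	return out
}

func main() {
	// Constructed inputs modelled on the flags shown in this README.
	fmt.Println(AuditNode("admin:123456@localhost:8080", false))
	fmt.Println(AuditNode("http2://server.example:443", true))
	fmt.Println(AuditNode("http2://server.example:443?secure=true", true))
}
```

Inline credentials are worth flagging because a process's arguments are visible to other local users through the process list and tend to end up in shell history.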