ospab
/
ostp
mirror of https://github.com/ospab/ostp.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: ospab:v0.3.11
Branches Tags
ospab:master
ospab:copilot/fix-check-and-test-job
ospab:v0.3.12
ospab:v0.3.11
ospab:v0.3.10
ospab:v0.3.8
ospab:v0.3.7
ospab:v0.3.6
ospab:v0.3.5
ospab:v0.3.4
ospab:v0.3.2
ospab:v0.3.1
ospab:v0.2.98
ospab:v0.2.97
ospab:v0.2.96
ospab:v0.2.95
ospab:v0.2.94
ospab:v0.2.93
ospab:v0.2.92
ospab:v0.2.91
ospab:v0.2.90
ospab:v0.2.89
ospab:v0.2.88
ospab:v0.2.87
ospab:v0.2.86
ospab:v0.2.85
ospab:v0.2.84
ospab:v0.2.83
ospab:v0.2.82
ospab:v0.2.81
ospab:v0.2.80
ospab:v0.2.79
ospab:v0.2.78
ospab:v0.2.77
ospab:v0.2.76
ospab:v0.2.75
ospab:v0.2.74
ospab:v0.2.73
ospab:v0.2.72
ospab:v0.2.71
ospab:v0.2.70
ospab:v0.2.69
ospab:v0.2.68
ospab:v0.2.67
ospab:v0.2.66
ospab:v0.2.65
ospab:v0.2.64
ospab:v0.2.63
ospab:v0.2.61
ospab:v0.2.60
ospab:v0.2.59
ospab:v0.2.58
ospab:v0.2.57
ospab:v0.2.56
ospab:v0.2.55
ospab:v0.2.54
ospab:v0.2.53
ospab:v0.2.52
ospab:v0.2.51
ospab:v0.2.50
ospab:v0.2.49
ospab:v0.2.48
ospab:v0.2.46
ospab:v0.2.45
ospab:v0.2.44
ospab:v0.2.43
ospab:v0.2.42
ospab:v0.2.41
ospab:v0.2.40
ospab:v0.2.39
ospab:v0.2.38
ospab:v0.2.37
ospab:v0.2.36
ospab:v0.2.35
ospab:v0.2.34
ospab:v0.2.33
ospab:v0.2.32
ospab:v0.2.31
ospab:v0.2.30
ospab:v0.2.29
ospab:v0.2.28
ospab:v0.2.27
ospab:v0.2.26
ospab:v0.2.25
ospab:v0.2.24
ospab:v0.2.23
ospab:v0.2.22
ospab:v0.2.21
ospab:v0.2.20
ospab:v0.2.19
ospab:v0.2.18
ospab:v0.2.17
ospab:v0.2.16
ospab:v0.2.15
ospab:v0.2.14
ospab:v0.2.13
ospab:v0.2.12
ospab:v0.2.11
ospab:v0.2.10
ospab:v0.2.9
ospab:v0.2.8
ospab:v0.2.7
ospab:v0.2.6
ospab:v0.2.5
ospab:v0.2.4
ospab:v0.2.3
ospab:v0.2.2
ospab:v0.2.1
ospab:v0.2.0
ospab:v0.1.70
ospab:v0.1.69
ospab:v0.1.68
ospab:v0.1.67
ospab:v0.1.66
ospab:v0.1.65
ospab:v0.1.64
ospab:v0.1.63
ospab:v0.1.62
ospab:v0.1.61
ospab:v0.1.60
ospab:v0.1.59
ospab:v0.1.58
ospab:v0.1.57
ospab:v0.1.56
ospab:v0.1.55
ospab:v0.1.54
ospab:v0.1.53
ospab:v0.1.52
ospab:v0.1.51
ospab:v0.1.50
ospab:v0.1.49
ospab:v0.1.48
ospab:v0.1.47
ospab:v0.1.46
ospab:v0.1.45
ospab:v0.1.44
ospab:v0.1.43
ospab:v0.1.42
ospab:v0.1.41
ospab:v0.1.40
ospab:v0.1.39
ospab:v0.1.38
ospab:v0.1.37
ospab:v0.1.36
ospab:v0.1.35
ospab:v0.1.34
ospab:v0.1.33
ospab:v0.1.32
ospab:v0.1.31
ospab:v0.1.30
ospab:v0.1.29
ospab:v0.1.28
ospab:v0.1.27
ospab:v0.1.26
ospab:v0.1.25
ospab:v0.1.24
ospab:v0.1.23
ospab:v0.1.22
ospab:v0.1.21
ospab:v0.1.20
ospab:v0.1.19
ospab:v0.1.18
ospab:v0.1.17
ospab:v0.1.16
ospab:v0.1.15
ospab:v0.1.14
ospab:v0.1.13
ospab:v0.1.12
ospab:v0.1.11
ospab:v0.1.10
ospab:v0.1.9
ospab:v0.1.7
...
compare: ospab:master
Branches Tags
ospab:master
ospab:copilot/fix-check-and-test-job
ospab:v0.3.12
ospab:v0.3.11
ospab:v0.3.10
ospab:v0.3.8
ospab:v0.3.7
ospab:v0.3.6
ospab:v0.3.5
ospab:v0.3.4
ospab:v0.3.2
ospab:v0.3.1
ospab:v0.2.98
ospab:v0.2.97
ospab:v0.2.96
ospab:v0.2.95
ospab:v0.2.94
ospab:v0.2.93
ospab:v0.2.92
ospab:v0.2.91
ospab:v0.2.90
ospab:v0.2.89
ospab:v0.2.88
ospab:v0.2.87
ospab:v0.2.86
ospab:v0.2.85
ospab:v0.2.84
ospab:v0.2.83
ospab:v0.2.82
ospab:v0.2.81
ospab:v0.2.80
ospab:v0.2.79
ospab:v0.2.78
ospab:v0.2.77
ospab:v0.2.76
ospab:v0.2.75
ospab:v0.2.74
ospab:v0.2.73
ospab:v0.2.72
ospab:v0.2.71
ospab:v0.2.70
ospab:v0.2.69
ospab:v0.2.68
ospab:v0.2.67
ospab:v0.2.66
ospab:v0.2.65
ospab:v0.2.64
ospab:v0.2.63
ospab:v0.2.61
ospab:v0.2.60
ospab:v0.2.59
ospab:v0.2.58
ospab:v0.2.57
ospab:v0.2.56
ospab:v0.2.55
ospab:v0.2.54
ospab:v0.2.53
ospab:v0.2.52
ospab:v0.2.51
ospab:v0.2.50
ospab:v0.2.49
ospab:v0.2.48
ospab:v0.2.46
ospab:v0.2.45
ospab:v0.2.44
ospab:v0.2.43
ospab:v0.2.42
ospab:v0.2.41
ospab:v0.2.40
ospab:v0.2.39
ospab:v0.2.38
ospab:v0.2.37
ospab:v0.2.36
ospab:v0.2.35
ospab:v0.2.34
ospab:v0.2.33
ospab:v0.2.32
ospab:v0.2.31
ospab:v0.2.30
ospab:v0.2.29
ospab:v0.2.28
ospab:v0.2.27
ospab:v0.2.26
ospab:v0.2.25
ospab:v0.2.24
ospab:v0.2.23
ospab:v0.2.22
ospab:v0.2.21
ospab:v0.2.20
ospab:v0.2.19
ospab:v0.2.18
ospab:v0.2.17
ospab:v0.2.16
ospab:v0.2.15
ospab:v0.2.14
ospab:v0.2.13
ospab:v0.2.12
ospab:v0.2.11
ospab:v0.2.10
ospab:v0.2.9
ospab:v0.2.8
ospab:v0.2.7
ospab:v0.2.6
ospab:v0.2.5
ospab:v0.2.4
ospab:v0.2.3
ospab:v0.2.2
ospab:v0.2.1
ospab:v0.2.0
ospab:v0.1.70
ospab:v0.1.69
ospab:v0.1.68
ospab:v0.1.67
ospab:v0.1.66
ospab:v0.1.65
ospab:v0.1.64
ospab:v0.1.63
ospab:v0.1.62
ospab:v0.1.61
ospab:v0.1.60
ospab:v0.1.59
ospab:v0.1.58
ospab:v0.1.57
ospab:v0.1.56
ospab:v0.1.55
ospab:v0.1.54
ospab:v0.1.53
ospab:v0.1.52
ospab:v0.1.51
ospab:v0.1.50
ospab:v0.1.49
ospab:v0.1.48
ospab:v0.1.47
ospab:v0.1.46
ospab:v0.1.45
ospab:v0.1.44
ospab:v0.1.43
ospab:v0.1.42
ospab:v0.1.41
ospab:v0.1.40
ospab:v0.1.39
ospab:v0.1.38
ospab:v0.1.37
ospab:v0.1.36
ospab:v0.1.35
ospab:v0.1.34
ospab:v0.1.33
ospab:v0.1.32
ospab:v0.1.31
ospab:v0.1.30
ospab:v0.1.29
ospab:v0.1.28
ospab:v0.1.27
ospab:v0.1.26
ospab:v0.1.25
ospab:v0.1.24
ospab:v0.1.23
ospab:v0.1.22
ospab:v0.1.21
ospab:v0.1.20
ospab:v0.1.19
ospab:v0.1.18
ospab:v0.1.17
ospab:v0.1.16
ospab:v0.1.15
ospab:v0.1.14
ospab:v0.1.13
ospab:v0.1.12
ospab:v0.1.11
ospab:v0.1.10
ospab:v0.1.9
ospab:v0.1.7

10 Commits
v0.3.11 ... master

Author SHA1 Message Date
ospab 6987ac5344 Fallback to server parameter for DNS resolver if not specified 2026-06-20 00:07:52 +03:00
ospab d65af355f1 Fix handshake timeouts in OSTP outbounds and remove test_parse 2026-06-19 23:57:35 +03:00
ospab 23c4d38ee4 Make --import and --url patch existing configuration instead of overwriting 2026-06-19 23:45:33 +03:00
ospab b7a31af911 Add DNS Tunneling example to client init config 2026-06-19 23:21:39 +03:00
ospab 76bf1c9a98 fix(cli): evaluate CARGO_PKG_VERSION in parse_ostp_link to prevent false migrations 2026-06-19 19:24:37 +03:00
ospab fc339b3643 feat(server): log reasons for dropped packets 2026-06-19 19:14:46 +03:00
ospab 6eb7b369a0 fix(client): wait for handshake response in dial_tcp before sending data 2026-06-19 19:06:51 +03:00
ospab 01d7d19b11 Restore Session import for Windows compatibility and fix Flutter build 2026-06-19 18:24:51 +03:00
ospab 0953b83e3c CI/CD: release version v0.3.12 2026-06-19 17:53:16 +03:00
ospab 8a0b633bb1 Fix compiler warnings and errors 2026-06-19 17:51:58 +03:00
28 changed files with 924 additions and 454 deletions
Show Stats Expand all files Collapse all files

36
Cargo.lock generated
View File

@ -388,6 +388,16 @@ version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
[[package]]
name = "clipboard-win"
version = "3.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9fdf5e01086b6be750428ba4a40619f847eb2e95756eee84b18e06e5f0b50342"
dependencies = [
"lazy-bytes-cast",
"winapi",
]
[[package]]
name = "colorchoice"
version = "1.0.5"
@ -1252,6 +1262,12 @@ version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9dbbfed4e59ba9750e15ba154fdfd9329cee16ff3df539c2666b70f58cc32105"
[[package]]
name = "lazy-bytes-cast"
version = "5.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "10257499f089cd156ad82d0a9cd57d9501fa2c989068992a97eb3c27836f206b"
[[package]]
name = "lazy_static"
version = "1.5.0"
@ -1431,16 +1447,18 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
[[package]]
name = "ostp"
version = "0.3.11"
version = "0.3.12"
dependencies = [
"anyhow",
"base64",
"clap",
"clipboard-win",
"colored",
"json_comments",
"ostp-client",
"ostp-core",
"ostp-server",
"pico-args",
"rand 0.8.5",
"reqwest",
"serde",
@ -1453,7 +1471,7 @@ dependencies = [
[[package]]
name = "ostp-client"
version = "0.3.11"
version = "0.3.12"
dependencies = [
"anyhow",
"base64",
@ -1488,7 +1506,7 @@ dependencies = [
[[package]]
name = "ostp-core"
version = "0.3.11"
version = "0.3.12"
dependencies = [
"anyhow",
"byteorder",
@ -1525,7 +1543,7 @@ dependencies = [
[[package]]
name = "ostp-server"
version = "0.3.11"
version = "0.3.12"
dependencies = [
"anyhow",
"axum",
@ -1558,7 +1576,7 @@ dependencies = [
[[package]]
name = "ostp-tun"
version = "0.3.11"
version = "0.3.12"
dependencies = [
"anyhow",
"libc",
@ -1570,7 +1588,7 @@ dependencies = [
[[package]]
name = "ostp-tun-helper"
version = "0.3.11"
version = "0.3.12"
dependencies = [
"anyhow",
"chrono",
@ -1594,6 +1612,12 @@ version = "2.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
[[package]]
name = "pico-args"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5be167a7af36ee22fe3115051bc51f6e6c7054c9348e28deb4f49bd6f705a315"
[[package]]
name = "pin-project-lite"
version = "0.2.17"

2
Cargo.toml
View File

@ -12,7 +12,7 @@ resolver = "2"
[workspace.package]
edition = "2021"
license = "BSL 1.1"
version = "0.3.11"
version = "0.3.12"
[workspace.dependencies]
anyhow = "1.0"

31
ostp-client/src/config.rs
View File

@ -50,6 +50,8 @@ pub enum InboundConfig {
protocol: String, // "socks" or "http"
listen: String,
port: u16,
#[serde(default)]
set_system_proxy: bool,
},
}
@ -172,18 +174,15 @@ impl ClientConfig {
.with_context(|| format!("failed to parse JSON from {}", path.display()))?;
let (migrated_json, was_migrated) = Self::migrate_json(raw_json);
if was_migrated {
tracing::info!("Config was migrated to v0.3.1. Saving to {}", path.display());
let serialized = serde_json::to_string_pretty(&migrated_json)?;
let header = "// OSTP Configuration v0.3.1\n// DO NOT EDIT THIS COMMENT - Migrator relies on it\n";
let final_content = format!("{}{}", header, serialized);
std::fs::write(&path, final_content)
.with_context(|| format!("failed to save migrated config to {}", path.display()))?;
tracing::warn!(
"Config at {} is in an outdated format. Run 'ostp --migrate' to upgrade it.",
path.display()
);
}
let config: ClientConfig = serde_json::from_value(migrated_json)
.with_context(|| format!("failed to deserialize migrated config from {}", path.display()))?;
.with_context(|| format!("failed to deserialize config from {}", path.display()))?;
Ok(config)
}
@ -191,8 +190,20 @@ impl ClientConfig {
/// Migrates old monolithic JSON to the new modular format.
/// Returns the migrated JSON value and a boolean indicating if a migration occurred.
pub fn migrate_json(json: serde_json::Value) -> (serde_json::Value, bool) {
let is_migrated = json.get("version").and_then(|v| v.as_str()) == Some(env!("CARGO_PKG_VERSION"));
if is_migrated {
// Consider the config already migrated if:
// 1. Version matches exactly, OR
// 2. The JSON already has the new modular format (inbounds + outbounds arrays)
let has_version = json.get("version").and_then(|v| v.as_str()) == Some(env!("CARGO_PKG_VERSION"));
let has_new_format = json.get("inbounds").and_then(|v| v.as_array()).is_some()
&& json.get("outbounds").and_then(|v| v.as_array()).is_some();
if has_version || has_new_format {
// If format is already new but version is old, just bump the version
if has_new_format && !has_version {
let mut updated = json.clone();
updated["version"] = serde_json::json!(env!("CARGO_PKG_VERSION"));
return (updated, false);
}
return (json, false);
}

1
ostp-client/src/tunnel/balancer.rs
View File

@ -59,6 +59,7 @@ impl Balancer {
/// Fetches the config for a concrete outbound
pub fn get_concrete_outbound(&self, tag: &str) -> Option<&OutboundConfig> {
let resolved_tag = self.resolve_outbound(tag);
tracing::debug!("Balancer: tag '{}' resolved to '{}'", tag, resolved_tag);
self.outbounds.get(&resolved_tag)
}
}

9
ostp-client/src/tunnel/inbounds/local_proxy.rs
View File

@ -14,13 +14,20 @@ pub async fn run_socks_inbound(
outbound_manager: Arc<OutboundManager>,
mut shutdown: watch::Receiver<bool>,
) -> Result<()> {
let InboundConfig::LocalProxy { tag, protocol, listen, port } = inbound_config else {
let InboundConfig::LocalProxy { tag, protocol, listen, port, set_system_proxy } = inbound_config else {
return Err(anyhow!("Invalid config for LocalProxy inbound"));
};
let bind_addr = format!("{}:{}", listen, port);
tracing::info!("Starting {} proxy inbound on {} (tag: {})", protocol, bind_addr, tag);
let _proxy_guard = if set_system_proxy {
let proxy_host = if listen == "0.0.0.0" { "127.0.0.1" } else { &listen };
Some(crate::sysproxy::SystemProxyGuard::enable(&format!("{}:{}", proxy_host, port)))
} else {
None
};
let listener = TcpListener::bind(&bind_addr).await?;
loop {

1
ostp-client/src/tunnel/inbounds/tun.rs
View File

@ -1,6 +1,7 @@
use anyhow::{anyhow, Result};
use std::sync::Arc;
use crate::config::{ClientConfig, InboundConfig};
#[allow(unused_imports)]
use crate::tunnel::router::{Router, Session};
use crate::tunnel::outbounds::OutboundManager;
use tokio::sync::watch;

4
ostp-client/src/tunnel/outbounds/direct.rs
View File

@ -66,7 +66,7 @@ pub fn bind_socket_to_interface(socket: &tokio::net::TcpSocket, _is_ipv6: bool,
Ok(())
}
pub async fn dial_tcp(target_host: &str, target_port: u16, phys_if_idx: Option<u32>) -> Result<TcpStream> {
pub async fn dial_tcp(target_host: &str, target_port: u16, _phys_if_idx: Option<u32>) -> Result<TcpStream> {
let addrs = tokio::net::lookup_host((target_host, target_port)).await?.collect::<Vec<_>>();
if addrs.is_empty() {
return Err(anyhow!("Could not resolve target host: {}", target_host));
@ -79,7 +79,7 @@ pub async fn dial_tcp(target_host: &str, target_port: u16, phys_if_idx: Option<u
};
#[cfg(target_os = "windows")]
if let Some(idx) = phys_if_idx {
if let Some(idx) = _phys_if_idx {
if let Err(e) = bind_socket_to_interface(&socket, target_addr.is_ipv6(), idx) {
tracing::warn!("DIRECT: Failed to bind to physical interface {}: {}", idx, e);
}

6
ostp-client/src/tunnel/outbounds/mod.rs
View File

@ -11,7 +11,7 @@ pub mod socks;
pub struct OutboundManager {
balancer: Arc<Balancer>,
phys_if_index: Option<u32>,
phys_if_name: Option<String>,
_phys_if_name: Option<String>,
}
impl OutboundManager {
@ -23,7 +23,7 @@ impl OutboundManager {
Self {
balancer,
phys_if_index,
phys_if_name,
_phys_if_name: phys_if_name,
}
}
@ -39,7 +39,7 @@ impl OutboundManager {
block::dial_tcp(target_host, target_port).await
}
OutboundConfig::Ostp { server, port, access_key, transport, multiplex, .. } => {
ostp::dial_tcp(server, *port, access_key, transport, multiplex).await
ostp::dial_tcp(target_host, target_port, server, *port, access_key, transport, multiplex).await
}
OutboundConfig::Socks { server, port, .. } => {
socks::dial_tcp(target_host, target_port, server, *port).await

179
ostp-client/src/tunnel/outbounds/ostp.rs
View File

@ -63,12 +63,15 @@ fn random_session_id() -> u32 {
}
pub async fn dial_tcp(
target_host: &str,
target_port: u16,
server: &str,
port: u16,
access_key: &str,
transport_cfg: &TransportConfig,
_multiplex: &MultiplexConfig,
) -> Result<TcpStream> {
tracing::info!("Dialing OSTP server {}:{} for target {}:{}", server, port, target_host, target_port);
let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await?;
let local_addr = listener.local_addr()?;
let client_stream = tokio::net::TcpStream::connect(local_addr).await?;
@ -80,12 +83,103 @@ pub async fn dial_tcp(
let config = make_initiator_config(session_id, access_key, transport_cfg);
let mut machine = ProtocolMachine::new(config).unwrap();
// Spawn bridge task
tokio::spawn(async move {
// Send initial handshake
if let Ok(action) = machine.on_event(OstpEvent::Start) {
let target_host_str = target_host.to_string();
let server_str = server.to_string();
// Spawn bridge task
tokio::spawn(async move {
// Send initial handshake
if let Ok(action) = machine.on_event(OstpEvent::Start) {
handle_action(action, &transport, &mut server_stream).await;
}
// Wait for handshake response (server sends HandshakePayload back)
let mut buf = [0u8; 8192];
let mut handshake_success = false;
match tokio::time::timeout(
std::time::Duration::from_millis(15000),
transport.recv(&mut buf),
).await {
Ok(Ok(n)) => {
if let Ok(action) = machine.on_event(OstpEvent::Inbound(bytes::Bytes::copy_from_slice(&buf[..n]))) {
handle_action(action, &transport, &mut server_stream).await;
handshake_success = true;
}
}
_ => {
tracing::warn!("OSTP handshake timeout for {}:{}", server_str, port);
return;
}
}
if !handshake_success {
tracing::warn!("TCP handshake failed or protocol machine error");
return;
}
// Send connection request
let connect_msg = ostp_core::relay::RelayMessage::Connect(format!("{}:{}", target_host_str, target_port));
let connect_encoded = connect_msg.encode();
if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::from(connect_encoded))) {
handle_action(action, &transport, &mut server_stream).await;
}
// ── Wait for ConnectOk before forwarding any data ─────────────────
// This is critical: if we enter the data loop immediately, the TLS
// ClientHello arrives at the server before it has established the
// outbound TCP connection, causing it to drop the packet as
// "Relay DATA for unknown stream".
// The kernel will buffer incoming data from server_stream while we wait.
let mut connect_ok = false;
match tokio::time::timeout(
std::time::Duration::from_secs(30),
async {
let mut wait_buf = [0u8; 8192];
loop {
tokio::select! {
Ok(n) = transport.recv(&mut wait_buf) => {
if let Ok(action) = machine.on_event(OstpEvent::Inbound(
bytes::Bytes::copy_from_slice(&wait_buf[..n]),
)) {
// Check for ConnectOk or Error before dispatching
let result = check_connect_result(&action);
handle_action(action, &transport, &mut server_stream).await;
match result {
Some(true) => return true,
Some(false) => return false,
None => {}
}
}
}
_ = tokio::time::sleep(std::time::Duration::from_millis(10)) => {
if let Ok(action) = machine.on_event(OstpEvent::Tick) {
handle_action(action, &transport, &mut server_stream).await;
}
}
}
}
},
)
.await
{
Ok(true) => {
tracing::debug!("ConnectOk received for {}:{}, starting data forwarding", target_host_str, target_port);
connect_ok = true;
}
Ok(false) => {
tracing::warn!("Server refused connection to {}:{}", target_host_str, target_port);
}
Err(_) => {
tracing::warn!("ConnectOk timeout for {}:{}", target_host_str, target_port);
}
}
if !connect_ok {
return;
}
// ── Main bidirectional data forwarding loop ───────────────────────
let mut buf = [0u8; 65535];
let mut udp_buf = [0u8; 65535];
@ -93,7 +187,9 @@ pub async fn dial_tcp(
tokio::select! {
Ok(n) = server_stream.read(&mut buf) => {
if n == 0 { break; }
if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::copy_from_slice(&buf[..n]))) {
let data_msg = ostp_core::relay::RelayMessage::Data(buf[..n].to_vec());
let encoded = data_msg.encode();
if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::from(encoded))) {
handle_action(action, &transport, &mut server_stream).await;
}
}
@ -111,6 +207,7 @@ pub async fn dial_tcp(
}
});
Ok(client_stream)
}
@ -150,28 +247,29 @@ pub async fn handle_udp(
// Wait for handshake response (server sends HandshakePayload back)
let mut buf = [0u8; 8192];
match tokio::time::timeout(
std::time::Duration::from_millis(2000),
std::time::Duration::from_millis(15000),
transport.recv(&mut buf),
).await {
Ok(Ok(n)) => {
let _ = machine.on_event(OstpEvent::Inbound(bytes::Bytes::copy_from_slice(&buf[..n])));
}
_ => {
tracing::warn!("UDP handshake timeout for {}:{}", server, port);
tracing::warn!("OSTP handshake timeout for {}:{}", server, port);
return Ok(());
}
}
// Send relay connect + data
let relay_msg = ostp_core::relay::RelayMessage::Connect(
format!("{}:{}", target_dst.ip(), target_dst.port())
);
let encoded = relay_msg.encode();
// Send relay UdpAssociate + data
let assoc_msg = ostp_core::relay::RelayMessage::UdpAssociate;
let encoded = assoc_msg.encode();
if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::from(encoded))) {
handle_udp_action(action, &transport).await;
}
let data_msg = ostp_core::relay::RelayMessage::Data(payload.to_vec());
let data_msg = ostp_core::relay::RelayMessage::UdpData(
format!("{}:{}", target_dst.ip(), target_dst.port()),
payload.to_vec()
);
let encoded = data_msg.encode();
if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::from(encoded))) {
handle_udp_action(action, &transport).await;
@ -184,7 +282,10 @@ pub async fn handle_udp(
transport.recv(&mut buf),
).await {
Ok(Ok(n)) => {
let _ = machine.on_event(OstpEvent::Inbound(bytes::Bytes::copy_from_slice(&buf[..n])));
if let Ok(action) = machine.on_event(OstpEvent::Inbound(bytes::Bytes::copy_from_slice(&buf[..n]))) {
// Just process incoming UDP response internally
let _ = action;
}
}
_ => break,
}
@ -203,7 +304,7 @@ async fn make_transport(
let domain = transport_cfg.domain.clone()
.unwrap_or_else(|| "tunnel.example.com".to_string());
let resolver = transport_cfg.resolver.clone()
.unwrap_or_else(|| "8.8.8.8".to_string());
.unwrap_or_else(|| server.to_string());
let transport = crate::transport::dns::start_dns_transport(domain, resolver, transport_cfg.pubkey.clone()).await
.map_err(|e| anyhow::anyhow!(e))?;
Ok(transport)
@ -238,17 +339,53 @@ async fn handle_action(action: ProtocolAction, transport: &crate::transport::Tra
let _ = transport.send(&data).await;
}
ProtocolAction::DeliverApp(_stream_id, payload) => {
let _ = server_stream.write_all(&payload).await;
if let Ok(msg) = ostp_core::relay::RelayMessage::decode(&payload) {
match msg {
ostp_core::relay::RelayMessage::Data(data) => {
let _ = server_stream.write_all(&data).await;
}
ostp_core::relay::RelayMessage::ConnectOk => {
tracing::debug!("TCP Connection established successfully");
}
ostp_core::relay::RelayMessage::Error(err) => {
tracing::warn!("Server returned TCP connection error: {}", err);
}
_ => {}
}
}
}
ProtocolAction::Multiple(actions) => {
for a in actions {
match a {
ProtocolAction::SendDatagram(data) => { let _ = transport.send(&data).await; }
ProtocolAction::DeliverApp(_stream_id, payload) => { let _ = server_stream.write_all(&payload).await; }
_ => {}
}
Box::pin(handle_action(a, transport, server_stream)).await;
}
}
_ => {}
}
}
/// Inspect a ProtocolAction for ConnectOk / Error relay messages.
/// Returns Some(true) on ConnectOk, Some(false) on Error, None if neither.
/// Works recursively through Multiple actions.
fn check_connect_result(action: &ProtocolAction) -> Option<bool> {
match action {
ProtocolAction::DeliverApp(_stream_id, payload) => {
if let Ok(msg) = ostp_core::relay::RelayMessage::decode(payload) {
match msg {
ostp_core::relay::RelayMessage::ConnectOk => return Some(true),
ostp_core::relay::RelayMessage::Error(_) => return Some(false),
_ => {}
}
}
None
}
ProtocolAction::Multiple(actions) => {
for a in actions {
if let Some(result) = check_connect_result(a) {
return Some(result);
}
}
None
}
_ => None,
}
}

6
ostp-client/src/tunnel/process_lookup.rs
View File

@ -126,7 +126,6 @@ pub fn get_process_name_from_port(port: u16) -> Option<String> {
use std::fs;
use std::io::{BufRead, BufReader};
let mut target_inode = None;
let hex_port = format!("{:04X}", port);
let check_net_file = |path: &str| -> Option<u64> {
@ -146,12 +145,11 @@ pub fn get_process_name_from_port(port: u16) -> Option<String> {
None
};
target_inode = check_net_file("/proc/net/tcp")
let target_inode = check_net_file("/proc/net/tcp")
.or_else(|| check_net_file("/proc/net/tcp6"))
.or_else(|| check_net_file("/proc/net/udp"))
.or_else(|| check_net_file("/proc/net/udp6"));
.or_else(|| check_net_file("/proc/net/udp6"))?;
let target_inode = target_inode?;
let socket_str = format!("socket:[{}]", target_inode);
for entry in fs::read_dir("/proc").ok()?.filter_map(Result::ok) {

2
ostp-core/src/dns.rs
View File

@ -1,5 +1,5 @@
use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
use std::io::{Cursor, Read, Write};
use std::io::{Cursor, Read};
const BASE32_ALPHABET: &[u8] = b"abcdefghijklmnopqrstuvwxyz234567";

44
ostp-core/src/protocol.rs
View File

@ -393,23 +393,9 @@ impl ProtocolMachine {
} else {
// Gap detected
if self.reorder_buffer.len() >= self.max_reorder_buffer {
tracing::warn!("Reorder buffer full ({}/{}), forcing gap recovery to prevent packet drops",
self.reorder_buffer.len(), self.max_reorder_buffer
tracing::warn!("Reorder buffer full ({}/{}), dropping new frame nonce={} to wait for recovery of nonce={}",
self.reorder_buffer.len(), self.max_reorder_buffer, nonce, self.expected_recv_nonce
);
if let Some(&first_buffered) = self.reorder_buffer.keys().next() {
let skipped = first_buffered.saturating_sub(self.expected_recv_nonce);
self.expected_recv_nonce = first_buffered;
self.last_recv_advance = Instant::now();
let mut delivered = 0u64;
while let Some(buffered_action) = self.reorder_buffer.remove(&self.expected_recv_nonce) {
app_actions.push(buffered_action);
self.expected_recv_nonce = self.expected_recv_nonce.saturating_add(1);
delivered += 1;
}
self.ack_pending = true;
tracing::debug!("Forced Gap recovery: skipped {} lost frames, delivered {} buffered frames", skipped, delivered);
}
}
if nonce >= self.expected_recv_nonce {
@ -533,32 +519,6 @@ impl ProtocolMachine {
fn handle_tick(&mut self) -> Result<ProtocolAction, ProtocolError> {
let mut actions = Vec::new();
// ── Gap Recovery ──────────────────────────────────────────────
// If expected_recv_nonce hasn't advanced for 500ms+ and there
// are buffered frames waiting, the sender likely evicted the lost
// frame from sent_history. Skip the gap to restore data flow.
// This trades a small amount of data loss for connection liveness.
if !self.reorder_buffer.is_empty()
&& self.last_recv_advance.elapsed() > Duration::from_millis(500)
{
if let Some(&first_buffered) = self.reorder_buffer.keys().next() {
let skipped = first_buffered.saturating_sub(self.expected_recv_nonce);
self.expected_recv_nonce = first_buffered;
self.last_recv_advance = Instant::now();
let mut delivered = 0u64;
while let Some(buffered_action) = self.reorder_buffer.remove(&self.expected_recv_nonce) {
actions.push(buffered_action);
self.expected_recv_nonce = self.expected_recv_nonce.saturating_add(1);
delivered += 1;
}
self.ack_pending = true;
tracing::debug!("Gap recovery: skipped {} lost frames, delivered {} buffered frames (reorder_buf={})",
skipped, delivered, self.reorder_buffer.len()
);
}
}
// ── Pending ACK flush ─────────────────────────────────────────
if let Some(ack_frame) = self.build_ack_if_due()? {
actions.push(ProtocolAction::SendDatagram(ack_frame));

5
ostp-flutter/lib/ui/settings_screen.dart
View File

@ -527,8 +527,9 @@ class _SettingsScreenState extends State<SettingsScreen> {
if (_dnsDomainCtrl.text.trim().isNotEmpty) {
queryParams.add('domain=${Uri.encodeComponent(_dnsDomainCtrl.text.trim())}');
}
if (_dnsRegion != 'Global') {
queryParams.add('region=${Uri.encodeComponent(_dnsRegion)}');
final resolver = _dnsRegionCtrl.text.trim();
if (resolver.isNotEmpty && resolver != '1.1.1.1') {
queryParams.add('resolver=${Uri.encodeComponent(resolver)}');
}
if (_pbkCtrl.text.trim().isNotEmpty) {
queryParams.add('pbk=${Uri.encodeComponent(_pbkCtrl.text.trim())}');

2
ostp-flutter/pubspec.yaml
View File

@ -16,7 +16,7 @@ publish_to: 'none' # Remove this line if you wish to publish to pub.dev
# https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
# In Windows, build-name is used as the major, minor, and patch parts
# of the product and file versions while build-number is used as the build suffix.
version: 0.3.10+23
version: 0.3.12+25
environment:
sdk: ^3.11.4

6
ostp-gui/src-tauri/Cargo.lock generated
View File

@ -2665,7 +2665,7 @@ dependencies = [
[[package]]
name = "ostp-client"
version = "0.3.10"
version = "0.3.12"
dependencies = [
"anyhow",
"base64 0.22.1",
@ -2700,7 +2700,7 @@ dependencies = [
[[package]]
name = "ostp-core"
version = "0.3.10"
version = "0.3.12"
dependencies = [
"anyhow",
"byteorder",
@ -2742,7 +2742,7 @@ dependencies = [
[[package]]
name = "ostp-tun"
version = "0.3.10"
version = "0.3.12"
dependencies = [
"anyhow",
"libc",

2
ostp-gui/src-tauri/tauri.conf.json
View File

@ -1,7 +1,7 @@
{
"$schema": "https://schema.tauri.app/config/2",
"productName": "ostp-gui",
"version": "0.3.10",
"version": "0.3.12",
"identifier": "com.ospab.ostp",
"build": {
"frontendDist": "../src"

2
ostp-server/src/config.rs
View File

@ -1,5 +1,5 @@
use serde::{Deserialize, Serialize};
use crate::{api::ApiConfig, fallback::FallbackConfig, outbound::OutboundConfig, dns::DnsConfig};
use crate::{fallback::FallbackConfig, dns::DnsConfig};
#[derive(Debug, Deserialize, Serialize, Clone)]
#[serde(tag = "protocol", rename_all = "snake_case")]

38
ostp-server/src/dispatcher.rs
View File

@ -12,7 +12,7 @@ use portable_atomic::AtomicU64;
// const MAX_SESSIONS removed because dynamic limit is used
pub enum DispatchOutcome {
Unauthorized,
Unauthorized(String),
Accepted {
responses: Vec<Bytes>,
app_payloads: Vec<(u32, u16, Bytes)>, // session_id, stream_id, payload
@ -182,7 +182,7 @@ impl Dispatcher {
pub fn on_datagram(&mut self, peer: SocketAddr, packet: Bytes) -> Result<DispatchOutcome> {
if packet.len() < 4 {
return Ok(DispatchOutcome::Unauthorized);
return Ok(DispatchOutcome::Unauthorized("packet too short".to_string()));
}
let mut session_id_opt = None;
@ -239,7 +239,7 @@ impl Dispatcher {
tracing::info!("Dropping session {} for key {} (valid={}, over_limit={})",
session_id, access_key, key_valid, user_stats.is_over_limit());
self.drop_session(session_id);
return Ok(DispatchOutcome::Unauthorized);
return Ok(DispatchOutcome::Unauthorized("key invalid or over limit".to_string()));
}
}
@ -260,8 +260,7 @@ impl Dispatcher {
let action = match peer_state.machine.on_event(OstpEvent::Inbound(packet)) {
Ok(a) => a,
Err(e) => {
tracing::warn!("Protocol error for session {}: {}", session_id, e);
return Ok(DispatchOutcome::Unauthorized);
return Ok(DispatchOutcome::Unauthorized(format!("protocol error: {}", e)));
}
};
@ -303,13 +302,17 @@ impl Dispatcher {
// Not an existing session — try each registered access key's derived obfuscation key
let keys_snapshot: Vec<String> = self.access_keys.read().unwrap_or_else(|e| e.into_inner()).keys().cloned().collect();
let mut failed_trials = Vec::new();
for candidate_key in keys_snapshot {
let secrets = ostp_core::crypto::derive_all_secrets(candidate_key.as_bytes());
// Decode the session_id using this key's obfuscation
// The handshake mask is derived from the Noise payload at bytes [6..],
// so we must deobfuscate the full packet, not just the header.
if packet.len() < 7 { continue; }
if packet.len() < 7 {
failed_trials.push(format!("key {}: packet too short", candidate_key));
continue;
}
let mut trial = packet.to_vec();
ostp_core::crypto::deobfuscate_packet_inplace(&mut trial, &secrets.obfuscation_key, true);
let candidate_session_id = u32::from_be_bytes([trial[0], trial[1], trial[2], trial[3]]);
@ -331,7 +334,10 @@ impl Dispatcher {
};
let action = match machine.on_event(OstpEvent::Inbound(packet.clone())) {
Ok(a) => a,
Err(_) => continue,
Err(e) => {
failed_trials.push(format!("key {}: crypto err: {}", candidate_key, e));
continue;
}
};
if let ProtocolAction::HandshakePayload(payload, response_opt) = action {
@ -345,6 +351,7 @@ impl Dispatcher {
let sid_from_payload = u32::from_be_bytes(sid_bytes);
if sid_from_payload != candidate_session_id {
failed_trials.push(format!("key {}: sid mismatch", candidate_key));
continue;
}
@ -352,6 +359,7 @@ impl Dispatcher {
if let Ok(key_from_payload) = std::str::from_utf8(key_bytes) {
// The key embedded in the payload must match the candidate key we decoded with
if key_from_payload != candidate_key {
failed_trials.push(format!("key {}: embedded key mismatch", candidate_key));
continue;
}
@ -362,14 +370,16 @@ impl Dispatcher {
let drift = (now as i64 - ts as i64).abs();
if drift > 300 {
tracing::warn!("Handshake rejected: timestamp drift {}s exceeds 300s limit (peer={})", drift, peer);
let reason = format!("timestamp drift {}s exceeds 300s limit", drift);
tracing::warn!("Handshake rejected for {}: {}", peer, reason);
failed_trials.push(format!("key {}: {}", candidate_key, reason));
continue;
}
if !self.replay_cache.contains_key(&payload.to_vec()) {
if self.replay_cache.len() >= 50_000 {
tracing::warn!("Replay cache full (100000 entries), rejecting handshake from {}", peer);
return Ok(DispatchOutcome::Unauthorized);
return Ok(DispatchOutcome::Unauthorized("replay cache full".to_string()));
}
self.replay_cache.insert(payload.to_vec(), ts);
@ -383,7 +393,7 @@ impl Dispatcher {
// Check traffic limit before accepting
if user_stats.is_over_limit() {
tracing::warn!("User {} exceeded traffic limit, rejecting handshake from {}", candidate_key, peer);
return Ok(DispatchOutcome::Unauthorized);
return Ok(DispatchOutcome::Unauthorized("user over traffic limit".to_string()));
}
self.peer_machines.insert(candidate_session_id, PeerState {
@ -410,7 +420,13 @@ impl Dispatcher {
}
}
Ok(DispatchOutcome::Unauthorized)
let reason = if failed_trials.is_empty() {
"no valid handshake payload found".to_string()
} else {
format!("all key trials failed: {}", failed_trials.join(", "))
};
Ok(DispatchOutcome::Unauthorized(reason))
}
pub fn outbound_to_session(&mut self, session_id: u32, stream_id: u16, payload: Bytes) -> Result<Option<(Bytes, SocketAddr)>> {

13
ostp-server/src/lib.rs
View File

@ -45,7 +45,7 @@ pub(crate) enum UiEvent {
PeerSeen { peer: IpAddr },
#[allow(dead_code)] Rx { peer: IpAddr, bytes: usize },
#[allow(dead_code)] Tx { peer: IpAddr, bytes: usize },
UnauthorizedProbe { peer: IpAddr, bytes: usize },
UnauthorizedProbe { peer: IpAddr, bytes: usize, reason: String },
KeyCreated { key: String },
Log(String),
#[allow(dead_code)]
@ -328,10 +328,9 @@ pub async fn run_server(
UiEvent::KeyCreated { key } => {
tracing::info!("Access key created: {key}");
}
UiEvent::UnauthorizedProbe { peer, bytes } => {
if debug {
tracing::debug!("Unauthorized probe from {peer} ({bytes} bytes)");
}
UiEvent::UnauthorizedProbe { peer, bytes, reason } => {
// Make it a warn so it's always visible outside debug mode!
tracing::warn!("Unauthorized probe from {peer} ({bytes} bytes): {reason}");
}
UiEvent::PeerSeen { .. } => {}
_ => {}
@ -576,8 +575,8 @@ async fn handle_udp_packet(
) -> Result<()> {
let size = packet.len();
match dispatcher.on_datagram(peer, packet) {
Ok(DispatchOutcome::Unauthorized) => {
let _ = ui_event_tx.send(UiEvent::UnauthorizedProbe { peer: peer.ip(), bytes: size });
Ok(DispatchOutcome::Unauthorized(reason)) => {
let _ = ui_event_tx.send(UiEvent::UnauthorizedProbe { peer: peer.ip(), bytes: size, reason });
}
Ok(DispatchOutcome::Accepted { responses, app_payloads, peer_addr }) => {
let peer_ip = peer_addr.ip();

2
ostp-server/src/transport/dns.rs
View File

@ -6,7 +6,7 @@ use std::net::SocketAddr;
use bytes::Bytes;
use tokio::time::Duration;
use ostp_core::dns::{DnsPacket, DnsRecordType, decode_domain_to_payload, encode_payload_to_domain};
use ostp_core::dns::{DnsPacket, DnsRecordType, decode_domain_to_payload};
use crate::config::DnsTransportConfig;
use crate::UiEvent;

2
ostp-server/src/tui.rs
View File

@ -12,7 +12,7 @@ pub enum UiEvent {
PeerSeen { peer: IpAddr },
Rx { peer: IpAddr, bytes: usize },
Tx { peer: IpAddr, bytes: usize },
UnauthorizedProbe { peer: IpAddr, bytes: usize },
UnauthorizedProbe { peer: IpAddr, bytes: usize, reason: String },
KeyCreated { key: String },
Log(String),
KeyCount(usize),

10
ostp-tun/src/linux.rs
View File

@ -12,6 +12,8 @@ struct LinuxRouteGuard {
impl Drop for LinuxRouteGuard {
fn drop(&mut self) {
let _ = Command::new("ip").args(["route", "del", "0.0.0.0/1", "dev", "ostp_tun"]).output();
let _ = Command::new("ip").args(["route", "del", "128.0.0.0/1", "dev", "ostp_tun"]).output();
let _ = Command::new("ip").args(["route", "del", "default", "dev", "ostp_tun"]).output();
let _ = Command::new("ip").args(["route", "del", &format!("{}/32", self.server_ip)]).output();
for route in &self.bypass_routes {
@ -38,10 +40,6 @@ pub async fn create(opts: OstpTunOptions) -> Result<OstpTunInterface> {
.mtu(opts.mtu)
.up();
tun_cfg.platform_config(|cfg| {
cfg.packet_information(false);
});
let dev = tun::create(&tun_cfg).map_err(|e| anyhow!("Failed to create TUN device: {}", e))?;
let dev = tun::AsyncDevice::new(dev).map_err(|e| anyhow!("TUN device async failed: {}", e))?;
tracing::info!("TUN device 'ostp_tun' created.");
@ -74,7 +72,9 @@ pub async fn create(opts: OstpTunOptions) -> Result<OstpTunInterface> {
bypass_routes.push(route);
}
let _ = Command::new("ip").args(["route", "add", "default", "dev", "ostp_tun"]).output();
// Override default route gracefully by adding more specific /1 routes
let _ = Command::new("ip").args(["route", "add", "0.0.0.0/1", "dev", "ostp_tun"]).output();
let _ = Command::new("ip").args(["route", "add", "128.0.0.0/1", "dev", "ostp_tun"]).output();
if opts.kill_switch {
tracing::info!("Kill Switch: deleting original default route to prevent leakage.");

3
ostp/Cargo.toml
View File

@ -21,3 +21,6 @@ tracing-subscriber = { version = "0.3", features = ["env-filter"] }
ostp-core = { path = "../ostp-core" }
colored = "2.1"
reqwest = { version = "0.12", default-features = false, features = ["blocking", "rustls-tls"] }
pico-args = "0.5.0"
clipboard-win = "3.1.1"

2
ostp/src/dns_prober.rs
View File

@ -158,7 +158,7 @@ pub async fn run_prober(config_path: &std::path::Path) {
// Send a real OSTP ping packet encoded as a domain
let payload = b"PING";
let encoded_domain = ostp_core::dns::encode_payload_to_domain(payload, target_domain);
let encoded_domain = ostp_core::dns::encode_payload_to_domain(payload, &target_domain);
let mut rng = rand::thread_rng();

799
ostp/src/main.rs
View File

@ -80,6 +80,83 @@ struct Args {
prober: bool,
}
fn patch_existing_client_config(config_path: &std::path::Path, new_client_inner: serde_json::Value) -> serde_json::Value {
let unified_new = serde_json::to_value(UnifiedConfig {
mode: AppMode::Client(new_client_inner.clone()),
version: Some(env!("CARGO_PKG_VERSION").to_string()),
log: Some(serde_json::json!({ "level": "info" })),
}).unwrap();
if !config_path.exists() {
return unified_new;
}
let content = match std::fs::read_to_string(config_path) {
Ok(c) => c,
Err(_) => return unified_new,
};
let mut stripped = json_comments::StripComments::new(content.as_bytes());
let mut existing: serde_json::Value = match serde_json::from_reader(&mut stripped) {
Ok(v) => v,
Err(_) => return unified_new,
};
if existing.get("mode").and_then(|m| m.as_str()) != Some("client") {
return unified_new;
}
let mut new_proxy = None;
if let Some(outbounds) = new_client_inner.get("outbounds").and_then(|o| o.as_array()) {
for ob in outbounds {
if ob.get("tag").and_then(|t| t.as_str()) == Some("proxy") {
new_proxy = Some(ob.clone());
break;
}
}
}
if let Some(new_proxy) = new_proxy {
if let Some(existing_outbounds) = existing.get_mut("outbounds").and_then(|o| o.as_array_mut()) {
let mut replaced = false;
for ob in existing_outbounds.iter_mut() {
if ob.get("tag").and_then(|t| t.as_str()) == Some("proxy") {
*ob = new_proxy.clone();
replaced = true;
break;
}
}
if !replaced {
existing_outbounds.insert(0, new_proxy);
}
} else {
existing["outbounds"] = serde_json::json!([new_proxy]);
}
}
if let Some(new_inbounds) = new_client_inner.get("inbounds").and_then(|i| i.as_array()) {
for new_ib in new_inbounds {
if new_ib.get("type").and_then(|t| t.as_str()) == Some("tun") {
if let Some(auto_route) = new_ib.get("auto_route").and_then(|a| a.as_bool()) {
if auto_route {
if let Some(existing_inbounds) = existing.get_mut("inbounds").and_then(|i| i.as_array_mut()) {
for existing_ib in existing_inbounds.iter_mut() {
if existing_ib.get("type").and_then(|t| t.as_str()) == Some("tun") {
existing_ib["auto_route"] = serde_json::json!(true);
}
}
}
}
}
}
}
}
existing["version"] = serde_json::json!(env!("CARGO_PKG_VERSION"));
existing
}
fn parse_ostp_link(link: &str) -> Result<serde_json::Value> {
let parsed = url::Url::parse(link)
.map_err(|e| anyhow!("Failed to parse share link URL: {e}"))?;
@ -131,7 +208,7 @@ fn parse_ostp_link(link: &str) -> Result<serde_json::Value> {
}
Ok(serde_json::json!({
"version": "{}",
"version": env!("CARGO_PKG_VERSION"),
"log": {
"level": "info"
},
@ -286,6 +363,7 @@ impl UserConfig {
}
}
#[allow(dead_code)]
#[derive(Debug, Deserialize, Serialize)]
struct OutboundConfig {
enabled: bool,
@ -297,6 +375,7 @@ struct OutboundConfig {
default_action: Option<String>,
}
#[allow(dead_code)]
#[derive(Debug, Deserialize, Serialize)]
struct OutboundRule {
domain_suffix: Option<Vec<String>>,
@ -305,6 +384,7 @@ struct OutboundRule {
action: Option<String>,
}
#[allow(dead_code)]
#[derive(Debug, Deserialize, Serialize, Clone)]
struct TransportConfigRaw {
mode: Option<String>,
@ -360,6 +440,7 @@ impl ListenConfig {
}
}
#[allow(dead_code)]
#[derive(Debug, Deserialize, Serialize)]
struct ApiConfig {
enabled: Option<bool>,
@ -370,6 +451,7 @@ struct ApiConfig {
password_hash: Option<String>,
}
#[allow(dead_code)]
#[derive(Debug, Deserialize, Serialize)]
struct FallbackCfg {
enabled: Option<bool>,
@ -704,7 +786,7 @@ fn run_setup_wizard(config_path: &std::path::Path) -> Result<()> {
let client_json = serde_json::json!({
"mode": "client",
"version": "{}",
"version": env!("CARGO_PKG_VERSION"),
"log": {
"level": "info"
},
@ -922,7 +1004,7 @@ fn run_setup_wizard(config_path: &std::path::Path) -> Result<()> {
};
wizard_step(4, TOTAL, "Saving configuration");
let panel_bind = format!("0.0.0.0:{}", panel_port);
let _panel_bind = format!("0.0.0.0:{}", panel_port);
let server_json = serde_json::json!({
"mode": "server",
"version": "{}",
@ -1124,18 +1206,7 @@ async fn run_app() -> Result<()> {
return cmd_migrate(&args.config);
}
if args.config.exists() && !args.uninstall && !args.update {
if let Ok(config_content) = fs::read_to_string(&args.config) {
let mut stripped = json_comments::StripComments::new(config_content.as_bytes());
if let Ok(raw_json) = serde_json::from_reader::<_, serde_json::Value>(&mut stripped) {
if raw_json.get("version").and_then(|v| v.as_str()) != Some(env!("CARGO_PKG_VERSION")) {
println!("{} Outdated configuration format detected.", "[ostp]".yellow().bold());
println!("{} Please run '{}' to update your configuration to the latest modular format.", "[ostp]".yellow().bold(), "ostp --migrate".green());
std::process::exit(1);
}
}
}
}
// ── Setup wizard: explicit flag or first-time (no config) ────────
if args.setup {
@ -1230,12 +1301,8 @@ async fn run_app() -> Result<()> {
println!("{} Importing configuration from share link...", "[ostp]".cyan().bold());
let client_cfg = parse_ostp_link(&import_url)
.map_err(|e| anyhow!("Share Link Error: {e}"))?;
let unified = UnifiedConfig {
mode: AppMode::Client(client_cfg),
version: Some("0.3.1".to_string()),
log: Some(serde_json::json!({ "level": "info" })),
};
let content = serde_json::to_string_pretty(&unified)?;
let patched = patch_existing_client_config(&args.config, client_cfg);
let content = serde_json::to_string_pretty(&patched)?;
if let Some(parent) = args.config.parent() {
if !parent.as_os_str().is_empty() {
fs::create_dir_all(parent)?;
@ -1307,7 +1374,8 @@ async fn run_app() -> Result<()> {
client_cfg["log"]["level"] = serde_json::json!("debug");
}
return run_client_directly(client_cfg).await;
let patched = patch_existing_client_config(&args.config, client_cfg);
return run_client_directly(patched).await;
}
// Handle --check: validate config and exit
@ -1324,7 +1392,7 @@ async fn run_app() -> Result<()> {
AppMode::Server(s) => {
println!("{} Config OK: server mode", "[ostp]".green().bold());
let mut keys_count = 0;
let mut has_outbound = false;
let mut _has_outbound = false;
for inbound in &s.inbounds {
match inbound {
ostp_server::config::ServerInbound::Ostp { listen, port, users, fallback, .. } => {
@ -1348,7 +1416,7 @@ async fn run_app() -> Result<()> {
for ob in &s.outbounds {
if let ostp_server::config::ServerOutbound::Socks { server, port, .. } = ob {
println!(" Outbound Proxy: SOCKS5 {}:{}", server.cyan(), port.to_string().cyan());
has_outbound = true;
_has_outbound = true;
}
}
if let Some(dns) = &s.dns {
@ -1546,6 +1614,25 @@ async fn run_app() -> Result<()> {
"sessions": 1
}}
}},
{{
// DNS Tunneling connection to the remote OSTP server
// NOTE: DNS Tunneling is very slow and should be used only when UDP/TCP are blocked.
// Read the manual here: https://github.com/ospab/ostp/wiki/DNS-Tunneling
"type": "ostp",
"tag": "proxy-dns",
"server": "1.1.1.1",
"port": 53,
"access_key": "{key}",
"transport": {{
"type": "dns",
"domain": "tunnel.yourdomain.com",
"pubkey": "SERVER_PUBLIC_KEY_HERE"
}},
"multiplex": {{
"enabled": true,
"sessions": 5
}}
}},
{{
"type": "direct",
"tag": "direct"
@ -1630,29 +1717,28 @@ async fn run_app() -> Result<()> {
let mut raw_json: serde_json::Value = serde_json::from_reader(&mut stripped)
.map_err(|e| anyhow!("Failed to parse config as JSON: {}", e))?;
let is_migrated = raw_json.get("version").and_then(|v| v.as_str()) == Some(env!("CARGO_PKG_VERSION"));
if !is_migrated {
let is_server = raw_json.get("listen").is_some() || raw_json.get("access_keys").is_some();
if is_server {
raw_json["mode"] = serde_json::json!("server");
raw_json["version"] = serde_json::json!(env!("CARGO_PKG_VERSION"));
if let Some(log) = raw_json.get("log_level") {
raw_json["log"] = serde_json::json!({ "level": log.clone() });
}
} else {
let (migrated, _) = ostp_client::config::ClientConfig::migrate_json(raw_json);
raw_json = migrated;
raw_json["mode"] = serde_json::json!("client");
}
// Save migrated config back
let serialized = serde_json::to_string_pretty(&raw_json)?;
let header = "// OSTP Configuration v0.3.1\n// DO NOT EDIT THIS COMMENT - Migrator relies on it\n";
let final_content = format!("{}{}", header, serialized);
let _ = fs::write(&args.config, final_content);
println!("{} Configuration automatically migrated to v0.3.1", "[ostp]".cyan().bold());
// Hard stop if config is not in current format — user must run --migrate explicitly
{
let has_new_format = raw_json.get("inbounds").and_then(|v| v.as_array()).is_some()
&& raw_json.get("outbounds").and_then(|v| v.as_array()).is_some();
let version_ok = raw_json.get("version").and_then(|v| v.as_str()) == Some(env!("CARGO_PKG_VERSION"));
if !has_new_format {
eprintln!();
eprintln!("{} Your configuration file is in an outdated format.", "[ostp]".yellow().bold());
eprintln!("{} Run the following command to upgrade it:", "[ostp]".yellow().bold());
eprintln!();
eprintln!(" {}", "ostp --migrate".green().bold());
eprintln!();
std::process::exit(1);
}
if !version_ok {
// New format but wrong version — silently fix just the version field in memory (no write)
raw_json["version"] = serde_json::json!(env!("CARGO_PKG_VERSION"));
}
}
let config: UnifiedConfig = serde_json::from_value(raw_json)
.map_err(|e| anyhow!("Failed to parse config: {}", e))?;
@ -1944,145 +2030,528 @@ fn cmd_migrate(config_path: &std::path::Path) -> Result<()> {
let config_content = fs::read_to_string(config_path)?;
let mut stripped = json_comments::StripComments::new(config_content.as_bytes());
let mut raw_json: serde_json::Value = serde_json::from_reader(&mut stripped)
let old: serde_json::Value = serde_json::from_reader(&mut stripped)
.map_err(|e| anyhow!("Failed to parse config as JSON: {}", e))?;
let is_migrated = raw_json.get("version").and_then(|v| v.as_str()) == Some(env!("CARGO_PKG_VERSION"));
if is_migrated {
println!("{} Configuration is already up to date (v0.3.5)", "[ostp]".cyan().bold());
return Ok(());
}
// --- Determine config type ---
let mode = old.get("mode").and_then(|m| m.as_str()).unwrap_or("");
let is_server = mode == "server"
|| old.get("listen").is_some()
|| old.get("access_keys").is_some()
|| old.get("inbounds").and_then(|v| v.as_array()).map(|arr| {
arr.iter().any(|i| {
i.get("protocol").and_then(|p| p.as_str()) == Some("ostp")
|| i.get("type").and_then(|t| t.as_str()) == Some("ostp")
})
}).unwrap_or(false);
let is_relay = mode == "relay" || old.get("upstream_tcp").is_some();
let _is_client = !is_server && !is_relay;
// --- Helper: extract log level ---
let log_level = old.get("log").and_then(|l| l.get("level")).and_then(|v| v.as_str())
.or_else(|| old.get("log_level").and_then(|v| v.as_str()))
.unwrap_or("info");
// --- Backup original ---
let bak_path = config_path.with_extension("json.bak");
fs::copy(config_path, &bak_path)?;
println!("{} Original config backed up to {:?}", "[ostp]".cyan().bold(), bak_path);
let new_content: String;
let is_server = raw_json.get("listen").is_some() || raw_json.get("access_keys").is_some() || raw_json.get("mode").and_then(|m| m.as_str()) == Some("server");
if is_server {
raw_json["mode"] = serde_json::json!("server");
raw_json["version"] = serde_json::json!(env!("CARGO_PKG_VERSION"));
if let Some(log) = raw_json.get("log_level") {
raw_json["log"] = serde_json::json!({ "level": log.clone() });
}
println!("{} Detected: Server configuration", "[ostp]".cyan().bold());
let mut inbounds = Vec::new();
let mut outbounds = Vec::new();
let mut routing = serde_json::json!({
"rules": [],
"default_outbound": "direct"
});
// --- Extract server data ---
// Listen host:port
let (listen_host, listen_port) = extract_server_listen(&old);
// Migrate Ostp inbound
let listen = raw_json.get("listen").and_then(|l| l.as_str()).unwrap_or("0.0.0.0:50000");
let parts: Vec<&str> = listen.split(':').collect();
let host = parts.get(0).unwrap_or(&"0.0.0.0");
let port: u16 = parts.get(1).and_then(|p| p.parse().ok()).unwrap_or(50000);
// Access keys — support old flat list and new inbounds format
let users_json = extract_server_users(&old);
let mut users = Vec::new();
if let Some(keys) = raw_json.get("access_keys").and_then(|a| a.as_array()) {
for k in keys {
users.push(serde_json::json!({
"key": k.as_str().unwrap_or("")
}));
}
}
// Fallback
let (fallback_enabled, fallback_listen, fallback_target) = extract_server_fallback(&old);
let mut ostp_inbound = serde_json::json!({
"protocol": "ostp",
"tag": "ostp-in",
"listen": host,
"port": port,
"users": users
});
// API
let (api_listen, api_port, api_token, api_webpath, api_username, api_pass_hash) =
extract_server_api(&old);
if let Some(fallback) = raw_json.get("fallback") {
ostp_inbound["fallback"] = fallback.clone();
}
inbounds.push(ostp_inbound);
// DNS transport
let (dns_listen, dns_domain, dns_pubkey, dns_privkey) = extract_server_dns(&old);
// Migrate Api inbound
if let Some(api) = raw_json.get("api") {
let mut api_inbound = api.clone();
api_inbound["protocol"] = serde_json::json!("api");
api_inbound["tag"] = serde_json::json!("api-in");
let bind = api.get("bind").and_then(|b| b.as_str()).unwrap_or("127.0.0.1:9090");
let parts: Vec<&str> = bind.split(':').collect();
api_inbound["listen"] = serde_json::json!(parts.get(0).unwrap_or(&"127.0.0.1"));
api_inbound["port"] = serde_json::json!(parts.get(1).and_then(|p| p.parse::<u16>().ok()).unwrap_or(9090));
inbounds.push(api_inbound);
}
// Routing rules (preserve if present)
let routing_rules_str = extract_routing_rules_str(&old);
let default_outbound = old.get("routing").and_then(|r| r.get("default_outbound"))
.and_then(|v| v.as_str()).unwrap_or("direct");
// Migrate Outbound
outbounds.push(serde_json::json!({
"protocol": "direct",
"tag": "direct"
}));
outbounds.push(serde_json::json!({
"protocol": "block",
"tag": "block"
}));
let users_str = users_json.iter()
.map(|k| format!(
r#" {{
"key": "{}"
}}
"#, k))
.collect::<Vec<_>>()
.join(",\n");
let users_str = if users_str.is_empty() {
format!(r#" {{
"key": "{}"
}}
"#, generate_secure_key("hex"))
} else { users_str };
if let Some(ob) = raw_json.get("outbound") {
if ob.get("enabled").and_then(|e| e.as_bool()).unwrap_or(false) {
let tag = "socks5-legacy";
let mut socks = serde_json::json!({
"protocol": "socks5",
"tag": tag,
"server": ob.get("address").and_then(|a| a.as_str()).unwrap_or("127.0.0.1"),
"port": ob.get("port").and_then(|p| p.as_u64()).unwrap_or(9050)
});
outbounds.push(socks);
new_content = format!(r#"{{
// OSTP Server Configuration
"version": "{ver}",
"mode": "server",
"log": {{
// Log levels: trace, debug, info, warn, error
"level": "{log_level}"
}},
"inbounds": [
{{
// Primary OSTP protocol listener
"protocol": "ostp",
"tag": "ostp-in",
"listen": "{listen_host}",
"port": {listen_port},
"users": [
{users_str} ],
"fallback": {{
// Fallback protection: redirects unauthorized probes to a real website
"enabled": {fallback_enabled},
"listen": "{fallback_listen}",
"target": "{fallback_target}"
}}
}},
{{
// Web Administration API
"protocol": "api",
"tag": "api-in",
"listen": "{api_listen}",
"port": {api_port},
"token": "{api_token}",
"webpath": "{api_webpath}",
"username": "{api_username}",
"password_hash": "{api_pass_hash}"
}},
{{
// DNS Tunnel Inbound
// [WARNING] This is a last-resort transport via public DNS.
// It requires a dedicated registered domain with NS records pointing to this server.
// Full setup guide: https://github.com/ospab/ostp/wiki/DNS-Tunneling
"protocol": "dns",
"tag": "dns-tunnel",
"listen": "{dns_listen}",
"domain": "{dns_domain}",
"pubkey": "{dns_pubkey}",
"privkey": "{dns_privkey}"
}}
],
"outbounds": [
{{
// Example local SOCKS5 proxy (e.g. for Tor network)
"protocol": "socks5",
"tag": "socks5-local",
"server": "127.0.0.1",
"port": 9050
}},
{{
// Default direct internet access
"protocol": "direct",
"tag": "direct"
}},
{{
// Blackhole for blocked connections
"protocol": "block",
"tag": "block"
}}
],
"routing": {{
// Rule-based routing of client traffic
"rules": [{routing_rules}],
// If no rules match, use the default outbound
"default_outbound": "{default_outbound}"
}},
"debug": false
}}
"#,
ver = env!("CARGO_PKG_VERSION"),
log_level = log_level,
listen_host = listen_host,
listen_port = listen_port,
users_str = users_str,
fallback_enabled = fallback_enabled,
fallback_listen = fallback_listen,
fallback_target = fallback_target,
api_listen = api_listen,
api_port = api_port,
api_token = api_token,
api_webpath = api_webpath,
api_username = api_username,
api_pass_hash = api_pass_hash,
dns_listen = dns_listen,
dns_domain = dns_domain,
dns_pubkey = dns_pubkey,
dns_privkey = dns_privkey,
routing_rules = routing_rules_str,
default_outbound = default_outbound,
);
if let Some(rules) = ob.get("rules").and_then(|r| r.as_array()) {
let mut new_rules = Vec::new();
for rule in rules {
let mut new_rule = rule.clone();
new_rule["outbound"] = serde_json::json!(tag);
new_rules.push(new_rule);
}
routing["rules"] = serde_json::json!(new_rules);
}
} else if is_relay {
println!("{} Detected: Relay configuration", "[ostp]".cyan().bold());
let default_action = ob.get("default_action").and_then(|a| a.as_str()).unwrap_or("proxy");
if default_action == "proxy" {
routing["default_outbound"] = serde_json::json!(tag);
} else if default_action == "block" {
routing["default_outbound"] = serde_json::json!("block");
}
}
}
let upstream_tcp = old.get("upstream_tcp").and_then(|v| v.as_str()).unwrap_or("TARGET_SERVER_IP:50000");
let upstream_udp = old.get("upstream_udp").and_then(|v| v.as_str()).unwrap_or(upstream_tcp);
let api_url = old.get("upstream_api_url").and_then(|v| v.as_str()).unwrap_or("http://TARGET_SERVER_IP:9090");
let api_token = old.get("upstream_api_token").and_then(|v| v.as_str()).unwrap_or("");
let sync_interval = old.get("sync_interval_secs").and_then(|v| v.as_u64()).unwrap_or(30);
let listen = old.get("listen").and_then(|v| v.as_str()).unwrap_or("0.0.0.0:50000");
// DNS migrate
if let Some(dns) = raw_json.get("dns_transport") {
let mut dns_inbound = dns.clone();
dns_inbound["protocol"] = serde_json::json!("dns");
dns_inbound["tag"] = serde_json::json!("dns-tunnel");
inbounds.push(dns_inbound);
}
new_content = format!(r#"{{
// OSTP Relay Configuration
"version": "{ver}",
"mode": "relay",
"log": {{
// Log levels: trace, debug, info, warn, error
"level": "{log_level}"
}},
// Local port for the relay to listen on
"listen": "{listen}",
// Upstream server details
"upstream_tcp": "{upstream_tcp}",
"upstream_udp": "{upstream_udp}",
// Upstream Control Panel API for automatic key synchronization
"upstream_api_url": "{api_url}",
"upstream_api_token": "{api_token}",
"sync_interval_secs": {sync_interval},
"debug": false
}}
"#,
ver = env!("CARGO_PKG_VERSION"),
log_level = log_level,
listen = listen,
upstream_tcp = upstream_tcp,
upstream_udp = upstream_udp,
api_url = api_url,
api_token = api_token,
sync_interval = sync_interval,
);
raw_json["inbounds"] = serde_json::json!(inbounds);
raw_json["outbounds"] = serde_json::json!(outbounds);
raw_json["routing"] = routing;
// Remove legacy fields
let obj = raw_json.as_object_mut().unwrap();
obj.remove("listen");
obj.remove("access_keys");
obj.remove("fallback");
obj.remove("api");
obj.remove("outbound");
obj.remove("log_level");
obj.remove("dns_transport");
println!("{} Detected Server configuration.", "[ostp]".cyan().bold());
} else {
println!("{} Detected Client configuration.", "[ostp]".cyan().bold());
let (migrated, _) = ostp_client::config::ClientConfig::migrate_json(raw_json.clone());
raw_json = migrated;
raw_json["mode"] = serde_json::json!("client");
raw_json["version"] = serde_json::json!(env!("CARGO_PKG_VERSION"));
println!("{} Detected: Client configuration", "[ostp]".cyan().bold());
// Extract client data
let (server_ip, server_port, access_key, transport_type) = extract_client_server(&old);
let (socks_listen, socks_port) = extract_client_socks(&old);
let tun_enabled = extract_client_tun(&old);
let mux_enabled = old.get("mux").and_then(|m| m.get("enabled")).and_then(|v| v.as_bool())
.or_else(|| old.get("outbounds").and_then(|o| o.as_array()).and_then(|arr| {
arr.iter().find(|o| o.get("type").and_then(|t| t.as_str()) == Some("ostp"))
.and_then(|o| o.get("multiplex")).and_then(|m| m.get("enabled")).and_then(|v| v.as_bool())
}))
.unwrap_or(false);
let mux_sessions = old.get("mux").and_then(|m| m.get("sessions")).and_then(|v| v.as_u64())
.or_else(|| old.get("outbounds").and_then(|o| o.as_array()).and_then(|arr| {
arr.iter().find(|o| o.get("type").and_then(|t| t.as_str()) == Some("ostp"))
.and_then(|o| o.get("multiplex")).and_then(|m| m.get("sessions")).and_then(|v| v.as_u64())
}))
.unwrap_or(1);
let routing_rules_str = extract_routing_rules_str(&old);
let default_outbound = old.get("routing").and_then(|r| r.get("default_outbound"))
.and_then(|v| v.as_str()).unwrap_or("proxy");
let tun_block = if tun_enabled {
r#" {{
// Virtual network interface for transparent proxying
"type": "tun",
"tag": "tun-in",
"auto_route": true,
"mtu": 1140
}},
"#
} else {
r#" // Uncomment below to enable TUN (VPN) mode:
// {{ "type": "tun", "tag": "tun-in", "auto_route": true, "mtu": 1140 }},
"#
};
new_content = format!(r#"{{
// OSTP Client Configuration
"version": "{ver}",
"mode": "client",
"log": {{
"level": "{log_level}"
}},
"inbounds": [
{tun_block} {{
// Local SOCKS5 proxy server for browser configuration
"type": "local_proxy",
"tag": "socks-in",
"protocol": "socks",
"listen": "{socks_listen}",
"port": {socks_port}
}}
],
"outbounds": [
{{
// Connection to the remote OSTP server
"type": "ostp",
"tag": "proxy",
"server": "{server_ip}",
"port": {server_port},
"access_key": "{access_key}",
"transport": {{
"type": "{transport_type}"
}},
"multiplex": {{
"enabled": {mux_enabled},
"sessions": {mux_sessions}
}}
}},
{{
"type": "direct",
"tag": "direct"
}},
{{
"type": "block",
"tag": "block"
}}
],
"routing": {{
"rules": [{routing_rules}],
"default_outbound": "{default_outbound}"
}}
}}
"#,
ver = env!("CARGO_PKG_VERSION"),
log_level = log_level,
tun_block = tun_block,
socks_listen = socks_listen,
socks_port = socks_port,
server_ip = server_ip,
server_port = server_port,
access_key = access_key,
transport_type = transport_type,
mux_enabled = mux_enabled,
mux_sessions = mux_sessions,
routing_rules = routing_rules_str,
default_outbound = default_outbound,
);
}
let serialized = serde_json::to_string_pretty(&raw_json)?;
let final_content = format!("{}", serialized);
fs::write(config_path, final_content)?;
println!("{} Successfully migrated configuration to v0.3.5!", "[ostp]".green().bold());
fs::write(config_path, &new_content)?;
println!("{} Configuration successfully migrated to v{}!", "[ostp]".green().bold(), env!("CARGO_PKG_VERSION"));
println!("{} Backup saved at {:?}", "[ostp]".dimmed(), bak_path);
Ok(())
}
// ---------------------------------------------------------------------------
// Migration helper extractors
// ---------------------------------------------------------------------------
/// Extract listen host and port for server from old or new format
fn extract_server_listen(old: &serde_json::Value) -> (String, u16) {
// New format: inbounds[type=ostp].listen + port
if let Some(arr) = old.get("inbounds").and_then(|v| v.as_array()) {
for inbound in arr {
let proto = inbound.get("protocol").or(inbound.get("type")).and_then(|v| v.as_str()).unwrap_or("");
if proto == "ostp" {
let h = inbound.get("listen").and_then(|v| v.as_str()).unwrap_or("0.0.0.0").to_string();
let p = inbound.get("port").and_then(|v| v.as_u64()).unwrap_or(50000) as u16;
return (h, p);
}
}
}
// Old format: "listen": "0.0.0.0:50000"
if let Some(s) = old.get("listen").and_then(|v| v.as_str()) {
let parts: Vec<&str> = s.split(':').collect();
let h = parts.get(0).unwrap_or(&"0.0.0.0").to_string();
let p = parts.get(1).and_then(|x| x.parse().ok()).unwrap_or(50000);
return (h, p);
}
("0.0.0.0".to_string(), 50000)
}
/// Extract access keys as list of strings
fn extract_server_users(old: &serde_json::Value) -> Vec<String> {
// New format: inbounds[type=ostp].users[].key
if let Some(arr) = old.get("inbounds").and_then(|v| v.as_array()) {
for inbound in arr {
let proto = inbound.get("protocol").or(inbound.get("type")).and_then(|v| v.as_str()).unwrap_or("");
if proto == "ostp" {
if let Some(users) = inbound.get("users").and_then(|v| v.as_array()) {
return users.iter().filter_map(|u| {
u.get("key").and_then(|k| k.as_str()).map(|s| s.to_string())
.or_else(|| u.as_str().map(|s| s.to_string()))
}).collect();
}
}
}
}
// Old flat format: "access_keys": ["key1", "key2"]
if let Some(keys) = old.get("access_keys").and_then(|v| v.as_array()) {
return keys.iter().filter_map(|k| k.as_str().map(|s| s.to_string())).collect();
}
vec![]
}
/// Extract fallback config
fn extract_server_fallback(old: &serde_json::Value) -> (bool, String, String) {
// New format: inbounds[type=ostp].fallback
if let Some(arr) = old.get("inbounds").and_then(|v| v.as_array()) {
for inbound in arr {
let proto = inbound.get("protocol").or(inbound.get("type")).and_then(|v| v.as_str()).unwrap_or("");
if proto == "ostp" {
if let Some(fb) = inbound.get("fallback") {
let enabled = fb.get("enabled").and_then(|v| v.as_bool()).unwrap_or(false);
let listen = fb.get("listen").and_then(|v| v.as_str()).unwrap_or("0.0.0.0:443").to_string();
let target = fb.get("target").and_then(|v| v.as_str()).unwrap_or("127.0.0.1:8080").to_string();
return (enabled, listen, target);
}
}
}
}
// Old flat format
if let Some(fb) = old.get("fallback") {
let enabled = fb.get("enabled").and_then(|v| v.as_bool()).unwrap_or(false);
let listen = fb.get("listen").and_then(|v| v.as_str()).unwrap_or("0.0.0.0:443").to_string();
let target = fb.get("target").and_then(|v| v.as_str()).unwrap_or("127.0.0.1:8080").to_string();
return (enabled, listen, target);
}
(false, "0.0.0.0:443".to_string(), "127.0.0.1:8080".to_string())
}
/// Extract API config
fn extract_server_api(old: &serde_json::Value) -> (String, u16, String, String, String, String) {
let default_hash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855".to_string();
// New format: inbounds[protocol=api]
if let Some(arr) = old.get("inbounds").and_then(|v| v.as_array()) {
for inbound in arr {
let proto = inbound.get("protocol").or(inbound.get("type")).and_then(|v| v.as_str()).unwrap_or("");
if proto == "api" {
let listen = inbound.get("listen").and_then(|v| v.as_str()).unwrap_or("127.0.0.1").to_string();
let port = inbound.get("port").and_then(|v| v.as_u64()).unwrap_or(9090) as u16;
let token = inbound.get("token").and_then(|v| v.as_str()).unwrap_or("YOUR_SECRET_TOKEN").to_string();
let webpath = inbound.get("webpath").and_then(|v| v.as_str()).unwrap_or("/admin").to_string();
let username = inbound.get("username").and_then(|v| v.as_str()).unwrap_or("admin").to_string();
let pass = inbound.get("password_hash").and_then(|v| v.as_str()).unwrap_or(&default_hash).to_string();
return (listen, port, token, webpath, username, pass);
}
}
}
// Old format: "api": { "bind": "127.0.0.1:9090", ... }
if let Some(api) = old.get("api") {
let bind = api.get("bind").and_then(|v| v.as_str()).unwrap_or("127.0.0.1:9090");
let parts: Vec<&str> = bind.split(':').collect();
let listen = parts.get(0).unwrap_or(&"127.0.0.1").to_string();
let port = parts.get(1).and_then(|p| p.parse().ok()).unwrap_or(9090);
let token = api.get("token").and_then(|v| v.as_str()).unwrap_or("YOUR_SECRET_TOKEN").to_string();
let webpath = api.get("webpath").and_then(|v| v.as_str()).unwrap_or("/admin").to_string();
let username = api.get("username").and_then(|v| v.as_str()).unwrap_or("admin").to_string();
let pass = api.get("password_hash").and_then(|v| v.as_str()).unwrap_or(&default_hash).to_string();
return (listen, port, token, webpath, username, pass);
}
("127.0.0.1".to_string(), 9090, "YOUR_SECRET_TOKEN".to_string(), "/admin".to_string(), "admin".to_string(), default_hash)
}
/// Extract DNS transport config
fn extract_server_dns(old: &serde_json::Value) -> (String, String, String, String) {
// New format: inbounds[protocol=dns]
if let Some(arr) = old.get("inbounds").and_then(|v| v.as_array()) {
for inbound in arr {
let proto = inbound.get("protocol").or(inbound.get("type")).and_then(|v| v.as_str()).unwrap_or("");
if proto == "dns" {
let listen = inbound.get("listen").and_then(|v| v.as_str()).unwrap_or("0.0.0.0:53").to_string();
let domain = inbound.get("domain").and_then(|v| v.as_str()).unwrap_or("tunnel.example.com").to_string();
let pubkey = inbound.get("pubkey").and_then(|v| v.as_str()).unwrap_or("").to_string();
let privkey = inbound.get("privkey").and_then(|v| v.as_str()).unwrap_or("").to_string();
return (listen, domain, pubkey, privkey);
}
}
}
// Old flat format: "dns_transport": {...}
if let Some(dns) = old.get("dns_transport") {
let listen = dns.get("listen").and_then(|v| v.as_str()).unwrap_or("0.0.0.0:53").to_string();
let domain = dns.get("domain").and_then(|v| v.as_str()).unwrap_or("tunnel.example.com").to_string();
let pubkey = dns.get("pubkey").and_then(|v| v.as_str()).unwrap_or("").to_string();
let privkey = dns.get("privkey").and_then(|v| v.as_str()).unwrap_or("").to_string();
return (listen, domain, pubkey, privkey);
}
let new_pub = generate_secure_key("base64");
let new_priv = generate_secure_key("base64");
("0.0.0.0:53".to_string(), "tunnel.example.com".to_string(), new_pub, new_priv)
}
/// Extract routing rules as a formatted JSON string for embedding in template
fn extract_routing_rules_str(old: &serde_json::Value) -> String {
if let Some(rules) = old.get("routing").and_then(|r| r.get("rules")).and_then(|v| v.as_array()) {
if !rules.is_empty() {
let parts: Vec<String> = rules.iter()
.filter_map(|r| serde_json::to_string_pretty(r).ok())
.collect();
return format!("\n {}\n ", parts.join(",\n "));
}
}
String::new()
}
/// Extract client server address, port, key, transport
fn extract_client_server(old: &serde_json::Value) -> (String, u16, String, String) {
// New format: outbounds[type=ostp]
if let Some(arr) = old.get("outbounds").and_then(|v| v.as_array()) {
for ob in arr {
let t = ob.get("type").and_then(|v| v.as_str()).unwrap_or("");
if t == "ostp" {
let server = ob.get("server").and_then(|v| v.as_str()).unwrap_or("YOUR_SERVER_IP").to_string();
let port = ob.get("port").and_then(|v| v.as_u64()).unwrap_or(50000) as u16;
let key = ob.get("access_key").and_then(|v| v.as_str()).unwrap_or("").to_string();
let transport = ob.get("transport").and_then(|t| t.get("type")).and_then(|v| v.as_str()).unwrap_or("udp").to_string();
return (server, port, key, transport);
}
}
}
// Old flat format
let server_full = old.get("server").and_then(|v| v.as_str()).unwrap_or("YOUR_SERVER_IP:50000");
let parts: Vec<&str> = server_full.split(':').collect();
let server = parts.get(0).unwrap_or(&"YOUR_SERVER_IP").to_string();
let port = parts.get(1).and_then(|p| p.parse().ok()).unwrap_or(50000);
let key = old.get("access_key").and_then(|v| v.as_str()).unwrap_or("").to_string();
let transport = old.get("transport").and_then(|t| t.get("mode").or(t.get("type"))).and_then(|v| v.as_str()).unwrap_or("udp").to_string();
(server, port, key, transport)
}
/// Extract client SOCKS listen address and port
fn extract_client_socks(old: &serde_json::Value) -> (String, u16) {
// New format: inbounds[type=local_proxy]
if let Some(arr) = old.get("inbounds").and_then(|v| v.as_array()) {
for inbound in arr {
let t = inbound.get("type").and_then(|v| v.as_str()).unwrap_or("");
if t == "local_proxy" {
let listen = inbound.get("listen").and_then(|v| v.as_str()).unwrap_or("127.0.0.1").to_string();
let port = inbound.get("port").and_then(|v| v.as_u64()).unwrap_or(1088) as u16;
return (listen, port);
}
}
}
// Old flat format
let bind = old.get("socks5_bind").and_then(|v| v.as_str()).unwrap_or("127.0.0.1:1088");
let parts: Vec<&str> = bind.split(':').collect();
let listen = parts.get(0).unwrap_or(&"127.0.0.1").to_string();
let port = parts.get(1).and_then(|p| p.parse().ok()).unwrap_or(1088);
(listen, port)
}
/// Check if TUN is enabled in old config
fn extract_client_tun(old: &serde_json::Value) -> bool {
// New format: inbounds[type=tun]
if let Some(arr) = old.get("inbounds").and_then(|v| v.as_array()) {
for inbound in arr {
let t = inbound.get("type").and_then(|v| v.as_str()).unwrap_or("");
if t == "tun" {
return inbound.get("auto_route").and_then(|v| v.as_bool()).unwrap_or(true);
}
}
}
// Old flat format
old.get("tun").and_then(|t| t.get("enable")).and_then(|v| v.as_bool()).unwrap_or(false)
}

62
server.json
View File

@ -1,62 +0,0 @@
{
// OSTP Server Configuration
"mode": "server",
"log_level": "info",
// The address and port the server listens on for incoming OSTP connections.
"listen": "0.0.0.0:50000",
// List of valid keys. Clients must use one of these to connect.
"access_keys": [
"a1d8795a93553c08b4e89b017a16ca52"
],
// Optional proxy for outbound traffic.
"outbound": {
"enabled": false,
"protocol": "socks5",
"address": "127.0.0.1",
"port": 9050,
// default_action: 'proxy' (all through proxy) or 'direct' (bypass proxy by default).
"default_action": "proxy",
"rules": [
{
"domain_suffix": [".onion"],
"action": "proxy"
}
]
},
// Web control panel & Management API
"api": {
"enabled": false,
"bind": "0.0.0.0:9090",
// Static API token for Relay servers (optional)
"token": "",
// Secret URL path to hide panel from scanners (e.g. "mySecret123")
"webpath": "",
// Login credentials for web panel (password stored as SHA256 hash)
"username": "",
"password_hash": ""
},
// Fallback TCP proxy: unrecognized connections are proxied to a web server (anti-DPI).
"fallback": {
"enabled": false,
"listen": "0.0.0.0:443",
// Target web server (e.g., local nginx or caddy)
"target": "127.0.0.1:8080"
},
// Reality (XTLS) / UoT Masquerade parameters
"reality": {
"enabled": false,
"dest": "www.microsoft.com:443",
"private_key": "6FVg53jUBTt-dJ52F1Zu1RBCcW1gr9K84WdynBb7i80",
"pbk": "c9QjERoaqFGoKBd-9ZpNzj51E8B93fcnEQT_cohEk2E",
"sid": "960223edfa174fc5",
"sni_list": ["www.microsoft.com"]
},
"debug": false,
}

53
test_client.json
View File

@ -1,53 +0,0 @@
{
// OSTP Configuration v0.3.1
// DO NOT EDIT THIS COMMENT - Migrator relies on it
"version": "0.3.1",
"mode": "client",
"log": {
"level": "info"
},
"inbounds": [
{
"type": "tun",
"tag": "tun-in",
"auto_route": true,
"mtu": 1140
},
{
"type": "local_proxy",
"tag": "socks-in",
"protocol": "socks",
"listen": "127.0.0.1",
"port": 1088
}
],
"outbounds": [
{
"type": "ostp",
"tag": "proxy",
"server": "YOUR_SERVER_IP",
"port": 50000,
"access_key": "170756347f1562a4b260f8f4b419009a",
"transport": {
"type": "udp"
}
},
{
"type": "direct",
"tag": "direct"
},
{
"type": "block",
"tag": "block"
}
],
"routing": {
"rules": [
{
"domain_suffix": ["localhost"],
"outbound": "direct"
}
],
"default_outbound": "proxy"
}
}

42
test_server.json
View File

@ -1,42 +0,0 @@
{
// OSTP Configuration v0.3.1
// DO NOT EDIT THIS COMMENT - Migrator relies on it
"version": "0.3.1",
"mode": "server",
"log": {
"level": "info"
},
// The address and port the server listens on for incoming OSTP connections.
"listen": "0.0.0.0:50000",
// List of valid keys. Clients must use one of these to connect.
"access_keys": [
"1369293f64ed6382d96cd2c1fa2ee4ee"
],
// Optional proxy for outbound traffic.
"outbound": {
"enabled": false,
"protocol": "socks5",
"address": "127.0.0.1",
"port": 9050,
"default_action": "proxy",
"rules": [
{
"domain_suffix": [".onion"],
"action": "proxy"
}
]
},
// Fallback TCP proxy: unrecognized connections are proxied to a web server (anti-DPI).
"fallback": {
"enabled": false,
"listen": "0.0.0.0:443",
// Target web server (e.g., local nginx or caddy)
"target": "127.0.0.1:8080"
},
"debug": false
}