ostp/README.md

# OSTP — Ospab Stealth Transport Protocol

[Русский язык](README.ru.md)

![GitHub Release](https://img.shields.io/github/v/release/ospab/ostp?style=flat-square&color=blue)
![License: BSL 1.1](https://img.shields.io/badge/License-BSL%201.1-orange.svg?style=flat-square)
![Platform: Windows | Linux | macOS | Android](https://img.shields.io/badge/Platform-Windows%20%7C%20Linux%20%7C%20macOS%20%7C%20Android-green.svg?style=flat-square)

OSTP is a high-performance, censorship-resistant transport protocol designed to tunnel TCP traffic over UDP with full traffic obfuscation. It is resistant to Deep Packet Inspection (DPI), active probing, and statistical traffic analysis.

---

## Key Features

| Feature | Description |
|---------|-------------|
| **Traffic Obfuscation** | Every packet — including headers — is indistinguishable from random noise on the wire. Session IDs and nonces are masked with per-packet HMAC-derived keys. |
| **Noise Protocol Handshake** | `Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s` — pre-shared key authenticated, forward-secret key exchange with no static identity exposure. |
| **Reliable UDP (ARQ)** | Selective ACK/NACK with rate-limited retransmission, configurable reorder buffer, and exponential backoff. Designed for 10 Gbps throughput. |
| **Multiplexed Streams** | Multiple logical TCP streams over a single encrypted UDP session, with per-stream flow control. |
| **Seamless Roaming** | Clients can switch networks (WiFi ↔ 4G) without session interruption — the server tracks session-ID, not IP address. |
| **TUN Mode** | Full-system VPN via `tun2socks` integration on Windows and Linux. All traffic is transparently routed through the tunnel. |
| **TURN Relay** | RFC 5766 TURN support for environments where direct UDP is blocked. |
| **Hot-Reload** | Runtime config reload without restarting the process (access keys, exclusions, mux settings, TURN). |
| **Cross-Platform** | Windows, Linux, macOS, Android. Single binary, no runtime dependencies. |

---

## Architecture

```
┌─────────────────────────────────────────────────────────────┐
│  Client                                                     │
│  ┌──────────┐   ┌──────────┐   ┌────────────────────────┐   │
│  │ Browser  │──▸│ SOCKS5/  │──▸│    Bridge (Mux)        │   │
│  │ / Apps   │   │ HTTP     │   │  ┌─────────────────┐   │   │
│  │          │   │ Proxy    │   │  │ ProtocolMachine │   │   │
│  └──────────┘   └──────────┘   │  │ (Noise + AEAD)  │   │   │
│                                │  └────────┬────────┘   │   │
│  ┌──────────┐                  │           │            │   │
│  │ TUN Mode │──────────────────┤      UDP Socket        │   │
│  │tun2socks │                  │  (32MB buffers,        │   │
│  └──────────┘                  │   obfuscated wire)     │   │
│                                └───────────┬────────────┘   │
└────────────────────────────────────────────┼────────────────┘
                                             │ UDP
┌────────────────────────────────────────────┼────────────────┐
│  Server                                    │                │
│  ┌─────────────────────────────────────────┴───────────┐    │
│  │              Dispatcher                             │    │
│  │  (Session lookup, roaming detection, replay guard)  │    │
│  └──────────────┬──────────────────────────────────────┘    │
│                 │                                           │
│  ┌──────────────▾──────────────────┐                        │
│  │   Relay Loop (per-stream TCP)   │──▸ Internet / Backend  │
│  └─────────────────────────────────┘                        │
└─────────────────────────────────────────────────────────────┘
```

---

## Installation

### Linux
```bash
bash <(curl -Ls https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.sh)
```

### Windows (PowerShell, Administrator)
```powershell
irm https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.ps1 | iex
```

---

## Configuration

Generate a default config:
```bash
./ostp --init server   # VPS
./ostp --init client   # Local machine
```

### Server (`config.json`)
```jsonc
{
  "mode": "server",
  "listen": "0.0.0.0:50000",
  "access_keys": ["YOUR_SECRET_KEY"],
  "debug": false,
  // Optional: forward traffic through an upstream proxy
  "outbound": {
    "enabled": false,
    "protocol": "socks5",    // "socks5" or "http"
    "address": "127.0.0.1",
    "port": 9050,
    "default_action": "proxy"
  }
}
```

### Client (`config.json`)
```jsonc
{
  "mode": "client",
  "server": "YOUR_SERVER_IP:50000",
  "access_key": "YOUR_SECRET_KEY",
  "socks5_bind": "127.0.0.1:1088",
  "debug": false,
  // TUN mode (full-system VPN)
  "tun": {
    "enable": false,
    "dns": "1.1.1.1"
  },
  // Multiplexing: spread traffic across multiple UDP sessions
  "mux": {
    "enabled": false,
    "sessions": 2
  },
  // TURN relay for restricted networks
  "turn": {
    "enabled": false,
    "server_addr": "turn.example.com:3478",
    "username": "user",
    "access_key": "pass"
  },
  // Traffic exclusions (bypassed directly)
  "exclude": {
    "domains": ["example.local"],
    "ips": ["192.168.0.0/16"]
  }
}
```

---

## Usage

```bash
# Start with config
./ostp --config config.json

# Or just run (looks for config.json in current/binary directory)
./ostp
```

### TUN Mode (Windows)
Requires `tun2socks.exe` in the same directory. Automatically requests Administrator privileges.

### TUN Mode (Linux)
Requires root. Uses `tun2socks` binary (same directory or in `$PATH`).

---

## Protocol Specification

See [docs/en/specification.md](docs/en/specification.md) for the full wire format, handshake flow, and ARQ semantics.

### Quick Summary

| Layer | Mechanism |
|-------|-----------|
| Key Exchange | Noise NNpsk0 (X25519 + ChaChaPoly + BLAKE2s) |
| Encryption | ChaCha20-Poly1305 AEAD per-packet |
| Header Obfuscation | HMAC-SHA256 derived per-packet mask over session_id + nonce |
| Reliability | Selective ACK with cumulative + SACK ranges |
| Retransmission | Rate-limited NACK (30ms cooldown) + exponential backoff RTO |
| Flow Control | In-flight window (retransmittable frames only) |
| Keepalive | Ping/Pong with RTT measurement every 5s |
| Session Timeout | 60s inactivity on client, 300s on server |

---

## Building from Source

```bash
# Prerequisites: Rust toolchain (1.75+)
cargo build --release

# Cross-compile for Linux (from Windows/macOS)
cross build --release --target x86_64-unknown-linux-gnu
```

---

## Documentation

- [Architecture Overview](docs/en/architecture.md)
- [Protocol Specification](docs/en/specification.md)
- [Obfuscation Design](docs/en/obfuscation.md)
- [Server Administration](docs/en/server.md)
- [Client Configuration](docs/en/client.md)
- [Integration Guide](docs/en/integrations.md)

---

## License

Business Source License 1.1. Free for personal and non-commercial use.
Converts to MIT License on May 14, 2030.