
OSTP — Ospab Stealth Transport Protocol


License: AGPL v3 · Platform: Windows | Linux | macOS | Android

OSTP (Ospab Stealth Transport Protocol) is an encrypted transport protocol written in Rust. It implements a custom ARQ transport over UDP and a UDP-over-TCP (UoT) mode. The protocol uses cryptographic masking for all packet headers and payloads to resist traffic classification by Deep Packet Inspection (DPI) systems.

[!IMPORTANT] Upgrading from v0.2.x? Please read the v0.3.1 Configuration Migration Guide.


Technical Capabilities

| Capability | Description |
| --- | --- |
| Traffic Masking | Header and payload encryption using per-packet HMAC-derived keys. Indistinguishable from random noise. |
| Noise Protocol | Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s — PSK-authenticated, forward-secret key exchange. |
| Reliable UDP (ARQ) | Selective ACK/NACK with rate-limited retransmission, configurable reorder buffer, and exponential backoff. |
| Multiplexed Streams | Multiple logical TCP streams over a single encrypted UDP session with per-stream flow control. |
| Session Roaming | Connection persistence across IP changes via session ID tracking. |
| UoT Mode | UDP-over-TCP encapsulation with length-prefixing to bypass UDP blocking. |
| Fallback Server | TCP proxying to a legitimate web server to resist active probing. |
| TUN Mode | Native network stack integration (smoltcp) for full-system routing without external dependencies. |
| Management API | Built-in REST API for server administration, metrics, and key generation. |
| TURN Relay | RFC 5766 TURN support for NAT traversal. |
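
The UoT Mode entry above relies on the receiver re-cutting a TCP byte stream into datagrams, since TCP reads can split or merge frames. The following is an added example, not code from the OSTP repository, of that reassembly with a size cap. The 2-byte big-endian prefix, the names `UotDecoder` and `encode`, and the `max_len` cap are assumptions, because the README does not specify the frame layout.

```rust
// Added example, not OSTP source. Assumed wire format: 2-byte big-endian
// length, then the datagram (the README does not state the prefix width).
const PREFIX: usize = 2;

#[derive(Debug, PartialEq)]
pub enum FrameError { TooLarge(usize) }

/// Reassembles datagrams from TCP reads that may split or coalesce frames.
pub struct UotDecoder { buf: Vec<u8>, max_len: usize }

impl UotDecoder {
    /// `max_len` is a hypothetical cap on one datagram, e.g. the tunnel MTU.
    pub fn new(max_len: usize) -> Self { UotDecoder { buf: Vec::new(), max_len } }

    /// Feed bytes as read from the socket; returns every completed datagram.
    /// On `Err` the stream is desynchronized and the caller should close it.
    pub fn push(&mut self, chunk: &[u8]) -> Result<Vec<Vec<u8>>, FrameError> {
        self.buf.extend_from_slice(chunk);
        let (mut out, mut pos) = (Vec::new(), 0);
        while self.buf.len() - pos >= PREFIX {
            let len = u16::from_be_bytes([self.buf[pos], self.buf[pos + 1]]) as usize;
            // Reject oversize lengths so a peer cannot make the receiver
            // accumulate a frame larger than the cap.
            if len > self.max_len { return Err(FrameError::TooLarge(len)); }
            let start = pos + PREFIX;
            if self.buf.len() - start < len { break; } // partial frame, wait
            out.push(self.buf[start..start + len].to_vec());
            pos = start + len;
        }
        self.buf.drain(..pos); // keep only the unfinished tail
        Ok(out)
    }
}

/// Sender side: prefix one datagram with its length; None if it cannot fit.
pub fn encode(datagram: &[u8]) -> Option<Vec<u8>> {
    if datagram.len() > u16::MAX as usize { return None; }
    let mut v = (datagram.len() as u16).to_be_bytes().to_vec();
    v.extend_from_slice(datagram);
    Some(v)
}

fn main() {
    let mut wire = encode(b"hello").unwrap(); // constructed sample datagrams
    wire.extend(encode(b"ostp!").unwrap());
    let mut dec = UotDecoder::new(1500);
    for chunk in wire.chunks(3) { // simulate arbitrary TCP segmentation
        for d in dec.push(chunk).unwrap() { println!("{}", String::from_utf8_lossy(&d)); }
    }
}
```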

Architecture

flowchart LR
    Apps[Local Apps] -->|SOCKS5 / TUN| CoreC

    subgraph Client [Client Node]
        CoreC[OSTP Client] -.->|Encrypt & Mask| NetC[Transport Layer]
    end

    NetC <==>|Encrypted UDP / UoT| NetS

    subgraph Server [Server Node]
        NetS[Transport Layer] -.->|Decrypt & Auth| CoreS[OSTP Server]
        NetS -->|Unauthenticated| Fallback[Fallback Server]
    end

    CoreS -->|Relay| WWW((Internet))
    Fallback -->|Forward| Web((Web / NGINX))

Quick Start

1. Installation

Linux:

bash <(curl -Ls https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.sh)

Windows (PowerShell as Administrator):

irm https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.ps1 | iex

2. Configuration

Initialize the configuration files for the server and client:

# On the server:
./ostp --init server

# On the client:
./ostp --init client

Server Example (config.json):

{
  "mode": "server",
  "listen": "0.0.0.0:50000",
  "access_keys": ["YOUR_SECRET_KEY"]
}

Client Example (config.json):

{
  "mode": "client",
  "version": "0.3.1",
  "inbounds": [
    { "type": "local_proxy", "tag": "socks-in", "protocol": "socks", "listen": "127.0.0.1", "port": 1088 }
  ],
  "outbounds": [
    {
      "type": "ostp",
      "tag": "proxy",
      "server": "YOUR_SERVER_IP",
      "port": 50000,
      "access_key": "YOUR_SECRET_KEY",
      "transport": { "type": "udp" }
    }
  ]
}

3. Execution

# Run with default config.json
./ostp

# Run with a specific config path
./ostp --config /path/to/config.json

Or connect via a one-line share link on the client:

./ostp "ostp://YOUR_SECRET_KEY@YOUR_SERVER_IP:50000?transport=udp"

Protocol Specification

| Layer | Mechanism |
| --- | --- |
| Key Exchange | Noise NNpsk0 (X25519 + ChaChaPoly + BLAKE2s) zero-RTT |
| Encryption | ChaCha20-Poly1305 AEAD per-packet |
| Header Masking | HMAC-SHA256 derived per-packet mask |
| Reliability | Selective ACK with cumulative + SACK ranges |
| Retransmission | Rate-limited NACK + exponential backoff RTO |
| Keepalive | Ping/Pong with RTT measurement every 5s |

Building from Source

# Requires Rust 1.75+
cargo build --release

# Cross-compile for Linux
cross build --release --target x86_64-unknown-linux-gnu



License

GNU Affero General Public License v3.0 (AGPL-3.0). See LICENSE for more details.

