A fast, custom encrypted transport protocol written in Rust.
ospab 7424ccc0ff fix: resolve critical ARQ bugs causing Speedtest tunnel drops + docs overhaul
Critical fixes (6):
- protocol.rs: in_flight_count() now counts only retransmittable Data frames,
  not Ack/Nack control frames — eliminates false backpressure under load
- protocol.rs: NACK is now rate-limited to once per 30ms — prevents
  retransmission storm during normal UDP jitter
- protocol.rs: zombie frames exceeding max_retries+4 are evicted each tick —
  prevents unbounded memory growth and stale retransmits
- protocol.rs: Closing state now processes final in-flight packets instead
  of silently dropping them — prevents data loss at session teardown
- server/lib.rs: stream_tx changed from bounded(10000) to unbounded_channel —
  prevents TCP-reader collapse during Speedtest with 50+ streams
- bridge.rs: liveness timeout raised from 30s to 60s — prevents false
  reconnect during heavy Speedtest load

Medium fixes (8):
- protocol.rs: ACK range truncation preserves cumulative range (index 0)
- bridge.rs: Ping now uses send_datagram() for correct TURN wrapping
- dispatcher.rs: replay_cache hard-capped at 100k entries (DoS protection)
- dispatcher.rs: old addr cleaned from addr_to_session on roaming
- server/lib.rs: TCP connect_target() now has 10s timeout
- config.rs: TURN section parsed during hot-reload
- proxy.rs: HTTP header parsing uses 512-byte chunks instead of 1-byte reads
- proxy.rs: stream_id wrap-around skips active IDs to prevent collision
- runner.rs: is_essential_log matches actual log strings from bridge.rs

Other:
- kex.rs: clearly marked as dead PQ stub (not used by protocol)
- README.md + README.ru.md: complete rewrite with architecture diagram
- docs/en/specification.md: updated ARQ section with all new semantics
2026-05-17 03:20:50 +03:00

# OSTP — Ospab Stealth Transport Protocol

Russian (README.ru.md)

GitHub Release | License: BSL 1.1 | Platform: Windows | Linux | macOS | Android

OSTP is a high-performance, censorship-resistant transport protocol designed to tunnel TCP traffic over UDP with full traffic obfuscation. It is resistant to Deep Packet Inspection (DPI), active probing, and statistical traffic analysis.

## Key Features

| Feature | Description |
|---|---|
| Traffic Obfuscation | Every packet — including headers — is indistinguishable from random noise on the wire. Session IDs and nonces are masked with per-packet HMAC-derived keys. |
| Noise Protocol Handshake | Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s — pre-shared key authenticated, forward-secret key exchange with no static identity exposure. |
| Reliable UDP (ARQ) | Selective ACK/NACK with rate-limited retransmission, configurable reorder buffer, and exponential backoff. Designed for 10 Gbps throughput. |
| Multiplexed Streams | Multiple logical TCP streams over a single encrypted UDP session, with per-stream flow control. |
| Seamless Roaming | Clients can switch networks (WiFi ↔ 4G) without session interruption — the server tracks the session ID, not the IP address. |
| TUN Mode | Full-system VPN via tun2socks integration on Windows and Linux. All traffic is transparently routed through the tunnel. |
| TURN Relay | RFC 5766 TURN support for environments where direct UDP is blocked. |
| Hot-Reload | Runtime config reload without restarting the process (access keys, exclusions, mux settings, TURN). |
| Cross-Platform | Windows, Linux, macOS, Android. Single binary, no runtime dependencies. |

## Architecture

```text
┌─────────────────────────────────────────────────────────────┐
│  Client                                                     │
│  ┌──────────┐   ┌──────────┐   ┌────────────────────────┐   │
│  │ Browser  │──▸│ SOCKS5/  │──▸│    Bridge (Mux)        │   │
│  │ / Apps   │   │ HTTP     │   │  ┌─────────────────┐   │   │
│  │          │   │ Proxy    │   │  │ ProtocolMachine │   │   │
│  └──────────┘   └──────────┘   │  │ (Noise + AEAD)  │   │   │
│                                │  └────────┬────────┘   │   │
│  ┌──────────┐                  │           │            │   │
│  │ TUN Mode │──────────────────┤      UDP Socket        │   │
│  │tun2socks │                  │  (32MB buffers,        │   │
│  └──────────┘                  │   obfuscated wire)     │   │
│                                └───────────┬────────────┘   │
└────────────────────────────────────────────┼────────────────┘
                                             │ UDP
┌────────────────────────────────────────────┼────────────────┐
│  Server                                    │                │
│  ┌─────────────────────────────────────────┴───────────┐    │
│  │              Dispatcher                             │    │
│  │  (Session lookup, roaming detection, replay guard)  │    │
│  └──────────────┬──────────────────────────────────────┘    │
│                 │                                           │
│  ┌──────────────▾──────────────────┐                        │
│  │   Relay Loop (per-stream TCP)   │──▸ Internet / Backend  │
│  └─────────────────────────────────┘                        │
└─────────────────────────────────────────────────────────────┘
```

## Installation

### Linux

```bash
bash <(curl -Ls https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.sh)
```

### Windows (PowerShell, Administrator)

```powershell
irm https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.ps1 | iex
```

## Configuration

Generate a default config:

```bash
./ostp --init server   # VPS
./ostp --init client   # Local machine
```

### Server (config.json)

```jsonc
{
  "mode": "server",
  "listen": "0.0.0.0:50000",
  "access_keys": ["YOUR_SECRET_KEY"],
  "debug": false,
  // Optional: forward traffic through an upstream proxy
  "outbound": {
    "enabled": false,
    "protocol": "socks5",    // "socks5" or "http"
    "address": "127.0.0.1",
    "port": 9050,
    "default_action": "proxy"
  }
}
```

### Client (config.json)

```jsonc
{
  "mode": "client",
  "server": "YOUR_SERVER_IP:50000",
  "access_key": "YOUR_SECRET_KEY",
  "socks5_bind": "127.0.0.1:1088",
  "debug": false,
  // TUN mode (full-system VPN)
  "tun": {
    "enable": false,
    "dns": "1.1.1.1"
  },
  // Multiplexing: spread traffic across multiple UDP sessions
  "mux": {
    "enabled": false,
    "sessions": 2
  },
  // TURN relay for restricted networks
  "turn": {
    "enabled": false,
    "server_addr": "turn.example.com:3478",
    "username": "user",
    "access_key": "pass"
  },
  // Traffic exclusions (bypassed directly)
  "exclude": {
    "domains": ["example.local"],
    "ips": ["192.168.0.0/16"]
  }
}
```

## Usage

```bash
# Start with config
./ostp --config config.json

# Or just run (looks for config.json in current/binary directory)
./ostp
```

### TUN Mode (Windows)

Requires tun2socks.exe in the same directory. Automatically requests Administrator privileges.

### TUN Mode (Linux)

Requires root. Uses tun2socks binary (same directory or in $PATH).

## Protocol Specification

See docs/en/specification.md for the full wire format, handshake flow, and ARQ semantics.

### Quick Summary

| Layer | Mechanism |
|---|---|
| Key Exchange | Noise NNpsk0 (X25519 + ChaChaPoly + BLAKE2s) |
| Encryption | ChaCha20-Poly1305 AEAD per packet |
| Header Obfuscation | HMAC-SHA256 derived per-packet mask over session_id + nonce |
| Reliability | Selective ACK with cumulative + SACK ranges |
| Retransmission | Rate-limited NACK (30 ms cooldown) + exponential backoff RTO |
| Flow Control | In-flight window (retransmittable frames only) |
| Keepalive | Ping/Pong with RTT measurement every 5 s |
| Session Timeout | 60 s inactivity on client, 300 s on server |
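The sender-side ARQ rules in the summary above (in-flight window counting only retransmittable Data frames, a 30 ms NACK cooldown, eviction of zombie frames past max_retries + 4) as an added Rust sketch; this is not the project's own ProtocolMachine, and the `ArqTracker` and `FrameKind` names are assumed for illustration.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Frame kinds on the wire; only Data frames are retransmittable.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum FrameKind { Data, Ack, Nack }

/// Sender-side ARQ bookkeeping (hypothetical, not the project's ProtocolMachine):
/// seq -> (kind, retransmit count) for every frame not yet acknowledged.
pub struct ArqTracker {
    frames: HashMap<u64, (FrameKind, u32)>,
    max_retries: u32,
    nack_cooldown: Duration,
    last_nack: Option<Instant>,
}

impl ArqTracker {
    pub fn new(max_retries: u32) -> Self {
        let nack_cooldown = Duration::from_millis(30); // one NACK per 30 ms
        Self { frames: HashMap::new(), max_retries, nack_cooldown, last_nack: None }
    }
    pub fn track(&mut self, seq: u64, kind: FrameKind) { self.frames.insert(seq, (kind, 0)); }
    pub fn ack(&mut self, seq: u64) { self.frames.remove(&seq); }

    /// Backpressure input: count only retransmittable Data frames, so queued
    /// Ack/Nack control frames can never stall the sender with false backpressure.
    pub fn in_flight_count(&self) -> usize {
        self.frames.values().filter(|f| f.0 == FrameKind::Data).count()
    }

    /// Rate-limited NACK: true (and the cooldown is re-armed) only if no NACK was
    /// sent in the last 30 ms, so ordinary UDP jitter cannot trigger a storm.
    pub fn try_nack(&mut self, now: Instant) -> bool {
        if matches!(self.last_nack, Some(t) if now.duration_since(t) < self.nack_cooldown) {
            return false;
        }
        self.last_nack = Some(now);
        true
    }

    /// Per-tick maintenance: each Data frame still in flight counts one more
    /// retransmit; frames past max_retries + 4 are zombies and are evicted (sorted).
    pub fn tick(&mut self) -> Vec<u64> {
        let limit = self.max_retries + 4;
        for (k, r) in self.frames.values_mut() { if *k == FrameKind::Data { *r += 1; } }
        let mut evicted: Vec<u64> =
            self.frames.iter().filter(|(_, f)| f.1 > limit).map(|(s, _)| *s).collect();
        evicted.sort_unstable();
        for s in &evicted { self.frames.remove(s); }
        evicted
    }
}
```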

## Building from Source

```bash
# Prerequisites: Rust toolchain (1.75+)
cargo build --release

# Cross-compile for Linux (from Windows/macOS)
cross build --release --target x86_64-unknown-linux-gnu
```

## Documentation

## License

Business Source License 1.1. Free for personal and non-commercial use.
Converts to MIT License on May 14, 2030.