mirror of https://github.com/ospab/ostp.git
0-rttanti-dpibbrdpi-bypassnetworkingnoise-protocolprivacyproxyrustrust-langsecuritystealthtokioudpvpn
774d926bf9
|
||
|---|---|---|
| .github/workflows | ||
| docs | ||
| icons | ||
| netstack-smoltcp | ||
| ostp | ||
| ostp-client | ||
| ostp-core | ||
| ostp-flutter | ||
| ostp-gui | ||
| ostp-jni | ||
| ostp-server | ||
| ostp-tun | ||
| ostp-tun-helper | ||
| ostp-wiki | ||
| scripts | ||
| .gitattributes | ||
| .gitignore | ||
| CONTRIBUTING.md | ||
| CONTRIBUTING.ru.md | ||
| Cargo.lock | ||
| Cargo.toml | ||
| Cross.toml | ||
| LICENSE | ||
| MIGRATION_V0_3_1.md | ||
| README.md | ||
| README.ru.md | ||
| app-icon.svg | ||
| server.json | ||
README.md
OSTP — Ospab Stealth Transport Protocol
Русский язык · Wiki · Contributing · Releases · Migration Guide
A fast, custom encrypted transport protocol written in Rust.
OSTP (Ospab Stealth Transport Protocol) is a high-performance transport protocol. It implements a custom ARQ transport over UDP, as well as a UoT (UDP-over-TCP) mode. Every byte on the wire — including packet headers — is cryptographically indistinguishable from random noise, making it highly resistant to Deep Packet Inspection (DPI).
[!IMPORTANT] Upgrading from v0.2.x? Please read the v0.3.1 Configuration Migration Guide.
Quick Install
Linux
bash <(curl -Ls https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.sh)
Windows (PowerShell, run as Administrator)
irm https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.ps1 | iex
Manual Download
Download pre-built binaries for your platform from GitHub Releases.
Key Features
| Feature | Description |
|---|---|
| Full Traffic Obfuscation | Every packet — including headers — is indistinguishable from random noise. Session IDs and nonces are masked with per-packet HMAC-derived keys. |
| Noise Protocol Handshake | Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s — PSK-authenticated, forward-secret key exchange with no static identity exposure. |
| Reliable UDP (ARQ) | Selective ACK/NACK with rate-limited retransmission, configurable reorder buffer, and exponential backoff. |
| Multiplexed Streams | Multiple logical TCP streams over a single encrypted UDP session with per-stream flow control. |
| Seamless Roaming | Clients can switch networks (WiFi ↔ LTE) without session interruption — tracked by session-ID, not IP. |
| Management API | Built-in REST API for third-party panels (3x-ui, custom dashboards). Per-user stats, traffic limits, key CRUD. |
| Fallback Server | TCP fallback proxy to a web server — makes OSTP indistinguishable from nginx during active probing. |
| Multi-Listener | Bind to multiple addresses simultaneously (dual-stack IPv4/IPv6, multi-port). |
| TUN Mode | Full-system VPN via native smoltcp network stack without external dependencies. All traffic transparently routed through the tunnel. |
| xHTTP Stealth (UoT) | UDP-over-TCP tunnel that completely hides traffic. Since all data is fully encrypted and length-prefixed, it bypasses DPI filters that block unknown UDP traffic by riding over a plain TCP connection. |
| Mobile & Web Apps | Beautiful cross-platform mobile client (Flutter) and a modern Web Control Panel (React/Vite) for effortless server and client management. |
| TURN Relay | RFC 5766 TURN support for environments where direct UDP is blocked. |
| Hot-Reload | Runtime config reload without restart (access keys, exclusions, mux settings). |
| Structured Logging | tracing-based logging with RUST_LOG filtering. JSON/file/syslog output support. |
| Cross-Platform | Windows, Linux, macOS, Android, FreeBSD, MIPS, RISC-V. Single binary, no runtime dependencies. |
Architecture
graph TD
subgraph Client ["Client"]
A[Browser / Apps] -->|SOCKS5 / HTTP| B(Bridge Multiplexer)
TUN[TUN Interface] -->|IP Packets| B
subgraph OSTPCoreClient ["OSTP Core Protocol"]
B --> C{Protocol Machine}
C -->|Noise Handshake| D[ChaCha20Poly1305 AEAD]
D -->|Obfuscated UDP Payload| E((UDP Socket))
end
end
E <==>|Encrypted & Obfuscated UDP Tunnel| F
subgraph Server ["Server"]
F((UDP Socket)) --> G{Dispatcher}
subgraph OSTPCoreServer ["OSTP Core Backend"]
G -->|Auth & Decrypt| H[Session & State Guard]
H -->|TCP Stream| I[Relay Loop]
end
G -->|Active Probing / Unauth| FB[TCP Fallback Proxy]
FB -->|Forward| NGINX[nginx / Caddy]
H -->|Stats & Traffic| API[Management API]
I -->|Outbound| WWW((Internet))
end
Quick Start
1. Generate config
# On your VPS (server):
./ostp --init server
# On your machine (client):
./ostp --init client
2. Edit config
Server — set your access keys:
{
"mode": "server",
"listen": "0.0.0.0:50000",
"access_keys": ["YOUR_SECRET_KEY"],
"api": { "enabled": true, "bind": "127.0.0.1:9090", "token": "admin-token" },
"fallback": { "enabled": false, "listen": "0.0.0.0:443", "target": "127.0.0.1:8080" }
}
Client — point to your server:
{
"mode": "client",
"version": "0.3.1",
"log": { "level": "info" },
"inbounds": [
{ "type": "local_proxy", "tag": "socks-in", "protocol": "socks", "listen": "127.0.0.1", "port": 1088 },
{ "type": "tun", "tag": "tun-in", "auto_route": false, "mtu": 1140 }
],
"outbounds": [
{
"type": "ostp",
"tag": "proxy",
"server": "YOUR_SERVER_IP",
"port": 50000,
"access_key": "YOUR_SECRET_KEY",
"transport": { "type": "udp" }
},
{ "type": "direct", "tag": "direct" },
{ "type": "block", "tag": "block" }
],
"routing": {
"rules": [
{ "domain_suffix": ["localhost"], "outbound": "direct" }
],
"default_outbound": "proxy"
}
}
Note: Upgrading from v0.2.x? Read the v0.3.1 Migration Guide.
3. Run
./ostp # Uses config.json in current directory
./ostp --config /path/to.json # Custom config path
./ostp --check # Validate config without running
./ostp --generate-key # Generate a new access key
./ostp --links # Print client share links
4. Connect via share link (one-liner)
./ostp "ostp://ACCESS_KEY@server.com:50000?..."
[!WARNING] Always wrap the
ostp://...link in quotes (") so your terminal doesn't misinterpret special characters like&or?.
Management API
Built-in REST API for building panels and dashboards.
# Server status
curl -H "Authorization: Bearer mytoken" http://127.0.0.1:9090/api/server/status
# List all users with traffic stats
curl -H "Authorization: Bearer mytoken" http://127.0.0.1:9090/api/users
# Create a user with 10GB traffic limit
curl -X POST -H "Authorization: Bearer mytoken" \
-H "Content-Type: application/json" \
-d '{"limit_bytes": 10737418240}' \
http://127.0.0.1:9090/api/users
Full API reference: Management API
CLI Reference
ostp [OPTIONS] [URL]
Options:
--config <PATH> Config file path (default: config.json)
--init <MODE> Generate template config (server/client)
--check Validate configuration and exit
-g, --generate-key Generate a secure access key
-c, --count <N> Number of keys to generate (default: 1)
--format <FMT> Key format: hex, base64 (default: hex)
--links Print client share links from server config
Arguments:
[URL] Connect via share link: ostp://KEY@HOST:PORT
Protocol Summary
| Layer | Mechanism |
|---|---|
| Key Exchange | Noise NNpsk0 (X25519 + ChaChaPoly + BLAKE2s) zero-RTT |
| Encryption | ChaCha20-Poly1305 AEAD per-packet |
| Header Obfuscation | HMAC-SHA256 derived per-packet mask |
| Reliability | Selective ACK with cumulative + SACK ranges |
| Retransmission | Rate-limited NACK + exponential backoff RTO |
| Keepalive | Ping/Pong with RTT measurement every 5s |
Building from Source
# Prerequisites: Rust 1.75+
cargo build --release
# Cross-compile for Linux
cross build --release --target x86_64-unknown-linux-gnu
# Run tests
cargo test -p ostp-core -p ostp-server
Documentation
- Wiki — Full documentation
- Installation
- Configuration Reference
- Management API
- Protocol Design
- Building from Source
- FAQ
License
Business Source License 1.1. Free for personal and non-commercial use.
Converts to MIT License on May 14, 2030.
Contact
- Telegram: @ospab0
- Email: gvoprgrg@gmail.com