A fast, custom encrypted transport protocol written in Rust.
ospab 907d03ca38 fix(android): protect xhttp TCP socket from VPN routing loop
When using xhttp (UoT) mode on Android, the underlying TcpStream was
not protected with VpnService.protect(fd). This caused the TCP connection
to be routed back into the TUN interface, creating an infinite routing
loop and failing the connection immediately.

Added Android-specific socket protection to the TcpStream in connect_xhttp.
This fixes xhttp/UoT mode on mobile networks.
2026-05-29 17:27:50 +03:00
.github/workflows Upgrade Flutter to 3.41.6 in CI to support Kotlin DSL 2026-05-28 15:19:06 +03:00
docs docs: update obfuscation docs with XTLS-Reality 2026-05-29 15:02:39 +03:00
ostp feat: implement custom Reality protocol with ChaCha20Poly1305 and X25519 2026-05-29 15:00:17 +03:00
ostp-client fix(android): protect xhttp TCP socket from VPN routing loop 2026-05-29 17:27:50 +03:00
ostp-core fix(reality): fix TLS 1.3 handshake causing 1KB DPI cutoff on mobile 2026-05-29 16:21:59 +03:00
ostp-flutter fix(android): protect xhttp TCP socket from VPN routing loop 2026-05-29 17:27:50 +03:00
ostp-gui fix(android): protect xhttp TCP socket from VPN routing loop 2026-05-29 17:27:50 +03:00
ostp-jni feat: implement optional WSS framing for DPI bypass & extract framing logic 2026-05-29 13:59:59 +03:00
ostp-server fix(reality): fix TLS 1.3 handshake causing 1KB DPI cutoff on mobile 2026-05-29 16:21:59 +03:00
ostp-tun-helper feat: implement optional WSS framing for DPI bypass & extract framing logic 2026-05-29 13:59:59 +03:00
ostp-wiki Implement config management API, token generation, and update wiki 2026-05-26 19:33:45 +03:00
scripts fix: detect real public IP for panel URL output 2026-05-26 22:08:51 +03:00
.gitattributes chore: enforce LF line endings on bash scripts via gitattributes to fix 'bad interpreter' on Linux 2026-05-15 19:08:03 +03:00
.gitignore fix(reality): fix TLS 1.3 handshake causing 1KB DPI cutoff on mobile 2026-05-29 16:21:59 +03:00
.ostp_public_ip Fix STUN bug, improve DNS in TUN, fix config gen, add GHA for clients 2026-05-28 14:39:42 +03:00
CONTRIBUTING.md docs: add CONTRIBUTING guide in English and Russian, link in README 2026-05-29 00:25:40 +03:00
CONTRIBUTING.ru.md docs: add CONTRIBUTING guide in English and Russian, link in README 2026-05-29 00:25:40 +03:00
Cargo.lock CI/CD: release version v0.2.71 2026-05-29 16:42:05 +03:00
Cargo.toml CI/CD: release version v0.2.71 2026-05-29 16:42:05 +03:00
Cross.toml CI/CD: Resolve MIPS Tier-3 compilation by instructing Cross to dynamically build-std library from source 2026-05-14 23:57:19 +03:00
LICENSE Initial public release: Ospab Stealth Transport Protocol v0.1.0 2026-05-14 21:41:54 +03:00
README.md feat: implement custom Reality protocol with ChaCha20Poly1305 and X25519 2026-05-29 15:00:17 +03:00
README.ru.md feat: implement custom Reality protocol with ChaCha20Poly1305 and X25519 2026-05-29 15:00:17 +03:00
server.json Fix STUN bug, improve DNS in TUN, fix config gen, add GHA for clients 2026-05-28 14:39:42 +03:00
test.json Fix Tauri RealityConfig init 2026-05-28 15:30:48 +03:00

README.md

OSTP — Ospab Stealth Transport Protocol

Russian · Wiki · Contributing · Releases


OSTP is a high-performance, censorship-resistant transport protocol designed to tunnel TCP traffic over UDP with full traffic obfuscation. Every byte on the wire — including packet headers — is cryptographically indistinguishable from random noise. It is resistant to Deep Packet Inspection (DPI), active probing, and statistical traffic analysis.


Quick Install

Linux

bash <(curl -Ls https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.sh)

Windows (PowerShell, run as Administrator)

irm https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.ps1 | iex

Manual Download

Download pre-built binaries for your platform from GitHub Releases.


Key Features

| Feature | Description |
|---|---|
| Full Traffic Obfuscation | Every packet — including headers — is indistinguishable from random noise. Session IDs and nonces are masked with per-packet HMAC-derived keys. |
| Noise Protocol Handshake | Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s — PSK-authenticated, forward-secret key exchange with no static identity exposure. |
| Reliable UDP (ARQ) | Selective ACK/NACK with rate-limited retransmission, configurable reorder buffer, and exponential backoff. |
| Multiplexed Streams | Multiple logical TCP streams over a single encrypted UDP session with per-stream flow control. |
| Seamless Roaming | Clients can switch networks (WiFi ↔ LTE) without session interruption — tracked by session-ID, not IP. |
| Management API | Built-in REST API for third-party panels (3x-ui, custom dashboards). Per-user stats, traffic limits, key CRUD. |
| Fallback Server | TCP fallback proxy to a web server — makes OSTP indistinguishable from nginx during active probing. |
| Multi-Listener | Bind to multiple addresses simultaneously (dual-stack IPv4/IPv6, multi-port). |
| TUN Mode | Full-system VPN via tun2socks integration. All traffic transparently routed through the tunnel. |
| xHTTP Stealth (UoT) | UDP-over-TCP tunnel disguised as standard HTTP/1.1 or TLS traffic to bypass Level 1 Deep Packet Inspection (DPI) whitelists. |
| XTLS-Reality | Custom, dependency-free implementation of the Reality protocol using ChaCha20Poly1305 and X25519 for perfect TLS 1.3 impersonation. |
| TURN Relay | RFC 5766 TURN support for environments where direct UDP is blocked. |
| Hot-Reload | Runtime config reload without restart (access keys, exclusions, mux settings). |
| Structured Logging | tracing-based logging with RUST_LOG filtering. JSON/file/syslog output support. |
| Cross-Platform | Windows, Linux, macOS, Android, FreeBSD, MIPS, RISC-V. Single binary, no runtime dependencies. |

Architecture

┌─────────────────────────────────────────────────────────────┐
│  Client                                                     │
│  ┌──────────┐   ┌──────────┐   ┌────────────────────────┐   │
│  │ Browser  │──▸│ SOCKS5/  │──▸│    Bridge (Mux)        │   │
│  │ / Apps   │   │ HTTP     │   │  ┌─────────────────┐   │   │
│  │          │   │ Proxy    │   │  │ ProtocolMachine │   │   │
│  └──────────┘   └──────────┘   │  │ (Noise + AEAD)  │   │   │
│                                │  └────────┬────────┘   │   │
│  ┌──────────┐                  │           │            │   │
│  │ TUN Mode │──────────────────┤      UDP Socket        │   │
│  │tun2socks │                  │  (32MB buffers,        │   │
│  └──────────┘                  │   obfuscated wire)     │   │
│                                └───────────┬────────────┘   │
└────────────────────────────────────────────┼────────────────┘
                                             │ UDP
┌────────────────────────────────────────────┼────────────────┐
│  Server                                    │                │
│  ┌─────────────────────────────────────────┴───────────┐    │
│  │              Dispatcher                             │    │
│  │  (Session lookup, roaming, replay guard, per-user   │    │
│  │   traffic accounting, limit enforcement)            │    │
│  └──┬──────────────────────┬───────────────────────────┘    │
│     │                      │                                │
│  ┌──▾──────────────────┐ ┌─▾──────────────────────────┐     │
│  │ Relay Loop          │ │ Management API (REST)      │     │
│  │ (per-stream TCP)    │ │ /api/users, /api/stats     │     │
│  │ ──▸ Internet        │ │ Bearer token auth          │     │
│  └─────────────────────┘ └────────────────────────────┘     │
│                                                             │
│  ┌──────────────────────────────────────────────────────┐   │
│  │ Fallback TCP Proxy ──▸ nginx/caddy (anti-DPI)        │   │
│  └──────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────┘

Quick Start

1. Generate config

# On your VPS (server):
./ostp --init server

# On your machine (client):
./ostp --init client

2. Edit config

Server — set your access keys:

{
  "mode": "server",
  "listen": "0.0.0.0:50000",
  "access_keys": ["YOUR_SECRET_KEY"],
  "api": { "enabled": true, "bind": "127.0.0.1:9090", "token": "admin-token" },
  "fallback": { "enabled": false, "listen": "0.0.0.0:443", "target": "127.0.0.1:8080" }
}

Client — point to your server:

{
  "mode": "client",
  "server": "YOUR_SERVER_IP:50000",
  "access_key": "YOUR_SECRET_KEY",
  "socks5_bind": "127.0.0.1:1088",
  "transport": { "mode": "udp", "stealth_sni": "vk.com", "stealth_port": 443 },
  "tun": { "enable": false, "dns": "1.1.1.1" }
}

3. Run

./ostp                        # Uses config.json in current directory
./ostp --config /path/to.json # Custom config path
./ostp --check                # Validate config without running
./ostp --generate-key         # Generate a new access key
./ostp --links                # Print client share links
./ostp "ostp://ACCESS_KEY@server.com:50000?..."

Note: Always wrap the ostp://... link in quotes (") so your terminal doesn't misinterpret special characters like & or ?.
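
Before a server goes live, the template values from step 2 are worth checking for. The script below is an added example, not part of OSTP and not a replacement for `./ostp --check`: it audits a server config for the README's placeholder secrets, a management API bound beyond loopback (the API examples in this README use plain HTTP with a bearer token), and a disabled fallback. The 32-character minimum and the finding texts are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample: the server template from step 2 of this README, unchanged.
README_SERVER_CONFIG = """
{
  "mode": "server",
  "listen": "0.0.0.0:50000",
  "access_keys": ["YOUR_SECRET_KEY"],
  "api": { "enabled": true, "bind": "127.0.0.1:9090", "token": "admin-token" },
  "fallback": { "enabled": false, "listen": "0.0.0.0:443", "target": "127.0.0.1:8080" }
}
"""

# Placeholder values used in this README; none of them should reach production.
PLACEHOLDERS = {"YOUR_SECRET_KEY", "admin-token", "mytoken"}
MIN_SECRET_LEN = 32  # assumption: 32 hex characters (128 bits); adjust to policy


def weak_secret(value):
    return value in PLACEHOLDERS or len(value) < MIN_SECRET_LEN


def is_loopback(bind):
    # Accepts "127.0.0.1:9090", "[::1]:9090" and "localhost:9090".
    host = bind.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit_server_config(text):
    """Return a list of findings for an OSTP server config given as JSON text."""
    cfg = json.loads(text)
    findings = []
    keys = cfg.get("access_keys", [])
    if not keys:
        findings.append("access_keys: empty")
    for i, key in enumerate(keys):
        if weak_secret(key):
            findings.append(f"access_keys[{i}]: placeholder or too short")
    api = cfg.get("api", {})
    if api.get("enabled"):
        if weak_secret(api.get("token", "")):
            findings.append("api.token: placeholder or too short")
        if not is_loopback(api.get("bind", "")):
            findings.append("api.bind: management API exposed beyond loopback")
    if not cfg.get("fallback", {}).get("enabled"):
        findings.append("fallback: disabled, no decoy for active probing")
    return findings
```

Run it against the real file with `audit_server_config(open("config.json").read())`; an empty list means none of the checked conditions were found.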


Management API

Built-in REST API for building panels and dashboards.

# Server status
curl -H "Authorization: Bearer mytoken" http://127.0.0.1:9090/api/server/status

# List all users with traffic stats  
curl -H "Authorization: Bearer mytoken" http://127.0.0.1:9090/api/users

# Create a user with 10GB traffic limit
curl -X POST -H "Authorization: Bearer mytoken" \
  -H "Content-Type: application/json" \
  -d '{"limit_bytes": 10737418240}' \
  http://127.0.0.1:9090/api/users

Full API reference: Management API


CLI Reference

ostp [OPTIONS] [URL]

Options:
  --config <PATH>        Config file path (default: config.json)
  --init <MODE>          Generate template config (server/client)
  --check                Validate configuration and exit
  -g, --generate-key     Generate a secure access key
  -c, --count <N>        Number of keys to generate (default: 1)
  --format <FMT>         Key format: hex, base64 (default: hex)
  --links                Print client share links from server config

Arguments:
  [URL]                  Connect via share link: ostp://KEY@HOST:PORT

Protocol Summary

| Layer | Mechanism |
|---|---|
| XTLS-Reality | Spoofed TLS 1.3 ClientHello, X25519 Key Exchange, ChaCha20-Poly1305 AEAD |
| Key Exchange | Noise NNpsk0 (X25519 + ChaChaPoly + BLAKE2s) |
| Encryption | ChaCha20-Poly1305 AEAD per-packet |
| Header Obfuscation | HMAC-SHA256 derived per-packet mask |
| Reliability | Selective ACK with cumulative + SACK ranges |
| Retransmission | Rate-limited NACK + exponential backoff RTO |
| Keepalive | Ping/Pong with RTT measurement every 5s |
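
The "Header Obfuscation" row and the "Full Traffic Obfuscation" feature both describe a per-packet mask derived with HMAC. The sketch below is an added example of that general technique, not OSTP's code or wire format. Assumptions of this example: a 16-byte header (8-byte session ID plus 8-byte counter), a mask keyed off the last 16 ciphertext bytes, and all function names.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 16  # assumed layout: 8-byte session ID + 8-byte packet counter
SAMPLE_LEN = 16  # assumed: the mask is derived from the last 16 ciphertext bytes


def header_mask(header_key, ciphertext):
    """Per-packet mask: HMAC-SHA256 over a sample of this packet's ciphertext."""
    if len(ciphertext) < SAMPLE_LEN:
        raise ValueError("ciphertext too short to sample")
    sample = ciphertext[-SAMPLE_LEN:]
    return hmac.new(header_key, sample, hashlib.sha256).digest()[:HEADER_LEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal_header(header_key, session_id, counter, ciphertext):
    """Sender side: mask the cleartext header and prepend it to the ciphertext."""
    header = struct.pack(">QQ", session_id, counter)
    return xor(header, header_mask(header_key, ciphertext)) + ciphertext


def open_header(header_key, packet):
    """Receiver side: recompute the mask from the ciphertext and unmask."""
    masked, ciphertext = packet[:HEADER_LEN], packet[HEADER_LEN:]
    header = xor(masked, header_mask(header_key, ciphertext))
    session_id, counter = struct.unpack(">QQ", header)
    return session_id, counter, ciphertext


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed-demo-key").digest()
    # Constructed stand-ins for AEAD output (ciphertext + tag).
    body_a, body_b = bytes(range(48)), bytes(range(1, 49))
    pkt_a = seal_header(key, 0x1122334455667788, 7, body_a)
    pkt_b = seal_header(key, 0x1122334455667788, 7, body_b)
    # Same session ID and counter, different ciphertext: the wire headers differ.
    print(pkt_a[:HEADER_LEN].hex())
    print(pkt_b[:HEADER_LEN].hex())
    print(open_header(key, pkt_a)[:2])
```

The mask only hides the header; it does not authenticate it, so integrity still has to come from the AEAD tag.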

Building from Source

# Prerequisites: Rust 1.75+
cargo build --release

# Cross-compile for Linux
cross build --release --target x86_64-unknown-linux-gnu

# Run tests
cargo test -p ostp-core -p ostp-server

Documentation


License

Business Source License 1.1. Free for personal and non-commercial use.
Converts to MIT License on May 14, 2030.


Contact