TUN/TAP Device

GOST added support for TUN/TAP devices in version 2.9. You can create VPN via TUN/TAP devices.

Windows

You need to install the tap driver OpenVPN/tap-windows6 or OpenVPN client for Windows.

TUN

Usage

gost -L="tun://[method:[email protected]][local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tun0&mtu=1350&route=10.100.0.0/16&gw=192.168.123.1"

method:password - Optional, encryption method and password for UDP tunnel. Supported methods are the same as shadowsocks/go-shadowsocks2.

local_ip:port - Local UDP tunnel listen address.

remote_ip:port - Optional, remote UDP server address, IP packets received by the local TUN device will be forwarded to the remote server via UDP tunnel.

net - Required, CIDR IP address of the TUN device, such as: 192.168.123.1/24.

name - Optional, TUN device name.

mtu - Optional, MTU for TUN device. Default value is 1350.

route - Optional, comma-separated routing items, such as: 10.100.0.0/16,172.20.1.0/24,1.2.3.4/32

gw - Optional, routing gateway.

tcp - Optional, use fake TCP tunnel, default value is false means UDP-based tunnel.

Routing on server side (2.9.2+)

The server can access the client network by setting up routing table and gateway.

Default gateway

The server can set the default gateway through the gw parameter to specify the gateway of the routes in route parameter.

gost -L="tun://:8421?net=192.168.123.1/24&gw=192.168.123.2&route=172.10.0.0/16,10.138.0.0/16"

Packets send to network 172.10.0.0/16 and 10.138.0.0/16 will be forwarded to the client with the IP 192.168.123.2 through the TUN tunnel.

Gateway-specific routing

If you want to set a specific gateway for each route, you can specify it through a route configuration file:

gost -L="tun://:8421?net=192.168.123.1/24&route=route.txt"

The configuration file route.txt format´╝Ü

# Destination   Gateway

172.10.0.0/16   192.168.123.2
10.138.0.0/16   192.168.123.3

The first column is the destination network.

The second column is the gateway.

Packets send to network 172.10.0.0/16 will be forwarded to the client with the IP 192.168.123.2 through the TUN tunnel.

Packets send to network 10.138.0.0/16 will be forwarded to the client with the IP 192.168.123.3 through the TUN tunnel.

TUN-based VPN (Linux)

The value specified by net option may need to be adjusted according to your actual situation.

Create a TUN device and establish a UDP tunnel

Server side
gost -L tun://:8421?net=192.168.123.1/24
Client side
gost -L tun://:8421/SERVER_IP:8421?net=192.168.123.2/24

When no error occurred, you can use the ip addr command to inspect the created TUN device:

$ ip addr show tun0
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1350 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.123.2/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::d521:ad59:87d0:53e4/64 scope link flags 800 
       valid_lft forever preferred_lft forever

Now you can ping the server address:

$ ping 192.168.123.1
64 bytes from 192.168.123.1: icmp_seq=1 ttl=64 time=9.12 ms
64 bytes from 192.168.123.1: icmp_seq=2 ttl=64 time=10.3 ms
64 bytes from 192.168.123.1: icmp_seq=3 ttl=64 time=7.18 ms

iperf3 testing

Server side
$ iperf3 -s
Client side
$ iperf3 -c 192.168.123.1

IP routing and firewall rules

If you want the client to access the server network, you need to set the corresponding routing table and firewall rules according to your needs. For example, all the client external network traffic can be forwarded to the server.

Server side

Enable IP forwarding and set up firewall rules

$ sysctl -w net.ipv4.ip_forward=1

$ iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -o tun0 -j MASQUERADE
$ iptables -A FORWARD -i tun0 ! -o tun0 -j ACCEPT
$ iptables -A FORWARD -o tun0 -j ACCEPT
Client side

Set up firewall rules

The following operations will change the client's network environment, unless you know what you are doing, please be careful!
$ ip route add SERVER_IP/32 dev eth0   # replace the SERVER_IP and eth0
$ ip route del default   # delete the default route
$ ip route add default via 192.168.123.2  # add new default route

TAP

TAP devices are not supported by macOS.

Usage

gost -L="tap://[method:[email protected]][local_ip]:port[/remote_ip:port]?net=192.168.123.2/24&name=tap0&mtu=1350&route=10.100.0.0/16&gw=192.168.123.1"

TUN/TAP tunnel over TCP

The TUN/TAP tunnel in GOST is based on the UDP protocol by default.

If you want to use TCP, you can choose the following methods:

Fake TCP

Fake TCP is not standard TCP, it just simulates the TCP protocol.

This feature is only available on Linux.

GOST uses xtaci/tcpraw with built-in support for TCP. This feature can be enabled via the tcp option.

Server side
gost -L "tun://:8421?net=192.168.123.1/24&tcp=true"
Client side
gost -L "tun://:0/SERVER_IP:8421?net=192.168.123.2/24&tcp=true"

Proxy chain (2.9.1+)

You can add a proxy chain to forward UDP data, analogous to UDP port forwarding.

High flexibility and compatibility, recommended.

The last node of the proxy chain (the last -F parameter) must support GOST socks5 or ssu protocol type, the transport can be any one.

ssu is supported in 2.10.1+.

Server side
gost -L tun://:8421?net=192.168.123.1/24" -L socks5://:1080
Client side
gost -L tun://:0/:8421?net=192.168.123.2/24 -F socks5://SERVER_IP:1080

GOST port forwarding

Based on UDP port forwarding and proxy chain.

Server side
gost -L tun://:8421?net=192.168.123.1/24 -L socks5://:1080
Client side
gost -L tun://:8421/:8420?net=192.168.123.2/24 -L udp://:8420/:8421 -F socks5://server_ip:1080

Third-party tools

udp2raw-tunnel.